pomerium/docs/docs/tcp
backport-actions-token[bot] 652d3eadc4
Docs: Ingress Controller (#2667) (#2745)
2021-11-04 16:36:05 -04:00

---
title: TCP Support
description: This article describes how to leverage pomerium for TCP proxying
meta:
  - name: keywords
    content: pomerium pomerium-cli proxy identity-access-proxy ssh tcp postgres database redis mysql application non-http
---

TCP Support

Operations and engineering teams frequently require access to lower level administrative and data protocols such as SSH, RDP, Postgres, MySQL, Redis, etc.

In addition to managing HTTP-based applications, Pomerium can be used to protect non-HTTP systems with the same consistent authorization policy. This is achieved by tunneling TCP over HTTP with the help of a client-side command built into pomerium-cli.

Internally, Pomerium uses the CONNECT method to establish the TCP tunnel.

::: warning
To minimize issues with TCP support, Pomerium should not be placed behind another HTTP proxy. Instead, configure your load balancer in L4 or TCP mode.

Otherwise, the HTTP proxy in front of Pomerium must know how to properly handle the CONNECT command and proxy it upstream. This capability will be specific to each proxy implementation.
:::

Configure Routes

TCP configuration is simple. Just specify the correct scheme and ports in your route's from and to fields.

Example:

routes:
  - from: tcp+https://redis.corp.example.com:6379
    to: tcp://redis.internal.example.com:6379
    policy:
    - allow:
        or:
          - email:
              is: contractor@not-example.com
          - groups:
              has: "datascience@example.com"

When creating TCP routes, note the following:

  • When configuring a TCP route, any HTTP specific settings such as regex_rewrite_pattern or set_request_headers have no effect.
  • While data is encrypted from a user system to Pomerium's proxy, the underlying application protocol must also support encryption for data to be fully encrypted end-to-end. Otherwise, traffic from the Pomerium proxy service to the upstream service will be unencrypted.
  • The ports in from and to are independent. Users only need to know the from URL to connect. The to can be changed without end user participation.
  • The port defined in from does not dictate what port the tunneled traffic uses. This will always be the port defined by address in your Pomerium configuration (443 by default). The port instead differentiates multiple routes to the same hostname for different services.
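The rules above are easy to get wrong in a large routes file. The following linter is an added example (not code from the Pomerium project) that checks each route against those rules: the from scheme must be tcp+https and the to scheme tcp, both with explicit ports, HTTP-only settings such as regex_rewrite_pattern or set_request_headers are flagged as having no effect, and a route with no policy is reported. The sample config is constructed.

```python
from urllib.parse import urlsplit

# Settings the page names as HTTP-specific; they have no effect on TCP routes.
HTTP_ONLY_KEYS = {"regex_rewrite_pattern", "set_request_headers"}


def lint_tcp_route(route: dict) -> list[str]:
    """Return findings for one route dict; an empty list means the route is clean."""
    findings = []
    src = urlsplit(route.get("from", ""))
    dst = urlsplit(route.get("to", ""))
    if src.scheme != "tcp+https":
        findings.append("from: scheme must be tcp+https for a TCP route")
    if src.port is None:
        # The from port does not change the listener port (that is `address`);
        # it distinguishes routes that share a hostname, so it must be explicit.
        findings.append("from: explicit port required to distinguish routes on a hostname")
    if dst.scheme != "tcp":
        findings.append("to: scheme must be tcp for a TCP route")
    if dst.port is None:
        findings.append("to: explicit upstream port required")
    for key in sorted(HTTP_ONLY_KEYS & route.keys()):
        findings.append(f"{key}: HTTP-only setting has no effect on a TCP route")
    if not route.get("policy"):
        findings.append("policy: route defines no authorization policy")
    return findings


def lint_routes(config: dict) -> dict[str, list[str]]:
    """Lint every route in a config dict; keys are the route's from URL."""
    return {r.get("from", "<no from>"): lint_tcp_route(r) for r in config.get("routes", [])}


# Constructed sample config: one correct route and one with several mistakes.
SAMPLE_CONFIG = {
    "routes": [
        {
            "from": "tcp+https://redis.corp.example.com:6379",
            "to": "tcp://redis.internal.example.com:6379",
            "policy": [{"allow": {"or": [{"groups": {"has": "datascience@example.com"}}]}}],
        },
        {
            "from": "https://mysql.corp.example.com",
            "to": "tcp://mysql.internal.example.com",
            "set_request_headers": {"X-Example": "ignored"},
        },
    ]
}

if __name__ == "__main__":
    for route, findings in lint_routes(SAMPLE_CONFIG).items():
        print(route, "OK" if not findings else "\n  " + "\n  ".join(findings))
```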

Connect to TCP Routes

While HTTP routes can be consumed with just a normal browser, pomerium-cli must serve as a proxy for TCP routes. It is available for a variety of platforms in various formats.

To connect, you normally need just the external hostname and port of your TCP route:

pomerium-cli tcp redis.corp.example.com:6379
5:57PM INF tcptunnel: listening on 127.0.0.1:52046

By default, pomerium-cli will start a listener on loopback on a random port.

On first connection, you will be sent through a standard Pomerium HTTP authentication flow. After completing this, your TCP connection should be established!

% redis-cli -h localhost -p 52046
localhost:52046> keys *
(empty array)
localhost:52046>

Advanced Usage

Listen Configuration

You may specify an optional address and port for the tcp command to listen on.

A listen address of "-" specifies that STDIN and STDOUT should be directly attached to the remote TCP connection. This is useful for SSH or for sending data through a shell pipe.

Custom URL

If the Pomerium proxy is not reachable through port 443 or the route is not in external DNS, you can specify a custom URL:

pomerium-cli tcp --pomerium-url https://pomerium.corp.example.com:8443 redis.corp.example.com:6379

The command above connects to https://pomerium.corp.example.com:8443 and then requests the TCP route for redis.corp.example.com:6379.

Service-Specific Documentation

We've outlined how to use a TCP tunnel through Pomerium for several popular services that use TCP connections: