# Configuration Settings
Pomerium can be configured using a configuration file (YAML (opens new window)/JSON (opens new window)/TOML (opens new window)) or environmental variables (opens new window). In general, environmental variable keys are identical to config file keys but are uppercase. If you are coming from a kubernetes or docker background this should feel familiar. If not, check out the following primers.
- Store config in the environment (opens new window)
- Kubernetes: Environment variables (opens new window)
- Kubernetes: Config Maps (opens new window)
- Docker: Environment variables (opens new window)
Using both environmental variables (opens new window) and config file keys is allowed and encouraged (for instance, secret keys are probably best set as environmental variables). However, if duplicate configuration keys are found, environment variables take precedence.
TIP
Pomerium can hot-reload route configuration details, authorization policy, certificates, and other proxy settings.
# Shared Settings
These configuration variables are shared by all services, in all service modes.
# Address
- Environmental Variable:
ADDRESS
- Config File Key:
address
- Type:
string
- Example:
:443
,:8443
- Default:
:443
- Required
Address specifies the host and port to serve HTTP requests from. If empty, :443
is used. Note, in all-in-one deployments, gRPC traffic will be served on loopback on port :5443
.
# Autocert
- Environmental Variable:
AUTOCERT
- Config File Key:
autocert
- Type:
bool
- Optional
Turning on autocert allows Pomerium to automatically retrieve, manage, and renew public facing TLS certificates from Let's Encrypt (opens new window) which includes managed routes and the authenticate service. Autocert Directory must be used with Autocert must have a place to persist, and share certificate data between services. Note that autocert also provides OCSP stapling (opens new window).
This setting can be useful in situations where you may not have Pomerium behind a TLS terminating ingress or proxy that is already handling your public certificates on your behalf.
WARNING
By using autocert, you agree to the Let's Encrypt Subscriber Agreement (opens new window). There are strict usage limits (opens new window) per domain you should be aware of. Consider testing with autocert_use_staging
first.
WARNING
Autocert requires that ports 80
/443
be accessible from the internet in order to complete a TLS-ALPN-01 challenge (opens new window).
# Autocert Must-Staple
- Environmental Variable:
AUTOCERT_MUST_STAPLE
- Config File Key:
autocert_must_staple
- Type:
bool
- Optional
If true, force autocert to request a certificate with the status_request
extension (commonly called Must-Staple
). This allows the TLS client (id est the browser) to fail immediately if the TLS handshake doesn't include OCSP stapling information. This setting is only used when Autocert is true.
TIP
This setting will only take effect when you request or renew your certificates.
For more details, please see RFC7633 (opens new window) .
# Autocert Directory
Environmental Variable: either
AUTOCERT_DIR
Config File Key:
autocert_dir
Type:
string
pointing to the path of the directoryRequired if using Autocert setting
Default:
/data/autocert
in published Pomerium docker images- $XDG_DATA_HOME (opens new window)
$HOME/.local/share/pomerium
Autocert directory is the path which autocert will store x509 certificate data.
# Autocert Use Staging
- Environmental Variable:
AUTOCERT_USE_STAGING
- Config File Key:
autocert_use_staging
- Type:
bool
- Optional
Let's Encrypt has strict usage limits (opens new window). Enabling this setting allows you to use Let's Encrypt's staging environment (opens new window) which has much more lax usage limits.
# Certificates
- Config File Key:
certificates
(not yet settable using environmental variables) - Config File Key:
certificate
/certificate_key
- Config File Key:
certificate_file
/certificate_key_file
- Environmental Variable:
CERTIFICATE
/CERTIFICATE_KEY
- Environmental Variable:
CERTIFICATE_FILE
/CERTIFICATE_KEY_FILE
- Type: array of relative file locations
string
- Type: base64 encoded (opens new window)
string
- Type: certificate relative file location
string
- Required (if insecure not set)
Certificates are the x509 public-key and private-key used to establish secure HTTP and gRPC connections. Any combination of the above can be used together, and are additive. You can also use any of these settings in conjunction with Autocert
to get OCSP stapling.
For example, if specifying multiple certificates at once:
certificates:
- cert: "$HOME/.acme.sh/authenticate.example.com_ecc/fullchain.cer"
key: "$HOME/.acme.sh/authenticate.example.com_ecc/authenticate.example.com.key"
- cert: "$HOME/.acme.sh/verify.example.com_ecc/fullchain.cer"
key: "$HOME/.acme.sh/verify.example.com_ecc/verify.example.com.key"
- cert: "$HOME/.acme.sh/prometheus.example.com_ecc/fullchain.cer"
key: "$HOME/.acme.sh/prometheus.example.com_ecc/prometheus.example.com.key"
# Client Certificate Authority
- Environment Variable:
CLIENT_CA
/CLIENT_CA_FILE
- Config File Key:
client_ca
/client_ca_file
- Type: base64 encoded (opens new window)
string
or relative file location - Optional
The Client Certificate Authority is the x509 public-key used to validate mTLS (opens new window) client certificates. If not set, no client certificate will be required.
# Cookie Options
# Cookie Name
- Environmental Variable:
COOKIE_NAME
- Config File Key:
cookie_name
- Type:
string
- Default:
_pomerium
The name of the session cookie sent to clients.
# Cookie Secret
- Environmental Variable:
COOKIE_SECRET
- Config File Key:
cookie_secret
- Type: base64 encoded (opens new window)
string
- Required for proxy service
Secret used to encrypt and sign session cookies. You can generate a random key with head -c32 /dev/urandom | base64
.
# Cookie Domain
- Environmental Variable:
COOKIE_DOMAIN
- Config File Key:
cookie_domain
- Type:
string
- Example:
localhost.pomerium.io
- Optional
The scope of session cookies issued by Pomerium.
# HTTPS only
- Environmental Variable:
COOKIE_SECURE
- Config File Key:
cookie_secure
- Type:
bool
- Default:
true
If true, instructs browsers to only send user session cookies over HTTPS.
WARNING
Setting this to false may result in session cookies being sent in cleartext.
# Javascript Security
- Environmental Variable:
COOKIE_HTTP_ONLY
- Config File Key:
cookie_http_only
- Type:
bool
- Default:
true
If true, prevents javascript in browsers from reading user session cookies.
WARNING
Setting this to false enables hostile javascript to steal session cookies and impersonate users.
# Expiration
- Environmental Variable:
COOKIE_EXPIRE
- Config File Key:
cookie_expire
- Type: Go Duration (opens new window)
string
- Default:
14h
Sets the lifetime of session cookies. After this interval, users must reauthenticate.
# Debug
- Environmental Variable:
POMERIUM_DEBUG
- Config File Key:
pomerium_debug
- Type:
bool
- Default:
false
WARNING
Enabling the debug flag could result in sensitive information being logged!!!
By default, JSON encoded logs are produced. Debug enables colored, human-readable logs to be streamed to standard out (opens new window). In production, it is recommended to be set to false
.
For example, if true
10:37AM INF cmd/pomerium version=v0.0.1-dirty+ede4124
10:37AM INF proxy: new route from=verify.localhost.pomerium.io to=https://verify.pomerium.com
10:37AM INF proxy: new route from=ssl.localhost.pomerium.io to=http://neverssl.com
10:37AM INF proxy/authenticator: grpc connection OverrideCertificateName= addr=auth.localhost.pomerium.io:443
If false
{"level":"info","version":"v0.0.1-dirty+ede4124","time":"2019-02-18T10:41:03-08:00","message":"cmd/pomerium"}
{"level":"info","from":"verify.localhost.pomerium.io","to":"https://verify.pomerium.com","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"}
{"level":"info","from":"ssl.localhost.pomerium.io","to":"http://neverssl.com","time":"2019-02-18T10:41:03-08:00","message":"proxy: new route"}
{"level":"info","OverrideCertificateName":"","addr":"auth.localhost.pomerium.io:443","time":"2019-02-18T10:41:03-08:00","message":"proxy/authenticator: grpc connection"}
# Forward Auth
- Environmental Variable:
FORWARD_AUTH_URL
- Config File Key:
forward_auth_url
- Type:
URL
(must contain a scheme and hostname) - Example:
https://forwardauth.corp.example.com
- Resulting Verification URL:
https://forwardauth.corp.example.com/?uri={URL-TO-VERIFY}
- Optional
Forward authentication creates an endpoint that can be used with third-party proxies that do not have rich access control capabilities (nginx (opens new window), nginx-ingress (opens new window), ambassador (opens new window), traefik (opens new window)). Forward authentication allows you to delegate authentication and authorization for each request to Pomerium.
# Request flow
# Examples
# NGINX Ingress
Some reverse-proxies, such as nginx split access control flow into two parts: verification and sign-in redirection. Notice the additional path /verify
used for auth-url
indicating to Pomerium that it should return a 401
instead of redirecting and starting the sign-in process.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: verify
annotations:
kubernetes.io/ingress.class: "nginx"
certmanager.k8s.io/issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/auth-url: https://forwardauth.corp.example.com/verify?uri=$scheme://$host$request_uri
nginx.ingress.kubernetes.io/auth-signin: "https://forwardauth.corp.example.com/?uri=$scheme://$host$request_uri"
spec:
tls:
- hosts:
- verify.corp.example.com
secretName: quickstart-example-tls
rules:
- host: verify.corp.example.com
http:
paths:
- path: /
backend:
serviceName: verify
servicePort: 80
# Traefik docker-compose
If the forward_auth_url
is also handled by Traefik, you will need to configure Traefik to trust the X-Forwarded-*
headers as described in the documentation (opens new window).
version: "3"
services:
traefik:
# The official v2.2 Traefik docker image
image: traefik:v2.2
# Enables the web UI and tells Traefik to listen to docker
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--entrypoints.web.address=:80"
- "--entrypoints.web.forwardedheaders.insecure=true"
ports:
# The HTTP port
- "80:80"
# The Web UI (enabled by --api.insecure=true)
- "8080:8080"
volumes:
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock
verify:
# A container that exposes an API to show its IP address
image: pomerium/verify:latest
labels:
- "traefik.http.routers.verify.rule=Host(`verify.corp.example.com`)"
# Create a middleware named `foo-add-prefix`
- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Pomerium-Authenticated-User-Email,x-pomerium-authenticated-user-id,x-pomerium-authenticated-user-groups,x-pomerium-jwt-assertion"
- "traefik.http.middlewares.test-auth.forwardauth.address=http://forwardauth.corp.example.com/?uri=https://verify.corp.example.com"
- "traefik.http.routers.verify.middlewares=test-auth@docker"
# Global Timeouts
- Environmental Variables:
TIMEOUT_READ
TIMEOUT_WRITE
TIMEOUT_IDLE
- Config File Key:
timeout_read
timeout_write
timeout_idle
- Type: Go Duration (opens new window)
string
- Example:
TIMEOUT_READ=30s
- Defaults:
TIMEOUT_READ=30s
TIMEOUT_WRITE=0
TIMEOUT_IDLE=5m
Timeouts set the global server timeouts. Timeouts can also be set for individual routes.
For a deep dive on timeout values see these (opens new window) two (opens new window) excellent blog posts.
# GRPC Options
# GRPC Address
- Environmental Variable:
GRPC_ADDRESS
- Config File Key:
grpc_address
- Type:
string
- Example:
:443
,:8443
- Default:
:443
or:5443
if in all-in-one mode
gRPC Address specifies the host and port to serve gRPC requests from.
# GRPC Insecure
- Environmental Variable:
GRPC_INSECURE
- Config File Key:
grpc_insecure
- Type:
bool
This setting disables transport security for gRPC communication. If running in all-in-one mode, defaults to true as communication will run over localhost's own socket.
# GRPC Client Timeout
- Environmental Variable:
GRPC_CLIENT_TIMEOUT
- Config File Key:
grpc_client_timeout
- Type: Go Duration (opens new window)
string
- Default:
10s
Maximum time before canceling an upstream gRPC request. During transient failures, the proxy will retry upstreams for this duration. You should leave this high enough to handle backend service restart and rediscovery so that client requests do not fail.
# GRPC Client DNS RoundRobin
- Environmental Variable:
GRPC_CLIENT_DNS_ROUNDROBIN
- Config File Key:
grpc_client_dns_roundrobin
- Type:
bool
- Default:
true
Enable gRPC DNS based round robin load balancing. This method uses DNS to resolve endpoints and does client side load balancing of all addresses returned by the DNS record. Do not disable unless you have a specific use case.
# GRPC Server Max Connection Age
- Environmental Variable:
GRPC_SERVER_MAX_CONNECTION_AGE
- Config File Key:
grpc_server_max_connection_age
- Type: Go Duration (opens new window)
string
- Default:
5m
Set max connection age for GRPC servers. After this interval, servers ask clients to reconnect and perform any rediscovery for new/updated endpoints from DNS.
See https://godoc.org/google.golang.org/grpc/keepalive#ServerParameters (opens new window) for details
# GRPC Server Max Connection Age Grace
- Environmental Variable:
GRPC_SERVER_MAX_CONNECTION_AGE_GRACE
- Config File Key:
grpc_server_max_connection_age_grace
- Type: Go Duration (opens new window)
string
- Default:
5m
Additive period with grpc_server_max_connection_age
, after which servers will force connections to close.
See https://godoc.org/google.golang.org/grpc/keepalive#ServerParameters (opens new window) for details
# HTTP Redirect Address
- Environmental Variable:
HTTP_REDIRECT_ADDR
- Config File Key:
http_redirect_addr
- Type:
string
- Example:
:80
,:8080
- Optional
If set, the HTTP Redirect Address specifies the host and port to redirect http to https traffic on. If unset, no redirect server is started.
# Insecure Server
- Environmental Variable:
INSECURE_SERVER
- Config File Key:
insecure_server
- Type:
bool
- Required if certificates unset
Turning on insecure server mode will result in pomerium starting, and operating without any protocol encryption in transit.
This setting can be useful in a situation where you have Pomerium behind a TLS terminating ingress or proxy. However, even in that case, it is highly recommended to use TLS to protect the confidentiality and integrity of service communication even behind the ingress using self-signed certificates or an internal CA. Please see our helm-chart for an example of just that.
WARNING
Pomerium should never be exposed to the internet without TLS encryption.
# DNS Lookup Family
- Environmental Variable:
DNS_LOOKUP_FAMILY
- Config File Key:
dns_lookup_family
- Type:
string
- Options:
V4_ONLY
V6_ONLY
AUTO
- Optional
The DNS IP address resolution policy. If not specified, the value defaults to AUTO
.
# Log Level
- Environmental Variable:
LOG_LEVEL
- Config File Key:
log_level
- Type:
string
- Options:
debug
info
warn
error
- Default:
debug
Log level sets the global logging level for pomerium. Only logs of the desired level and above will be logged.
# Metrics Address
- Environmental Variable:
METRICS_ADDRESS
- Config File Key:
metrics_address
- Type:
string
- Example:
:9090
,127.0.0.1:9090
- Default:
disabled
- Optional
Expose a prometheus endpoint on the specified port.
WARNING
Use with caution: the endpoint can expose frontend and backend server names or addresses. Do not externally expose the metrics if this is sensitive information.
# Pomerium Metrics Tracked
Name | Type | Description |
---|---|---|
grpc_client_request_duration_ms | Histogram | GRPC client request duration by service |
grpc_client_request_size_bytes | Histogram | GRPC client request size by service |
grpc_client_requests_total | Counter | Total GRPC client requests made by service |
grpc_client_response_size_bytes | Histogram | GRPC client response size by service |
grpc_server_request_duration_ms | Histogram | GRPC server request duration by service |
grpc_server_request_size_bytes | Histogram | GRPC server request size by service |
grpc_server_requests_total | Counter | Total GRPC server requests made by service |
grpc_server_response_size_bytes | Histogram | GRPC server response size by service |
http_client_request_duration_ms | Histogram | HTTP client request duration by service |
http_client_request_size_bytes | Histogram | HTTP client request size by service |
http_client_requests_total | Counter | Total HTTP client requests made by service |
http_client_response_size_bytes | Histogram | HTTP client response size by service |
http_server_request_duration_ms | Histogram | HTTP server request duration by service |
http_server_request_size_bytes | Histogram | HTTP server request size by service |
http_server_requests_total | Counter | Total HTTP server requests handled by service |
http_server_response_size_bytes | Histogram | HTTP server response size by service |
pomerium_build_info | Gauge | Pomerium build metadata by git revision, service, version and goversion |
pomerium_config_checksum_int64 | Gauge | Currently loaded configuration checksum by service |
pomerium_config_last_reload_success | Gauge | Whether the last configuration reload succeeded by service |
pomerium_config_last_reload_success_timestamp | Gauge | The timestamp of the last successful configuration reload by service |
redis_conns | Gauge | Number of total connections in the pool |
redis_idle_conns | Gauge | Total number of times free connection was found in the pool |
redis_wait_count_total | Counter | Total number of connections waited for |
redis_wait_duration_ms_total | Counter | Total time spent waiting for connections |
storage_operation_duration_ms | Histogram | Storage operation duration by operation, result, backend and service |
# Envoy Proxy Metrics
As of v0.9
, Pomerium uses envoy (opens new window) for the data plane. As such, proxy related metrics are sourced from envoy, and use envoy's internal stats data model (opens new window). Please see Envoy's documentation for information about specific metrics.
All metrics coming from envoy will be labeled with service="pomerium"
or service="pomerium-proxy"
, depending if you're running all-in-one or distributed service mode.
# Proxy Log Level
- Environmental Variable:
PROXY_LOG_LEVEL
- Config File Key:
proxy_log_level
- Type:
string
- Options:
debug
info
warn
error
- Default: value of
log_level
ordebug
if both are unset
Proxy log level sets the logging level for the pomerium proxy service access logs. Only logs of the desired level and above will be logged.
# Service Mode
- Environmental Variable:
SERVICES
- Config File Key:
services
- Type:
string
- Default:
all
- Options:
all
authenticate
authorize
databroker
orproxy
Service mode sets which service(s) to run. If testing, you may want to set to all
and run pomerium in "all-in-one mode." In production, you'll likely want to spin up several instances of each service mode for high availability.
# Shared Secret
- Environmental Variable:
SHARED_SECRET
- Config File Key:
shared_secret
- Type: base64 encoded (opens new window)
string
- Required
Shared Secret is the base64 encoded 256-bit key used to mutually authenticate requests between services. It's critical that secret keys are random, and stored safely. Use a key management system or /dev/urandom
to generate a key. For example:
head -c32 /dev/urandom | base64
# Tracing
Tracing tracks the progression of a single user request as it is handled by Pomerium.
Each unit work is called a Span in a trace. Spans include metadata about the work, including the time spent in the step (latency), status, time events, attributes, links. You can use tracing to debug errors and latency issues in your applications, including in downstream connections.
# Shared Tracing Settings
Config Key | Description | Required |
---|---|---|
tracing_provider | The name of the tracing provider. (e.g. jaeger, zipkin) | ✅ |
tracing_sample_rate | Percentage of requests to sample in decimal notation. Default is 0.0001 , or .01% | ❌ |
# Datadog
Datadog is a real-time monitoring system that supports distributed tracing and monitoring.
Config Key | Description | Required |
---|---|---|
tracing_datadog_address | host:port address of the Datadog Trace Agent. Defaults to localhost:8126 | ❌ |
# Jaeger (partial)
Warning At this time, Jaeger protocol does not capture spans inside the proxy service. Please use Zipkin protocol with Jaeger for full support.
Jaeger (opens new window) is a distributed tracing system released as open source by Uber Technologies. It is used for monitoring and troubleshooting microservices-based distributed systems, including:
- Distributed context propagation
- Distributed transaction monitoring
- Root cause analysis
- Service dependency analysis
- Performance / latency optimization
Config Key | Description | Required |
---|---|---|
tracing_jaeger_collector_endpoint | Url to the Jaeger HTTP Thrift collector. | ✅ |
tracing_jaeger_agent_endpoint | Send spans to jaeger-agent at this address. | ✅ |
# Zipkin
Zipkin is an open source distributed tracing system and protocol.
Many tracing backends support zipkin either directly or through intermediary agents, including Jaeger. For full tracing support, we recommend using the Zipkin tracing protocol.
Config Key | Description | Required |
---|---|---|
tracing_zipkin_endpoint | Url to the Zipkin HTTP endpoint. | ✅ |
# Example
# Use Proxy Protocol
- Environment Variable:
USE_PROXY_PROTOCOL
- Config File Key:
use_proxy_protocol
- Type:
bool
- Optional
Setting use_proxy_protocol
will configure Pomerium to require the HAProxy proxy protocol (opens new window) on incoming connections. Versions 1 and 2 of the protocol are supported.
# Authenticate Service
# Authenticate Callback Path
- Environmental Variable:
AUTHENTICATE_CALLBACK_PATH
- Config File Key:
authenticate_callback_path
- Type:
string
- Default:
/oauth2/callback
- Optional
Authenticate callback path sets the path at which the authenticate service receives callback responses from your identity provider. The value must exactly match one of the authorized redirect URIs for the OAuth 2.0 client.
This value is referred to as the redirect_url
in the OpenIDConnect (opens new window) and OAuth2 specs.
See also:
- OAuth2 RFC 6749 (opens new window)
- OIDC Spec (opens new window)
- Google - Setting Redirect URI (opens new window)
# Authenticate Service URL
- Environmental Variable:
AUTHENTICATE_SERVICE_URL
- Config File Key:
authenticate_service_url
- Type:
URL
- Required
- Example:
https://authenticate.corp.example.com
Authenticate Service URL is the externally accessible URL for the authenticate service.
# Identity Provider Client ID
- Environmental Variable:
IDP_CLIENT_ID
- Config File Key:
idp_client_id
- Type:
string
- Required
Client ID is the OAuth 2.0 Client Identifier retrieved from your identity provider. See your identity provider's documentation, and our identity provider docs for details.
# Identity Provider Client Secret
- Environmental Variable:
IDP_CLIENT_SECRET
- Config File Key:
idp_client_secret
- Type:
string
- Required
Client Secret is the OAuth 2.0 Secret Identifier retrieved from your identity provider. See your identity provider's documentation, and our identity provider docs for details.
# Identity Provider Name
- Environmental Variable:
IDP_PROVIDER
- Config File Key:
idp_provider
- Type:
string
- Required
- Options:
auth0
azure
google
okta
onelogin
oroidc
Provider is the short-hand name of a built-in OpenID Connect (oidc) identity provider to be used for authentication. To use a generic provider,set to oidc
.
See identity provider for details.
# Identity Provider Scopes
- Environmental Variable:
IDP_SCOPES
- Config File Key:
idp_scopes
- Type: list of
string
- Default:
oidc
,profile
,email
,offline_access
(typically) - Optional for built-in identity providers.
Identity provider scopes correspond to access privilege scopes as defined in Section 3.3 of OAuth 2.0 RFC6749. The scopes associated with Access Tokens determine what resources will be available when they are used to access OAuth 2.0 protected endpoints.
WARNING
If you are using a built-in provider, you probably don't want to set customized scopes.
WARNING
Some providers, like Amazon Cognito, do not support the offline_access
scope.
# Identity Provider Service Account
- Environmental Variable:
IDP_SERVICE_ACCOUNT
- Config File Key:
idp_service_account
- Type:
string
- Required for group based policies (most configurations)
The identity provider service account setting is used to query associated identity information from your identity provider.
WARNING
If you plan to write authorization policies using groups, or any other data that exists in your identity provider's directory service, this setting is mandatory.
# Identity Provider URL
- Environmental Variable:
IDP_PROVIDER_URL
- Config File Key:
idp_provider_url
- Type:
string
- Required, depending on provider
Provider URL is the base path to an identity provider's OpenID connect discovery document (opens new window). For example, google's URL would be https://accounts.google.com
for their discover document (opens new window).
# Identity Provider Request Params
- Environmental Variable:
IDP_REQUEST_PARAMS
- Config File Key:
idp_request_params
- Type: map of
strings
key value pairs - Optional
Request parameters to be added as part of a signin request using OAuth2 code flow.
For more information see:
- OIDC Request Parameters (opens new window)
- IANA OAuth Parameters (opens new window)
- Microsoft Azure Request params (opens new window)
- Google Authentication URI parameters (opens new window)
# Identity Provider Refresh Directory Settings
- Environmental Variables:
IDP_REFRESH_DIRECTORY_INTERVAL
IDP_REFRESH_DIRECTORY_TIMEOUT
- Config File Key:
idp_refresh_directory_interval
idp_refresh_directory_timeout
- Type: Go Duration (opens new window)
string
- Example:
IDP_REFRESH_DIRECTORY_INTERVAL=30m
- Defaults:
IDP_REFRESH_DIRECTORY_INTERVAL=10m
IDP_REFRESH_DIRECTORY_TIMEOUT=1m
Refresh directory interval is the time that pomerium will sync your IDP diretory, while refresh directory timeout is the maximum time allowed each run.
WARNING
Use it at your own risk, if you set a too low value, you may reach IDP API rate limit.
# Proxy Service
# Authenticate Service URL
- Environmental Variable:
AUTHENTICATE_SERVICE_URL
- Config File Key:
authenticate_service_url
- Type:
URL
- Required
- Example:
https://authenticate.corp.example.com
Authenticate Service URL is the externally accessible URL for the authenticate service.
# Authorize Service URL
- Environmental Variable:
AUTHORIZE_SERVICE_URL
- Config File Key:
authorize_service_url
- Type:
URL
- Required; inferred in all-in-one mode to be localhost.
- Example:
https://pomerium-authorize-service.default.svc.cluster.local
orhttps://localhost:5443
Authorize Service URL is the location of the internally accessible authorize service. NOTE: Unlike authenticate, authorize has no publicly accessible http handlers so this setting is purely for gRPC communication.
If your load balancer does not support gRPC pass-through you'll need to set this value to an internally routable location (https://pomerium-authorize-service.default.svc.cluster.local
) instead of an externally routable one (https://authorize.corp.example.com
).
# Certificate Authority
- Environmental Variable:
CERTIFICATE_AUTHORITY
orCERTIFICATE_AUTHORITY_FILE
- Config File Key:
certificate_authority
orcertificate_authority_file
- Type: base64 encoded (opens new window)
string
or relative file location - Optional
Certificate Authority is set when behind-the-ingress service communication uses custom or self-signed certificates.
WARNING
Be sure to include the intermediary certificate.
# Default Upstream Timeout
- Environmental Variable:
DEFAULT_UPSTREAM_TIMEOUT
- Config File Key:
default_upstream_timeout
- Type: Duration (opens new window)
string
- Example:
10m
,1h45m
- Default:
30s
Default Upstream Timeout is the default timeout applied to a proxied route when no timeout
key is specified by the policy.
# Headers
Environmental Variable:
HEADERS
Config File Key:
headers
Type: map of
strings
key value pairsExamples:
Comma Separated:
X-Content-Type-Options:nosniff,X-Frame-Options:SAMEORIGIN
JSON:
'{"X-Test": "X-Value"}'
YAML:
headers: X-Test: X-Value
To disable:
disable:true
Default :
X-Content-Type-Options : nosniff, X-Frame-Options:SAMEORIGIN, X-XSS-Protection:1; mode=block, Strict-Transport-Security:max-age=31536000; includeSubDomains; preload,
Headers specifies a mapping of HTTP Header (opens new window) to be added to proxied requests. Nota bene Downstream application headers will be overwritten by Pomerium's headers on conflict.
By default, conservative secure HTTP headers (opens new window) are set.
# JWT Claim Headers
- Environmental Variable:
JWT_CLAIMS_HEADERS
- Config File Key:
jwt_claims_headers
- Type: slice of
string
- Example:
email
,groups
,user
- Optional
The JWT Claim Headers setting allows you to pass specific user session data down to upstream applications as HTTP request headers. Note, unlike the header x-pomerium-jwt-assertion
these values are not signed by the authorization service.
Any claim in the pomerium session JWT can be placed into a corresponding header for upstream consumption. This claim information is sourced from your Identity Provider (IdP) and Pomerium's own session metadata. The header will have the following format:
X-Pomerium-Claim-{Name}
where {Name}
is the name of the claim requested.
Use this option if you previously relied on x-pomerium-authenticated-user-{email|user-id|groups}
.
# Override Certificate Name
- Environmental Variable:
OVERRIDE_CERTIFICATE_NAME
- Config File Key:
override_certificate_name
- Type:
int
- Optional
- Example:
*.corp.example.com
if wild card orauthenticate.corp.example.com
/authorize.corp.example.com
Secure service communication can fail if the external certificate does not match the internally routed service hostname/SNI (opens new window). This setting allows you to override that value.
# Refresh Cooldown
- Environmental Variable:
REFRESH_COOLDOWN
- Config File Key:
refresh_cooldown
- Type: Duration (opens new window)
string
- Example:
10m
,1h45m
- Default:
5m
Refresh cooldown is the minimum amount of time between allowed manually refreshed sessions.
# X-Forwarded-For HTTP Header
- Environmental Variable:
SKIP_XFF_APPEND
- Config File Key:
skip_xff_append
- Type:
bool
- Default:
false
Do not append proxy IP address to x-forwarded-for
HTTP header. See Envoy (opens new window) docs for more detail.
# Data Broker Service
The databroker service is used for storing user session data.
# Data Broker Service URL
- Environmental Variable:
DATABROKER_SERVICE_URL
- Config File Key:
databroker_service_url
- Type:
URL
- Example:
https://databroker.corp.example.com
- Default: in all-in-one mode,
http://localhost:5443
The data broker service URL points to a data broker which is responsible for storing associated authorization context (e.g. sessions, users and user groups).
By default, the databroker
service uses an in-memory databroker.
To create your own data broker, implement the following gRPC interface:
For an example implementation, the in-memory database used by the databroker service can be found here:
# Data Broker Storage Type
- Environmental Variable:
DATABROKER_STORAGE_TYPE
- Config File Key:
databroker_storage_type
- Type:
string
- Optional
- Example:
redis
,memory
- Default:
memory
The backend storage that databroker server will use.
# Data Broker Storage Connection String
- Environmental Variable:
DATABROKER_STORAGE_CONNECTION_STRING
- Config File Key:
databroker_storage_connection_string
- Type:
string
- Required when storage type is
redis
- Example:
"redis://localhost:6379/0"
,"rediss://localhost:6379/0"
The connection string that the databroker service will use to connect to storage backend.
# Data Broker Storage Certificate File
- Environment Variable:
DATABROKER_STORAGE_CERT_FILE
- Config File Key:
databroker_storage_cert_file
- Type: relative file location
- Optional
The certificate used to connect to a storage backend.
# Data Broker Storage Certificate Key File
- Environment Variable:
DATABROKER_STORAGE_KEY_FILE
- Config File Key:
databroker_storage_key_file
- Type: relative file location
- Optional
The certificate key used to connect to a storage backend.
# Data Broker Storage Certificate Authority
- Environment Variable:
DATABROKER_STORAGE_CA_FILE
- Config File Key:
databroker_storage_ca_file
- Type: relative file location
- Optional
This setting defines the set of root certificates used when verifying storage server connections.
# Data Broker Storage TLS Skip Verify
- Environment Variable:
DATABROKER_STORAGE_TLS_SKIP_VERIFY
- Config File Key:
databroker_storage_tls_skip_verify
- Type: relative file location
- Optional
If set, the TLS connection to the storage backend will not be verified.
# Policy
- Environmental Variable:
POLICY
- Config File Key:
policy
- Type: base64 encoded (opens new window)
string
or inline policy structure in config file - Required However, pomerium will safely start without a policy configured, but will be unable to authorize or proxy traffic until the configuration is updated to contain a policy.
Policy contains route specific settings, and access control details. If you are configuring via POLICY environment variable, just the contents of the policy needs to be passed. If you are configuring via file, the policy should be present under the policy key. For example,
# This file contains only policy and route configuration details. Other
# configuration settings required by pomerium are excluded for clarity.
# See: https://www.pomerium.io/docs/reference/reference/
#
# For a complete self contained configuration see : config.example.yaml.
# Or, mix and match a policy file (this) with env vars : config.example.env
# Proxied routes and per-route policies are defined in a policy block
# NOTA BENE: You must uncomment the below 'policy' key if you are loading policy as a file.
# policy:
- from: https://verify.localhost.pomerium.io
to: http://localhost:8000
allowed_domains:
- pomerium.io
cors_allow_preflight: true
timeout: 30s
- from: https://external-verify.localhost.pomerium.io
to: https://verify.pomerium.com
allowed_domains:
- gmail.com
- from: https://weirdlyssl.localhost.pomerium.io
to: http://neverssl.com
allowed_users:
- bdd@pomerium.io
allowed_groups:
- admins
- developers
- from: https://hello.localhost.pomerium.io
to: http://localhost:8080
allowed_groups:
- admins@pomerium.io
Policy routes are checked in the order they appear in the policy, so more specific routes should appear before less specific routes. For example:
policies:
- from: http://from.example.com
to: http://to.example.com
prefix: /admin
allowed_groups: ["superuser"]
- from: http://from.example.com
to: http://to.example.com
allow_public_unauthenticated_access: true
In this example, an incoming request with a path prefix of /admin
would be handled by the first route (which is restricted to superusers). All other requests for from.example.com
would be handled by the second route (which is open to the public).
A list of policy configuration variables follows.
# Allowed Domains
yaml
/json
setting:allowed_domains
- Type: list of
string
- Required
- Example:
pomerium.io
,gmail.com
Allowed domains is a collection of whitelisted domains to authorize for a given route.
# Allowed Groups
yaml
/json
setting:allowed_groups
- Type: list of
string
- Required
- Example:
admins
,support@company.com
Allowed groups is a collection of whitelisted groups to authorize for a given route.
# Allowed IdP Claims
yaml
/json
setting:allowed_idp_claims
- Type: map of
strings
lists - Required
Allowed IdP Claims is a collection of whitelisted claim key-value pairs to authorize for a given route.
This is useful if your identity provider has extra information about a user that is not in the directory. It can also be useful if you wish to use groups with the generic OIDC provider.
Example:
- from: http://from.example.com
to: http://to.example.com
allowed_idp_claims:
family_name:
- Doe
- Smith
This policy would match users with the family_name
claim containing Smith
or Doe
.
Claims are represented as a map of strings to a list of values:
{
"family_name": ["Doe"],
"given_name": ["John"]
}
- Nested maps are flattened:
{ "a": { "b": ["c"] } }
becomes{ "a.b": ["c"] }
- Values are always a list:
{ "a": "b" }
becomes{ "a": ["b"] }
# Allowed Users
yaml
/json
setting:allowed_users
- Type: list of
string
- Required
- Example:
alice@pomerium.io
,bob@contractor.co
Allowed users is a collection of whitelisted users to authorize for a given route.
# CORS Preflight
yaml
/json
setting:cors_allow_preflight
- Type:
bool
- Optional
- Default:
false
Allow unauthenticated HTTP OPTIONS requests as per the CORS spec (opens new window).
# Enable Google Cloud Serverless Authentication
- Environmental Variable:
ENABLE_GOOGLE_CLOUD_SERVERLESS_AUTHENTICATION
- Config File Key:
enable_google_cloud_serverless_authentication
- Type:
bool
- Default:
false
Enable sending a signed Authorization Header (opens new window) to upstream GCP services.
Requires setting Google Cloud Serverless Authentication Service Account or running Pomerium in an environment with a GCP service account present in default locations.
# From
yaml
/json
setting:from
- Type:
URL
(must contain a scheme and hostname, must not contain a path) - Schemes:
https
,tcp+https
- Required
- Example:
https://verify.corp.example.com
,tcp+https://ssh.corp.example.com:22
From
is the externally accessible URL for the proxied request.
Specifying tcp+https
for the scheme enables TCP proxying support for the route. You may map more than one port through the same hostname by specifying a different :port
in the URL.
# Kubernetes Service Account Token
yaml
/json
setting:kubernetes_service_account_token
/kubernetes_service_account_token_file
- Type:
string
or relative file location containing a Kubernetes bearer token - Optional
- Example:
eyJ0eXAiOiJKV1QiLCJhbGciOiJ...
or/var/run/secrets/kubernetes.io/serviceaccount/token
Use this token to authenticate requests to a Kubernetes API server.
Pomerium will impersonate (opens new window) the Pomerium user's identity, and Kubernetes RBAC can be applied to IdP user and groups.
# Signout Redirect URL
- Environmental Variable:
SIGNOUT_REDIRECT_URL
- Config File Key:
signout_redirect_url
- Type:
URL
- Required
- Example:
https://signout-redirect-url.corp.example.com
Signout redirect url is the url user will be redirected to after signing out.
You can overwrite this behavior by passing the query param pomerium_redirect_uri
or post value pomerium_redirect_uri
to the /.pomerium/signout/
endpoint.
# Path
yaml
/json
setting:path
- Type:
string
- Optional
- Example:
/admin/some/exact/path
If set, the route will only match incoming requests with a path that is an exact match for the specified path.
# Prefix
yaml
/json
setting:prefix
- Type:
string
- Optional
- Example:
/admin
If set, the route will only match incoming requests with a path that begins with the specified prefix.
# Prefix Rewrite
yaml
/json
setting:prefix_rewrite
- Type:
string
- Optional
- Example:
/subpath
If set, indicates that during forwarding, the matched prefix (or path) should be swapped with this value. For example, given this policy:
from: https://from.example.com
to: https://to.example.com
prefix: /admin
prefix_rewrite: /
A request to https://from.example.com/admin
would be forwarded to https://to.example.com/
.
# Host Rewrite
yaml
/json
settings:host_rewrite
,host_rewrite_header
,host_path_regex_rewrite_pattern
,host_path_regex_rewrite_substitution
- Type:
string
- Optional
- Example:
host_rewrite: "example.com"
The host
header can be preserved via the preserve_host_header
setting or customized via 3 mutually exclusive options:
preserve_host_header
when enabled, this option will pass the host header from the incoming request to the proxied host, instead of the destination hostname. It's an optional parameter of typebool
that defaults tofalse
. See ProxyPreserveHost (opens new window).host_rewrite
which will rewrite the host to a new literal value.host_rewrite_header
which will rewrite the host to match an incoming header value.host_path_regex_rewrite_pattern
,host_path_regex_rewrite_substitution
which will rewrite the host according to a regex matching the path. For example with the following config:host_path_regex_rewrite_pattern: "^/(.+)/.+$" host_path_regex_rewrite_substitution: \1
Would rewrite the host header to
example.com
given the path/example.com/some/path
.
The 2nd, 3rd and 4th options correspond to the envoy route action host related options, which can be found here (opens new window).
# Public Access
yaml
/json
setting:allow_public_unauthenticated_access
- Type:
bool
- Optional
- Default:
false
Use with caution: Allow all requests for a given route, bypassing authentication and authorization. Suitable for publicly exposed web services.
If this setting is enabled, no whitelists (e.g. Allowed Users) should be provided in this route.
# Allow Any Authenticated User
yaml
/json
setting:allow_any_authenticated_user
- Type:
bool
- Optional
- Default:
false
Use with caution: This setting will allow all requests for any user which is able to authenticate with our given identity provider. For instance, if you are using a corporate GSuite account, an unrelated gmail user will be able to access the underlying upstream.
Use of this setting means Pomerium will not enforce centralized authorization policy for this route. The upstream is responsible for handling any authorization.
# Regex
yaml
/json
setting:regex
- Type:
string
(containing a regular expression) - Optional
- Example:
^/(admin|superuser)/.*$
If set, the route will only match incoming requests with a path that matches the specified regular expression. The supported syntax is the same as the Go regexp package (opens new window) which is based on re2 (opens new window).
# Regex Rewrite
yaml
/json
setting:regex_rewrite_pattern
,regex_rewrite_substitution
- Type:
string
- Optional
- Example:
{ "regex_rewrite_pattern":"^/service/([^/]+)(/.*)$", "regex_rewrite_substitution": "\\2/instance/\\1" }
If set, the URL path will be rewritten according to the pattern and substitution, similar to prefix_rewrite
.
# Outlier Detection
yaml
/json
setting:outlier_detection
- Type:
object
- Optional
- Example:
{ "consecutive_5xx": 12 }
Outlier detection and ejection is the process of dynamically determining whether some number of hosts in an upstream cluster are performing unlike the others and removing them from the healthy load balancing set.
See Envoy documentation (opens new window) and API (opens new window) for more details.
# Route Timeout
yaml
/json
setting:timeout
- Type: Go Duration (opens new window)
string
- Optional
- Default:
30s
Policy timeout establishes the per-route timeout value. Cannot exceed global timeout values.
# Set Request Headers
- Config File Key:
set_request_headers
- Type: map of
strings
key value pairs - Optional
Set Request Headers allows you to set static values for given request headers. This can be useful if you want to pass along additional information to downstream applications as headers, or set authentication header to the request. For example:
- from: https://verify.corp.example.com
to: https://verify.pomerium.com
allowed_users:
- bdd@pomerium.io
set_request_headers:
# works auto-magically!
# https://verify.corp.example.com/basic-auth/root/hunter42
Authorization: Basic cm9vdDpodW50ZXI0Mg==
X-Your-favorite-authenticating-Proxy: "Pomerium"
# Remove Request Headers
- Config File Key:
remove_request_headers
- Type: array of
strings
- Optional
Remove Request Headers allows you to remove given request headers. This can be useful if you want to prevent privacy information from being passed to downstream applications. For example:
- from: https://verify.corp.example.com
to: https://verify.pomerium.com
allowed_users:
- bdd@pomerium.io
remove_request_headers:
- X-Email
- X-Username
# Redirect
yaml
/json
setting: 'redirect'- Type: object
- Optional
- Example:
{ "host_redirect": "example.com" }
Redirect
is used to redirect incoming requests to a new URL. The redirect
field is an object with several possible
options:
https_redirect
(boolean): the incoming scheme will be swapped with "https".scheme_redirect
(string): the incoming scheme will be swapped with the given value.host_redirect
(string): the incoming host will be swapped with the given value.port_redirect
(integer): the incoming port will be swapped with the given value.path_redirect
(string): the incoming path portion of the URL will be swapped with the given value.prefix_rewrite
(string): the incoming matched prefix will be swapped with the given value.response_code
(integer): the response code to use for the redirect. Defaults to 301.strip_query
(boolean): indicates that during redirection, the query portion of the URL will be removed. Defaults to false.
Either redirect
or to
must be set.
# To
yaml
/json
setting:to
- Type:
URL
or list ofURL
s (must contain a scheme and hostname) with an optional weight - Schemes:
http
,https
,tcp
- Optional
- Example:
http://verify
,https://192.1.20.12:8080
,http://neverssl.com
,https://verify.pomerium.com/anything/
,["http://a", "http://b"]
,["http://a,10", "http://b,20"]
To
is the destination(s) of a proxied request. It can be an internal resource, or an external resource. Multiple upstream resources can be targeted by using a list instead of a single URL:
- from: https://example.com
to:
- https://a.example.com
- https://b.example.com
A load balancing weight may be associated with a particular upstream by appending ,[weight]
to the URL. The exact behavior depends on your lb_policy
setting. See Load Balancing for example configurations.
Must be tcp
if from
is tcp+https
.
WARNING
Be careful with trailing slash.
With rule:
- from: https://verify.corp.example.com
to: https://verify.pomerium.com/anything
Requests to https://verify.corp.example.com
will be forwarded to https://verify.pomerium.com/anything
, while requests to https://verify.corp.example.com/foo
will be forwarded to https://verify.pomerium.com/anythingfoo
.To make the request forwarded to https://httbin.org/anything/foo
, you can use double slashes in your request https://httbin.corp.example.com//foo
.
While the rule:
- from: https://verify.corp.example.com
to: https://verify.pomerium.com/anything/
All requests to https://verify.corp.example.com/*
will be forwarded to https://verify.pomerium.com/anything/*
. That means accessing to https://verify.corp.example.com
will be forwarded to https://verify.pomerium.com/anything/
. That said, if your application does not handle trailing slash, the request will end up with 404 not found.
Either redirect
or to
must be set.
# TLS Skip Verification
- Config File Key:
tls_skip_verify
- Type:
bool
- Default:
false
TLS Skip Verification controls whether a client verifies the server's certificate chain and host name. If enabled, TLS accepts any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. This should be used only for testing.
# TLS Server Name
- Config File Key:
tls_server_name
- Type:
string
- Optional
TLS Server Name overrides the hostname specified in the to
field. If set, this server name will be used to verify the certificate name. This is useful when the backend of your service is an TLS server with a valid certificate, but mismatched name.
# TLS Custom Certificate Authority
- Config File Key:
tls_custom_ca
ortls_custom_ca_file
- Type: base64 encoded (opens new window)
string
or relative file location - Optional
TLS Custom Certificate Authority defines a set of root certificate authorities that clients use when verifying server certificates.
Note: This setting will replace (not append) the system's trust store for a given route.
# TLS Downstream Client Certificate Authority
- Config File Key:
tls_downstream_client_ca
ortls_downstream_client_ca_file
- Type: base64 encoded (opens new window)
string
or relative file location - Optional
If specified downstream clients (eg a user's browser) will be required to provide a valid client TLS
certificate. This overrides the global client_ca
option for this route.
# TLS Client Certificate
- Config File Key:
tls_client_cert
andtls_client_key
ortls_client_cert_file
andtls_client_key_file
- Type: base64 encoded (opens new window)
string
or relative file location - Optional
Pomerium supports client certificates which can be used to enforce mutually authenticated and encrypted TLS connections (opens new window) (mTLS). For more details, see our mTLS example repository (opens new window) and the certificate docs.
# Pass Identity Headers
yaml
/json
setting:pass_identity_headers
- Type:
bool
- Optional
- Default:
false
When enabled, this option will pass identity headers to upstream applications. These headers include:
- X-Pomerium-Jwt-Assertion
- X-Pomerium-Claim-*
# SPDY
- Config File Key:
allow_spdy
- Type:
bool
- Default:
false
If set, enables proxying of SPDY protocol upgrades.
# Cluster Name
- Config File Key:
name
- Type:
string
- Optional
Runtime metrics for this policy would be available under envoy_cluster_
name
prefix.
# Load Balancing Policy
- Config File Key:
lb_policy
- Type:
enum
- Optional
In presence of multiple upstreams, defines load balancing strategy between them.
See Envoy documentation (opens new window) for more details.
ROUND_ROBIN
(opens new window) (default)LEAST_REQUEST
(opens new window) and may be further configured usingleast_request_lb_config
(opens new window)RING_HASH
(opens new window) and may be further configured usingring_hash_lb_config
(opens new window) optionRANDOM
(opens new window)MAGLEV
(opens new window) and may be further configured usingmaglev_lb_config
(opens new window) option
Some policy types support additional configuration.
# Load Balancing Policy Config
- Config File Key:
least_request_lb_config
,ring_hash_lb_config
,maglev_lb_config
- Type:
object
- Optional
When lb_policy
is configured, you may further customize policy settings for LEAST_REQUEST
, RING_HASH
, AND MAGLEV
using one of the following options.
least_request_lb_config
(opens new window)ring_hash_lb_config
(opens new window)maglev_lb_config
(opens new window)
See Load Balancing for example configurations
# Health Checks
- Config File Key:
health_checks
- Type:
array of objects
- Optional
When defined, will issue periodic health check requests to upstream servers. When health checks are defined, unhealthy upstream servers would not serve traffic.
See also outlier_detection
for automatic upstream server health detection.
In presence of multiple upstream servers, it is recommended to set up either health_checks
or outlier_detection
or both.
See Envoy documentation (opens new window) for a list of supported parameters (opens new window).
Only one of http_health_check
, tcp_health_check
, or grpc_health_check
may be configured per health_check object definition.
See Load Balancing for example configurations.
# Websocket Connections
- Config File Key:
allow_websockets
- Type:
bool
- Default:
false
If set, enables proxying of websocket connections.
WARNING
Use with caution: websockets are long-lived connections, so global timeouts are not enforced (though the policy-specific timeout
is enforced). Allowing websocket connections to the proxy could result in abuse via DOS attacks (opens new window).
# Authorize Service
# Authorize Service URL
- Environmental Variable:
AUTHORIZE_SERVICE_URL
- Config File Key:
authorize_service_url
- Type:
URL
- Required
- Example:
https://authorize.corp.example.com
Authorize Service URL is the location of the internally accessible authorize service.
# Google Cloud Serverless Authentication Service Account
- Environmental Variable:
GOOGLE_CLOUD_SERVERLESS_AUTHENTICATION_SERVICE_ACCOUNT
- Config File Key:
google_cloud_serverless_authentication_service_account
- Type: base64 encoded (opens new window)
string
- Optional
Manually specify the service account credentials to support GCP's Authorization Header (opens new window) format.
If unspecified:
- If Identity Provider Name is set to
google
, will default to Identity Provider Service Account - Otherwise, will default to ambient credentials in the default locations searched by the Google SDK. This includes GCE metadata server tokens.
# Signing Key
- Environmental Variable:
SIGNING_KEY
- Config File Key:
signing_key
- Type: base64 encoded (opens new window)
string
- Optional
Signing Key is the private key used to sign a user's attestation JWT which can be consumed by upstream applications to pass along identifying user information like username, id, and groups.
If set, the signing key's public key will can retrieved by hitting Pomerium's /.well-known/pomerium/jwks.json
endpoint which lives on the authenticate service. (If running the authentication service separately, this option must also be set there.)
For example:
$ curl https://authenticate.int.example.com/.well-known/pomerium/jwks.json | jq
{
"keys": [
{
"use": "sig",
"kty": "EC",
"kid": "ccc5bc9d835ff3c8f7075ed4a7510159cf440fd7bf7b517b5caeb1fa419ee6a1",
"crv": "P-256",
"alg": "ES256",
"x": "QCN7adG2AmIK3UdHJvVJkldsUc6XeBRz83Z4rXX8Va4",
"y": "PI95b-ary66nrvA55TpaiWADq8b3O1CYIbvjqIHpXCY"
}
]
}
If no certificate is specified, one will be generated and the base64'd public key will be added to the logs. Note, however, that this key be unique to each service, ephemeral, and will not be accessible via the authenticate service's jwks_uri
endpoint.
# Signing Key Algorithm
- Environmental Variable:
SIGNING_KEY_ALGORITHM
- Config File Key:
signing_key_algorithm
- Type:
string
- Options:
ES256
orEdDSA
orRS256
- Default:
ES256
This setting specifies which signing algorithm to use when signing the upstream attestation JWT. Cryptographic algorithm choice is subtle, and beyond the scope of this document, but we suggest sticking to the default ES256
unless you have a good reason to use something else.
Be aware that any RSA based signature method may be an order of magnitude lower than elliptic curve (opens new window) variants like EdDSA (ed25519
) and ECDSA (ES256
). For more information, checkout this article (opens new window).