Pomerium using Docker

Docker is a straightforward way to start using Pomerium. In the following quick-start, we'll create a minimal but complete environment for running Pomerium with containers.

Prerequisites

Configure

Docker-compose

Download the following docker-compose.yml file and modify it to:

version: "3"
services:
  pomerium:
    image: pomerium/pomerium:latest
    environment:
      # Generate new secret keys. e.g. `head -c32 /dev/urandom | base64`
      - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
    volumes:
      # Mount your domain's certificates : https://www.pomerium.io/docs/certificates.html
      - ~/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer:/pomerium/cert.pem:ro
      - ~/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key:/pomerium/privkey.pem:ro
      # Mount your config file : https://www.pomerium.io/reference/
      - ../config/config.minimal.yaml:/pomerium/config.yaml:ro
    ports:
      - 443:443

  # https://httpbin.corp.beyondperimeter.com --> Pomerium --> http://httpbin
  httpbin:
    image: kennethreitz/httpbin:latest
    expose:
      - 80

Configuration file

Create a configuration file (config.yaml) for defining Pomerium's configuration settings, routes, and access-policies. Consider the following example:

# See detailed configuration settings : https://www.pomerium.io/reference/
authenticate_service_url: https://authenticate.corp.beyondperimeter.com
authorize_service_url: https://authorize.corp.beyondperimeter.com

# identity provider settings : https://www.pomerium.io/docs/identity-providers.html
idp_provider: google
idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME

policy:
  - from: https://httpbin.corp.beyondperimeter.com
    to: http://httpbin
    allowed_domains:
      - pomerium.io
  - from: https://external-httpbin.corp.beyondperimeter.com
    to: https://httpbin.org
    allow_public_unauthenticated_access: true

Ensure the docker-compose.yml contains the correct path to your config.yaml.

Run

Finally, simply run docker compose.

docker-compose up

Docker will automatically download the required container images for Pomerium and httpbin. Then, Pomerium will run with the configuration details set in the previous steps.

You should now be able access to the routes (e.g. https://httpbin.corp.yourdomain.example) as specified in your policy file.