Docker

Docker and docker-compose are tools for defining and running multi-container Docker applications. We've created an example docker-compose file that creates a minimal but complete test environment for Pomerium.

Prerequisites

Download

Copy and paste the contents of the provided example basic.docker-compose.yml.

Configure

Docker-compose

Edit the docker-compose.yml to match your specific identity provider's settings. For example, basic.docker-compose.yml:

# Example Pomerium configuration.
#
# NOTE! Change IDP_* settings to match your identity provider settings!
# NOTE! Generate new SHARED_SECRET and COOKIE_SECRET keys! e.g. `head -c32 /dev/urandom | base64`
# NOTE! Replace `corp.beyondperimeter.com` with whatever your domain is
# NOTE! Make sure certificate files (cert.pem/privkey.pem) are in the same directory as this file
# NOTE! Make sure your policy file (policy.example.yaml) is in the same directory as this file

version: "3"
services:
  pomerium:
    image: pomerium/pomerium:latest # or `build: .` to build from source
    environment:
      - POMERIUM_DEBUG=true
      - SERVICES=all
      - IDP_PROVIDER=google
      - IDP_PROVIDER_URL=https://accounts.google.com
      - IDP_CLIENT_ID=REPLACE_ME.apps.googleusercontent.com
      - IDP_CLIENT_SECRET=REPLACE_ME
      - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M=
      - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
      - CERTIFICATE_FILE=cert.pem
      - CERTIFICATE_KEY_FILE=privkey.pem
      - AUTHENTICATE_SERVICE_URL=https://authenticate.corp.beyondperimeter.com
      - AUTHORIZE_SERVICE_URL=https://authorize.corp.beyondperimeter.com
      - POLICY_FILE=./policy.yaml
    volumes:
      - ./cert.pem:/pomerium/cert.pem:ro
      - ./privkey.pem:/pomerium/privkey.pem:ro
      - ./policy.example.yaml:/pomerium/policy.yaml:ro
    ports:
      - 443:443

  # https://httpbin.corp.beyondperimeter.com
  httpbin:
    image: kennethreitz/httpbin:latest
    expose:
      - 80
  # https://hello.corp.beyondperimeter.com
  hello:
    image: gcr.io/google-samples/hello-app:1.0
    expose:
      - 8080

Policy configuration

Next, create a policy configuration file containing the routes you want to proxy and the access controls for each. For example, policy.example.yaml:

# Route to the httpbin container defined in the compose file (service name `httpbin`,
# port 80). Access is limited to users from the listed e-mail domains.
- from: httpbin.corp.beyondperimeter.com
  to: http://httpbin:80
  allowed_domains:
    - pomerium.io
    - gmail.com
  cors_allow_preflight: true
  timeout: 30s
# Route to an external upstream outside the compose network.
- from: external-httpbin.corp.beyondperimeter.com
  to: httpbin.org
  allowed_domains:
    - gmail.com
# A user is allowed if they match any listed user OR belong to any listed group.
- from: weirdlyssl.corp.beyondperimeter.com
  to: http://neverssl.com
  allowed_users:
    - bdd@pomerium.io
  allowed_groups:
    - admins
    - developers
# Route to the hello-app container (service name `hello`, port 8080); admins only.
- from: hello.corp.beyondperimeter.com
  to: http://hello:8080
  allowed_groups:
    - admins

Certificates

Place your domain's wildcard TLS certificate next to the compose file. If you don't have one handy, the included script generates one from Let's Encrypt.

Run

Docker-compose will automatically download the latest Pomerium release as well as the two example app containers.

docker-compose up

Pomerium is configured to proxy, and control access to, two test apps: helloworld and httpbin.

Open a browser and navigate to hello.your.domain.com or httpbin.your.domain.com. You should see something like the following in your browser:

[Screenshot: Getting started]

And in your terminal:

[Asciicast recording of the docker-compose output]