Pre-built binaries
This document covers how to configure and run Pomerium using the official prebuilt binaries.
Prerequisites
- A configured identity provider
- TLS certificates
Download
You can download the latest release from GitHub, or use the repositories we provide through Cloudsmith. In addition to the easy updates provided by the package manager, the `deb` and `rpm` packages include systemd service unit configurations.
Operating System Packages
Through Cloudsmith, we provide OS packages for Linux distributions using `deb` and `rpm` style package managers. Select your system's package format and architecture, then use the Setup tab to add the repository to your package manager.
Standalone Binary
Download the latest release of Pomerium for your machine's operating system and architecture.
Configure
Pomerium supports setting configuration variables using environment variables, a configuration file, or both.
When using our OS packages, we provide a default configuration at `/etc/pomerium/config.yaml`. Otherwise, create the config file (`config.yaml`) in your preferred location.
This file determines Pomerium's configuration settings, routes, and access policies. Consider the following example:
```yaml
# See detailed configuration settings : https://www.pomerium.com/docs/reference/

# this is the domain the identity provider will call back after a user authenticates
authenticate_service_url: https://authenticate.localhost.pomerium.io

# certificate settings: https://www.pomerium.com/docs/reference/certificates.html
autocert: true
# The staging CA issues certificates that browsers do not trust.
# REMOVE FOR PRODUCTION
autocert_use_staging: true

# If you're using mkcert to test Pomerium locally, comment the autocert keys and uncomment
# the keys below, adjusting for your mkcert path:
# certificate_file: /home/user/.local/share/mkcert/rootCA.pem
# certificate_key_file: /home/user/.local/share/mkcert/rootCA-key.pem

# identity provider settings : https://www.pomerium.com/docs/identity-providers.html
idp_provider: google
idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME

# Generate a 256 bit random key, e.g. `head -c32 /dev/urandom | base64`, and replace this value
cookie_secret: WwMtDXWaRDMBQCylle8OJ+w4kLIDIGd8W3cB4/zFFtg=

# https://pomerium.io/reference/#routes
routes:
  - from: https://verify.localhost.pomerium.io
    to: https://verify.pomerium.com
    policy:
      - allow:
          or:
            - email:
                is: user@example.com
    pass_identity_headers: true
```
You can also set some or all of your configuration keys as environment variables, in an `env` file for example. See the Reference page to identify the environment variable for each configuration option.
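The two points above that are easy to get wrong are the size of `cookie_secret` and the file permissions of an env file that holds it. The following POSIX shell script is an added example, not part of the Pomerium project or its documentation: it generates a fresh 256-bit secret, maps config keys to their environment variable names (assuming the Reference page's convention that the variable is the upper-cased key name, e.g. `cookie_secret` becomes `COOKIE_SECRET`), writes an env file that is mode 600 from the moment it is created, and checks that the secret in an existing env file decodes to exactly 32 bytes. The `authenticate_service_url` value is the one from the example config above.

```shell
#!/bin/sh
# Added example (not part of the Pomerium project or its docs): generate a
# fresh cookie_secret, write it into an owner-only env file, and verify it.
# Assumption: each config key's environment variable is the upper-cased key name.
set -eu

# Pomerium expects cookie_secret to be 256 bits (32 bytes) of randomness, base64-encoded.
gen_cookie_secret() {
  head -c32 /dev/urandom | base64 | tr -d '\n'
}

# Decode a base64 secret and print its byte length; a valid secret decodes to 32.
secret_byte_len() {
  printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# Map a config.yaml key to its environment variable name (cookie_secret -> COOKIE_SECRET).
env_name() {
  printf '%s' "$1" | tr 'a-z' 'A-Z'
}

# Write an env file a service can source. The subshell's umask 077 makes the
# file mode 600 at creation, so the secret is never world-readable, not even
# briefly between creation and a later chmod.
write_env_file() {
  out="$1"
  (
    umask 077
    {
      printf '%s=%s\n' "$(env_name cookie_secret)" "$(gen_cookie_secret)"
      printf '%s=%s\n' "$(env_name authenticate_service_url)" \
        "https://authenticate.localhost.pomerium.io"
    } > "$out"
  )
}

# Report whether an env file carries a well-formed 32-byte COOKIE_SECRET.
# Prints "ok" or "bad" so it can be used from other scripts.
check_env_file() {
  secret=$(sed -n 's/^COOKIE_SECRET=//p' "$1")
  if [ -n "$secret" ] && [ "$(secret_byte_len "$secret")" = "32" ]; then
    echo ok
  else
    echo bad
  fi
}
```

To use it, source the file and run `write_env_file /etc/pomerium/pomerium.env` followed by `check_env_file /etc/pomerium/pomerium.env`; a secret pasted in by hand that is too short (or not valid base64) is reported as `bad` before it ever reaches Pomerium.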
Run
OS Package
The following command adds a systemd drop-in that grants the Pomerium service only `CAP_NET_BIND_SERVICE`, the single capability it needs to bind to the privileged port `443`, rather than full root privileges:

```sh
echo -e "[Service]\nAmbientCapabilities=CAP_NET_BIND_SERVICE" | sudo SYSTEMD_EDITOR=tee systemctl edit pomerium
```

Enable and start the service:

```sh
sudo systemctl enable --now pomerium.service
```
Manual Installation
Source the configuration `env` file, if present, and run `pomerium`, specifying the `config.yaml`:

```sh
./bin/pomerium -config config.yaml
```

Browse to `https://verify.localhost.pomerium.io`, the `from` address of the route in the example configuration. Connections between you and the verify service are now proxied and managed by Pomerium.