Pre-built binaries

This document covers how to configure and run Pomerium using the official prebuilt binaries.

Prerequisites

A configured identity provider
TLS certificates

Download

You can download the latest release from GitHub, or use the repositories we provide through Cloudsmith. In addition to the easy updates provided by the package manager, the deb and rpm packages include systemd service unit configurations.

Operating System Packages

Through Cloudsmith, we provide OS packages for Linux distributions using deb and rpm style package managers. Select your system's package format and architecture, then use the Setup tab to add the repository to your package manager.

Standalone Binary

Download the latest release of Pomerium for your machine's operating system and architecture.

Configure

Pomerium supports setting configuration variables using both environmental variables and using a configuration file.

When using our OS packages, we provide a default configuration at /etc/pomerium/config.yaml. Otherwise, create the config file (config.yaml) in your preferred location.

This file will be used to determine Pomerium's configuration settings, routes, and access-policies. Consider the following example:

# See detailed configuration settings : https://www.pomerium.com/docs/reference/

# this is the domain the identity provider will callback after a user authenticates
authenticate_service_url: https://authenticate.localhost.pomerium.io

# certificate settings:  https://www.pomerium.com/docs/reference/certificates.html
autocert: true
# REMOVE FOR PRODUCTION
autocert_use_staging: true

# If you're using mkcert to test Pomerium locally, comment the autocert keys and uncomment
# the keys below, adjusting for your mkcert path:
# certificate_file: /home/user/.local/share/mkcert/rootCA.pem
# certificate_key_file: /user/alex/.local/share/mkcert/rootCA-key.pem

# identity provider settings : https://www.pomerium.com/docs/identity-providers.html
idp_provider: google
idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME

# Generate 256 bit random keys  e.g. `head -c32 /dev/urandom | base64`
cookie_secret: WwMtDXWaRDMBQCylle8OJ+w4kLIDIGd8W3cB4/zFFtg=

# https://pomerium.io/reference/#routes
routes:
  - from: https://verify.localhost.pomerium.io
    to: https://verify.pomerium.com
    policy:
      - allow:
          or:
            - email:
                is: user@example.com
    pass_identity_headers: true

You can also set some or all of your configuration keys as environment variables, in an env file for example. See the Reference page to identify the environment variable for each configuration option.

Run

OS Package

The following command allows the Pomerium systemd service to bind to privileged port 443:

echo -e "[Service]\nAmbientCapabilities=CAP_NET_BIND_SERVICE" | sudo SYSTEMD_EDITOR=tee systemctl edit pomerium

Enable and start the service:

sudo systemctl enable --now pomerium.service

Manual Installation

Source the configuration env file, if present, and run pomerium specifying the config.yaml .

./bin/pomerium -config config.yaml

Browse to external-verify.your.domain.example. Connections between you and verify will now be proxied and managed by Pomerium.

Pre-built binaries

Prerequisites​

Download​

Operating System Packages​

Standalone Binary​

Configure​

Run​

OS Package​

Manual Installation​