    nginx + Pomerium combined example, adapted from the Pomerium docs. Reference: https://www.pomerium.io/docs/reference/examples.html#docker
  
        
  
    
    
  
  
    
  | ##### Main reference is https://www.pomerium.io/docs/reference/examples.html#docker | |
| # Main configuration flags : https://www.pomerium.io/docs/reference/reference/ | |
| # | |
| # address: ":8443" # optional, default is 443 | |
| pomerium_debug: true # optional, default is false | |
| # service: "all" # optional, default is all | |
| # log_level: info # optional, default is debug | |
| authenticate_service_url: https://authenticate.company.com | |
| # Identity Provider Settings | |
| idp_provider: "google" | |
| idp_client_id: "some client id" | |
| idp_client_secret: "some client secret" | |
| # scope: "openid email" # generally, you want the default OIDC scopes | |
| # Proxied routes and per-route policies are defined in a policy block | |
| policy: | |
| - from: https://internal.company.com | |
| to: http://httpbin | |
| allowed_domains: | |
| - company.com | |
| cors_allow_preflight: true | |
| timeout: 30s | 
  
    
    
  
  
    
  | version: "3" | |
| services: | |
| nginx: | |
| image: pomerium/nginx-proxy:latest | |
| ports: | |
| - "443:443" | |
| volumes: | |
| # NOTE!!! : nginx must be supplied with your wildcard certificates. | |
| # see : https://github.com/jwilder/nginx-proxy#wildcard-certificates | |
| - ~/.acme.sh/*.company.com_ecc/fullchain.cer:/etc/nginx/certs/company.com.crt:ro | |
| - ~/.acme.sh/*.company.com_ecc/*.company.com.key:/etc/nginx/certs/company.com.key:ro | |
| - /var/run/docker.sock:/tmp/docker.sock:ro | |
| pomerium-authenticate: | |
| image: pomerium/pomerium:v0.4.0 # or `build: .` to build from source | |
| restart: always | |
| environment: | |
| - SERVICES=authenticate | |
| - INSECURE_SERVER=TRUE | |
| # NOTE!: Replace with your identity provider settings https://www.pomerium.io/docs/identity-providers.html | |
| - IDP_PROVIDER=google | |
| - IDP_PROVIDER_URL=https://accounts.google.com | |
| - IDP_CLIENT_ID=some client id | |
| - IDP_CLIENT_SECRET=some client secret | |
| # - IDP_SERVICE_ACCOUNT=REPLACE_ME | |
| # NOTE! Generate new secret keys! e.g. `head -c32 /dev/urandom | base64` | |
| # Generated secret keys must match between services | |
| - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M= | |
| - COOKIE_SECRET=iAsbc7pcQ3St55Pb55+j80r73FU8PdXNzHQr0s9rB8E= | |
| # Tell nginx how to proxy pomerium's routes | |
| - VIRTUAL_PROTO=http | |
| - VIRTUAL_HOST=authenticate.company.com | |
| - VIRTUAL_PORT=443 | |
| volumes: | |
| - /root/config.yaml:/pomerium/config.yaml:ro | |
| expose: | |
| - 443 1,1 Top | |
| pomerium-proxy: | |
| image: pomerium/pomerium:v0.4.0 # or `build: .` to build from source | |
| restart: always | |
| environment: | |
| - SERVICES=proxy | |
| - INSECURE_SERVER=TRUE | |
| # IMPORTANT! If you are running pomerium behind another ingress (loadbalancer/firewall/etc) | |
| # you must tell pomerium proxy how to communicate using an internal hostname for RPC | |
| # - AUTHORIZE_SERVICE_URL=http://localhost:5443 | |
| - AUTHORIZE_SERVICE_URL=http://authorize.company.com:5443 | |
| # When communicating internally, rPC is going to get a name conflict expecting an external | |
| # facing certificate name (i.e. authenticate-service.local vs *.corp.example.com). | |
| - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M= | |
| - COOKIE_SECRET=iAsbc7pcQ3St55Pb55+j80r73FU8PdXNzHQr0s9rB8E= | |
| # Tell nginx how to proxy pomerium's routes | |
| - VIRTUAL_PROTO=http | |
| - VIRTUAL_HOST=*.company.com | |
| - VIRTUAL_PORT=443 | |
| volumes: | |
| # Mount your domain's certificates : https://www.pomerium.io/docs/reference/certificates | |
| - /root/config.yaml:/pomerium/config.yaml:ro | |
| expose: | |
| - 443 | |
| pomerium-authorize: | |
| image: pomerium/pomerium:v0.4.0 # or `build: .` to build from source | |
| restart: always | |
| environment: | |
| - SERVICES=authorize | |
| - INSECURE_SERVER=TRUE | |
| - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M= | |
| - GRPC_INSECURE=TRUE | |
| - GRPC_ADDRESS=:443 | |
| # | |
| volumes: | |
| # Retrieve non-secret config keys from the config file : https://www.pomerium.io/docs/reference/reference/ | |
| # See `config.example.yaml` and modify to fit your needs. | |
| - /root/config.yaml:/pomerium/config.yaml:ro | |
| expose: | |
| - 443 | |
| # https://httpbin.corp.beyondperimeter.com | |
| httpbin: | |
| image: some application as docker image | |
| expose: | |
| - 80 | 
  