Building Pomerium From Source
The following quick-start guide covers how to retrieve and build Pomerium directly from its source code, as well as how to run Pomerium using a minimal but complete configuration. One of the benefits of compiling from source is that Go supports building static binaries for a wide array of architectures and operating systems, some of which may not yet be supported by Pomerium's official images or binaries.
Retrieve the latest copy of pomerium's source code by cloning the repository.
git clone https://github.com/pomerium/pomerium.git $HOME/pomerium
Build pomerium from source in a single step using make.
cd $HOME/pomerium
make
Make will run all the tests, some code linters, then build the binary. If all is good, you should now have a freshly built pomerium binary for your architecture and operating system in the
Pomerium supports setting configuration variables using both environment variables and a configuration file.
Create a config file (config.yaml). This file will be used to determine Pomerium's configuration settings, routes, and access policies. Consider the following example:
# See detailed configuration settings : https://www.pomerium.io/reference/
authenticate_service_url: https://authenticate.corp.beyondperimeter.com
authorize_service_url: https://authorize.corp.beyondperimeter.com

# identity provider settings : https://www.pomerium.io/docs/identity-providers.html
idp_provider: google
idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME

policy:
  - from: httpbin.corp.beyondperimeter.com
    to: http://httpbin
    allowed_domains:
      - pomerium.io
  - from: external-httpbin.corp.beyondperimeter.com
    to: https://httpbin.org
    allow_public_unauthenticated_access: true
As mentioned above, Pomerium supports mixing and matching where configuration details are set. For example, we can specify our secret values and domain certificates as environment variables.
#!/bin/bash
# See : https://www.pomerium.io/docs/certificates.html
export CERTIFICATE_FILE="$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer" # optional, defaults to `./cert.pem`
export CERTIFICATE_KEY_FILE="$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key" # optional, defaults to `./certprivkey.pem`
# 256 bit random keys
export SHARED_SECRET="$(head -c32 /dev/urandom | base64)"
export COOKIE_SECRET="$(head -c32 /dev/urandom | base64)"
Finally, source the configuration env file and run pomerium, specifying the configuration file:
source ./env
./bin/pomerium -config config.yaml
external-httpbin.your.domain.example. Connections between you and httpbin will now be proxied and managed by Pomerium.
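A pre-flight check for the configuration above, to run after `source ./env` and before starting the binary. This is an added example, not part of Pomerium or the original guide: the function names are hypothetical, the 32-byte test follows the env file's "256 bit random keys" comment, and the route check is a line-oriented scan of the policy layout shown above rather than a YAML parser.

```shell
#!/bin/sh
# Added example: pre-flight checks for the env file and config.yaml shown above.
# Function names are hypothetical; this is not part of Pomerium.

# Print how many bytes a base64 string decodes to.
secret_bytes() {
  printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# Print the "from:" host of every policy entry that sets
# allow_public_unauthenticated_access: true.
public_routes() {
  awk '
    /^[[:space:]]*-[[:space:]]*from:/ { host = $NF }
    /allow_public_unauthenticated_access:[[:space:]]*true/ { print host }
  ' "$1"
}

# Run all checks against a config file; returns non-zero on any FAIL.
preflight() {
  cfg=$1; rc=0
  for name in SHARED_SECRET COOKIE_SECRET; do
    eval "val=\${$name:-}"
    if [ "$(secret_bytes "$val")" != 32 ]; then
      echo "FAIL: $name does not decode to 32 bytes"; rc=1
    fi
  done
  if grep -q 'REPLACE_ME' "$cfg"; then
    echo "FAIL: $cfg still contains REPLACE_ME placeholders"; rc=1
  fi
  for host in $(public_routes "$cfg"); do
    echo "WARN: $host is reachable without authentication"
  done
  return $rc
}

# When given a config path as an argument, run the checks against it.
if [ -n "${1:-}" ]; then
  preflight "$1"
fi
```

Because the secrets are read from the current shell, define these functions in the same shell that sourced `./env` and call `preflight config.yaml` there.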