Configuration Settings

Pomerium can be configured using a configuration file (YAML/JSON/TOML) or environmental variables. In general, environmental variable keys are identical to config file keys but are uppercase. If you are coming from a kubernetes or docker background this should feel familiar. If not, check out the following primers.

• Store config in the environment
• Kubernetes: Environment variables
• Kubernetes: Config Maps
• Docker: Environment variables

Using both environmental variables and config file keys is allowed and encouraged (for instance, secret keys are probably best set as environmental variables). However, if duplicate configuration keys are found, environment variables take precedence.

tip

Pomerium can hot-reload route configuration details, authorization policy, certificates, and other proxy settings.

All-In-One vs Split Service mode

When running Pomerium as a single system service or container, all the options on this page can be set in a single config.yaml file, or passed to the single instance as environment variables.

When running Pomerium in a distributed environment where there are multiple processes, each handling separate components, all services can still share a single config file or set of environment variables.

Alternately, you can create individual config files or sets of environment variables for each service. When doing so, each file or set can define which component a process will run as using the service mode key.

The table contains all config options for Pomerium Core. You can also browse each key using the index on the left.

Name

Description

Type

Address

Address specifies the host and port to serve HTTP requests from.

string

Allow Any Authenticated User

bool

Allowed Domains

comma separated strings

Allowed Groups

comma separated strings

Allowed IdP Claims

Authorize users by matching claims attached to a user's identity token by their identity provider

map of strings lists

Allowed Users

comma separated strings

Authenticate Callback Path

The authenticate callback path is the path/url from the authenticate service that will receive the response from your identity provider.

string

Authenticate Internal Service URL

URL

Authenticate Service URL

Authenticate Service URL is the externally accessible URL for the authenticate service.

URL

Authorize Internal Service URL

URL

Authorize Service URL

Authorize Service URL is the location of the internally accessible Authorize service.

URL

Autocert

Turning on autocert allows Pomerium to automatically retrieve, manage, and renew public facing TLS certificates from Lets Encrypt.

bool

Autocert CA

Autocert CA is the directory URL of the ACME CA to use when requesting certificates.

Autocert Directory

Autocert directory is the path which autocert will store x509 certificate data.

string

Autocert EAB Key ID

Autocert EAB Key ID is the key identifier when requesting a certificate from a CA with External Account Binding enabled.

string

Autocert EAB MAC Key

Autocert EAB MAC Key is the base64url-encoded secret key corresponding to the Autocert EAB Key ID.

string

Autocert Email

Autocert Email is the email address to use when requesting certificates from an ACME CA.

email

Autocert Must-Staple

bool

Autocert Trusted Certificate Authority

string

Autocert Use Staging

Let's Encrypt has strict usage limits. Enabling this setting allows you to use Let's Encrypt's staging environment which has much more lax usage limits.

bool

Certificate Authority

Certificate Authority is set when behind-the-ingress service communication uses self-signed certificates.

string

Certificates

string

Client Certificate Authority

string

Client CRL

string

Cluster Name

string

Rows per page:

25

1–25 of 120