README
¶
Pomerium is an identity-aware proxy that enables secure access to internal applications. Pomerium provides a standardized interface to add access control to applications regardless of whether the application itself has authorization or authentication baked-in. Pomerium gateways both internal and external requests, and can be used in situations where you'd typically reach for a VPN.
Pomerium can be used to:
- provide a single-sign-on gateway to internal applications.
- enforce dynamic access policy based on context, identity, and device identity.
- aggregate access logs and telemetry data.
- a VPN alternative.
Docs
For comprehensive docs, and tutorials see our documentation.
Directories
¶
| Path | Synopsis |
|---|---|
|
Package authenticate is a pomerium service that handles user authentication and refersh (AuthN).
|
Package authenticate is a pomerium service that handles user authentication and refersh (AuthN). |
|
Package authorize is a pomerium service that is responsible for determining if a given request should be authorized (AuthZ).
|
Package authorize is a pomerium service that is responsible for determining if a given request should be authorized (AuthZ). |
|
evaluator
Package evaluator contains rego evaluators for evaluating authorize policy.
|
Package evaluator contains rego evaluators for evaluating authorize policy. |
|
evaluator/opa
Package opa implements the policy evaluator interface to make authorization decisions.
|
Package opa implements the policy evaluator interface to make authorization decisions. |
|
cmd
|
|
|
pomerium-cli
Package main implements the pomerium-cli.
|
Package main implements the pomerium-cli. |
|
Package config is a configuration abstraction that facilitates enabling Pomerium settings forvarious encoding types (JSON/YAML/ENVARS) and methods.
|
Package config is a configuration abstraction that facilitates enabling Pomerium settings forvarious encoding types (JSON/YAML/ENVARS) and methods. |
|
envoyconfig
Package envoyconfig contains a Builder for building Envoy configuration from Pomerium configuration.
|
Package envoyconfig contains a Builder for building Envoy configuration from Pomerium configuration. |
|
envoyconfig/filemgr
Package filemgr defines a Manager for managing files for the controlplane.
|
Package filemgr defines a Manager for managing files for the controlplane. |
|
Package databroker is a pomerium service that handles the storage of user session state.
|
Package databroker is a pomerium service that handles the storage of user session state. |
|
examples
|
|
|
integration
|
|
|
internal/cluster
Package cluster is used to configure a kubernetes cluster for testing.
|
Package cluster is used to configure a kubernetes cluster for testing. |
|
internal/flows
Package flows has helper functions for working with pomerium end-user use-case flows.
|
Package flows has helper functions for working with pomerium end-user use-case flows. |
|
internal/forms
Package forms has helper functions for working with HTML forms.
|
Package forms has helper functions for working with HTML forms. |
|
internal/netutil
Package netutil has helper types for working with network connections.
|
Package netutil has helper types for working with network connections. |
|
backends/httpdetails
Module
|
|
|
backends/ws-echo
Module
|
|
|
internal
|
|
|
authclient
Package authclient contains a CLI authentication client for Pomerium.
|
Package authclient contains a CLI authentication client for Pomerium. |
|
autocert
Package autocert implements automatic management of TLS certificates.
|
Package autocert implements automatic management of TLS certificates. |
|
cliutil
Package cliutil contains functionality related to CLI apps.
|
Package cliutil contains functionality related to CLI apps. |
|
cmd/pomerium
Package pomerium houses the main pomerium CLI command.
|
Package pomerium houses the main pomerium CLI command. |
|
contextkeys
Package contextkeys defines common context keys shared between packages
|
Package contextkeys defines common context keys shared between packages |
|
controlplane
Package controlplane contains the HTTP and gRPC base servers and the xDS gRPC implementation for envoy.
|
Package controlplane contains the HTTP and gRPC base servers and the xDS gRPC implementation for envoy. |
|
controlplane/xdsmgr
Package xdsmgr implements a resource discovery manager for envoy.
|
Package xdsmgr implements a resource discovery manager for envoy. |
|
databroker
Package databroker contains a data broker implementation.
|
Package databroker contains a data broker implementation. |
|
directory
Package directory implements the user group directory service.
|
Package directory implements the user group directory service. |
|
directory/auth0
Package auth0 contains the Auth0 directory provider.
|
Package auth0 contains the Auth0 directory provider. |
|
directory/auth0/mock_auth0
Package mock_auth0 is a generated GoMock package.
|
Package mock_auth0 is a generated GoMock package. |
|
directory/azure
Package azure contains an azure active directory directory provider.
|
Package azure contains an azure active directory directory provider. |
|
directory/github
Package github contains a directory provider for github.
|
Package github contains a directory provider for github. |
|
directory/gitlab
Package gitlab contains a directory provider for gitlab.
|
Package gitlab contains a directory provider for gitlab. |
|
directory/google
Package google contains the Google directory provider.
|
Package google contains the Google directory provider. |
|
directory/okta
Package okta contains the Okta directory provider.
|
Package okta contains the Okta directory provider. |
|
directory/onelogin
Package onelogin contains the onelogin directory provider.
|
Package onelogin contains the onelogin directory provider. |
|
directory/ping
Package ping implements a directory provider for Ping.
|
Package ping implements a directory provider for Ping. |
|
encoding
Package encoding defines interfaces shared by other packages that convert data to and from byte-level and textual representations.
|
Package encoding defines interfaces shared by other packages that convert data to and from byte-level and textual representations. |
|
encoding/ecjson
Package ecjson represents encrypted and compressed content using JSON-based
|
Package ecjson represents encrypted and compressed content using JSON-based |
|
encoding/jws
Package jws represents content secured with digitalsignatures using JSON-based data structures as specified by rfc7515
|
Package jws represents content secured with digitalsignatures using JSON-based data structures as specified by rfc7515 |
|
encoding/mock
Package mock implements a mock implementation of MarshalUnmarshaler.
|
Package mock implements a mock implementation of MarshalUnmarshaler. |
|
envoy
Package envoy creates and configures an envoy server.
|
Package envoy creates and configures an envoy server. |
|
envoy/files
Package files contains files for use with envoy.
|
Package files contains files for use with envoy. |
|
fileutil
Package fileutil provides file utility functions, complementing the lower level abstractions found in the standard library.
|
Package fileutil provides file utility functions, complementing the lower level abstractions found in the standard library. |
|
frontend
Package frontend handles the generation, and instantiation of Pomerium's html templates.
|
Package frontend handles the generation, and instantiation of Pomerium's html templates. |
|
hashutil
Package hashutil provides NON-CRYPTOGRAPHIC utility functions for hashing.
|
Package hashutil provides NON-CRYPTOGRAPHIC utility functions for hashing. |
|
httputil
Package httputil provides HTTP utility functions, complementing the more common ones in the net/http package
|
Package httputil provides HTTP utility functions, complementing the more common ones in the net/http package |
|
httputil/reproxy
Package reproxy contains a handler for re-proxying traffic through the http controlplane.
|
Package reproxy contains a handler for re-proxying traffic through the http controlplane. |
|
identity
Package identity provides support for making OpenID Connect (OIDC) and OAuth2 authenticated HTTP requests with third party identity providers.
|
Package identity provides support for making OpenID Connect (OIDC) and OAuth2 authenticated HTTP requests with third party identity providers. |
|
identity/identity
Package identity is a package to avoid a dependency cycle.
|
Package identity is a package to avoid a dependency cycle. |
|
identity/manager
Package manager contains an identity manager responsible for refreshing sessions and creating users.
|
Package manager contains an identity manager responsible for refreshing sessions and creating users. |
|
identity/oauth
Package oauth provides support for making OAuth2 authorized and authenticated HTTP requests, as specified in RFC 6749.
|
Package oauth provides support for making OAuth2 authorized and authenticated HTTP requests, as specified in RFC 6749. |
|
identity/oauth/github
Package github implements OAuth2 based authentication for github https://www.pomerium.io/docs/identity-providers/github.html
|
Package github implements OAuth2 based authentication for github https://www.pomerium.io/docs/identity-providers/github.html |
|
identity/oidc
Package oidc implements a generic OpenID Connect provider.
|
Package oidc implements a generic OpenID Connect provider. |
|
identity/oidc/auth0
Package auth0 implements OpenID Connect for auth0 https://www.pomerium.io/docs/identity-providers/auth0.html
|
Package auth0 implements OpenID Connect for auth0 https://www.pomerium.io/docs/identity-providers/auth0.html |
|
identity/oidc/azure
Package azure implements OpenID Connect for Microsoft Azure https://www.pomerium.io/docs/identity-providers/azure.html
|
Package azure implements OpenID Connect for Microsoft Azure https://www.pomerium.io/docs/identity-providers/azure.html |
|
identity/oidc/gitlab
Package gitlab implements OpenID Connect for Gitlab https://www.pomerium.io/docs/identity-providers/gitlab.html
|
Package gitlab implements OpenID Connect for Gitlab https://www.pomerium.io/docs/identity-providers/gitlab.html |
|
identity/oidc/google
Package google implements OpenID Connect for Google and GSuite.
|
Package google implements OpenID Connect for Google and GSuite. |
|
identity/oidc/okta
Package okta implements OpenID Connect for okta https://www.pomerium.io/docs/identity-providers/okta.html
|
Package okta implements OpenID Connect for okta https://www.pomerium.io/docs/identity-providers/okta.html |
|
identity/oidc/onelogin
Package onelogin implements OpenID Connect for OneLogin https://www.pomerium.io/docs/identity-providers/one-login.html
|
Package onelogin implements OpenID Connect for OneLogin https://www.pomerium.io/docs/identity-providers/one-login.html |
|
identity/oidc/ping
Package ping implements OpenID Connect for Ping https://www.pomerium.io/docs/identity-providers/ping.html
|
Package ping implements OpenID Connect for Ping https://www.pomerium.io/docs/identity-providers/ping.html |
|
log
Package log provides a global logger for zerolog.
|
Package log provides a global logger for zerolog. |
|
middleware
Package middleware provides a standard set of middleware for pomerium.
|
Package middleware provides a standard set of middleware for pomerium. |
|
middleware/responsewriter
Package responsewriter contains helper functions that useful for hooking into various parts of a response.
|
Package responsewriter contains helper functions that useful for hooking into various parts of a response. |
|
redisutil
Package redisutil contains functions for working with redis.
|
Package redisutil contains functions for working with redis. |
|
registry
Package registry implements a service registry server.
|
Package registry implements a service registry server. |
|
registry/inmemory
Package inmemory implements an in-memory registry.
|
Package inmemory implements an in-memory registry. |
|
registry/redis
Package redis implements a registry in redis.
|
Package redis implements a registry in redis. |
|
registry/redis/lua
Package lua contains lua source code.
|
Package lua contains lua source code. |
|
scheduler
Package scheduler contains a priority queue based on time.
|
Package scheduler contains a priority queue based on time. |
|
sessions
Package sessions handles the storage, management, and validation of pomerium user sessions.
|
Package sessions handles the storage, management, and validation of pomerium user sessions. |
|
sessions/cookie
Package cookie provides a cookie based implementation of session store and loader.
|
Package cookie provides a cookie based implementation of session store and loader. |
|
sessions/header
Package header provides a request header based implementation of a session loader.
|
Package header provides a request header based implementation of a session loader. |
|
sessions/mock
Package mock provides a mock implementation of session store and loader.
|
Package mock provides a mock implementation of session store and loader. |
|
sessions/queryparam
Package queryparam provides a query param based implementation of a both as session store and loader.
|
Package queryparam provides a query param based implementation of a both as session store and loader. |
|
signal
Package signal provides mechanism for notifying multiple listeners when something happened.
|
Package signal provides mechanism for notifying multiple listeners when something happened. |
|
tcptunnel
Package tcptunnel contains an implementation of a TCP tunnel via HTTP Connect.
|
Package tcptunnel contains an implementation of a TCP tunnel via HTTP Connect. |
|
telemetry
Package telemetry contains metrics and tracing constructs
|
Package telemetry contains metrics and tracing constructs |
|
telemetry/metrics
Package metrics contains support for OpenCensus distributed metrics.
|
Package metrics contains support for OpenCensus distributed metrics. |
|
telemetry/requestid
Package requestid has functions for working with x-request-id in http/gRPC requests.
|
Package requestid has functions for working with x-request-id in http/gRPC requests. |
|
telemetry/trace
Package trace contains support for OpenCensus distributed tracing.
|
Package trace contains support for OpenCensus distributed tracing. |
|
tests/xdserr
Package xdserr to load test configuration updates
|
Package xdserr to load test configuration updates |
|
testutil
Package testutil contains helper functions for unit tests.
|
Package testutil contains helper functions for unit tests. |
|
tripper
Package tripper provides utility functions for working with the http.RoundTripper interface.
|
Package tripper provides utility functions for working with the http.RoundTripper interface. |
|
urlutil
Package urlutil provides utility functions for working with go urls.
|
Package urlutil provides utility functions for working with go urls. |
|
version
Package version enables setting build-time version using ldflags.
|
Package version enables setting build-time version using ldflags. |
|
pkg
|
|
|
cryptutil
Package cryptutil provides cryptographic utility functions, complementing the lower level abstractions found in the standard library.
|
Package cryptutil provides cryptographic utility functions, complementing the lower level abstractions found in the standard library. |
|
grpc
Package grpc provides gRPC utility functions, complementing the more common ones in the github.com/grpc/grpc-go package
|
Package grpc provides gRPC utility functions, complementing the more common ones in the github.com/grpc/grpc-go package |
|
grpc/config
Package config contains protobuf definitions for config.
|
Package config contains protobuf definitions for config. |
|
grpc/crypt
Package crypt contains cryptographic protobuf messages.
|
Package crypt contains cryptographic protobuf messages. |
|
grpc/databroker
Package databroker contains databroker protobuf definitions.
|
Package databroker contains databroker protobuf definitions. |
|
grpc/databroker/mock_databroker
Package mock_databroker is a generated GoMock package.
|
Package mock_databroker is a generated GoMock package. |
|
grpc/directory
Package directory contains protobuf types for directory users.
|
Package directory contains protobuf types for directory users. |
|
grpc/session
Package session contains protobuf types for sessions.
|
Package session contains protobuf types for sessions. |
|
grpc/user
Package user contains protobuf types for users.
|
Package user contains protobuf types for users. |
|
grpcutil
Package grpcutil contains functions for interacting with gRPC.
|
Package grpcutil contains functions for interacting with gRPC. |
|
logutil
Package logutil contains functionality for working with logs.
|
Package logutil contains functionality for working with logs. |
|
metrics
Package metrics declares metrics names and labels that pomerium exposes as constants that could be referred to from other projects
|
Package metrics declares metrics names and labels that pomerium exposes as constants that could be referred to from other projects |
|
policy
Package policy contains an implementation of the Pomerium Policy Language.
|
Package policy contains an implementation of the Pomerium Policy Language. |
|
policy/criteria
Package criteria contains all the pre-defined criteria as well as a registry to add new criteria.
|
Package criteria contains all the pre-defined criteria as well as a registry to add new criteria. |
|
policy/generator
Package generator converts Pomerium Policy Language into Rego.
|
Package generator converts Pomerium Policy Language into Rego. |
|
policy/parser
Package parser contains a parser for Pomerium Policy Language.
|
Package parser contains a parser for Pomerium Policy Language. |
|
policy/rules
Package rules contains useful pre-defined rego AST rules.
|
Package rules contains useful pre-defined rego AST rules. |
|
protoutil
Package protoutil contains functions for working with protobuf types.
|
Package protoutil contains functions for working with protobuf types. |
|
storage
Package storage provide generic interface to interact with storage backend.
|
Package storage provide generic interface to interact with storage backend. |
|
storage/inmemory
Package inmemory contains an in-memory implementation of the databroker backend.
|
Package inmemory contains an in-memory implementation of the databroker backend. |
|
storage/redis
Package redis implements the storage.Backend interface for redis.
|
Package redis implements the storage.Backend interface for redis. |
|
Package proxy is a pomerium service that provides reverse proxying of internal routes.
|
Package proxy is a pomerium service that provides reverse proxying of internal routes. |
Click to show internal directories.
Click to hide internal directories.