# Pomerium using Docker
In the following quick-start, we'll create a minimal but complete environment for running Pomerium with containers.
# Prerequisites
- A configured identity provider
- Docker (opens new window) and docker-compose (opens new window)
- TLS certificates
# Configure
# Configuration file
Create a configuration file (e.g config.yaml) for defining Pomerium's configuration settings, routes, and access-policies. Consider the following example:
# See detailed configuration settings : https://www.pomerium.io/docs/reference/reference/
# this is the domain the identity provider will callback after a user authenticates
authenticate_service_url: https://authenticate.localhost.pomerium.io
# certificate settings: https://www.pomerium.io/docs/reference/certificates.html
autocert: true
# REMOVE FOR PRODUCTION
autocert_use_staging: true
# identity provider settings : https://www.pomerium.io/docs/identity-providers.html
idp_provider: google
idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME
# Generate 256 bit random keys e.g. `head -c32 /dev/urandom | base64`
cookie_secret: WwMtDXWaRDMBQCylle8OJ+w4kLIDIGd8W3cB4/zFFtg=
# https://www.pomerium.io/configuration/#policy
policy:
- from: https://verify.localhost.pomerium.io
to: https://verify.pomerium.com
allowed_users:
- bdd@pomerium.io
pass_identity_headers: true
Ensure the docker-compose.yml contains the correct path to your config.yaml.
# Autocert Docker-compose
Ensure you have set up the requisite DNS and port forwarding in TLS certificates
Download the following docker-compose.yml file and modify it to:
- generate new secrets
- mount your TLS certificates
- mount your
config.yamlconfiguration file - Set
autocert_use_stagingtofalseonce you have finished testing
version: "3"
services:
pomerium:
image: pomerium/pomerium:latest
environment:
# Generate new secret keys. e.g. `head -c32 /dev/urandom | base64`
- COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
volumes:
# Use a volume to store ACME certificates
- pomerium:/data:rw
ports:
- 443:443
# https://verify.corp.beyondperimeter.com --> Pomerium --> http://verify
verify:
image: pomerium/verify:latest
expose:
- 80
Please note that you should use a persistent volume to store certificate data, or you may exhaust your domain quota on Let's Encrypt.
# Wildcard Docker-compose
Download the following docker-compose.yml file and modify it to:
- generate new secrets
- mount your TLS certificates
- mount your
config.yamlconfiguration file
version: "3"
services:
pomerium:
image: pomerium/pomerium:latest
environment:
# Generate new secret keys. e.g. `head -c32 /dev/urandom | base64`
- COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
volumes:
# Mount your domain's certificates : https://www.pomerium.io/docs/reference/certificates
- ~/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer:/pomerium/cert.pem:ro
- ~/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key:/pomerium/privkey.pem:ro
# Mount your config file : https://www.pomerium.io/docs/reference/reference/
- ../config/config.minimal.yaml:/pomerium/config.yaml:ro
ports:
- 443:443
# https://verify.corp.beyondperimeter.com --> Pomerium --> http://verify
verify:
image: pomerium/verify:latest
expose:
- 80
# Run
Finally, simply run docker compose.
docker-compose up
Docker will automatically download the required container images (opens new window) for Pomerium and verify (opens new window). Then, Pomerium will run with the configuration details set in the previous steps.
You should now be able access to the routes (e.g. https://verify.localhost.pomerium.io) as specified in your policy file.
You can also navigate to the special pomerium endpoint verify.corp.yourdomain.example/.pomerium/ to see your current user details.
