# Pomerium using Docker

In the following quick-start, we'll create a minimal but complete environment for running Pomerium with containers.

# Prerequisites

# Configure

# Configuration file

Create a configuration file (e.g config.yaml) for defining Pomerium's configuration settings, routes, and access-policies. Consider the following example:

# See detailed configuration settings : https://www.pomerium.io/docs/reference/reference/

# this is the domain the identity provider will callback after a user authenticates
authenticate_service_url: https://authenticate.localhost.pomerium.io

# certificate settings:  https://www.pomerium.io/docs/reference/certificates.html
autocert: true

# REMOVE FOR PRODUCTION
autocert_use_staging: true

# identity provider settings : https://www.pomerium.io/docs/identity-providers.html
idp_provider: google
idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME

# Generate 256 bit random keys  e.g. `head -c32 /dev/urandom | base64`
cookie_secret: WwMtDXWaRDMBQCylle8OJ+w4kLIDIGd8W3cB4/zFFtg=

# https://www.pomerium.io/configuration/#policy
policy:
  - from: https://verify.localhost.pomerium.io
    to: https://verify.pomerium.com
    allowed_users:
      - bdd@pomerium.io
    pass_identity_headers: true

Ensure the docker-compose.yml contains the correct path to your config.yaml.

# Autocert Docker-compose

Ensure you have set up the requisite DNS and port forwarding in TLS certificates

Download the following docker-compose.yml file and modify it to:

version: "3"
services:
  pomerium:
    image: pomerium/pomerium:latest
    environment:
      # Generate new secret keys. e.g. `head -c32 /dev/urandom | base64`
      - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
    volumes:
      # Use a volume to store ACME certificates
      - pomerium:/data:rw
    ports:
      - 443:443

  # https://verify.corp.beyondperimeter.com --> Pomerium --> http://verify
  verify:
    image: pomerium/verify:latest
    expose:
      - 80

Please note that you should use a persistent volume to store certificate data, or you may exhaust your domain quota on Let's Encrypt.

# Wildcard Docker-compose

Download the following docker-compose.yml file and modify it to:

version: "3"
services:
  pomerium:
    image: pomerium/pomerium:latest
    environment:
      # Generate new secret keys. e.g. `head -c32 /dev/urandom | base64`
      - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
    volumes:
      # Mount your domain's certificates : https://www.pomerium.io/docs/reference/certificates
      - ~/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer:/pomerium/cert.pem:ro
      - ~/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key:/pomerium/privkey.pem:ro
      # Mount your config file : https://www.pomerium.io/docs/reference/reference/
      - ../config/config.minimal.yaml:/pomerium/config.yaml:ro
    ports:
      - 443:443

  # https://verify.corp.beyondperimeter.com --> Pomerium --> http://verify
  verify:
    image: pomerium/verify:latest
    expose:
      - 80

# Run

Finally, simply run docker compose.

docker-compose up

Docker will automatically download the required container images (opens new window) for Pomerium and verify (opens new window). Then, Pomerium will run with the configuration details set in the previous steps.

You should now be able access to the routes (e.g. https://verify.localhost.pomerium.io) as specified in your policy file.

You can also navigate to the special pomerium endpoint verify.corp.yourdomain.example/.pomerium/ to see your current user details.

currently logged in user