# Binaries

This document covers how to configure and run Pomerium using the official prebuilt binaries.

# Prerequisites

# Download

You can download the latest release from GitHub, or use the repositories we provide through Cloudsmith (opens new window). In addition to the easy updates provided by the package manager, the deb and rpm packages include systemd service unit configurations.

# Operating System Packages

Through Cloudsmith (opens new window), we provide OS packages for Linux distributions using deb and rpm style package managers. Select your system's package format and architecture, then use the Setup tab to add the repository to your package manager.

# Standalone Binary

Download (opens new window) the latest release of Pomerium for your machine's operating system and architecture.

# Configure

Pomerium supports setting configuration variables using both environmental variables and using a configuration file.

# Configuration file

When using our OS packages, we provide a default configuration at /etc/pomerium/config.yaml. Otherwise, create the config file (config.yaml) in your preferred location.

This file will be used to determine Pomerium's configuration settings, routes, and access-policies. Consider the following example:

# See detailed configuration settings : https://www.pomerium.com/docs/reference/

# this is the domain the identity provider will callback after a user authenticates
authenticate_service_url: https://authenticate.localhost.pomerium.io

# certificate settings:  https://www.pomerium.com/docs/reference/certificates.html
autocert: true

autocert_use_staging: true

# identity provider settings : https://www.pomerium.com/docs/identity-providers.html
idp_provider: google
idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME

# Generate 256 bit random keys  e.g. `head -c32 /dev/urandom | base64`
cookie_secret: WwMtDXWaRDMBQCylle8OJ+w4kLIDIGd8W3cB4/zFFtg=

# https://pomerium.io/reference/#routes
  - from: https://verify.localhost.pomerium.io
    to: https://verify.pomerium.com
      - allow:
            - email:
                is: user@example.com
    pass_identity_headers: true

You can also set some or all of your configuration keys as environment variables, in an env file for example. See the Reference page to identify the environment variable for each configuration option.

# Run

# OS Package

  1. The following command allows the Pomerium systemd service to bind to privileged port (opens new window) 443:

    echo -e "[Service]\nAmbientCapabilities=CAP_NET_BIND_SERVICE" | sudo SYSTEMD_EDITOR=tee systemctl edit pomerium
  2. Enable and start the service:

    sudo systemctl enable --now pomerium.service

# Manual Installation

Source the configuration env file, if present, and run pomerium specifying the config.yaml .

./bin/pomerium -config config.yaml

Browse to external-verify.your.domain.example. Connections between you and verify (opens new window) will now be proxied and managed by Pomerium.

Last Updated: 1/11/2022, 6:36:47 PM

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. Pomerium is a registered trademark.