# From Source
This document covers how to retrieve and build Pomerium from its source code, as well as how to run Pomerium using a minimal but complete configuration. One of the benefits of compiling from source is that Go supports building static binaries for a wide array of architectures and operating systems.
# Prerequisites
- git
- go programming language
- A configured identity provider
# Download
Retrieve the latest copy of Pomerium's source code by cloning the repository.

```bash
git clone https://github.com/pomerium/pomerium.git $HOME/pomerium
```
# Create local certs
In production, we'd use a public certificate authority such as Let's Encrypt. For local development, we can use mkcert to make locally trusted development certificates with any names you'd like.

```bash
# Install mkcert.
go get -u github.com/FiloSottile/mkcert
# Bootstrap mkcert's root certificate into your operating system's trust store.
mkcert -install
# Create your wildcard domain.
# *.localhost.pomerium.io is a helper domain we've hard-coded to route to localhost
mkcert "*.localhost.pomerium.io"
```
# Build
Build Pomerium from source in a single step using make.
```bash
cd $HOME/pomerium
make
```

Make will run all the tests, some code linters, then build the binary. If all is good, you should now have a freshly built Pomerium binary for your architecture and operating system in the `pomerium/bin` directory.
# Configure
Pomerium supports setting configuration variables using both environment variables and a configuration file.
# Configuration file
Create a config file (`config.yaml`). This file will be used to determine Pomerium's configuration settings, routes, and access policies. Consider the following example:

```yaml
# See detailed configuration settings : https://www.pomerium.com/docs/reference/

# this is the domain the identity provider will callback after a user authenticates
authenticate_service_url: https://authenticate.localhost.pomerium.io

# certificate settings: https://www.pomerium.com/docs/reference/certificates.html
autocert: true

# REMOVE FOR PRODUCTION
autocert_use_staging: true

# identity provider settings : https://www.pomerium.com/docs/identity-providers.html
idp_provider: google
idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME

# Generate 256 bit random keys e.g. `head -c32 /dev/urandom | base64`
# The value below is a published sample; replace it with a key you generated.
cookie_secret: WwMtDXWaRDMBQCylle8OJ+w4kLIDIGd8W3cB4/zFFtg=

# https://pomerium.io/reference/#routes
routes:
  - from: https://verify.localhost.pomerium.io
    to: https://verify.pomerium.com
    policy:
      - allow:
          or:
            - email:
                is: user@example.com
    pass_identity_headers: true
```
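A pre-flight check for the placeholders in the sample configuration above, as an added example that is not part of Pomerium or its documentation. The function names are hypothetical, and the script assumes the keys appear as top-level `key: value` lines exactly as in the sample.

```bash
# Added example: lint config.yaml for values copied straight from this guide.
# Assumption: scalar settings are top-level "key: value" lines, as in the sample.

# The sample cookie_secret printed in this guide; it is public, so never reuse it.
DOC_SAMPLE_SECRET='WwMtDXWaRDMBQCylle8OJ+w4kLIDIGd8W3cB4/zFFtg='

# Print the value of a top-level scalar key, without quotes or trailing comments.
cfg_get() {  # usage: cfg_get <file> <key>
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n1 |
    sed -e 's/[[:space:]]#.*$//' -e 's/[[:space:]]*$//' \
        -e "s/^[\"']//" -e "s/[\"']$//"
}

# Return 0 when no placeholder secrets remain, 1 otherwise (findings on stderr).
check_pomerium_config() {  # usage: check_pomerium_config <file>
  local file=$1 rc=0 key val len
  for key in idp_client_id idp_client_secret; do
    val=$(cfg_get "$file" "$key")
    if [ -z "$val" ] || [ "$val" = "REPLACE_ME" ]; then
      echo "FAIL: $key is unset or still REPLACE_ME" >&2; rc=1
    fi
  done
  val=$(cfg_get "$file" cookie_secret)
  if [ "$val" = "$DOC_SAMPLE_SECRET" ]; then
    echo "FAIL: cookie_secret is the published sample value" >&2; rc=1
  fi
  # A 256-bit key must base64-decode to exactly 32 bytes.
  len=$(( $(printf '%s' "$val" | base64 -d 2>/dev/null | wc -c) ))
  if [ "$len" -ne 32 ]; then
    echo "FAIL: cookie_secret decodes to $len bytes, expected 32" >&2; rc=1
  fi
  # Staging certificates are fine locally, so this is a warning, not a failure.
  if [ "$(cfg_get "$file" autocert_use_staging)" = "true" ]; then
    echo "WARN: autocert_use_staging is true (remove for production)" >&2
  fi
  return $rc
}

# Generate a fresh 256-bit key the way the config comment suggests.
new_cookie_secret() { head -c32 /dev/urandom | base64; }
```

Source the script and run `check_pomerium_config config.yaml` before starting Pomerium; a non-zero exit status means a placeholder or sample secret is still in the file.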
# Run
Finally, run Pomerium specifying the configuration file `config.yaml`.

```bash
make && ./bin/pomerium -config config.yaml
```
# Navigate
Browse to verify.localhost.pomerium.io. Connections between you and verify will now be proxied and managed by Pomerium.