Policy (Deprecated)
The policy field as a top-level configuration key has been replaced with routes. Moving forward, define policies within each defined route.
Existing policy definitions will currently behave as expected, but are deprecated and will be removed in a future version of Pomerium.
Policy contains route-specific settings and access control details. If you are configuring via the POLICY environment variable, pass just the contents of the policy. If you are configuring via a file, the policy should be present under the policy key. For example:
```yaml
# This file contains only policy and route configuration details. Other
# configuration settings required by pomerium are excluded for clarity.
# See: https://www.pomerium.com/docs/reference/
#
# For a complete self contained configuration see : config.example.yaml.
# Or, mix and match a policy file (this) with env vars : config.example.env
# Proxied routes and per-route policies are defined in a policy block
# NOTA BENE: You must uncomment the below 'policy' key if you are loading policy as a file.
# policy:
- from: https://verify.localhost.pomerium.io
  to: http://localhost:8000
  allowed_domains:
    - pomerium.io
  cors_allow_preflight: true
  timeout: 30s
- from: https://external-verify.localhost.pomerium.io
  to: https://verify.pomerium.com
  allowed_domains:
    - gmail.com
- from: https://weirdlyssl.localhost.pomerium.io
  to: http://neverssl.com
  allowed_users:
    - user@example.com
- from: https://hello.localhost.pomerium.io
  to: http://localhost:8080
  allowed_users:
    - user@example.com
```
Policy routes are checked in the order they appear in the policy, so more specific routes should appear before less specific routes. For example:
```yaml
policy:
  - from: http://from.example.com
    to: http://to.example.com
    prefix: /admin
    allowed_users: ['superuser@example.com']
  - from: http://from.example.com
    to: http://to.example.com
    allow_public_unauthenticated_access: true
```
In this example, an incoming request with a path prefix of /admin would be handled by the first route (which is restricted to superusers). All other requests for from.example.com would be handled by the second route (which is open to the public).
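The first-match rule above is easy to get wrong when routes are reordered: if the public route were listed first, it would also catch /admin and the superuser restriction would never apply. The following Python example is added here to illustrate that; it is not Pomerium's own code. It models Pomerium's ordered route selection in a simplified way (host from `from`, plus an optional `prefix` or `path`), and adds a small lint, `find_shadowed`, that reports routes which an earlier, broader route on the same host makes unreachable. The policy list is a constructed Python copy of the YAML example above.

```python
from urllib.parse import urlsplit

# Constructed copy of the page's policy example, as Python dicts so the
# example runs without a YAML library.
POLICY = [
    {"from": "http://from.example.com", "to": "http://to.example.com",
     "prefix": "/admin", "allowed_users": ["superuser@example.com"]},
    {"from": "http://from.example.com", "to": "http://to.example.com",
     "allow_public_unauthenticated_access": True},
]


def _host(url):
    return urlsplit(url).hostname


def route_matches(route, url):
    """Simplified matcher: the request host must equal the route's `from` host;
    if the route carries `path` (exact) or `prefix`, the request path must match too."""
    parts = urlsplit(url)
    if parts.hostname != _host(route["from"]):
        return False
    if "path" in route:
        return parts.path == route["path"]
    if "prefix" in route:
        return parts.path.startswith(route["prefix"])
    return True


def select_route(policies, url):
    """Index of the first matching route (routes are evaluated in listed
    order, so the first match wins), or None when nothing matches."""
    for i, route in enumerate(policies):
        if route_matches(route, url):
            return i
    return None


def _covers(earlier, later):
    """True if every request `later` could match is already caught by `earlier`."""
    if _host(earlier["from"]) != _host(later["from"]):
        return False
    if "path" not in earlier and "prefix" not in earlier:
        return True  # `earlier` matches the whole host
    later_path = later.get("path") or later.get("prefix")
    if later_path is None:
        return False  # `later` is broader than `earlier`, not covered by it
    if "path" in earlier:
        return later.get("path") == earlier["path"]
    return later_path.startswith(earlier["prefix"])


def find_shadowed(policies):
    """Return (shadowed_index, shadowing_index) pairs: routes that can never be
    selected because a broader route for the same host precedes them."""
    found = []
    for j in range(len(policies)):
        for i in range(j):
            if _covers(policies[i], policies[j]):
                found.append((j, i))
                break
    return found


def is_public(route):
    return bool(route.get("allow_public_unauthenticated_access"))


if __name__ == "__main__":
    for order, label in ((POLICY, "page order"), (list(reversed(POLICY)), "reversed")):
        idx = select_route(order, "http://from.example.com/admin/users")
        print(label, "-> /admin/users hits route", idx,
              "(public)" if is_public(order[idx]) else "(superusers only)",
              "shadowed:", find_shadowed(order))
```

Running the block prints that in page order /admin/users reaches the superuser-only route and nothing is shadowed, while in reversed order the same request lands on the public route and the admin route is reported as shadowed by index 0. Real Pomerium route matching also supports regex and other matchers not modelled here, so treat the lint as a sanity check on ordering, not a complete policy evaluator.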
A list of configuration variables specific to policy follows. Note that policy also shares all configuration variables listed under routes, excluding policy and its child variables.