Configuration & Settings Reference
For details on how to set configuration settings, see the configuration internals page.
| Name | Description | Type |
|---|---|---|
| Authenticate Callback Path | The authenticate callback path is the path/URL on the authenticate service that will receive the response from your identity provider. | string |
| Authenticate Service URL | Authenticate Service URL is the externally accessible URL for the authenticate service. | URL |
| Authorize Log Fields | Use Authorize Log Fields to display HTTP request logs from the authorize service. | string |
| Authorize Service URL | Authorize Service URL is the location of the internally accessible authorize service. | URL |
| Autocert | Turning on autocert allows Pomerium to automatically retrieve, manage, and renew public-facing TLS certificates from Let's Encrypt. | bool |
| Autocert Directory | Autocert directory is the path in which Autocert will store X.509 certificate data. | string |
| Autocert EAB Key ID | Autocert EAB Key ID is the key identifier used when requesting a certificate from a CA with External Account Binding enabled. | string |
| Autocert EAB MAC Key | Autocert EAB MAC Key is the base64, URL-encoded secret key corresponding to the Autocert EAB Key ID. | string |
| Autocert Email | Autocert Email is the email address to use when requesting certificates from an ACME CA. | email |
| Autocert Use Staging | The Autocert Use Staging setting allows you to use Let's Encrypt's staging environment, which has more lenient usage limits than the production environment. | bool |
| Certificate Authority | Certificate Authority is set when behind-the-ingress service communication uses self-signed certificates. | string |
| Default Upstream Timeout | Default Upstream Timeout is the default timeout applied to a proxied route when no timeout key is specified by the policy. | |
| | A bundle of PEM-encoded X.509 certificates that will be treated as trust anchors when verifying client certificates. | string |
| | A bundle of PEM-encoded certificate revocation lists to be consulted during certificate validation. | string |
| | Controls Pomerium's behavior when a client does not present a trusted client certificate. | string |
| | Sets a limit on the depth of a certificate chain presented by the client. | string |
| | Manage client certificate requirements for end users connecting to Pomerium-managed routes with the downstream mTLS settings. | |
| | Sets the lifetime of session cookies. After this interval, users must reauthenticate. | datetime |
| Timeouts | Timeouts set the global server timeouts. Timeouts can also be set for individual routes. | |
| GRPC Insecure | If set, GRPC Insecure disables transport security for communication between the proxy and authorize components. | bool |
| HTTP Redirect Address | If set, the HTTP Redirect Address specifies the host and port on which to redirect HTTP traffic to HTTPS. | string |
| | (Deprecated) If true, instructs browsers to only send user session cookies over HTTPS. | bool |
| Client ID | Client ID is the OAuth 2.0 Client Identifier retrieved from your identity provider. | string |
| Client Secret | Client Secret is the OAuth 2.0 Secret Identifier retrieved from your identity provider. | string |
| | File path containing the client secret, the OAuth 2.0 Secret Identifier retrieved from your identity provider. | string |
| | Sets the minimum and maximum delay times between requests to the identity provider directory. | string |
| Provider | Provider is the short-hand name of a built-in OpenID Connect (OIDC) identity provider to be used for authentication. | string |
| Headers | Headers specifies a mapping of HTTP headers to be added to proxied requests. Nota bene: downstream application headers will be overwritten by Pomerium's headers on conflict. | map of string key/value pairs |
| Identity Provider Scopes | Identity provider scopes correspond to access privilege scopes as defined in Section 3.3 of the OAuth 2.0 specification, RFC 6749. | comma-separated strings |
| | Configure and self-host your own Identity Provider with Pomerium's Identity Provider settings. | string |
| Provider URL | Provider URL is the base path to an identity provider's OpenID Connect discovery document. | string |
| | Sets the time after which a downstream or upstream connection will be terminated if there are no active streams. | |
| Insecure Server | Turning on insecure server mode will result in Pomerium starting and operating without any protocol encryption in transit. | bool |
| JWT Claim Headers | The JWT Claim Headers setting allows you to pass specific user session data to upstream applications as HTTP request headers and additional JWT claims. | slice of string |
| | Secure service communication can fail if the external certificate does not match the internally routed service hostname/SNI. | string |
| Pass Identity Headers | The global Pass Identity Headers setting passes identity headers to all upstream applications. | bool |
| Pass Identity Headers | When set, Pass Identity Headers passes identity headers to the upstream application. | bool |