Skip to main content

Deploying to Production

This page covers the topic of running Pomerium in a production configuration.

Before deploying Pomerium to Production, you should have already tested Pomerium in one or more demo environments and confirmed:

  • A working connection to your IdP.
  • Working test routes to your upstream services, including JWT verification where applicable.
  • For Pomerium Enterprise, a working demo of the Pomerium Enterprise Console, with confirmed access for your Admins and Managers.

SSL/TLS Certificates

Pomerium utilizes TLS end to end, so the placement, certificate authorities and covered subjects are critical to align correctly.

In a typical deployment, a minimum of two certs are required:

  • A wildcard certificate which covers the external from names, the Proxy service's external name and the Authenticate service's external name
    • Must be trusted by user browsers or clients
    • Must cover subject names from the user perspective
  • A certificate which covers the Authorize service's name
    • Must be trusted by the Proxy
    • Must cover the subject name from the Proxy's perspective

If you have L7 load balancing in front of the Proxy/Authenticate:

  • Your wildcard certificate should live on the load balancer
  • Your Authenticate and Proxy services will need a certificate accepted by the load balancer
  • Your load balancer can be configured to verify the identity of the Authenticate and Proxy certificates

If you have TLS enabled applications behind the proxy:

  • you may provide a client certificate for the Proxy service to connect to downstream services with and verify
  • the Proxy may be configured to verify the name and certificate authority of downstream services with either the standard Root CA bundle or a custom CA

Securing Pomerium

Pomerium is a tool for securing your infrastructure while adhering to the principles of Zero Trust. But that doesn't mean that your stack is "secure" right out of the box. Additionally, security is a battle of give and take; more security often comes at the cost of more complexity, both for the administrator and the end-user. What layers of security you choose to apply (and how you configure them) is highly dependent on your use case.

While we can't tell you what tools and technologies are right for you, we've compiled a list of all the security-related documentation we have, organized to help you discover what path to take.

Background and Concepts

If you're just getting started, we suggest reviewing the following pages:

  • Background - A quick primer on the failures of legacy models of "perimeter security" and an introduction to the concept of Zero Trust.
  • Architecture - Learn how Pomerium is broken down into component services. How you choose to deploy Pomerium will set the stage for the kind of security practices that apply to your stack.
  • Mutual Authentication: A Component of Zero Trust - Zero Trust's core principle could be said as "trust nothing without first (and continuously) verifying it". Mutual authentication is a big part of bringing that principle to bear. This page explains the concept and how it's achieved across several different layers of the network stack.
  • Glossary - Keep this page handy for when you run into new or unfamiliar terminology.

TLS Certificates

The long-time standard for server identity verification, the use of TLS certificates has exploded ever since Let's Encrypt made it possible for anyone to get a trusted certificate for free.

User Identity and Context

Part of Pomerium's strength comes from the ability to pass user identity and context to your upstream service. This enables repeated verification of authorization throughout a system.

Device Identity

Often overlooked or confused with multi-factor authentication (MFA), device identity (and posture) is one of the most important and under-utilized aspects of a strong zero trust security model.

  • Device Identity provides background on the concept, and points the reader on how to configure policies that use device identity, and enroll devices in both open-source and Enterprise environments.

Service Mesh

If you've read through all the docs linked above, first of all wow. That's a lot to absorb, kudos to you. But if you got this far and you're overwhelmed thinking about how to manage mutual authentication, user context verification, etc, between all your various applications, then you're primed and ready for a service mesh. A service mesh is a software component that acts as an infrastructure layer to facilitate the communication (and authentication) between services.

  • Our Istio guide covers integration between Pomerium and Istio, the most common service mesh.