Run ToolJet with Docker
Run Pomerium with Docker Compose to secure your ToolJet application.
What is ToolJet?
ToolJet is a self-hosted, low-code platform that helps you build and deploy internal developer tools.
Why use Pomerium with ToolJet?
Pomerium can secure ToolJet by applying policy to its route so that only certain users are granted access.
ToolJet provides its own RBAC-based permissions and several user authentication flows, so proxied requests will require users to sign in twice.
Before you begin
To complete this guide, you need:
Set up Pomerium
Create a config.yaml file and add the following code:
authenticate_service_url: https://authenticate.localhost.pomerium.io
idp_provider: github
idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME
# Update the signing key: https://www.pomerium.com/docs/reference/signing-key
signing_key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSURRemVZWDZyT2tuemFnTjRJVTYxaEtRc3pzY1EvRllmbzZPcXhWd2YvdGZvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFc1V0V2psYXZ3eHprSU9DVUNDeFVnTDJza2NjL3QxSTFmQXlxUDgrMWw5YU1CWDlzdm1pYgpRajJxcWFUbUJZZWhuQzhmak5LODZmVXhpc3d1SXN5bnp3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
routes:
  - from: https://verify.localhost.pomerium.io
    to: http://verify:8000
    policy:
      - allow:
          or:
            - email:
                is: user@example.com
    pass_identity_headers: true
  - from: https://tooljet.localhost.pomerium.io
    to: http://tooljet:80
    host_rewrite_header: true
    policy:
      - allow:
          or:
            - email:
                is: user@example.com
Next, you need to:
- Update the IdP configuration variables with your own (See the GitHub guide for more information)
- Replace user@example.com with the email associated with your IdP
- Generate a signing key
To generate a signing key, use the commands below:
# Generates a P-256 (ES256) signing key
openssl ecparam -genkey -name prime256v1 -noout -out ec_private.pem
# Prints the base64 encoded value of the signing key
cat ec_private.pem | base64
Add the base64-encoded signing key to the signing_key variable in your config.yaml file.
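A pre-deployment check for the three steps above, added here as an example (not code from the Pomerium or ToolJet projects): it flags IdP values still set to REPLACE_ME and a signing_key that is the guide's sample key, is not single-line base64 of an EC private key PEM, or is not on P-256. The function names are hypothetical, and the config is read by simple line matching rather than a YAML parser.

```python
import base64
import re

# Sample signing_key printed in the config.yaml above; it is public, so it must be replaced.
DOC_SAMPLE_KEY = (
    "LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSURRemVZWDZyT2tuemFnTjRJ"
    "VTYxaEtRc3pzY1EvRllmbzZPcXhWd2YvdGZvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFc1V0V2ps"
    "YXZ3eHprSU9DVUNDeFVnTDJza2NjL3QxSTFmQXlxUDgrMWw5YU1CWDlzdm1pYgpRajJxcWFUbUJZ"
    "ZWhuQzhmak5LODZmVXhpc3d1SXN5bnp3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo="
)
P256_OID = bytes.fromhex("06082a8648ce3d030107")  # DER OID of prime256v1 (1.2.840.10045.3.1.7)
PEM_RE = re.compile(r"-----BEGIN EC PRIVATE KEY-----(.+?)-----END EC PRIVATE KEY-----", re.S)


def top_level(config_text, key):
    """Value of an unindented `key: value` line, or None (line match, not a YAML parser)."""
    m = re.search(rf"^{re.escape(key)}:[ \t]*(\S*)", config_text, re.M)
    return m.group(1).strip("'\"") if m else None


def key_der(value):
    """Decode base64 -> PEM -> DER; raise ValueError naming the step that failed."""
    try:
        pem = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        raise ValueError("signing_key is not valid single-line base64") from None
    m = PEM_RE.search(pem)
    if not m:
        # Typical cause: only the first line of wrapped base64 output was pasted.
        raise ValueError("signing_key does not decode to a complete EC private key PEM")
    return base64.b64decode(m.group(1))


def check_signing_key(value):
    if not value:
        return ["signing_key is missing or empty"]
    try:
        der = key_der(value)
    except ValueError as exc:
        return [str(exc)]
    checks = [(der == key_der(DOC_SAMPLE_KEY), "signing_key is the sample key published in the guide"),
              (P256_OID not in der, "signing_key is not a P-256 key")]
    return [msg for hit, msg in checks if hit]


def check_config(config_text):
    findings = [f"{k} is still REPLACE_ME" for k in ("idp_client_id", "idp_client_secret")
                if top_level(config_text, k) == "REPLACE_ME"]
    return findings + check_signing_key(top_level(config_text, "signing_key"))
```

On Linux, GNU base64 wraps its output at 76 columns by default; `base64 -w 0` prints the key on a single line that can be pasted as the signing_key value.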
Add Pomerium services to Docker Compose
Update docker-compose.yaml with the following configuration:
networks:
  main: {}
services:
  pomerium:
    image: cr.pomerium.com/pomerium/pomerium:latest
    volumes:
      ## Mount your config file: https://www.pomerium.com/docs/reference/
      - ./config.yaml:/pomerium/config.yaml:ro
    ports:
      - 443:443
    ## A network alias is only required when using `localhost.pomerium.io`
    networks:
      main:
        aliases:
          - authenticate.localhost.pomerium.io
  ## https://verify.localhost.pomerium.io --> Pomerium --> http://verify
  verify:
    networks:
      main: {}
    image: cr.pomerium.com/pomerium/verify:latest
    expose:
      - 8000
  tooljet:
    networks:
      main: {}
    tty: true
    stdin_open: true
    image: tooljet/tooljet-ce:latest
    restart: always
    env_file: .env
    ## Publishing port 80 on the host makes ToolJet reachable without passing through Pomerium;
    ## Pomerium itself reaches ToolJet at http://tooljet:80 over the `main` network
    ports:
      - 80:80
    depends_on:
      - postgres
    environment:
      SERVE_CLIENT: "true"
      PORT: "80"
    command: npm run start:prod
  postgres:
    networks:
      main: {}
    image: postgres:13
    restart: always
    ## Publishing port 5432 makes the database reachable from the host with the password set below
    ports:
      - 5432:5432
    volumes:
      - postgres:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=postgres
volumes:
  postgres:
    driver: local
    driver_opts:
      o: bind
      type: none
      device: ${PWD}/postgres_data
  certs:
  logs:
  fallbackcerts:
This configuration also includes the Docker image to run ToolJet.