While we’ve been cooking up something big, we have some nice entrees to whet your appetite. Pomerium v0.21 is packed with performance improvements, bug fixes, new features, and feature updates, including:
Authenticate Service is Now Stateless
TCP Gateway Support
Automatic TLS for Internal Services
Forward Authentication is Deprecated
Stateless authenticate means that you can scale more elastically with fewer resource requirements. The result makes Pomerium:
More flexible to deploy
More performant
Easier to manage
Organizations may not want to create public DNS records or pin public certificates for TCP connections and services like SSH, as doing so gives the public potential insight into the organization’s internal network (it’s better to avoid people knowing you have something than to keep them away from that something).
So, let’s keep that private. Pomerium now acts as a public-facing gateway for TCP connections, ensuring internal information is not leaked to the public internet just to broker that connection. Traffic will go through Pomerium and be redirected to where it needs to go, ensuring malicious snoopers have no idea what’s in your network.
If you like to manually set your certificates, you still can!
However, we wanted to reduce overhead around certificate management, so Pomerium’s internal services now set up TLS automatically, out of the box. Previously, administrators needed to supply that certificate themselves or have a process for certificate management. With v0.21, administrators don’t need to!
With no additional configuration necessary, you can be assured that all the communications between Pomerium’s internal services are encrypted, authenticated, and confidential.
Forward auth was introduced in early versions of Pomerium to provide a gradual migration path for users of other reverse proxies to Pomerium.
Since then, Pomerium has come a long way: it is now based around a first-class reverse proxy core (Envoy) and has been battle-tested for many years. Unfortunately, supporting forward authentication mode provides a subpar experience in security (cookies cannot be stripped from upstream requests) and configuration (misconfiguration issues are common and hard to troubleshoot); it’s also not compatible with many of Pomerium’s newer features and deployment scenarios.
If there’s any feature you were previously able to leverage using forward auth and a third-party proxy, let us know. We are committed to feature parity with all major proxies in the ecosystem.
If you enjoy looking at squashed bugs, here’s the full changelog.
We always recommend testing new releases in a separate environment before fully implementing them. If you run into any issues, don't hesitate to let us know by submitting a report on the Pomerium GitHub issue tracker. In addition to the usual bug fixes and general improvements, this release also includes some exciting new features.
Using Pomerium at work? Pomerium Enterprise is purpose-built for companies moving from perimeter to zero trust and identity-based access methods. We are proud to support these companies with features and capabilities built specifically for their needs. To learn how Pomerium can support your organization’s needs, check out our GitHub, documentation, or reach out to us directly.