Pomerium v0.27 is here! This update brings new features to Enterprise and Core, in addition to officially announcing Pomerium Zero with its own updates. We've also made a slew of performance and stability improvements.
Downloads are immediately available on GitHub, Cloudsmith, and Docker Hub for all supported platforms.
New version, new features. Here's a quick breakdown!
The Enterprise Console now includes a Report Issue widget for streamlining the feedback process. The widget is loaded from a third-party service, so if your console must not pull scripts from outside your environment, you can disable it by setting the new option --disable-feedback-widget. Fear not, we're still accepting feedback on our Discuss forums and via the usual support channels. Pigeon messengers accepted too, but they tend to get lost in flight.
The policy builder now has a new Exists condition (yes, that's the name) for use with external data source records. This condition is true when an incoming request matches any record in the selected external data source.
Here's an example use-case: you can enforce that incoming requests must match a maintained list of approved client certificates. It's like whitelisting, but for certificates!
Identity provider directory sync is improved, particularly for Okta.
The "Foreign Key" input for configuring external data sources now displays all valid choices.
The --disable-validation option has been expanded to include an additional validation mode. The existing validation modes are now represented by a new option, --validation-mode. There are now three modes:
full, the default validation mode
static, a lighter-weight validation mode that should still catch most potential issues
none, equivalent to the existing --disable-validation option
Additionally, the none mode now also disables a safety check related to overlapping certificate domain names, so prefer full or static anywhere outside of development.
New: TLS 1.3 for upstream connections. We've balanced the streams! Previously, Pomerium only supported TLS 1.3 for downstream connections from end users, but now supports upstream as well!
The Match Subject Alt Names setting now supports UserPrincipalName matching, so client certificates that carry the UPN as an otherName SAN (as issued by Active Directory Certificate Services) can be matched on that value.
The reject_connection enforcement mode now enables TLS connection failure logging. This allows you to monitor for connection attempts blocked due to mTLS requirements.
Linux-only: Improved reliability at high memory loads. Pomerium will now configure Envoy overload actions based on memory pressure, relative to an applied cgroup limit. This should improve reliability in the case of excessive memory loads. This feature can be disabled by setting the runtime flag envoy_overload_manager to false.
The Databroker Storage Connection String can now be read from a file, in line with Pomerium's other potentially sensitive configuration settings, so the database credential need not live in an environment variable or the main configuration file.
You can now configure Pomerium routes to non-HTTPS HTTP/2 upstream services by using the scheme h2c:// in a route's To URL. Note that h2c is cleartext: Pomerium still terminates TLS for the end user, but the hop to the upstream is unencrypted.
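As an added illustration (this is not configuration from the release notes or from the Pomerium project), here is an h2c:// route beside an HTTPS route to the same kind of HTTP/2 backend; the hostnames, port numbers and CA file path are placeholders assumed for the example:

```yaml
routes:
  # Cleartext HTTP/2 (e.g. gRPC without TLS). Pomerium terminates TLS on the
  # user-facing "from" side, but the hop to grpc-internal:50051 is unencrypted,
  # so keep h2c upstreams to a trusted network segment. Hostnames are placeholders.
  - from: https://grpc.example.com
    to: h2c://grpc-internal:50051

  # The same style of backend over TLS. With v0.27 Pomerium can negotiate
  # TLS 1.3 on this upstream connection. The CA file and server name are
  # assumptions for this example.
  - from: https://api.example.com
    to: https://api-internal:8443
    tls_custom_ca_file: /etc/pomerium/upstream-ca.pem
    tls_upstream_server_name: api-internal
```

The second route is the one to reach for when the backend can terminate TLS itself; reserve h2c:// for backends that cannot, and for which the network path from Pomerium is already trusted.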
The error page served by Pomerium in the case of an upstream error now includes the request ID, to aid in debugging.
All error pages served by Pomerium now include a link to the /.pomerium user info page, to aid in debugging.
Logging of gRPC requests now respects GRPC_GO_LOG_VERBOSITY_LEVEL.
Pomerium Zero, a free hosted control plane version of Pomerium, has officially been launched! Explore Pomerium Zero’s capabilities and sign up for free.
When running Zero-managed mode, Pomerium will now report usage metrics for display in a new Traffic tab in the Zero user interface. This provides a useful visualization of both overall and per-route request rate, size, and duration. It's also fascinating to stare at when Pomerium is doing its job of stopping the bots from getting in!
This release includes the following breaking changes:
Deprecated. The /.pomerium/jwt endpoint is now deprecated and disabled by default. To temporarily opt out of this deprecation, set the runtime flag pomerium_jwt_endpoint to true. This flag will be removed in a future release.
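As an added example (not configuration from the release notes or from the Pomerium project), this is how the two runtime flags mentioned in this post look in a Pomerium configuration file; it assumes the runtime_flags key, the map of flag name to boolean through which Pomerium exposes these toggles:

```yaml
# Runtime flags referenced in the v0.27 notes. Both are temporary escape
# hatches: re-enabling the deprecated JWT endpoint keeps a surface that will
# be removed in a later release, and turning off the overload manager removes
# the memory-pressure protection that is now on by default on Linux.
runtime_flags:
  # Keep /.pomerium/jwt reachable only while clients migrate off it.
  pomerium_jwt_endpoint: true
  # Opt out of Envoy overload actions driven by the cgroup memory limit.
  envoy_overload_manager: false
```

Set each flag only while you still need it and remove the override as soon as the dependency is gone, since the default (flag absent) is the supported configuration.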
Pomerium Zero Kubernetes deployments. The installation manifest now uses a Deployment rather than a StatefulSet. When upgrading, you will need to first remove the existing StatefulSet before re-installing, using a command like:
kubectl delete statefulset/pomerium -n pomerium-zero
We always recommend testing in a separate environment and backing up your database before fully implementing new releases. Feel free to reach out to us on our Discuss forums if there are any issues.
Pomerium is purpose-built for companies moving from perimeter to zero-trust and identity-based access. We are proud to support these companies with features and capabilities built specifically for their needs. To learn how Pomerium can support your organization’s needs, check out our comparison pages, documentation, or reach out to us directly.
Stay up to date with Pomerium news and announcements.