Configuration & Settings Reference
For details on how to set configuration settings, see the configuration internals page.
Name
Description
Type
Allows all requests for any authenticated user or service account. Use with caution.
bool
The authenticate callback path is the path/url from the authenticate service that will receive the response from your identity provider.
string
Authorize Service URL is the location of the internally accessible Authorize service.
URL
Turning on autocert allows Pomerium to automatically retrieve, manage, and renew public-facing TLS certificates from Let's Encrypt.
bool
Autocert directory is the path in which Autocert will store X.509 certificate data.
string
Autocert EAB Key ID is the key identifier when requesting a certificate from a CA with External Account Binding enabled.
string
Autocert EAB MAC Key is the base64, url-encoded secret key corresponding to the Autocert EAB Key ID.
string
Autocert Email is the email address to use when requesting certificates from an ACME CA.
email
Autocert Use Staging setting allows you to use Let's Encrypt's staging environment, which has more lenient usage limits than the production environment.
bool
The cluster token that associates this cluster with a personal account or organization.
A customizable name that identifies a cluster. Defaults to the cluster's randomly generated starter domain name.
The randomly generated starter domain assigned to this cluster. This domain is not changeable, and is designed to be used as a proof of concept.
A custom wildcard subdomain used to define routes in this cluster. Can only be associated with 1 cluster.
Sets the database connection string used to connect the Databroker service to the storage backend.
string
Sets the default timeout applied to a proxied route when no timeout key is specified by the policy.
Adds the explanation presented to an unauthorized user when they access a route with this policy. Optional.
string
Instructs Pomerium to send a static HTTP response to the downstream client for a managed route.
Specifies the response body that Pomerium returns for a static HTTP response. Type: String. For example, 'plain text.'
Sets the status code that Pomerium returns for a static HTTP response. Type: Integer. For example, 200.
A bundle of PEM-encoded X.509 certificates that will be treated as trust anchors when verifying client certificates.
string
A bundle of PEM-encoded certificate revocation lists to be consulted during certificate validation.
string
Controls Pomerium's behavior when a client does not present a trusted client certificate.
string
Sets a limit on the depth of a certificate chain presented by the client.
string
Manage client certificate requirements for end users connecting to Pomerium-managed routes with downstream mTLS settings.
Sets the lifetime of session cookies. After this interval, users must reauthenticate.
datetime
Adds the explanation presented to an unauthorized user when they access a route with this policy. Optional.
string
The external URL for a proxied request. Must contain a scheme and hostname, and must not contain a path.
URL
Timeouts set the global server timeouts. Timeouts can also be set for individual routes.
Specifies the ':authority' header value in a gRPC health check request. Optional.
string
Specifies the service name parameter sent to the gRPC service. Optional.
string
If set, GRPC Insecure disables transport security for communication between the proxy and authorize components.
bool
Issues periodic health check requests to upstream servers. Unhealthy servers won't serve traffic.
array of objects
The number of healthy health checks required before a host is marked healthy. Required.
UInt32Value
The number of unhealthy health checks required before a host is marked unhealthy. Required.
UInt32Value
Rewrites the Host header according to a regular expression matching the substitution.
string
Rewrites the Host header according to a regular expression matching the path.
string
Specifies which application protocol to use. Optional.
CodecClientType
Defines a range of HTTP response statuses that are considered healthy. Optional.
Int64Range
The Host header value in the HTTP health check request. If empty, the name of the cluster this health check is associated with will be used. Optional.
string
If set, HTTP Redirect Address specifies the host and port on which HTTP traffic is redirected to HTTPS.
string
The OAuth 2.0 Client Identifier retrieved from an identity provider.
string
The OAuth 2.0 Secret Identifier retrieved from an identity provider.
string
File path containing the client secret, the OAuth 2.0 Secret Identifier retrieved from your identity provider.
string
Sets the minimum and maximum delay times between requests to the identity provider directory.
string
The short-hand name of an OIDC identity provider used for authentication.
string
Specifies a mapping of HTTP headers to be added to proxied requests. Downstream application headers will be overwritten by Pomerium's headers on conflict.
map of strings key value pairs
IdP scopes correspond to access privilege scopes. For example, 'openid', 'profile', 'email', or 'offline_access'.
comma separated strings
Configure and self-host your own Identity Provider with Pomerium's Identity Provider settings.
string
Sets the time at which a downstream or upstream connection will be terminated if there are no active streams.
Sets the time to terminate the upstream connection if there are no active streams. Defaults to 5 minutes.
duration
Turning on insecure server mode will result in Pomerium starting and operating without any protocol encryption in transit.
bool
If applied, prevents JavaScript in browsers from reading user session cookies.
bool
Passes user session data to upstream applications as HTTP Request Headers and additional JWT claims.
slice of string