
Service URL Settings

Pomerium's service URL settings control how the different Pomerium services communicate with each other.

The authenticate service URL setting also controls whether Pomerium will run its own authenticate service or use the Hosted Authenticate Service.

The other service URL settings are needed only for split service deployments. When running in all-in-one mode (which is the recommended mode), these settings are not needed.

Authenticate Service URL

The Authenticate Service URL setting defines the externally accessible URL where Pomerium redirects end users (clients) to authenticate against an identity provider.

If not set, Pomerium will use the Hosted Authenticate Service.

If you prefer to use your own identity provider, you must set an authenticate service URL. You will also need this URL when configuring the OAuth callback URL of your identity provider client.

If Pomerium is running in split-service mode, each Pomerium service requires the authenticate service URL in its configuration.

Info: Pomerium will use the Hosted Authenticate Service by default in configurations that don't specify an authenticate service URL.

See the Self-Hosted Authenticate Service page if you prefer to use your own authenticate service.

How to configure

| Config file keys | Environment variables | Type | Usage |
| --- | --- | --- | --- |
| authenticate_service_url | AUTHENTICATE_SERVICE_URL | URL | optional |

Examples

authenticate_service_url: https://authenticate.corp.example.com
AUTHENTICATE_SERVICE_URL=https://authenticate.corp.example.com

Authenticate Internal Service URL

The Authenticate Internal Service URL setting is only required for split-service mode deployments where Pomerium can’t access the public Authenticate Service URL.

If set, the Authenticate Internal Service URL will be used for communication between other Pomerium services and the authenticate service.

How to configure

| Config file keys | Environment variables | Type | Usage |
| --- | --- | --- | --- |
| authenticate_internal_service_url | AUTHENTICATE_INTERNAL_SERVICE_URL | URL | *optional |

* If authenticate_internal_service_url is omitted and authenticate_service_url isn't defined, Pomerium defaults to the Hosted Authenticate Service.

Examples

authenticate_internal_service_url: https://authenticate.internal
AUTHENTICATE_INTERNAL_SERVICE_URL=https://authenticate.internal

Authorize Service URL

The Authorize Service URL setting defines the location of Pomerium's internally accessible Authorize Service.

Note: Unlike the Authenticate Service, the Authorize Service has no publicly accessible HTTP handlers, so this setting is purely for gRPC communication.

If your load balancer does not support gRPC pass-through, you must set this value to an internally routable location (https://pomerium-authorize-service.default.svc.cluster.local) instead of an externally routable one (https://authorize.corp.example.com).

How to configure

| Config file keys | Environment variables | Type | Usage |
| --- | --- | --- | --- |
| authorize_service_url | AUTHORIZE_SERVICE_URL | URL | required (Inferred in all-in-one mode to be localhost) |
| authorize_service_urls | AUTHORIZE_SERVICE_URLS | URL | required (Inferred in all-in-one mode to be localhost) |

Examples

You can specify multiple URLs as an array with the authorize_service_urls key:

authorize_service_urls:
- https://localhost:5443
- https://authorize.corp.example.com

AUTHORIZE_SERVICE_URL=https://pomerium-authorize-service.default.svc.cluster.local

Authorize Internal Service URL

The Authorize Internal Service URL setting is only required for split-service mode deployments where Pomerium can’t access the public Authorize Service URL.

If included, Authorize Internal Service URL will override Authorize Service URL.

How to configure

| Config file keys | Environment variables | Type | Usage |
| --- | --- | --- | --- |
| authorize_internal_service_url | AUTHORIZE_INTERNAL_SERVICE_URL | URL | required (Inferred in all-in-one mode to be localhost) |

Examples

authorize_internal_service_url: https://pomerium-authorize-service.default.svc.cluster.local
AUTHORIZE_INTERNAL_SERVICE_URL=https://localhost:5443

Databroker Service URL

The Databroker Service URL setting points to a databroker, which is responsible for storing the associated authorization context (for example, sessions, users, and user groups).

How to configure

| Config file keys | Environment variables | Type | Default |
| --- | --- | --- | --- |
| databroker_service_url | DATABROKER_SERVICE_URL | URL | http://localhost:5443 (In all-in-one mode) |
| databroker_service_urls | DATABROKER_SERVICE_URLS | URL | http://localhost:5443 (In all-in-one mode) |

Examples

databroker_service_urls:
- http://databroker.corp.example1.com
- https://databroker.corp.example2.com

DATABROKER_SERVICE_URL=https://databroker.corp.example.com

Databroker Internal Service URL

The Databroker Internal Service URL overrides databroker_service_url when determining the TLS certificate for the Databroker service to listen with.

How to configure

| Config file keys | Environment variables | Type | Default |
| --- | --- | --- | --- |
| databroker_internal_service_url | DATABROKER_INTERNAL_SERVICE_URL | URL | http://localhost:5443 (In all-in-one mode) |
| databroker_internal_service_urls | DATABROKER_INTERNAL_SERVICE_URLS | URL | http://localhost:5443 (In all-in-one mode) |

Examples

databroker_internal_service_urls:
- http://localhost:5443
- http://service_url.com

DATABROKER_INTERNAL_SERVICE_URL=http://localhost:5443
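
The override and default rules from the sections above, applied to an already-parsed config file, as an added example (not Pomerium's own code). The helper `audit_service_urls` and its finding levels are hypothetical, and the cleartext-http warning is an assumed local review policy, not documented Pomerium behaviour.

```python
from urllib.parse import urlsplit

# Keys are the ones listed on this page: service -> (public keys, internal keys).
KEYS = {
    "authenticate": (["authenticate_service_url"], ["authenticate_internal_service_url"]),
    "authorize": (["authorize_service_url", "authorize_service_urls"], ["authorize_internal_service_url"]),
    "databroker": (["databroker_service_url", "databroker_service_urls"],
                   ["databroker_internal_service_url", "databroker_internal_service_urls"]),
}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def _collect(cfg, keys):
    """Gather URL values; a key may hold one string or a list of strings."""
    out = []
    for key in keys:
        value = cfg.get(key) or []
        out += [value] if isinstance(value, str) else list(value)
    return out

def audit_service_urls(cfg, split_mode=False):
    """Return (effective, findings) for a parsed config dict (hypothetical helper)."""
    effective, findings = {}, []
    for svc, (public_keys, internal_keys) in KEYS.items():
        public, internal = _collect(cfg, public_keys), _collect(cfg, internal_keys)
        # Internal URL wins when set; for the databroker the page describes this
        # override in terms of the TLS certificate the service listens with.
        effective[svc] = internal or public
        if not effective[svc]:
            if svc == "authenticate":
                findings.append(("info", svc, "unset: Hosted Authenticate Service is used"))
            elif split_mode and svc == "authorize":
                findings.append(("error", svc, "required in split-service mode"))
            elif split_mode:
                findings.append(("warn", svc, "default is documented for all-in-one mode only"))
            continue
        for url in public + internal:
            parts = urlsplit(url)
            if parts.scheme not in ("http", "https") or not parts.hostname:
                findings.append(("error", svc, f"not an http(s) URL with a host: {url}"))
            elif parts.scheme == "http" and parts.hostname not in LOCAL_HOSTS:
                # Assumed local policy, not Pomerium behaviour: flag cleartext to remote hosts.
                findings.append(("warn", svc, f"cleartext http to a non-local host: {url}"))
    return effective, findings

SAMPLE = {  # constructed from this page's example values
    "authorize_service_urls": ["https://localhost:5443", "https://authorize.corp.example.com"],
    "authorize_internal_service_url": "https://pomerium-authorize-service.default.svc.cluster.local",
    "databroker_service_urls": ["http://databroker.corp.example1.com", "https://databroker.corp.example2.com"],
}
```

Calling `audit_service_urls(SAMPLE, split_mode=True)` reports that the Hosted Authenticate Service is in use and flags the one `http://` databroker URL.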