Service URL Settings
Pomerium's service URL settings control how the different Pomerium services communicate with each other.
The authenticate service URL setting also controls whether Pomerium will run its own authenticate service or use the Hosted Authenticate Service.
The other service URL settings are needed only for split service deployments. When running in all-in-one mode (which is the recommended mode), these settings are not needed.
Authenticate Service URL
The Authenticate Service URL setting defines the externally accessible URL where Pomerium redirects end users (clients) to authenticate against an identity provider.
If not set, Pomerium will use the Hosted Authenticate Service.
If you prefer to use your own identity provider, you'll need to set an authenticate service URL, and you will need this URL when configuring your identity provider client's OAuth callback URL.
If Pomerium is running in split-service mode, each Pomerium service requires the authenticate service URL in its configuration.
Pomerium will use the Hosted Authenticate Service by default in configurations that don't specify an authenticate service URL.
See the Self-Hosted Authenticate Service page if you prefer to use your own authenticate service.
How to configure
- Core
- Enterprise
- Kubernetes
| Config file keys | Environment variables | Type | Usage |
|---|---|---|---|
authenticate_service_url | AUTHENTICATE_SERVICE_URL | URL | optional |
Examples
authenticate_service_url: https://authenticate.corp.example.com
AUTHENTICATE_SERVICE_URL=https://authenticate.corp.example.com
authenticate_service_url is a bootstrap configuration setting and is not configurable in the Console.
| [Parameter name](/docs/k8s/reference#spec | Type | Usage |
|---|---|---|
authenticate.url | URL | optional |
Examples
authenticate:
url: https://authenticate.corp.example.com
See the Kubernetes - Global Configuration for more information.
Authenticate Internal Service URL
The Authenticate Internal Service URL setting is only required for split-service mode deployments where Pomerium can’t access the public Authenticate Service URL.
If set, the Authenticate Internal Service URL will be used for communication between other Pomerium services and the authenticate service.
How to configure
- Core
- Enterprise
- Kubernetes
| Config file keys | Environment variables | Type | Usage |
|---|---|---|---|
authenticate_internal_service_url | AUTHENTICATE_INTERNAL_SERVICE_URL | URL | *optional |
* Excluding the authenticate_internal_service_url defaults to the hosted authenticated service if authenticate_service_url isn't defined.
Examples
authenticate_internal_service_url: https://authenticate.internal
AUTHENTICATE_INTERNAL_SERVICE_URL=https://authenticate.internal
authenticate_internal_service_url is a bootstrap configuration setting and is not configurable in the Console.
Kubernetes does not support authenticate_internal_service_url
Authorize Service URL
The Authorize Service URL setting defines the location of Pomerium's internally accessible Authorize Service.
Unlike the Authenticate Service, the Authorize Service has no publicly accessible HTTP handlers, so this setting is purely for gRPC communication.
If your load balancer does not support gRPC pass-through, you must set this value to an internally routable location (https://pomerium-authorize-service.default.svc.cluster.local) instead of an externally routable one (https://authorize.corp.example.com).
How to configure
- Core
- Enterprise
- Kubernetes
| Config file keys | Environment variables | Type | Usage |
|---|---|---|---|
authorize_service_url | AUTHORIZE_SERVICE_URL | URL | required (Inferred in all-in-one mode to be localhost) |
authorize_service_urls | AUTHORIZE_SERVICE_URLS | URL | required (Inferred in all-in-one mode to be localhost) |
Examples
You can specify multiple URLs as an array with the authorize_service_urls key:
authorize_service_urls:
- https://localhost:5443
- https://authorize.corp.example.com
AUTHORIZE_SERVICE_URL=https://pomerium-authorize-service.default.svc.cluster.local
authorize_service_url/s is a bootstrap configuration setting and is not configurable in the Console.
The authorize_service_url is not customizable in all-in-one mode with the CRD
Authorize Internal Service URL
The Authorize Internal Service URL setting is only required for split-service mode deployments where Pomerium can’t access the public Authorize Service URL.
If included, Authorize Internal Service URL will override Authorize Service URL.
How to configure
- Core
- Enterprise
- Kubernetes
| Config file keys | Environment variables | Type | Usage |
|---|---|---|---|
authorize_internal_service_url | AUTHORIZE_INTERNAL_SERVICE_URL | URL | required (Inferred in all-in-one mode to be localhost) |
Examples
authorize_internal_service_url: https://pomerium-authorize-service.default.svc.cluster.local
AUTHORIZE_INTERNAL_SERVICE_URL=https://localhost:5443
authorize_internal_service_url is a bootstrap configuration setting and is not configurable in the Console.
Kubernetes does not support authorize_internal_service_url
Databroker Service URL
The Databroker Service URL settings points to a databroker which is responsible for storing associated authorization context (for example, sessions, users, and user groups).
How to configure
- Core
- Enterprise
- Kubernetes
| Config file keys | Environment variables | Type | Default |
|---|---|---|---|
databroker_service_url | DATABROKER_SERVICE_URL | URL | http://localhost:5443 (In all-in-one mode) |
databroker_service_urls | DATABROKER_SERVICE_URLS | URL | http://localhost:5443 (In all-in-one mode) |
Examples
databroker_service_urls:
- http://databroker.corp.example1.com
- https://databroker.corp.example2.com
DATABROKER_SERVICE_URL=https://databroker.corp.example.com
databroker_service_url and databroker_internal_service_urls are bootstrap configuration settings and are not configurable in the Console.
databroker_service_url is not customizable in Kubernetes for all-in-one mode deployments
Databroker Internal Service URL
The Databroker Internal Service URL overrides databroker_service_url when determining the TLS certificate for the Databroker service to listen with.
How to configure
- Core
- Enterprise
- Kubernetes
| Config file keys | Environment variables | Type | Default |
|---|---|---|---|
databroker_internal_service_url | DATABROKER_INTERNAL_SERVICE_URL | URL | http://localhost:5443 (In all-in-one mode) |
databroker_internal_service_urls | DATABROKER_INTERNAL_SERVICE_URLS | URL | http://localhost:5443 (In all-in-one mode) |
Examples
databroker_internal_service_urls:
- http://localhost:5443
- http://service_url.com
DATABROKER_INTERNAL_SERVICE_URL=http://localhost:5443
databroker_internal_service_url and databroker_internal_service_urls are bootstrap configuration settings and are not configurable in the Console.
databroker_internal_service_url is not customizable in Kubernetes