Pomerium with Prebuilt Binaries

The following quick-start guide covers how to configure and run Pomerium using prebuilt binaries.



Download the latest release of Pomerium for your machine's operating system and architecture.


Pomerium supports setting configuration variables through both environment variables and a configuration file.

Configuration file

Create a config file (config.yaml). This file determines Pomerium's configuration settings, routes, and access policies. Consider the following example:

# See detailed configuration settings : https://www.pomerium.io/reference/
authenticate_service_url: https://authenticate.corp.beyondperimeter.com
authorize_service_url: https://authorize.corp.beyondperimeter.com

# identity provider settings : https://www.pomerium.io/docs/identity-providers.html
idp_provider: google
idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME

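# route policies: each entry maps an external hostname to an upstream service
policy:
  - from: https://httpbin.corp.beyondperimeter.com
    to: http://httpbin
    # only users from these identity-provider domains are allowed
    allowed_domains:
      - pomerium.io
  - from: https://external-httpbin.corp.beyondperimeter.com
    to: https://httpbin.org
    # this route is reachable without any authentication
    allow_public_unauthenticated_access: true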

Environment Variables

As mentioned above, Pomerium supports mixing and matching configuration sources. For example, we can specify our secret values and domain certificates as environment variables, and set the rest in the configuration file.


# See : https://www.pomerium.io/docs/certificates.html
export CERTIFICATE_FILE="$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer"                      # optional, defaults to `./cert.pem`
export CERTIFICATE_KEY_FILE="$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key" # optional, defaults to `./certprivkey.pem`

# 256 bit random keys
export SHARED_SECRET="$(head -c32 /dev/urandom | base64)"
export COOKIE_SECRET="$(head -c32 /dev/urandom | base64)"
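
Because the env file above reads /dev/urandom inside command substitutions, every time it is sourced it produces new SHARED_SECRET and COOKIE_SECRET values. The following added example (not from the Pomerium project) generates the two keys once, checks that each decodes to 32 bytes, and stores them as literals in an owner-only file; the file name env.secrets and the function names are assumptions.

```shell
#!/bin/sh
# Added example: store Pomerium's two 256-bit secrets as literal values so
# that re-sourcing the env file does not silently generate new ones.

# Print one base64-encoded 32-byte (256-bit) random key.
gen_secret() {
    head -c32 /dev/urandom | base64 | tr -d '\n'
}

# Succeed only if $1 base64-decodes to exactly 32 bytes.
check_secret() {
    len=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$len" -eq 32 ]
}

# Write both secrets to file $1 (assumed name: ./env.secrets) exactly once.
# An existing file is left untouched so the keys stay stable across restarts.
write_env() {
    env_file=${1:-./env.secrets}
    if [ -e "$env_file" ]; then
        echo "$env_file exists; keeping current secrets" >&2
        return 0
    fi
    shared=$(gen_secret)
    cookie=$(gen_secret)
    check_secret "$shared" && check_secret "$cookie" || return 1
    (
        umask 077   # new file gets mode 0600: owner read/write only
        {
            printf 'export SHARED_SECRET="%s"\n' "$shared"
            printf 'export COOKIE_SECRET="%s"\n' "$cookie"
        } > "$env_file"
    )
}

# When run with a path argument, create the file; then: . ./env.secrets
if [ "$#" -gt 0 ]; then
    write_env "$1"
fi
```

Source the generated file in place of the two random-key export lines; the certificate variables stay as they are.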


Finally, source the configuration env file and run Pomerium, specifying config.yaml.

source ./env
./bin/pomerium -config config.yaml

Browse to external-httpbin.your.domain.example. Connections between you and httpbin will now be proxied and managed by Pomerium.