# From Source
This document covers how to retrieve and build Pomerium from its source code, as well as how to run Pomerium using a minimal but complete configuration. One of the benefits of compiling from source is that Go supports building static binaries for a wide array of architectures and operating systems.
Retrieve the latest copy of Pomerium's source code by cloning the repository.

```bash
git clone https://github.com/pomerium/pomerium.git $HOME/pomerium
```
# Create local certs
In production, we'd use a public certificate authority such as LetsEncrypt. For local development, we can use mkcert to make locally trusted development certificates with any names you'd like.
```bash
# Install mkcert.
go get -u github.com/FiloSottile/mkcert
# Bootstrap mkcert's root certificate into your operating system's trust store.
mkcert -install
# Create your wildcard domain.
# *.localhost.pomerium.io is a helper domain we've hard-coded to route to localhost
mkcert "*.localhost.pomerium.io"
```
Build Pomerium from source in a single step using make.
```bash
cd $HOME/pomerium
make
```
Make will run all the tests, some code linters, then build the binary. If all is good, you should now have a freshly built Pomerium binary for your architecture and operating system in the
Pomerium supports setting configuration variables using both environment variables and a configuration file.
# Configuration file
Create a config file (`config.yaml`). This file will be used to determine Pomerium's configuration settings, routes, and access policies. Consider the following example:
```yaml
# See detailed configuration settings : https://www.pomerium.com/docs/reference/

# this is the domain the identity provider will callback after a user authenticates
authenticate_service_url: https://authenticate.localhost.pomerium.io

# certificate settings: https://www.pomerium.com/docs/reference/certificates.html
autocert: true

# REMOVE FOR PRODUCTION
autocert_use_staging: true

# identity provider settings : https://www.pomerium.com/docs/identity-providers.html
idp_provider: google
idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME

# Generate 256 bit random keys e.g. `head -c32 /dev/urandom | base64`
cookie_secret: WwMtDXWaRDMBQCylle8OJ+w4kLIDIGd8W3cB4/zFFtg=

# https://pomerium.io/reference/#routes
routes:
  - from: https://verify.localhost.pomerium.io
    to: https://verify.pomerium.com
    policy:
      - allow:
          or:
            - email:
                is: firstname.lastname@example.org
    pass_identity_headers: true
```
Finally, run Pomerium, specifying the configuration file:

```bash
make && ./bin/pomerium -config config.yaml
```
verify.localhost.pomerium.io. Connections between you and verify will now be proxied and managed by Pomerium.
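
The example configuration above contains values that are only safe for local development: the `REPLACE_ME` placeholders, the staging flag marked `REMOVE FOR PRODUCTION`, and a `cookie_secret` that is printed on this page. The following check is an added example, not part of Pomerium or its documentation. The function names and the `LINT_FINDINGS` variable are hypothetical, and it assumes these settings appear as top-level `key: value` lines as they do above.

```shell
#!/bin/sh
# Added example, not Pomerium code: lint the tutorial's config.yaml before reuse.
# Only top-level "key: value" scalars are read; keys missing from the file are
# skipped, since Pomerium can also take them from environment variables.

# cookie_secret printed in the example config on this page (public, so unusable).
TUTORIAL_SECRET='WwMtDXWaRDMBQCylle8OJ+w4kLIDIGd8W3cB4/zFFtg='

# cfg_get KEY FILE: print KEY's value with trailing comment and quotes removed.
cfg_get() {
  sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1 |
    sed -e 's/[[:space:]][[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
        -e "s/^[\"']//" -e "s/[\"']\$//"
}

# finding FILE MESSAGE: print one finding and count it.
finding() {
  printf '%s: %s\n' "$1" "$2"
  LINT_FINDINGS=$((LINT_FINDINGS + 1))
}

# lint_pomerium_config FILE: returns 0 when clean, 1 otherwise;
# the number of findings is left in LINT_FINDINGS.
lint_pomerium_config() {
  LINT_FINDINGS=0
  for key in idp_client_id idp_client_secret; do
    if [ "$(cfg_get "$key" "$1")" = "REPLACE_ME" ]; then
      finding "$1" "$key is still the REPLACE_ME placeholder"
    fi
  done
  if [ "$(cfg_get autocert_use_staging "$1")" = "true" ]; then
    finding "$1" "autocert_use_staging is true (marked REMOVE FOR PRODUCTION)"
  fi
  secret=$(cfg_get cookie_secret "$1")
  if [ -n "$secret" ]; then
    if [ "$secret" = "$TUTORIAL_SECRET" ]; then
      finding "$1" "cookie_secret is the published sample value"
    fi
    # The config comment asks for a 256-bit key, i.e. 32 bytes once decoded.
    bytes=$(printf '%s' "$secret" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    if [ "$bytes" -ne 32 ]; then
      finding "$1" "cookie_secret decodes to $bytes bytes, expected 32"
    fi
  fi
  [ "$LINT_FINDINGS" -eq 0 ]
}

# Stand-alone use: sh lint.sh config.yaml
if [ "$#" -gt 0 ]; then lint_pomerium_config "$1"; fi
```

Run against the unmodified example config, it reports four findings; a file with real identity provider credentials, no staging flag, and a freshly generated key passes.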