How do I set up Pomerium with Google OAuth for authentication?

Pomerium supports OIDC providers like Google OAuth. You need to create OAuth credentials in Google Cloud, then configure the client ID and secret in Pomerium's YAML configuration file. Detailed steps are available in the official documentation, including examples for common identity providers.

What's the difference between Pomerium and Cloudflare Access?

Pomerium is an open-source, self-hostable zero-trust proxy that offers full control and customization, while Cloudflare Access is a SaaS solution with easier deployment but potential vendor lock-in. Pomerium is better for teams needing on-premises or cloud flexibility, whereas Cloudflare Access suits those preferring a managed service.

Does Pomerium support SSH tunneling or access?

No, Pomerium is designed for web applications and HTTP/HTTPS traffic only. It does not support non-HTTP protocols like SSH or RDP. For such needs, you would require additional tools or consider VPN alternatives that handle raw TCP traffic.

How to scale Pomerium for high-traffic production environments?

Pomerium is built in Go and can be scaled horizontally using load balancers and multiple instances. However, as a reverse proxy, it adds latency; optimizing with caching, proper resource allocation, and monitoring can help maintain performance under heavy loads.

Can Pomerium be used as an API gateway?

While Pomerium can secure APIs with identity-aware access controls, it lacks advanced API gateway features like rate limiting, request transformation, or API versioning. It's best suited for access control rather than comprehensive API management, so consider supplementing with other tools if needed.

What identity providers does Pomerium work with?

Pomerium integrates with any OIDC-compliant identity provider, such as Google, Azure AD, Okta, or Keycloak. It also supports SAML and other protocols via extensions, but OIDC is the primary method, and configuration details vary by provider as outlined in the docs.

Open-Awesome

Pomerium

Apache-2.0Gov0.32.8Self-Hosted

A zero-trust identity and context-aware reverse proxy for secure, clientless access to internal web apps without a VPN.

Visit Website GitHub

4.8k stars334 forks0 contributors

What is Pomerium?

Pomerium is an identity and context-aware reverse proxy that enables secure, clientless access to internal web applications and services. It replaces traditional corporate VPNs by building zero-trust connections that verify every action before allowing access, ensuring continuous security and auditability.

Target Audience

Organizations and DevOps teams needing secure remote access to internal applications, especially those looking to replace or augment VPNs with a zero-trust, identity-aware solution.

Value Proposition

Developers choose Pomerium for its clientless, tunnel-free architecture that provides faster, more secure access than VPNs, with granular context-aware policies and continuous verification for every request.

Overview

Pomerium is an identity and context-aware access proxy.

Use Cases

Best For

Securely exposing internal web applications to remote employees without a VPN
Implementing zero-trust network access (ZTNA) for cloud or on-premises services
Replacing legacy VPN infrastructure with a modern, identity-aware proxy
Enforcing context-aware access policies based on user identity and device context
Auditing and verifying every access request to internal resources
Providing clientless browser-based access to internal tools and dashboards

Not Ideal For

Projects requiring access to non-HTTP protocols like SSH or RDP, as Pomerium is primarily designed for web traffic.
Organizations with simple, static access controls that don't need the overhead of identity-aware policies and continuous verification.
Teams seeking a fully managed, plug-and-play solution without any self-hosting or configuration, as Pomerium requires setup with identity providers.

Pros & Cons

Pros

Clientless Browser Access

Users can securely connect to internal applications directly from their browser without installing any software, eliminating the need for corporate VPN clients as emphasized in the README.

Zero-Trust Security Model

Implements continuous verification where every action is audited and verified before execution, providing a high-security standard that moves beyond traditional VPNs.

Context-Aware Access Policies

Integrates organizational data to make intelligent, tailored access decisions based on user identity and context, which is a core feature highlighted in the philosophy.

Tunnel-Free Architecture

Deploys alongside applications for faster, more direct access without VPN tunneling overhead, improving performance as described in the key features.

Cons

Complex Identity Integration

Requires setup with OIDC or similar identity providers, which can be challenging and time-consuming for teams without prior experience in identity management.

Limited Protocol Support

Focused primarily on HTTP/HTTPS traffic, so it's not suitable for securing non-web services or protocols, which may necessitate additional tools.

Management Overhead

Self-hosted deployments demand ongoing configuration, maintenance, and monitoring, unlike fully managed solutions, potentially increasing operational burden.

Frequently Asked Questions

Related Projects

Kubernetes

Production-Grade Container Scheduling and Management

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Stars71,637

Forks18,960

Last commit3 days ago

traefik

The Cloud Native Application Proxy

Stars63,596

Forks6,040

Last commit3 days ago

Gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD

Stars56,177

Forks6,781

Last commit1 day ago

Community-curated · Updated weekly · 100% open source

Found a gem we're missing?

Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.

Submit a project Star on GitHub

Pomerium

Apache-2.0Gov0.32.8Self-Hosted

A zero-trust identity and context-aware reverse proxy for secure, clientless access to internal web apps without a VPN.

Visit Website GitHub

4.8k stars334 forks0 contributors

What is Pomerium?

Target Audience

Organizations and DevOps teams needing secure remote access to internal applications, especially those looking to replace or augment VPNs with a zero-trust, identity-aware solution.

Value Proposition

Overview

Pomerium is an identity and context-aware access proxy.

Use Cases

Best For

Securely exposing internal web applications to remote employees without a VPN
Implementing zero-trust network access (ZTNA) for cloud or on-premises services
Replacing legacy VPN infrastructure with a modern, identity-aware proxy
Enforcing context-aware access policies based on user identity and device context
Auditing and verifying every access request to internal resources
Providing clientless browser-based access to internal tools and dashboards

Not Ideal For

Projects requiring access to non-HTTP protocols like SSH or RDP, as Pomerium is primarily designed for web traffic.
Organizations with simple, static access controls that don't need the overhead of identity-aware policies and continuous verification.
Teams seeking a fully managed, plug-and-play solution without any self-hosting or configuration, as Pomerium requires setup with identity providers.

Pros & Cons

Pros

Clientless Browser Access

Users can securely connect to internal applications directly from their browser without installing any software, eliminating the need for corporate VPN clients as emphasized in the README.

Zero-Trust Security Model

Implements continuous verification where every action is audited and verified before execution, providing a high-security standard that moves beyond traditional VPNs.

Context-Aware Access Policies

Integrates organizational data to make intelligent, tailored access decisions based on user identity and context, which is a core feature highlighted in the philosophy.

Tunnel-Free Architecture

Deploys alongside applications for faster, more direct access without VPN tunneling overhead, improving performance as described in the key features.

Cons

Complex Identity Integration

Requires setup with OIDC or similar identity providers, which can be challenging and time-consuming for teams without prior experience in identity management.

Limited Protocol Support

Focused primarily on HTTP/HTTPS traffic, so it's not suitable for securing non-web services or protocols, which may necessitate additional tools.

Management Overhead

Self-hosted deployments demand ongoing configuration, maintenance, and monitoring, unlike fully managed solutions, potentially increasing operational burden.

Frequently Asked Questions

Related Projects

Kubernetes

Production-Grade Container Scheduling and Management

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Stars71,637

Forks18,960

Last commit3 days ago

traefik

The Cloud Native Application Proxy

Stars63,596

Forks6,040

Last commit3 days ago

Gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD

Stars56,177

Forks6,781

Last commit1 day ago

Community-curated · Updated weekly · 100% open source

Found a gem we're missing?

Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.

Submit a project Star on GitHub