Make it simple for your team to do their work securely.
Proven scalability – built on top of Envoy proxy.
Centralized policies that authorize every single action.
Log every request regardless of identity type.
authenticate_service_url: https://authenticate.pomerium.app
routes:
  - from: https://verify.localhost.pomerium.io
    to: http://verify:8000
    policy:
      - allow:
          or:
            - email:
                is: user@example.com
Secure ingress, kubectl, Gateway API and upstream apps without a client.
Allow remote employees, contractors, and distributed teams to work securely without the latency and frustrations of VPNs.
Deploy an agentic gateway for per-request authorization and logging on all agentic requests.
See what random people on the internet have to say about us.
Have you tried Pomerium? Clientless access reverse proxy. Zero trust self-hosted setup, so no gray area like "Changes to a tailnet that were initiated by a request to Tailscale’s support team are currently not included."
Since you said "more secure" is a requirement, I highly recommend shifting away from any hosted solution. Third-party compromise is a real attack vector. Cloudflare recently experienced that when Okta's breach spilled over to them.
Use Pomerium.
Pomerium is awesome.
UNBELIEVABLE.. Nobody mentioned POMERIUM yet. What's going on? I recently discovered them a few months back, and it seems to me they are the only ones rightfully aligning with the inevitable ZTNA future!!! What am I missing? Are they not big enough? Not mainstream? Are there others improving IAM? They seem to be IAM+ or IAM on steroids.
I started with nginx proxy manager since I didn't have patience to manually edit nginx configs and tried using authelia with it, failed. Then Keycloak, same. Then I found Pomerium and I've been using it ever since. Has everything I need out of the box and it hot reloads when you save a config.
I use cloudflared + pomerium core
Awesome find, exactly what I was looking for.
I went a step further and I use pomerium reverse proxy. I chose pomerium, for yaml config making it dead simple, and the ability to add SSO before accessing any service. Basically doing what Authentik or Authelia does but easier to setup and manage. This lets me secure anything behind SSO.
You might want to check out Pomerium. It acts as an identity-aware proxy and supports Keycloak and others. Super easy to run and centrally handles authentication and authorization so you can plug all your dashboards into it and get that global login vibe. Pretty cool project, worth a look
Pomerium is open source, I'd recommend that first
This is really cool - just what I have been looking for!
Instead of using a lot of oauth2-proxys you could use pomerium instead. Pomerium has its own policies you can apply to the url. So instead of having an oauth2-proxy for every point that needs privilege separation you can just use one pomerium instance and create access policies in it.
Here’s how I approach it: Nextcloud is in a VM itself. I have another VM that runs Pomerium, a reverse proxy with simple sign on support, inside of a docker container. I use certbot-cloudflare docker to pull my certs. I have cloudflare setup with edge certs so it’s fully verified.
I’ve mostly moved to Komodo + pomerium with Nextcloud as my IDM.
One major thing I like about Pomerium is the Authorization support.
Pomerium reverse proxy. Yaml configured reverse proxy with built in SSO support to sit in front of any service. Dead simple compared to authelia et al. I use Nextcloud as my OIDC IDM. Major SAF improvement by having SSO for everything.
Have you checked out Pomerium? The proxy issues a signed JWT for each request w/ claims in headers instead of using a broad OAuth token. Just got my homelab all setup with it. Pretty straightforward.
Pomerium. Dead simple yaml configuration, built in SSO through any IDP.
Came here to learn how to secure AdGuard with a Pomeranian. Left confused.
I use PocketID. The key is to use something like Pomerium as a proxy and use that to enforce SSO…For other apps, I use their SSO integrations and configure it to re-use the credentials for Pomerium
I went with Pomerium for the following reasons:
Many IDPs. vs. LDAP or File like in Authelia
Forward Auth Mode
K8s Helm Support
Zero Knowledge (No DB like in Authelia)
Rich AuthN
Ease of configuration - I was up and running, working great within an hour!
Thanks for sharing this. I tested it with kubernetes-mcp-server and works great.
I use pocket id directly with service that handles oidc, and put all others behind a pomerium reverse proxy that will handle oidc auth before giving access to the service.
I think ztna deployments are in a minority tho. Of course there are some companies doing creative things like combining IAM and Access control, for example POMERIUM.
I don’t see a lot of cool stuff on Reddit lately. This is cool and useful. Nice job.
I like Pomerium because it’s a simple yaml to setup, no additional web server needed.
I can recommend Pomerium. We use it as identity aware proxy to protect HTTP endpoints either with Keycloak or Google as respective IDP. Works perfectly fine.
Check out Pomerium. It's a reverse proxy that enforces policy for every request…Pretty slick. Keeps it simple and gives you what you're looking for I think…
That looks amazing, opens up a ton of possibilities for the company I am in. Good work.
Nice :) I've been using pocketid with pomerium and it's been great. Thanks for all the good work!
But after setting this up, replacing my old Traefik without any auth with Pomerium + PocketId (as OIDC), I must say this is a fantastic and comfy setup.
Pomerium has been smooth, easy and nails the final security measures I wanted in the lab. Very excited to expand it to my VPSs and other servers.
Just recently found this, wanted to say great job. Pretty much exactly what I've been looking for.
I use Pomerium, and Pangolin is nice too... I like having reverse proxy and auth handled by a single tool.
I use pomerium core. It's an identity aware reverse proxy. It gives you authentication (with your preferred solution) as well as authorization.
One option is to use an MCP gateway that can manage individual users upstream oauth keys, check out https://github.com/pomerium/mcp-app-demo
Interesting, will check it out. Had to make something very similar to this about a month ago. Looks good.
Pomerium Core. Simple yaml config, OIDC redirect like authelia and such but easier to setup. Fantastic reverse proxy.
I’m really enjoying it, it’s an awesome piece of software. It honestly feels like a future of doing user and access control for my home lab.
I personally think Pomerium is the most versatile and powerful solution out there, especially if you are on Kubernetes or even Docker.
There are several competitors that can auth against almost any type of SSO. Pomerium is the one I’ve been enjoying most recently
Great for highly technical homelab users.
Always free
Great for homelab users, internal teams and small businesses managing a small number of routes.
Free for the first 10 users. Business plan starts at $7/user/mo.
Great for large enterprises, and highly sensitive deployments requiring advanced features and security controls.