Skip to main content

Tunneled Git Connections

When hosting a self-hosted Git server like GitLab behind Pomerium, you can protect desktop client access to the source code with the same identity-aware access as the web interface using an encrypted TCP tunnel.

Long-lived connections behavior

When you create a TCP or Websocket connection, Pomerium validates the access policy at the time the connection is made.

Currently, there is no mechanism in place to terminate long-running connections if a policy becomes invalid.


This example assumes you've already created a TCP route for this service.

Basic Connection

  1. Create a TCP tunnel, using either pomerium-cli or the Pomerium Desktop client. These examples use Git connections over SSH:

    pomerium-cli tcp --listen :2202

    The --listen flag is optional. It lets you define what port the tunnel listens on locally. If not specified, the client will choose a random available port.

  2. Clone the repository using the tunneled connection as a remote:

    git clone ssh://git@

Now when you first initiate a pull, push, or fetch command your web browser will open to authenticate and authorize the connection.

Always Tunnel through Pomerium

Because Git uses the SSH protocol, we can define a Host block in our local SSH configuration file to initiate the tunneled connection whenever it's needed.

  1. Open your local SSH configuration file at ~/.ssh/config and add a new Hosts block:

    Host git-tunnel
    User git
    ProxyCommand pomerium-cli tcp --listen - %h:%p
  2. For each repository, clone using this host:

    git clone git@git-tunnel:userName/projectName

If you've already defined an SSH configuration for all domains managed by Pomerium as described in our SSH Example, you can skip the first step above and define your new remote with the Git server's domain name.

More Resources