Skip to main content

Building Pomerium From Source

This document covers how to retrieve and build Pomerium from its source code as well as how to run Pomerium using a minimal but complete configuration.



Retrieve the latest copy of Pomerium's source code by cloning the repository.

git clone $HOME/pomerium

Create local certs

In production, we'd use a public certificate authority such as LetsEncrypt. For local development, we can use mkcert to make locally trusted development certificates with any names you'd like.

# Install mkcert.
go install
# Bootstrap mkcert's root certificate into your operating system's trust store.
mkcert -install
# Create your wildcard domain.
# * is helper domain we've hard-coded to route to localhost
mkcert "*"


Build Pomerium from source in a single step using make.

cd $HOME/pomerium

Make will run all the tests, some code linters, then build the binary. If all is good, you should now have a freshly built Pomerium binary for your architecture and operating system in the pomerium/bin directory.

If you don't have the prerequisites for the tests (Docker, Redis, etc) locally, you can instead run make build to just create the binary.


Pomerium supports setting configuration variables using both environmental variables and using a configuration file. Here, we'll use a file.

Create a config file (config.yaml). This file will be use to determine Pomerium's configuration settings, routes, and access-policies. Consider the following example:

# See detailed configuration settings :

# this is the domain the identity provider will callback after a user authenticates

# certificate settings:
autocert: true
autocert_use_staging: true

# If you're using mkcert to test Pomerium locally, comment the autocert keys and uncomment
# the keys below, adjusting for your mkcert path:
# certificate_file: /home/user/.local/share/mkcert/rootCA.pem
# certificate_key_file: /user/alex/.local/share/mkcert/rootCA-key.pem

# identity provider settings :
idp_provider: google
idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME

# Generate 256 bit random keys e.g. `head -c32 /dev/urandom | base64`
cookie_secret: WwMtDXWaRDMBQCylle8OJ+w4kLIDIGd8W3cB4/zFFtg=

- from:
- allow:
- email:
pass_identity_headers: true


Finally, run Pomerium specifying the configuration file config.yaml.

./bin/pomerium -config config.yaml

Browse to Connections between you and verify will now be proxied and managed by Pomerium.