Skip to main content

Pomerium Fundamentals

Welcome to Pomerium Fundamentals, a series of courses designed to teach you the basics of Pomerium so you can secure your apps with confidence.

Each course provides a structured approach to learning how Pomerium works. There are 10 courses in all.

Head to Get Started to get a Pomerium instance up and running. From there, you'll add on to your configuration file in each tutorial.

Below, we’ve included some background information about Pomerium and reverse proxies (if you're not unfamiliar).

Reverse Proxies: a Primer

What is a Reverse Proxy?

A reverse proxy is a server that sits between a client (like your browser) and an application’s origin server. When a client sends a request to an application behind a reverse proxy, the proxy receives the request before forwarding it to the origin server. When the origin server responds, the reverse proxy receives the request before sending it back to the client.

This model affords several benefits:


Because reverse proxies sit in front of an application’s origin server, the origin server’s IP address is hidden. If a malicious attacker attempts to overload or compromise the origin server, the reverse proxy would be targeted instead.

Load Balancing

You can use reverse proxies in your load balancing strategy to distribute traffic to available, healthy servers. So, if a website experiences high volumes of traffic, the reverse proxy can distribute traffic to a healthy server so that no single server is overloaded.

Transport Layer Security (TLS)

TLS encryption is computationally expensive for an origin server. A reverse proxy relieves the burden on the origin server because it can decrypt incoming requests and encrypt outgoing responses.

Check out these posts to learn more:

Pomerium Architecture

To use Pomerium effectively, it helps to understand how Pomerium communicates with clients, identity providers, and upstream applications.

Request Lifecycle

This diagram illustrates how Pomerium handles client requests to access upstream applications:

The request lifecyle

Head to our Architecture page to see these steps in detail and to learn more about how Pomerium at a system and component level.

Pomerium Terminology

You’ll come across a lot of reverse proxy terminology in our documentation and guided tutorials that may not be intuitive or understandable at first.

Below are are a few terms you should know:

  • Resource, Asset, Application, or Service: These terms all essentially represent the same thing: a sensitive destination within your private network that you want to secure behind Pomerium. We typically try not to use “resource” or “asset” because, well, they can mean different things depending on the context.
  • Downstream and Upstream: Pomerium sits between a client and a web app or service. If Pomerium is in the middle, then the client is “downstream” of Pomerium, and the protected app or service is “upstream” of Pomerium.

See our Glossary to review more terms.