Skip to main content

Policy (Deprecated)

danger

The policy field as a top-level configuration key has been replaced with routes. Moving forward, define policies within each defined route.

Existing policy definitions will currently behave as expected, but are deprecated and will be removed in a future version of Pomerium.

Policy contains route specific settings, and access control details. If you are configuring via POLICY environment variable, just the contents of the policy needs to be passed. If you are configuring via file, the policy should be present under the policy key. For example,

# This file contains only policy and route configuration details. Other
# configuration settings required by pomerium are excluded for clarity.
# See: https://www.pomerium.com/docs/reference/

#
# For a complete self contained configuration see : config.example.yaml.
# Or, mix and match a policy file (this) with env vars : config.example.env

# Proxied routes and per-route policies are defined in a policy block
# NOTA BENE: You must uncomment the below 'policy' key if you are loading policy as a file.
# policy:
- from: https://verify.localhost.pomerium.io
to: http://localhost:8000
allowed_domains:
- pomerium.io
cors_allow_preflight: true
timeout: 30s
- from: https://external-verify.localhost.pomerium.io
to: https://verify.pomerium.com
allowed_domains:
- gmail.com
- from: https://weirdlyssl.localhost.pomerium.io
to: http://neverssl.com
allowed_users:
- user@example.com
allowed_groups:
- admins
- developers
- from: https://hello.localhost.pomerium.io
to: http://localhost:8080
allowed_groups:
- admins@pomerium.io

Policy routes are checked in the order they appear in the policy, so more specific routes should appear before less specific routes. For example:

policy:
- from: http://from.example.com
to: http://to.example.com
prefix: /admin
allowed_groups: ["superuser"]
- from: http://from.example.com
to: http://to.example.com
allow_public_unauthenticated_access: true

In this example, an incoming request with a path prefix of /admin would be handled by the first route (which is restricted to superusers). All other requests for from.example.com would be handled by the second route (which is open to the public).

A list of configuration variables specific to policy follows Note that this also shares all configuration variables listed under routes, excluding policy and its child variables.