# TCP Support
Operations and engineering teams frequently require access to lower level administrative and data protocols such as SSH, RDP, Postgres, MySQL, Redis, etc.
In addition to managing HTTP based applications, Pomerium can be used to protect non-HTTP systems with the same consistent authorization policy. This is achieved by tunneling TCP over HTTP with the help of a client side command built into
Internally, Pomerium uses the
CONNECT method (opens new window) to establish the TCP tunnel.
To minimize issues with TCP support, Pomerium should not be placed behind another HTTP proxy. Instead, configure your load balancer in L4 or TCP mode.
Otherwise, the HTTP proxy in front of Pomerium must know how to properly handle the
CONNECT command and proxy it upstream. This capability will be specific to each proxy implementation.
policy: - from: tcp+https://redis.corp.example.com:6379 to: tcp://redis.internal.example.com:6379 allowed_users: - email@example.com allowed_groups: - firstname.lastname@example.org
- When configuring a TCP route, any HTTP specific settings such as
set_request_headershave no effect.
- While data is encrypted from a user system to Pomerium's proxy, the underlying application protocol must also support encryption for data to be fully encrypted end-to-end.
- The ports in
toare independent. Users only need to know the
fromURL to connect. The
tocan be changed without end user participation.
While HTTP routes can be consumed with just a normal browser,
pomerium-cli must serve as a proxy for TCP routes. It is available for a variety of platforms in various formats.
To connect, you normally need just the external hostname and port of your TCP route:
% pomerium-cli tcp redis.corp.example.com:6379 5:57PM INF tcptunnel: listening on 127.0.0.1:52046
pomerium-cli will start a listener on loopback on a random port.
On first connection, you will be sent through a standard Pomerium HTTP authentication flow. After completing this, your TCP connection should be established!
% redis-cli -h localhost -p 52046 localhost:52046> keys * (empty array) localhost:52046>
# Advanced Usage
# Listen Configuration
You may specify an optional address and port for the
tcp command to listen on.
- specifies that STDIN and STDOUT should be directly attached to the remote TCP connection. This is useful for SSH or for sending data through a shell pipe.
# SSH Helper Configuration
A sample SSH ProxyCommand configuration in
Host *.corp.example.com ProxyCommand ~/bin/pomerium-cli tcp --listen - %h:%p
A sample SSH command using
pomerium-cli as a ProxyCommand:
ssh -o ProxyCommand='pomerium-cli tcp --listen - %h:%p' ssh.localhost.pomerium.io
More information on SSH ProxyCommand:
- https://man.openbsd.org/ssh_config.5#ProxyCommand (opens new window)
- https://www.redhat.com/sysadmin/ssh-proxy-bastion-proxyjump (opens new window)
# Custom URL
If the Pomerium proxy is not reachable through port
443 or the route is not in external DNS, a custom URL may be specified:
% pomerium-cli tcp --pomerium-url https://pomerium.corp.example.com:8443 redis.corp.example.com:6379
The above command connects to
https://pomerium.corp.example.com:8443 and then requests the TCP route named