Installing Pomerium on Clear Linux

Pomerium is an open-source, identity-aware access proxy that provides cross-domain SSO (Single Sign-On) authentication and authorization for your application. It helps to secure your applications, APIs, and services using your existing identity provider.

Clear Linux is an open-source, Linux-based operating system that provides excellent performance and security. In this tutorial, we will show you how to install Pomerium on Clear Linux and secure a sample web application.

Prerequisites

• A machine running Clear Linux
• A user account with sudo privileges
• A domain name or a DNS server that resolves Pomerium's hostname.

Step 1: Install Pomerium on Clear Linux

To install Pomerium on Clear Linux, follow these steps:

1. Open a terminal on your Clear Linux machine and run the following command to download and extract the latest Pomerium release:

   curl -L https://github.com/pomerium/pomerium/releases/latest/download/pomerium-linux-amd64.tar.gz -o pomerium.tar.gz
   tar -xvzf pomerium.tar.gz
   

2. Next, navigate to the newly extracted pomerium directory:

   cd pomerium-*
   

3. Install Pomerium by running the following command:

   sudo ./install -a
   

   This command installs Pomerium as a systemd service, copies the Pomerium binary to /usr/local/bin, and creates a sample configuration file in /etc/pomerium.

   This command also enables Pomerium to start automatically at boot time.

4. Start the Pomerium service by running the following command:

   sudo systemctl start pomerium
   

   Verify that Pomerium is running correctly by checking its status:

   sudo systemctl status pomerium
   

   You should see the following output if Pomerium is running correctly:

   ● pomerium.service - Pomerium
   Loaded: loaded (/etc/systemd/system/pomerium.service; enabled; vendor preset: disabled)
   Active: active (running) since ...
   ...
   

Step 2: Configure Pomerium

Now that Pomerium is installed, we need to configure it to secure a sample web application. In this example, we will use a web application running on port 5000.

1. Open the Pomerium configuration file:

   sudo vim /etc/pomerium/config.yaml
   

2. Find the routes section and add the following configuration block:

   routes:
     - from: https://webapp.example.com
       to: http://localhost:5000
   

   Replace https://webapp.example.com with your hostname or domain name.

   This configuration tells Pomerium to forward any requests to https://webapp.example.com to http://localhost:5000.

3. Find the authorize_service and authenticate_service sections and configure them according to your identity provider. For example, to use Google OAuth, configure these sections as follows:

   authorize_service:
     ...
     providers:
       google:
         client_id: "<your-google-oauth-client-id>"
         client_secret: "<your-google-oauth-client-secret>"
         authorization_url: "https://accounts.google.com/o/oauth2/auth"
         token_url: "https://accounts.google.com/o/oauth2/token"
         scopes: ["https://www.googleapis.com/auth/userinfo.profile", "https://www.googleapis.com/auth/userinfo.email"]
         maps:
            email: "email"
            groups: "groups"
          
   authenticate_service:
     ...
     idp:
       provider: "google"
       client_id: "<your-google-oauth-client-id>"
       client_secret: "<your-google-oauth-client-secret>"
       authorization_url: "https://accounts.google.com/o/oauth2/auth"
       token_url: "https://accounts.google.com/o/oauth2/token"
       scopes: ["https://www.googleapis.com/auth/userinfo.profile", "https://www.googleapis.com/auth/userinfo.email"]
       redirect_url: "https://webapp.example.com/_oauth2/callback"
     session:
        name: "_pomerium"
        secret: "<your-session-secret>"
   

   Substitute <your-google-oauth-client-id>, <your-google-oauth-client-secret>, and <your-session-secret> with your own values.

   Save and close the configuration file.

Step 3: Launch the Sample Web Application

In this example, we will use a sample web application written in Python and Flask.

1. Install Python and Flask framework:

   sudo swupd bundle-add python3 flask
   

2. Create a new file named app.py with the following contents:

   from flask import Flask, render_template
   
   app = Flask(__name__)
   
   @app.route('/')
   def index():
       return render_template('index.html')
   
   if __name__ == "__main__":
       app.run(debug=True, port=5000)
   

   This code is a simple Flask web application that serves a index.html template file.

3. Create a new directory named templates and create a new file named index.html with the following content:

   <!DOCTYPE html>
   <html lang="en">
   <head>
       <meta charset="UTF-8">
       <title>Sample Web Application</title>
   </head>
   <body>
       <h1>Welcome to the Sample Web Application</h1>
   </body>
   </html>
   

   This code is a simple HTML page that displays a "Welcome" message.

4. Start the web application by running the following command:

   python3 app.py
   

5. Open a web browser and navigate to http://localhost:5000 to view the sample web application.

Step 4: Test Pomerium

To test Pomerium, follow these steps:

1. Open a web browser and navigate to https://webapp.example.com.

   You should see the Pomerium login screen.

2. Click on the Google button to log in using your Google account.

   After logging in successfully, you should be redirected to the sample web application running on http://localhost:5000.

That's it! You have successfully installed and configured Pomerium on Clear Linux and secured a sample web application. You can now secure your own applications and APIs using Pomerium.