adds TCP guide

Author: ZPain8464

content/docs/courses/zero-fundamentals/advanced-routes.mdx

@@ -7,7 +7,7 @@ sidebar_position: 5
 
 # Build Advanced Routes
 
-In this guide, you'll build advanced routes in the Zero Console. To do that, you'll configure route settings in Pomerium Zero and test them against an upstream service called HTTPbin.
+In this guide, you'll build advanced routes by exploring some of the route settings available in Pomerium Zero.
 
 :::note **Before You Start**
 
@@ -22,20 +22,18 @@ Each tutorial builds on the same configuration files. In this tutorial, you’ll
 
 :::
 
-## Advanced route configuration settings
+## What are advanced routes?
 
-Pomerium provides route-level settings that allow you to customize how the Proxy service handles requests. More advanced configurations allow identity header pass-through, path and prefix rewrites, and request and response header modifications.
+Pomerium provides many route-level settings that allow you to customize how the Proxy service handles requests. More advanced configurations allow identity header pass-through, path and prefix rewrites, and request and response header modifications.
 
-For the purposes of this guide, we will only review select settings from the list below to give you an idea of how you can further configure routes for your use case:
+In the Zero Console, these settings are organized into categories, like TLS Settings and Headers settings. For the purposes of this guide, we will test only select settings from the categories listed below:
 
 - **Headers**
 - **Path Matching**
 - **Path Rewriting**
-- **Prefix & Prefix Rewrite**
-- **Redirects**
-- **Direct Response**
+- **Advanced settings**
 
-### Configure HTTPBin
+### Set up HTTPBin
 
 To test these settings, we will configure Pomerium Zero and Docker Compose to host an HTTPBin server. If you’re not familiar with [HTTPBin](https://httpbin.org/), it’s a call-and-response HTTP server you can use to test (you guessed it) HTTP requests and responses.
 
@@ -133,7 +131,7 @@ Now, configure [**Set Request Headers**](/docs/reference/routes/headers#set-requ
 
     ![Setting and removing HTTP request headers in the Zero Console](./img/advanced-routes/set-and-remove-request-headers.png)
 
-Apply your changeset and test the request again. You'll notice that the set request header was added to the request, and the specified JWT claim headers were removed:
+Apply your changeset and test the request again. You'll notice that the request header was added to the request, and the specified JWT claim headers were removed:
 
     ![Reviewing the response body in HTTPBin after setting and removing HTTP headers](./img/advanced-routes/set-and-remove-headers-response-body.png)
 
@@ -282,7 +280,7 @@ In the Zero Console:
 1. Select **Path Matching**
 1. In the **Prefix** field, enter `/admin`
 
-If you append the `/admin` endpoint to your route, Pomerium should direct you to the `/admin` only page. If you don't append `/admin`, you will see a 404 error:
+If you append the `/admin` endpoint to your route, Pomerium should direct you to the `/admin` only page. If you don't append `/admin`, you will see a `404` error:
 
 ![Adding the /admin prefix to the Node server route](./img/advanced-routes/nodeserver-prefix-setting.gif)
 
@@ -308,3 +306,70 @@ Great job! You've configured several advanced routes in Pomerium Zero.
 In the next guide, you'll secure TCP routes and access an SSH service.
 
 Go to [TCP Routes](/docs/courses/zero-fundamentals/tcp-ssh).
+
+#### Configuration file state
+
+At this point, your Docker Compose file should look like:
+
+```yaml title="docker-compose.yaml"
+services:
+  pomerium:
+    image: pomerium/pomerium:v0.25.1
+    ports:
+      - 443:443
+    restart: always
+    environment:
+      POMERIUM_ZERO_TOKEN: <CLUSTER_TOKEN>
+      XDG_CACHE_HOME: /var/cache
+    volumes:
+      - pomerium-cache:/var/cache
+    networks:
+      main:
+        aliases:
+        - verify.<CLUSTER_SUBDOMAIN>.pomerium.app
+        - authenticate.<CLUSTER_SUBDOMAIN>.pomerium.app
+  verify:
+    image: cr.pomerium.com/pomerium/verify:latest
+    networks:
+      main:
+        aliases:
+        - verify
+  grafana:
+    image: grafana/grafana:latest
+    ports:
+      - 3000:3000
+    networks:
+      main: {}
+    environment:
+      - GF_AUTH_SIGNOUT_REDIRECT_URL=https://grafana.<CLUSTER_SUBDOMAIN>.pomerium.app/.pomerium/sign_out
+      - GF_AUTH_JWT_ENABLED=true
+      - GF_AUTH_JWT_HEADER_NAME=X-Pomerium-Jwt-Assertion
+      - GF_AUTH_JWT_EMAIL_CLAIM=email
+      - GF_AUTH_JWT_USERNAME_CLAIM=sub
+      - GF_AUTH_JWT_JWK_SET_URL=https://authenticate.<CLUSTER_SUBDOMAIN>.pomerium.app/.well-known/pomerium/jwks.json
+      - GF_AUTH_JWT_CACHE_TTL=60m
+      - GF_AUTH_JWT_AUTO_SIGN_UP=true
+    volumes:
+      - ./grafana-storage:/var/lib/grafana
+
+  httpbin:
+    networks:
+      main: {}
+    image: kennethreitz/httpbin
+    ports:
+      - 80:80
+
+  nodeserver:
+    networks:
+      main: {}
+    build:
+      context: ./app
+    ports:
+      - 5001:5001
+
+networks:
+  main: {}
+
+volumes:
+  pomerium-cache:
+```

content/docs/courses/zero-fundamentals/certificates.mdx

@@ -1,5 +1,5 @@
 ---
-id: certificats
+id: certificates
 title: Certificates
 sidebar_label: 07. Certificates
 sidebar_position: 7

content/docs/courses/zero-fundamentals/img/tcp/redis-service.png

@@ -0,0 +1,196 @@
+---
+id: tcp-routes
+title: TCP Routes
+sidebar_label: 06. TCP Routes
+sidebar_position: 6
+---
+
+# Secure TCP and SSH Connections
+
+Now that you’ve built several routes, you'll learn how to proxy TCP and SSH connections with Pomerium Zero.
+
+:::note **Before You Start**
+
+Make sure you’ve completed the following tutorials:
+
+- [**Build a Simple Route**](/docs/courses/zero-fundamentals/build-routes)
+- [**Build a Simple Policy**](/docs/courses/zero-fundamentals/build-policies)
+- [**Single Sign-on with JWTs**](/docs/courses/zero-fundamentals/single-sign-on)
+- [**Build Advanced Policies**](/docs/courses/zero-fundamentals/advanced-policies)
+- [**Build Advanced Routes**](/docs/courses/zero-fundamentals/advanced-routes)
+
+Each tutorial builds on the same configuration files. In this guide, you'll proxy TCP connections to a Redis database and a remote OpenSSH server.
+
+:::
+
+## Background
+
+When replacing a traditional VPN, there are often non-HTTP based applications you still need to reach. Pomerium can provide the same type of protection to these services with [Pomerium CLI](/docs/deploy/clients/pomerium-cli), a client-side application to proxy TCP connections.
+
+In this guide, you'll proxy TCP connections to a Redis database and an OpenSSH server.
+
+Pomerium’s CLI client comes with a `tcp` command that you can use to secure this connection.
+
+## Prerequisites
+
+To complete this guide, you need:
+
+- [Pomerium CLI](/docs/deploy/clients/pomerium-cli) to proxy TCP connections between end-users and services behind Pomerium
+
+:::note
+
+This guide assumes you've installed the Pomerium CLI client to your system.
+
+:::
+
+## Test Pomerium CLI installation
+
+Test the installation:
+
+```shell-session
+$ pomerium-cli
+Usage:
+  pomerium-cli [command]
+
+Available Commands:
+  cache       commands for working with the cache
+  completion  Generate the autocompletion script for the specified shell
+  help        Help about any command
+  k8s         commands for the kubernetes credential plugin
+  tcp         creates a TCP tunnel through Pomerium
+  version     version
+
+Flags:
+  -h, --help      help for pomerium-cli
+  -v, --version   version for pomerium-cli
+
+Use "pomerium-cli [command] --help" for more information about a command.
+```
+
+## Add Redis and OpenSSH services
+
+Add the Redis and OpenSSH server configurations to your Docker Compose file:
+
+```yaml
+  redis:
+    image: redis:latest
+    networks:
+      main: {}
+    expose:
+      - 6379
+
+  myssh:
+    image: linuxserver/openssh-server:latest
+    networks:
+      main: {}
+    expose:
+      - 2222
+    environment:
+      PASSWORD_ACCESS: "true"
+      USER_PASSWORD: supersecret
+      USER_NAME: user
+```
+
+## Add routes in Pomerium Zero
+
+Create a Redis route:
+
+1. Create a new route for your Redis database
+1. In **From**, select **tcp+https://** in the protocol dropdown menu
+1. Enter your external route and append `:6379` to it
+    1. For example, `redis.super-hero-7645.pomerium.app:6379`
+1. In **To**, enter `tcp://redis:6379`
+1. In **Policies**, select `Any Authenticated User`
+
+    ![Building the Redis route in the Zero Console](./img/tcp/redis-service.png)
+
+Create an OpenSSH route:
+
+1. Create a new route for the OpenSSH server
+1. In **From**, select **tcp+https://** in the protocol dropdown menu
+1. Enter your external route and append `:22` to it
+    1. For example, `myssh.super-hero-7645.pomerium.app:22`
+1. In **To**, enter `tcp://myssh:2222`
+
+    ![Building the OpenSSH route in the Zero Console](./img/tcp/ssh-server.png)
+
+Save your changes and apply them.
+
+## Connect to Redis
+
+In a terminal, run the following command:
+
+```shell-session
+$ pomerium-cli tcp redis.<CLUSTER_SUBDOMAIN>.pomerium.app:6379 --listen localhost:6379
+```
+
+If set up correctly, Pomerium will open your browser to authenticate you. This will establish a TCP connection.
+
+In a separate terminal window, run the following `redis-cli` command:
+
+```bash
+$  redis-cli info
+# Server
+redis_version:7.0.5
+redis_git_sha1:00000000
+redis_git_dirty:0
+redis_build_id:d9291579292e26e3
+redis_mode:standalone
+os:Linux 6.3.13-linuxkit aarch64
+arch_bits:64
+monotonic_clock:POSIX clock_gettime
+multiplexing_api:epoll
+atomicvar_api:c11-builtin
+gcc_version:10.2.1
+process_id:1
+process_supervised:no
+run_id:bc1b8bcd39f1e51d615f5739158e6ae964f7e724
+tcp_port:6379
+server_time_usec:1713989553900448
+uptime_in_seconds:64
+uptime_in_days:0
+hz:10
+configured_hz:10
+lru_clock:2713521
+executable:/data/redis-server
+config_file:
+io_threads_active:0
+```
+
+We truncated the Redis response above for the sake of brevity, but it demonstrates that you successfully proxied a TCP connection to the Redis service.
+
+## Connect to SSH server
+
+In a terminal, run the following command:
+
+```shell-session
+$ pomerium-cli tcp myssh.<CLUSTER_SUBDOMAIN>.pomerium.app:22 --listen :2222
+```
+
+If set up correctly, Pomerium will open your browser to authenticate you. This will establish a TCP connection.
+
+In a separate terminal window, run:
+
+```bash
+ssh user@myssh.<CLUSTER_SUBDOMAIN>.pomerium.app -p 2222
+```
+
+This will prompt the SSH server to request a password. The credentials are hardcoded in the Docker Compose file:
+
+- **USER_PASSWORD:** supersecret
+- **USER_NAME:** user
+
+After authenticating, you should see a greeting from OpenSSH, like:
+
+```shell-session
+$ user@myssh.<CLUSTER_SUBDOMAIN>.pomerium.app's password:
+Welcome to OpenSSH Server
+
+f157ed9f7a38:~$
+```
+
+Awesome! You successfully configured two services that take advantage of Pomerium's TCP capabilities to proxy requests.
+
+## Up Next: Certificates
+
+Go to [Certificates](/docs/courses/zero-fundamentals/certificates)