pomerium · ZPain8464 · Jan 29, 2024 · Jan 10, 2024 · Jan 23, 2024 · Jan 23, 2024
@@ -1,5 +1,5 @@
 ---
-# cSpell:ignore abac gset
+# cSpell:ignore abac, gset, nxon
 
 title: Authorization & Policy
 lang: en-US
@@ -93,9 +93,9 @@ In this example, only a user with the email `[email protected]` can access the ta
 
 In the Enterprise Console, you can use the **EDITOR** to manually configure policy with PPL:
 
-![Build policy with PPL in Console](./img/authorization/ppl-editor-policy.png)
+![Build an authorization policy with PPL in the Enterprise Console](./img/authorization/ppl-edit-policy.png)
 
-In this example, a user will have access if their email address ends in `example.com` and they are a member of the `admin` group. The user will be denied access on Saturdays and Sundays.
+In this example, Pomerium will grant a user access if their email address ends in `example.com` and their `groups` ID matches `00gso9nxonHI4YfbM4x6`. Pomerium will deny the user access on Saturdays and Sundays.
 
 </TabItem>
 </Tabs>

@@ -18,6 +18,8 @@ keywords:
 
 import ManageDevices from '../reference/_manage-devices.md';
 import NewEnrollment from '../reference/_new-enrollment.md';
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
 
 Device identity is the unique ID associated with a device. In the context of zero trust, device identity can be used to authenticate and authorize users and to determine if a device can be trusted before granting a user access to a protected application or service.
 

@@ -138,7 +138,7 @@ OpenSSL is installed or easily available for most 'nix-based operating systems l
 
    Pomerium should automatically process changes when the configuration file is updated.
 
-1. Visit <https://openssl.localhost.pomerium.io> in your browser to confirm the route:
+1. Visit [https://openssl.localhost.pomerium.io](https://openssl.localhost.pomerium.io) in your browser to confirm the route:
 
    ![OpenSSL Upstream without client certificate verification](./img/mtls/openssl-test1.png)
 
@@ -156,7 +156,7 @@ OpenSSL is installed or easily available for most 'nix-based operating systems l
    openssl s_server -Verify 1 -key ./openssl.localhost-key.pem -cert ./openssl.localhost.pem -accept 44330 -www
    ```
 
-1. When you refresh <https://openssl.localhost.pomium.io> in your browser, the connection will fail. Back in the terminal, the OpenSSL server should output errors containing:
+1. When you refresh [https://openssl.localhost.pomium.io](https://openssl.localhost.pomium.i) in your browser, the connection will fail. Back in the terminal, the OpenSSL server should output errors containing:
 
    ```log
    SSL routines:tls_process_client_certificate:peer did not return a certificate
@@ -179,7 +179,7 @@ OpenSSL is installed or easily available for most 'nix-based operating systems l
                  is: [email protected]
    ```
 
-Now when you visit <https://openssl.localhost.pomium.io> you should see additional output under **Client certificate**, confirming that the upstream service has read and validated Pomerium's client certificate. Your upstream service is now using mTLS for mutual authentication!
+Now when you visit [https://openssl.localhost.pomium.io](https://openssl.localhost.pomium.io) you should see additional output under **Client certificate**, confirming that the upstream service has read and validated Pomerium's client certificate. Your upstream service is now using mTLS for mutual authentication!
 
 Obviously, the OpenSSL server is a trivial upstream service, and is purpose-built to work with encryption and not much else. Practical mutual authenticate can be a much more complex setup depending on the service, and may require a sidecar or service mesh. This exercise merely serves to demonstrate how easy it is to configure Pomerium to provide client certificates to the upstream service.
 

@@ -61,7 +61,7 @@ To learn more about JWTs and identity verification, see the following docs:
 
 ### Alternative to Login API for `localhost` development
 
-Alternatively you can create a new policy to route an endpoint to a [bastion host](https://en.wikipedia.org/wiki/Bastion_host). You should include a HTTP proxy on this bastion host for HTTPS traffic. Here's one way to do it with nginx: <https://jerrington.me/posts/2019-01-29-self-hosted-ngrok.html> An HTTP proxy on the bastion allows us to receive HTTPS traffic with a self signed cert through LetsEncrypt.
+Alternatively you can create a new policy to route an endpoint to a [bastion host](https://en.wikipedia.org/wiki/Bastion_host). You should include a HTTP proxy on this bastion host for HTTPS traffic. Here's one way to do it with nginx: [https://jerrington.me/posts/2019-01-29-self-hosted-ngrok.html](https://jerrington.me/posts/2019-01-29-self-hosted-ngrok.html) An HTTP proxy on the bastion allows us to receive HTTPS traffic with a self signed cert through LetsEncrypt.
 
 This alternative will allow you to act as if your service is deployed and fronted by Pomerium. We will then forward the remote port from the bastion host behind the pomerium-proxy to localhost.
 

@@ -30,13 +30,11 @@ When first installing Pomerium Enterprise, users may want to import existing rou
 
 From the main Routes page you can view and manage existing routes. From the table of routes you can:
 
-- filter visible routes,
-- delete one or more routes,
-- move routes between Namespaces,
-- export one or more route definitions to a CSV file
-
-
-- create a JSON-formatted policy report on one or more selected routes.
+- Filter visible routes
+- Delete one or more routes
+- Move routes between Namespaces
+- Export one or more route definitions to a CSV file
+- Create a JSON-formatted policy report on one or more selected routes
 
 The sections below cover the options available when creating or editing a route.
 

@@ -43,7 +43,7 @@ Here are some of the expectations we have of contributors:
 
 ## Docs
 
-Pomerium's documentation is available at <https://www.pomerium.io/docs>. If you find a typo, feel a section could be better described, or have an idea for a totally new application or section, don't hesitate to make a pull request change. There are few ways you can do this.
+Pomerium's documentation is available at [https://www.pomerium.io/docs](https://www.pomerium.io/docs). If you find a typo, feel a section could be better described, or have an idea for a totally new application or section, don't hesitate to make a pull request change. There are few ways you can do this.
 
 ### Simple edits
 

@@ -26,7 +26,7 @@ Hardware-backed device identity is becoming more widely discussed as more produc
 
 | ![Verge Article Header and Apple Video Page](./img/verge-apple.png) |
 | :-- |
-| **Sources:**<br />- <https://www.theverge.com/2021/6/25/22550376/microsoft-windows-11-tpm-chips-requirement-security><br/>- <https://developer.apple.com/videos/play/wwdc2021/10106/> |
+| **Sources:**<br />- [https://www.theverge.com/2021/6/25/22550376/microsoft-windows-11-tpm-chips-requirement-security](https://www.theverge.com/2021/6/25/22550376/microsoft-windows-11-tpm-chips-requirement-security)<br/>- [https://developer.apple.com/videos/play/wwdc2021/10106](https://developer.apple.com/videos/play/wwdc2021/10106) |
 
 Device identity protects a trusted user from accessing sensitive data from a potentially unsafe device, like their personal computer or phone. Think of it as similar to multi-factor authentication (**MFA**); where MFA covers "what you know" (password) and "who you are" (biometrics, face recognition, etc), device identity asks "is this device safe?" by confirming that the device you are using to access a system is trusted.
 

@@ -20,6 +20,9 @@ sidebar_label: Pomerium-CLI (Client)
 sidebar_position: 3
 ---
 
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
 # Pomerium's Command Line Interface
 
 `pomerium-cli` (optional, Pomerium is clientless for HTTP based protocols) is a command-line client for working with Pomerium. Functions include acting as an authentication helper for tools like [kubectl](/docs/deploy/k8s/configure.md) or TCP [based applications](/docs/capabilities/tcp/).

@@ -122,7 +122,7 @@ We recommend following the steps in the Kubernetes [Installation](/docs/deploy/k
 
 :::
 
-Pomerium maintains a [helm](https://helm.sh) chart for easy Kubernetes deployment with best practices <https://helm.pomerium.io/>
+Pomerium maintains a [helm](https://helm.sh) chart for easy Kubernetes deployment with best practices [https://helm.pomerium.io/](https://helm.pomerium.io/)
 
 ```bash
 helm repo add pomerium https://helm.pomerium.io

@@ -904,16 +904,16 @@ Please refer to the [upgrade guide](/docs/deploy/core/upgrading) before upgradin
 
 ### Changes
 
-- authenticate: fix internal service URL CORS check by @calebdoxsey in <https://github.com/pomerium/pomerium/pull/3328>
-- authenticate: fix internal service URL dashboard redirect by @calebdoxsey in <https://github.com/pomerium/pomerium/pull/3306>
-- DOCS: Add device identity video <https://github.com/pomerium/pomerium/pull/3307>
-- DOCS: Update changelog <https://github.com/pomerium/pomerium/pull/3308>
-- DOCS: update helm values file <https://github.com/pomerium/pomerium/pull/3287>
-- fix: close the ticker after opened by @clwluvw <https://github.com/pomerium/pomerium/pull/3323>
-- httputil/reproxy: fix policy transport by @calebdoxsey <https://github.com/pomerium/pomerium/pull/3324>
-- Update docs for supported Ingress annotations <https://github.com/pomerium/pomerium/pull/3325>
-
-**Full Changelog**: <https://github.com/pomerium/pomerium/compare/v0.17.2...v0.17.3>
+- authenticate: fix internal service URL CORS check by @calebdoxsey in [https://github.com/pomerium/pomerium/pull/3328](https://github.com/pomerium/pomerium/pull/3328)
+- authenticate: fix internal service URL dashboard redirect by @calebdoxsey in [https://github.com/pomerium/pomerium/pull/3306](https://github.com/pomerium/pomerium/pull/3306)
+- DOCS: Add device identity video [https://github.com/pomerium/pomerium/pull/3307](https://github.com/pomerium/pomerium/pull/3307)
+- DOCS: Update changelog [https://github.com/pomerium/pomerium/pull/3308](https://github.com/pomerium/pomerium/pull/3308)
+- DOCS: update helm values file [https://github.com/pomerium/pomerium/pull/3287](https://github.com/pomerium/pomerium/pull/3287)
+- fix: close the ticker after opened by @clwluvw [https://github.com/pomerium/pomerium/pull/3323](https://github.com/pomerium/pomerium/pull/3323)
+- httputil/reproxy: fix policy transport by @calebdoxsey [https://github.com/pomerium/pomerium/pull/3324](https://github.com/pomerium/pomerium/pull/3324)
+- Update docs for supported Ingress annotations [https://github.com/pomerium/pomerium/pull/3325](https://github.com/pomerium/pomerium/pull/3325)
+
+**Full Changelog**: [https://github.com/pomerium/pomerium/compare/v0.17.2...v0.17.3](https://github.com/pomerium/pomerium/compare/v0.17.2...v0.17.3)
 
 ## [v0.17.2](https://github.com/pomerium/pomerium/tree/v0.17.2) (2022-04-22)
 

@@ -172,7 +172,7 @@ To improve performance, IdP directory synchronization for GitHub now uses the Gr
 
 #### CLI Source and Packaging Update
 
-`pomerium-cli` has been factored out of the core repository and now resides at <https://github.com/pomerium/cli>. If you currently install the CLI tool from [Packages](/docs/deploy/core#packages-2) or [Homebrew](/docs/deploy/core#homebrew), no changes should be required to your process. However, users of docker images or direct github release downloads will need to update their references.
+`pomerium-cli` has been factored out of the core repository and now resides at [https://github.com/pomerium/cli](https://github.com/pomerium/cli). If you currently install the CLI tool from [Packages](/docs/deploy/core#packages-2) or [Homebrew](/docs/deploy/core#homebrew), no changes should be required to your process. However, users of docker images or direct github release downloads will need to update their references.
 
 Please see the [updated install instructions](/docs/deploy/clients/pomerium-cli) for additional details.
 

@@ -33,7 +33,7 @@ You should now have a working Argo installation using [Minio](https://min.io/) t
 kubectl --namespace kube-system port-forward svc/argo-minio 9000:9000
 ```
 
-You should now be able to reach the Minio UI by accessing <http://localhost:9000/minio>. If you're curious the Access Key and Secret Key are generated by the Helm chart and stored in a Kubernetes secret:
+You should now be able to reach the Minio UI by accessing [http://localhost:9000/minio](http://localhost:9000/minio). If you're curious the Access Key and Secret Key are generated by the Helm chart and stored in a Kubernetes secret:
 
 ```bash
 kubectl --namespace=kube-system get secret argo-minio -o yaml
@@ -45,7 +45,7 @@ For now though, let's terminate the Minio `kubectl port-forward` and create one
 kubectl --namespace kube-system port-forward svc/argo-server 2746:2746
 ```
 
-Visiting <http://localhost:2746> should take you to the Argo Workflows dashboard.
+Visiting [http://localhost:2746](http://localhost:2746) should take you to the Argo Workflows dashboard.
 
 ## Install NGINX Ingress Controller
 
@@ -101,4 +101,4 @@ You should now be able to reach argo by using `kubectl port-forward` with the NG
 kubectl --namespace kube-system port-forward svc/ingress-nginx-controller 443:443
 ```
 
-And visit: <https://argo.localhost.pomerium.io/>.
+And visit: [https://argo.localhost.pomerium.io](https://argo.localhost.pomerium.io/).
@@ -97,15 +97,15 @@ Here are the domain mappings set up:
 
 ### Direct Access
 
-Let's verify we cannot access the main application directly by visiting <https://hello-direct.cloudrun.pomerium.io>
+Let's verify we cannot access the main application directly by visiting [https://hello-direct.cloudrun.pomerium.io](https://hello-direct.cloudrun.pomerium.io)
 
 ![Hello Direct Access](img/cloud-run/hello-direct.png)
 
 You should see a 403 error because you do not have the proper credentials.
 
 ### Authenticated Access
 
-Now let's access via <https://hello.cloudrun.pomerium.io>
+Now let's access via [https://hello.cloudrun.pomerium.io](https://hello.cloudrun.pomerium.io)
 
 We should get an auth flow through your IdP:
 

@@ -163,31 +163,33 @@ If you haven't already, install cert-manager and create a CA issuer. You can fol
 
 1.  Create a values file for Helm to use when installing Pomerium. Our example is named `pomerium-values.yaml`.
 
-    <PomeriumValues />
+        <PomeriumValues />
 
-    :::tip
+        :::tip
 
-    The options required in the `authenticate.idp` block will vary depending on your [identity provider].
+        The options required in the `authenticate.idp` block will vary depending on your [identity provider].
 
-    If you changed the `*.localhost.pomerium.io` value in `pomerium-certificates.yaml` update `config.rootDomain` to match, omitting the `*`.
+        If you changed the `*.localhost.pomerium.io` value in `pomerium-certificates.yaml` update `config.rootDomain` to match, omitting the `*`.
 
-    :::
+        :::
 
-    <details><summary>Default Certificate</summary>
+        <details>
 
-    If you're using a single wildcard certificate for all routes managed by Pomerium, you can set it in an annotation for the ingress controller.
+    <summary>Default Certificate</summary>
 
-    Add a block defining the default certificate to `pomerium-values.yaml`:
+        If you're using a single wildcard certificate for all routes managed by Pomerium, you can set it in an annotation for the ingress controller.
 
-    ```yaml
-    ingressController:
-    ingressClassResource:
-      defaultCertSecret: 'namespace/certSecretName'
-    ```
+        Add a block defining the default certificate to `pomerium-values.yaml`:
+
+        ```yaml
+        ingressController:
+        ingressClassResource:
+          defaultCertSecret: 'namespace/certSecretName'
+        ```
 
-    Now when defining ingresses you need not specify individual certificates, as documented in our example service below.
+        Now when defining ingresses you need not specify individual certificates, as documented in our example service below.
 
-    </details>
+        </details>
 
 1.  Add Pomerium's Helm repo:
 

@@ -15,7 +15,7 @@ Using Pomerium on your Synology DSM device enables:
 - Access to services by sub-domain (e.g. `plex.int.nas.example` or `wiki.int.nas.example`)
 - TLS everywhere.
 
-Pomerium is lightweight, can easily handle hundreds of concurrent requests, and a single instance typically uses <20MB of memory and very little CPU.
+Pomerium is lightweight, can easily handle hundreds of concurrent requests, and a single instance typically uses less than 20MB of memory and very little CPU.
 
 ## Prerequisites
 

@@ -19,7 +19,7 @@ While we do our best to keep our documentation up to date, changes to third-part
 
 If you plan on allowing users to log in using a Microsoft Azure Active Directory account, either from your company or from external directories, you must register your application through the Microsoft Azure portal. If you don't have a Microsoft Azure account, you can [sign up](https://azure.microsoft.com/en-us/free) for free.
 
-You can access the Azure management portal from your Microsoft service, or visit <https://portal.azure.com> and sign in to Azure using the global administrator account used to create the Office 365 organization.
+You can access the Azure management portal from your Microsoft service, or visit [https://portal.azure.com](https://portal.azure.com) and sign in to Azure using the global administrator account used to create the Office 365 organization.
 
 :::tip
 

@@ -75,7 +75,7 @@ If you need to make changes after creating your pool, be aware that some setting
    | **Field** | **Description** |
    | --- | --- |
    | Enabled Identity Providers | Choose **Cognito User Pool**, unless you have set up another **Identity Provider** (eg SAML) |
-   | Callback URL(s) | https://${authenticate_service_url}/oauth2/callback |
+   | Callback URL(s) | https://{AUTHENTICATE_SERVICE_URL}/oauth2/callback |
    | Allowed OAuth Flows | Authorization code grant |
    | Allowed OAuth Scopes | Email, OpenID, Profile |
 

@@ -72,7 +72,7 @@ While researching, we'd like you to refrain from:
 - Social engineering or phishing of Pomerium employees or contractors
 - Any attacks against Pomerium's physical property or data centers
 
-We may revise these guidelines from time to time. The most current version of the guidelines will be available at <https://pomerium.com/docs/community/security>.
+We may revise these guidelines from time to time. The most current version of the guidelines will be available at [https://pomerium.com/docs/community/security](https://pomerium.com/docs/community/security).
 
 Though we accept PGP-encrypted email, please only use it for critical security reports.
 

@@ -5,6 +5,9 @@ description: Configure Timeouts settings in Pomerium.
 keywords: [websocket connections, spdy, route timeout, route idle timeout]
 ---
 
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
 # Timeouts Settings
 
 This reference covers all of Pomerium's **Timeouts Settings**:

@@ -81,6 +81,7 @@ const CustomFormFooter = ({status, message, onValidated}) => {
               height: 48,
               border: 'none',
               borderRadius: '25px',
+              cursor: 'pointer',
             }}
             className="top-0 right-0 bottom-0 w-12 flex hover:text-purple"
             onClick={submit}>
-Original file line number
+Diff line change
@@ Expand Up / @@ -43,7 +43,7 @@ Here are some of the expectations we have of contributors: @@
     ## Docs
-    Pomerium's documentation is available at <https://www.pomerium.io/docs>. If you find a typo, feel a section could be better described, or have an idea for a totally new application or section, don't hesitate to make a pull request change. There are few ways you can do this.
+    Pomerium's documentation is available at [https://www.pomerium.io/docs](https://www.pomerium.io/docs). If you find a typo, feel a section could be better described, or have an idea for a totally new application or section, don't hesitate to make a pull request change. There are few ways you can do this.
     ### Simple edits
@@ Expand Down @@