v0.2.1

v0.2.1

SECURITY

• Fixes vulnerabilities fixed in Go 1.12.8 including CVE-2019-9512, CVE-2019-9514 and CVE-2019-14809.

v0.2.0

New

Telemetry [GH-35]

• Tracing [GH-230] aka distributed tracing, provides insight into the full lifecycles, aka traces, of requests to the system, allowing you to pinpoint failures and performance issues.

  • Add Jaeger support. [GH-230]

• Metrics provide quantitative information about processes running inside the system, including counters, gauges, and histograms.

  • Add informational metrics. [GH-227]

  • GRPC Metrics Implementation. [GH-218]

    • Additional GRPC server metrics and request sizes
    • Improved GRPC metrics implementation internals
    • The GRPC method label is now 'grpc_method' and GRPC status is now grpc_client_status and grpc_server_status

  • HTTP Metrics Implementation. [GH-220]

    • Support HTTP request sizes on client and server side of proxy
    • Improved HTTP metrics implementation internals
    • The HTTP method label is now http_method, and HTTP status label is now http_status

Changed

• GRPC version upgraded to v1.22 [GH-219]
• Add support for large cookie sessions by chunking. [GH-211]
• Prefer curve X25519 to P256 for TLS connections. [GH-233]
• Pomerium and its services will gracefully shutdown on interrupt signal. [GH-230]
• Google now prompts the user to select a user account (by adding select_account to the sign in url). This allows a user who has multiple accounts at the authorization server to select amongst the multiple accounts that they may have current sessions for.

FIXED

• Fixed potential race condition when signing requests. [GH-240]

v0.1.0

PLEASE REVIEW THE UPGRADE GUIDE BEFORE UPDATING!

v0.1.0

NEW

• Add programmatic authentication support. [GH-177]
• Add Prometheus format metrics endpoint. [GH-35]
• Add policy setting to enable self-signed certificate support. [GH-179]
• Add policy setting to skip tls certificate verification. [GH-179]

CHANGED

• Policy to and from settings must be set to valid HTTP URLs including schemes and hostnames (e.g. http.corp.domain.example should now be https://http.corp.domain.example).
• Proxy's sign out handler {}/.pomerium/sign_out now accepts an optional redirect_uri parameter which can be used to specify a custom redirect page, so long as it is under the same top-level domain. [GH-183]
• Policy configuration can now be empty at startup. [GH-190]
• Websocket support is now set per-route instead of globally. [GH-204]
• Pomerium will error if a session cookie is over 4096 bytes, instead of failing silently. [GH-212]

FIXED

• Fixed HEADERS environment variable parsing. [GH-188]
• Fixed Azure group lookups. [GH-190]
• If a session is too large (over 4096 bytes) Pomerium will no longer fail silently. [GH-211]
• Internal URLs like dashboard now start auth process to login a user if no session is found. [GH-205].
• When set,CookieDomain lets a user set the scope of the user session. CSRF cookies will still always be scoped at the individual route level. [GH-181]

v0.0.5

PLEASE REVIEW THE UPGRADE GUIDE BEFORE UPDATING!

v0.0.5

NEW

• Add ability to detect changes and reload policy configuration files. [GH-150]
• Add user dashboard containing information about the current user's session. [GH-123]
• Add functionality allowing users to initiate manual refresh of their session. This is helpful when a user's access control details are updated but their session hasn't updated yet. To prevent abuse, manual refresh is gated by a cooldown (REFRESH_COOLDOWN) which defaults to five minutes. [GH-73]
• Add Administrator (super user) account support (ADMINISTRATORS). [GH-110]
• Add feature that allows Administrators to impersonate / sign-in as another user from the user dashboard. [GH-110]
• Add docker images and builds for ARM. [GH-95]
• Add support for public, unauthenticated routes. [GH-129]

CHANGED

• Add Request ID to error pages. [GH-144]
• Refactor configuration handling to use spf13/viper bringing a variety of additional supported storage formats.[GH-115]
• Changed config AUTHENTICATE_INTERNAL_URL to be a URL containing both a valid hostname and schema. [GH-153]
• User state is now maintained and scoped at the domain level vs at the route level. [GH-128]
• Error pages contain a link to sign out from the current user session. [GH-100]
• Removed LifetimeDeadline from sessions.SessionState.
• Removed favicon specific request handling. [GH-131]
• Headers are now configurable via the HEADERS configuration variable. [GH-108]
• Refactored proxy and authenticate services to share the same session state cookie. [GH-131]
• Removed instances of extraneous session state saves. [GH-131]
• Changed default behavior when no session is found. Users are now redirected to login instead of being shown an error page.[GH-131]
• Updated routes such that all http handlers are now wrapped with a standard set of middleware. Headers, request id, loggers, and health checks middleware are now applied to all routes including 4xx and 5xx responses. [GH-116]
• Changed docker images to be built from distroless. This fixed an issue with nsswitch [GH-97], includes ca-certificates and limits the attack surface area of our images. [GH-101]
• Changed HTTP to HTTPS redirect server to be user configurable via HTTP_REDIRECT_ADDR. [GH-103]
• Content-Security-Policy hash updated to match new UI assets.

FIXED

• Fixed websocket support. [GH-151]
• Fixed an issue where policy and routes were being pre-processed incorrectly. [GH-132]
• Fixed an issue where golint was not being found in our docker image. [GH-121]

Since 0.0.4

This page contains the list of deprecations and important or breaking changes for pomerium v0.0.4 compared to v0.0.5. Please read it carefully.

Breaking: POLICY_FILE removed

Usage of the POLICY_FILE envvar is no longer supported. Support for file based policy configuration has been shifted into the new unified config file.

Important: Configuration file support added

• Pomerium now supports an optional -config flag. This flag specifies a file from which to read all configuration options. It supports yaml, json, toml and properties formats.

• All options which can be specified via MY_SETTING style envvars can now be specified within your configuration file as key/value. The key is generally the same as the envvar name, but lower cased. See Reference Documentation for exact names.

• Options precedence is environmental variables > configuration file > defaults

• The options file supports a policy key, which contains policy in the same format as POLICY_FILE. To convert an existing policy.yaml into a config.yaml, just move your policy under a policy key.

  Old:

  - from: httpbin.corp.beyondperimeter.com
    to: http://httpbin
    allowed_domains:
      - pomerium.io
    cors_allow_preflight: true
    timeout: 30s

  New:

  policy:
    - from: httpbin.corp.beyondperimeter.com
      to: http://httpbin
      allowed_domains:
        - pomerium.io
      cors_allow_preflight: true
      timeout: 30s

Authenticate Internal Service Address

The configuration variable Authenticate Internal Service URL must now be a valid URL type and contain both a hostname and valid https schema.

v0.0.4

v0.0.4

CHANGED

• HTTP Strict Transport Security is included by default and set to one year. [GH-92]
• HTTP now redirects to HTTPS. [GH-92]
• Removed extraneous AUTHORIZE_INTERNAL_URL config option since authorization has no publica http handlers, only a gRPC service endpoint. [GH-93]
• Removed PROXY_ROOT_DOMAIN config option which is now inferred from AUTHENTICATE_SERVICE_URL. Only callback requests originating from a URL on the same sub-domain are permitted. [GH-83]
• Removed REDIRECT_URL config option which is now inferred from AUTHENTICATE_SERVICE_URL (e.g. https://$AUTHENTICATE_SERVICE_URL/oauth2/callback). [GH-83]

FIXED

• Fixed a bug in the Google provider implementation where the refresh_token. Updated the google implementation to use the new prompt=consent oauth2 parameters. Reported and fixed by @chemhack [GH-81]

DOCUMENTATION

• Added synology tutorial. [GH-96]
• Added certificates documentation. [GH-79]

v0.0.3

FEATURES:

• Authorization : The authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: allowed_users, allowed_groups, and allowed_domains. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details.

• Group Support : The authenticate service now retrieves a user's group membership information during authentication and refresh. This change may require additional identity provider configuration; all of which are described in the updated docs. A brief summary of the requirements for each IdP are as follows:

  • Google requires the Admin SDK to enabled, a service account with properly delegated access, and IDP_SERVICE_ACCOUNT to be set to the base64 encoded value of the service account's key file.
  • Okta requires a groups claim to be added to both the id_token and access_token. No additional API calls are made.
  • Microsoft Azure Active Directory requires the application be given an additional API permission, Directory.Read.All.
  • Onelogin requires the groups was supplied during authentication and that groups parameter has been mapped. Group membership is validated on refresh with the user-info api endpoint.

• WebSocket Support : With Go 1.12 pomerium automatically proxies WebSocket requests.

CHANGED:

• Add LOG_LEVEL config setting that allows for setting the desired minimum log level for an event to be logged. [GH-74]
• Changed POMERIUM_DEBUG config setting to just do console-pretty printing. No longer sets log level. [GH-74]
• Updated generate_wildcard_cert.sh to generate a elliptic curve 256 cert by default.
• Updated env.example to include a POLICY setting example.
• Added IDP_SERVICE_ACCOUNT to env.example .
• Removed PROXY_ROOT_DOMAIN settings which has been replaced by POLICY.
• Removed ALLOWED_DOMAINS settings which has been replaced by POLICY. Authorization is now handled by the authorization service and is defined in the policy configuration files.
• Removed ROUTES settings which has been replaced by POLICY.
• Add refresh endpoint ${url}/.pomerium/refresh which forces a token refresh and responds with the json result.
• Group membership added to proxy headers (x-pomerium-authenticated-user-groups) and (x-pomerium-jwt-assertion).
• Default Cookie lifetime (COOKIE_EXPIRE) changed from 7 days to 14 hours ~ roughly one business day.
• Moved identity (authenticate/providers) into its own internal identity package as third party identity providers are going to authorization details (group membership, user role, etc) in addition to just authentication attributes.
• Removed circuit breaker package. Calls that were previously wrapped with a circuit breaker fall under gRPC timeouts; which are gated by relatively short timeouts.
• Session expiration times are truncated at the second.
• Removed gitlab provider. We can't support groups until this gitlab bug is fixed.
• Request context is now maintained throughout request-flow via the context package enabling timeouts, request tracing, and cancellation.

FIXED:

• http.Server and httputil.NewSingleHostReverseProxy now uses pomerium's logging package instead of the standard library's built in one. [GH-58]

v0.0.2

v0.0.2