"authenticate_service_url" and upstream routes with the same URL no longer working in 0.16.1

What happened?

When updating from 0.15.8 to 0.16.1 today, I noticed using the same DNS / URL for “authenticate_service_url” and upstream routes is no longer working.
I’m using pomerium to add authentication to a dockerized app running on the same Server.

What did you expect to happen?

Before 0.16.1, I’ve been using “https://appname.mydomain.com/oauth2/callback” as redirect URL in the IDP and “https://appname.mydomain.com/app” to access the actual app.
After 0.16.1, I’m getting " route not found " for the route that uses the same url as configured in " authenticate_service_url ".

How’d it happen?

  1. Updated from 0.15.8 to 0.16.1
  2. Tried to access my upstream app
  3. Got 404 Route not found message in Browser

What’s your environment like?

  • Pomerium version 0.16.1
  • docker-compose based deployment on a Ubuntu Instanc

What’s your config.yaml?

# See detailed configuration settings : https://www.pomerium.io/docs/reference/reference/
# this is the domain the identity provider will callback after a user authenticates

authenticate_service_url: https://appname.mydomain.com

  Cache-Control: no-cache

# certificate settings:  https://www.pomerium.io/docs/reference/certificates.html
# SSL is terminated on Loadbalancer Level
insecure_server: true

# IDP (cognito) settings
idp_provider: oidc
idp_provider_url: https://cognito-idp.region.amazonaws.com/pool
idp_client_id: xxxxxx
idp_client_secret: xxxxxx
idp_scopes: "openid,email"
jwt_claims_headers: "cognito:groups"

signing_key: yyyyyyy
cookie_secret: zzzzzzz

# custom logout url
signout_redirect_url: https://my.signout.url

# https://www.pomerium.io/configuration/#policy
  - from: https://appname.mydomain.com
    to: my.upstream.url
    allow_websockets: true
    tls_skip_verify: true
    pass_identity_headers: true
        - myGroup

What did you see in the logs?

# Paste your logs here.
# Be sure to scrub any sensitive values

Additional context

Adding a 2nd DNS record pointing to the same server and using this new URL as “authenticate_service_url” seems to work fine in a Sandbox i just created.Is there a way to configure the latest version to work with only one DNS record? Just wanted to clarify before initiating DNS changes.

Hi @svKr! This is an interesting use case. Normally, the authenticate service is on one subdomain domain (ie auth.example.com) and each service is on it’s own separate one (service.example.com). You can do this without making a new DNS record for each domain by creating a CNAME record for *.example.com that points to the A record for example.com.

Alternately, you can use a subdomain space. That is to say, make a CNAME for *.something.example.com and set your Pomerium config to use that sub-subdomain space.

The config you were using with a single domain was something that shouldn’t have worked, but did anyway.

Thanks for the quick clarification Alex.
Will change the records accordingly.

1 Like