Deployment architecture

What happened?

I want to implement Pomerium in our infrastructure to protect some critical services.

We have several clusters with multiple services in each other. I need to create layer of protection with keycloak auth.

Currently our services use domain names in a way of
Keycloak is in

I started with one service example. My current config for pomerium is

autocert: false
address: :80
cookie_secret: xxxx
shared_secret: yyyy

idp_provider: "oidc"
idp_provider_url: ""
idp_client_id: xxxx
idp_client_secret: "zzzz"

insecure_server: true

  - from:
    to: http://private_ip:8080

With such a config I got a /.pomerium on home page and any other route is targeting to private service. I’ve spent time debugging this problem and found a reason in source code. It’s similar to Infinite redirect at /.pomerium endpoint after navigating to proxied application · Issue #3364 · pomerium/pomerium · GitHub - same domain to auth and app.

I can try create a new domain and target it to IP of that cluster and try on that service. It probably will work.

Hovewer I don’t understand how to scale that setup to multiple clusters.
Should I create a sidecar container with pomerium to each service and one global verifyer? Or one per cluster? Can I just silently work without a global verifier?

Current possible service map to IP: - IP1 - IP2 - IP1 - IP3 - IP4
1 Like


  • I’m not sure I understand what exactly is not working with /.pomerium special path.
  • verify application is merely a reference example and is not a mandatory part of Pomerium installation
  • I’m not sure why do you need insecure_server: true and "address:80` in your config. Pomerium is normally supposed to handle TLS traffic, with HTTP-only mode reserved for some exotic (and in general non-recommended) deployment scenarios.

WRT to multi-cluster operation, current recommended deployment is to run Pomerium 0.18+ with Postgres backend in the all-in-one mode (i.e. you do not need to split into proxy, databroker, authorize and authenticate). Pomerium caches the data it receives from the database, thus the latency between individual Pomerium instance and the database do not contribute to the request latency. You may run Pomerium instance per cluster, or if all clusters are in the same region, just run one instance serving all of them.

Ideally I want to build such a flow:

  1. A request goes to domain name with any path.
  2. If it is logged in the Keycloak then proxy to a protected application with the same path
  3. If it is not logged - redirect to Keycloak (

With config above I had a redirect to /.pomerium/ on a root request. On any other path I had a proxied response.

In github issue above it is said: You have a route and authenticate service on the same domain.

I guess this is the code

TLS is offloaded before applications.

That config planned to be a sidecar container to every app deployed in a cluster.

So it is not working as I expected, it requires additional domain name for every app. This does not look good.

You mention a multi-cluster operation, how can it works with different regions? different domain name for every region?