Exec pomerium-cli proxy got 421 error

What happened?

I tried to use: pomerium-cli proxy --listen :22345 --proxy-domain example.com
but I got an error: ERR Failed to run TCP tunnel error="invalid http response code: 421"

the proxy log:
{"level":"info","service":"envoy","upstream-cluster":"","method":"CONNECT","authority":"nginx-example.com:80","path":"","user-agent":"Go-http-client/1.1","referer":"","forwarded-for":"10.244.0.0","request-id":"12568ed3-3848-402f-9c00-314a50236c62","duration":0.183781,"size":0,"response-code":421,"response-code-details":"route_not_found","time":"2022-06-22T19:56:22Z","message":"http-request"}

What did you expect to happen?

How’d it happen?

  1. pomerium-cli proxy --listen :22345 --proxy-domain example.com
  2. export HTTPS_PROXY=http://127.0.0.1:22345
  3. curl https://example.com
  4. Saw error: ERR Failed to run TCP tunnel error="invalid http response code: 421"

What’s your environment like?

  • Pomerium version (retrieve with pomerium --version):
  • Server Operating System/Architecture/Cloud:

What’s your config.yaml?

config:
  rootDomain: trust.secchinatele.com
  existingCASecret: pomerium-tls
  insecure: true
  generateTLS: false # On by default, disabled when cert-manager or another solution is in place.
  # The policy block isn't required when using the Pomerium Ingress Controller, as routes are defined
  # by the addition of Ingress Resources.
  routes:
    - from: https://example.com
      to: http://nginx-app-svc:80
      pass_identity_headers: true
      policy:
        - allow:
            or:
              - domain:
                  is: example.com


What did you see in the logs?

{"level":"info","service":"envoy","upstream-cluster":"","method":"CONNECT","authority":"nginx-example.com:80","path":"","user-agent":"Go-http-client/1.1","referer":"","forwarded-for":"10.244.0.0","request-id":"12568ed3-3848-402f-9c00-314a50236c62","duration":0.183781,"size":0,"response-code":421,"response-code-details":"route_not_found","time":"2022-06-22T19:56:22Z","message":"http-request"}


Additional context


Hi! The Pomerium CLI tool is only required (and only works) with TCP routes. That is to say, you only need it if you wanna tunnel an SSH, RDP, VNC, MySQL… etc. connection through Pomerium.

For the route you provided, you should be able to just go to your example.com domain in the from field in your browser, and you’d be brought to your IdP’s sign-in page.
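
A small triage helper for the situation in this thread, added here as an example (it is not part of the original posts and not Pomerium's own code): it scans envoy access-log lines for CONNECT requests rejected with 421 and reports whether the requested authority belongs to a TCP route, an HTTP-only route, or no route at all. The route list, the `tcp+https://ssh.example.com:22` entry and all sample log lines are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Route "from" URLs. The first is the HTTP route from the post; the second is a
# hypothetical TCP route (tcp+https scheme), constructed for contrast.
ROUTES = ["https://example.com", "tcp+https://ssh.example.com:22"]

# Constructed log lines modelled on the envoy entry quoted in the post.
SAMPLE_LOG = [
    '{"method":"CONNECT","authority":"nginx-example.com:80","response-code":421,"response-code-details":"route_not_found"}',
    '{"method":"CONNECT","authority":"example.com:443","response-code":421,"response-code-details":"route_not_found"}',
    '{"method":"CONNECT","authority":"ssh.example.com:22","response-code":200,"response-code-details":"via_upstream"}',
    "truncated, non-JSON line",
]

def split_routes(routes):
    """Return (TCP authorities as host:port, hostnames of plain HTTP routes)."""
    tcp, http = set(), set()
    for url in routes:
        parts = urlsplit(url)
        if parts.scheme.startswith("tcp+") and parts.port:
            tcp.add(f"{parts.hostname}:{parts.port}")
        elif parts.scheme in ("http", "https"):
            http.add(parts.hostname)
    return tcp, http

def triage(lines, routes):
    """List (authority, verdict) for CONNECT requests rejected with 421."""
    tcp, http = split_routes(routes)
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON log records
        if not isinstance(entry, dict) or entry.get("method") != "CONNECT":
            continue
        if entry.get("response-code") != 421:
            continue
        authority = str(entry.get("authority", "")).lower()
        host = authority.rsplit(":", 1)[0]
        verdict = ("tcp_route_present" if authority in tcp else
                   "http_route_only" if host in http else "no_matching_route")
        findings.append((authority, verdict))
    return findings

if __name__ == "__main__":
    for authority, verdict in triage(SAMPLE_LOG, ROUTES):
        print(authority, verdict)
```

A `http_route_only` verdict is the case the reply above describes: the host is served as an HTTP route, so there is no TCP route for a CLI tunnel to use.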

Thanks for your help!
I can exec the pomerium-cli tcp command,
but exec pomerium-cli proxy always gets an error.
Can you tell me how to use the pomerium-cli proxy command?
There is too little info about this.