Pomerium Demo 0.25.1 via Docker refusing connection

Hi there. Simply trying the demo quickstart app. No luck so far.
Hope anybody can help.

What happened?

Tried the quickstart guide via docker-compose.
It started successfully, however it gives “ERR_NAME_NOT_RESOLVED”.
When I try “localhost”, I get “ERR_CONNECTION_REFUSED”.

What did you expect to happen?

I was expecting to see a webpage as shown in the demo.

How’d it happen?

Followed demo with docker compose up

What’s your environment like?

  • Pomerium version (retrieve with pomerium --version): 0.25.1
  • Server Operating System/Architecture/Cloud: macOS on Macbook Air M1

What’s your config.yaml?

# See detailed configuration settings: https://www.pomerium.com/docs/reference/

#####################################################################
# If self-hosting, use the localhost authenticate service URL below #
# and remove the hosted URL.                                        #
#####################################################################
# authenticate_service_url: https://authenticate.localhost.pomerium.io

authenticate_service_url: https://authenticate.pomerium.app

####################################################################################
# If self-hosting, you must configure an identity provider.                        #
# See identity provider settings: https://www.pomerium.com/docs/identity-providers/#
####################################################################################

# https://pomerium.com/reference/#routes
routes:
  - from: https://verify.localhost.pomerium.io
    to: http://verify:8000
    policy:
      - allow:
          or:
            - email:
                is: user@example.com
    pass_identity_headers: true

What did you see in the logs?

...
pomerium-pomerium-1  | {"level":"info","config_file_source":"/pomerium/config.yaml","config_change_id":"6d6e3897-be34-4904-b9f6-3f024c7a8205","time":"2024-03-17T20:04:28Z","message":"metrics: http server disabled"}
pomerium-pomerium-1  | {"level":"info","config_file_source":"/pomerium/config.yaml","bootstrap":true,"time":"2024-03-17T20:04:28Z","message":"controlplane: building discovery resources"}
pomerium-pomerium-1  | {"level":"info","config_file_source":"/pomerium/config.yaml","bootstrap":true,"cluster-count":8,"listener-count":3,"route-configuration-count":1,"time":"2024-03-17T20:04:28Z","message":"controlplane: built discovery resources"}
pomerium-pomerium-1  | {"level":"info","service":"envoy","upstream-cluster":"","method":"GET","authority":"localhost","path":"/","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36","referer":"","forwarded-for":"172.18.0.1","request-id":"3aa2c83b-0408-431b-bc79-270872dbe968","duration":2.809833,"size":0,"response-code":404,"response-code-details":"route_not_found","time":"2024-03-17T20:05:16Z","message":"http-request"}
pomerium-pomerium-1  | {"level":"info","service":"envoy","name":"main","time":"2024-03-17T20:06:21Z","message":"shutting down parent after drain"}
pomerium-pomerium-1  | {"level":"info","service":"envoy","upstream-cluster":"","method":"GET","authority":"localhost","path":"/","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36","referer":"","forwarded-for":"172.18.0.1","request-id":"18a74fdc-01e8-4b9b-8201-b3f7da949257","duration":2.805625,"size":0,"response-code":404,"response-code-details":"route_not_found","time":"2024-03-17T20:07:32Z","message":"http-request"}

Additional context


ERR_NAME_NOT_RESOLVED indicates Chrome cannot resolve the IP address for verify.localhost.pomerium.io. There is likely something with your DNS settings that prevents it - could be a range of things - i.e. some kind of anti-virus software may not like that it’s pointing to localhost (127.0.0.1). Try doing nslookup verify.localhost.pomerium.io in your command line.

You cannot do the https://localhost because your route is for verify.localhost.pomerium.io (you may see the 404 in the access log).

This is a bit puzzling, as if you see ERR_CONNECTION_REFUSED it means your browser cannot establish a connection to localhost at port 443, and nothing should be in your pomerium access log.

One other thing you could try is to run curl -kv https://localhost/.well-known/pomerium/jwks.json; the response should look like

< HTTP/2 200 
< accept-ranges: bytes
< cache-control: max-age=60
< content-length: 236
< content-type: application/json
< etag: "fd9dd93e5f272476"
< vary: Accept-Encoding,Origin
< date: Sun, 17 Mar 2024 23:47:50 GMT
< x-envoy-upstream-service-time: 0
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< server: envoy
< x-request-id: 71cbb5fc-f60e-44d8-84c4-67804591cc41
< 
* Connection #0 to host localhost left intact
{"keys":[{"use":"sig","kty":"EC","kid":"8057fbca45f871d272a664e23dff55183eaca76392ccf2ba7385feb304766bf5","crv":"P-256","alg":"ES256","x":"IKtZ0-EaE35Oxm-1m6Og7c49PCB6ajrQuTM0GzCm_qc","y":"gJw4T83xJsRjZoeQXJkAVKDLNEs45PA5mSU9qxp07io"}]}
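An added triage helper (my own example, not Pomerium's code) that applies the two checks described above: it reads Pomerium's JSON access log together with the routes from config.yaml and lists requests whose Host matches no route (the route_not_found 404 seen in the log), and it inspects a jwks.json body for published signing keys. The log lines and JWKS bodies are constructed to mimic the ones in this thread.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: access-log lines in the shape Pomerium/Envoy emits
# (trimmed to the fields the triage needs) plus the routes from config.yaml.
ACCESS_LOG = """\
{"level":"info","service":"envoy","method":"GET","authority":"localhost","path":"/","response-code":404,"response-code-details":"route_not_found","message":"http-request"}
{"level":"info","service":"envoy","method":"GET","authority":"verify.localhost.pomerium.io","path":"/","response-code":302,"response-code-details":"via_upstream","message":"http-request"}
{"level":"info","config_file_source":"/pomerium/config.yaml","message":"controlplane: built discovery resources"}
"""
ROUTES = [{"from": "https://verify.localhost.pomerium.io", "to": "http://verify:8000"}]


def route_hosts(routes):
    """Hostnames Pomerium matches requests against: the host part of each route's 'from' URL."""
    return {urlsplit(r["from"]).hostname for r in routes}


def unmatched_requests(log_text, routes):
    """Return (authority, path, details) for every http-request entry whose Host header
    matches no configured route; Envoy reports these as route_not_found with a 404."""
    hosts = route_hosts(routes)
    found = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("message") != "http-request":
            continue  # control-plane chatter, not a proxied request
        authority = entry.get("authority", "").split(":")[0]  # drop an explicit port
        if authority not in hosts:
            found.append((authority, entry.get("path"), entry.get("response-code-details")))
    return found


def jwks_problems(body):
    """Check a /.well-known/pomerium/jwks.json body. 'keys' must be a non-empty list of
    signing keys carrying kty/alg/kid; {"keys":null} means no signing key is loaded yet."""
    keys = json.loads(body).get("keys")
    if not keys:
        return ["no signing keys published (keys is null or empty)"]
    problems = []
    for i, key in enumerate(keys):
        for field in ("kty", "alg", "kid"):
            if field not in key:
                problems.append(f"key[{i}] missing {field}")
        if key.get("use", "sig") != "sig":
            problems.append(f"key[{i}] is not a signing key")
    return problems
```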

Hi Denis,

thanks for looking into it.
Indeed the pomerium.io nslookup fails.

I then changed the FROM to https://localhost and get the following output when executing
curl -kv https://localhost/.well-known/pomerium/jwks.json

*   Trying [::1]:443...
* Connected to localhost (::1) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: O=Pomerium
*  start date: Dec  1 00:00:00 2022 GMT
*  expire date: Dec  1 00:00:00 2050 GMT
*  issuer: O=Pomerium; CN=Pomerium PSK CA
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://localhost/.well-known/pomerium/jwks.json
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: localhost]
* [HTTP/2] [1] [:path: /.well-known/pomerium/jwks.json]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
> GET /.well-known/pomerium/jwks.json HTTP/2
> Host: localhost
> User-Agent: curl/8.4.0
> Accept: */*
> 
< HTTP/2 200 
< accept-ranges: bytes
< cache-control: max-age=60
< content-length: 13
< content-type: application/json
< etag: "f18df205c6b62eae"
< vary: Accept-Encoding,Origin
< date: Sat, 23 Mar 2024 12:38:53 GMT
< x-envoy-upstream-service-time: 6
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< server: envoy
< x-request-id: ac412a89-656d-4319-ac91-d53e6e944afc
< 
* Connection #0 to host localhost left intact
{"keys":null}%

working now after restart. Thanks.