Skip to main content

From

Summary

From is the externally accessible URL for the proxied request.

Specifying tcp+https for the scheme enables TCP proxying support for the route. You may map more than one port through the same hostname by specifying a different :port in the URL.

How to configure

The URL must contain a scheme and hostname and cannot contain a path.

danger

Only secure schemes (https and tcp+https) are supported.

YAML/JSON settingTypeSchemesUsage
fromURLhttps, tcp+httpsrequired

Examples

routes:
- from: https://verify.corp.example.com
- to: https://example.com

# TCP
routes:
- from: tcp+https://ssh.corp.example.com:22
- to: tcp://example.com:22

Wildcard From Routes

caution

Kubernetes: Wildcard From Routes in Kubernetes are unofficially supported because Pomerium's implementation behaves differently than what Kubernetes defines in their documentation. See Wildcard Hostnames for more information.

Wildcard From Routes supports the use of a wildcard asterisk (*) placed anywhere within the domain name portion of a from URL.

Defining a from route with * will point any matching routes to the defined To route. This eliminates the need to define multiple near-identical routes in your configuration. (Autocert will be disabled for hosts that use Wildcard From Routes.)

For example:

# Before:
routes:
- from: https://a.example.com
to: https://example.com
- from: https://b.example.com
to: https://example.com
- from: https://c.example.com
to: https://example.com
- from: https://d.example.com
to: https://example.com
- from: https://e.example.com
to: https://example.com

# After
routes:
- from: https://*.example.com
to: https://example.com

# Or

routes:
- from: tcp+https://*.example.com:22
to: tcp://example.com:22

Wildcard processing behavior

Pomerium processes routes in the order they are defined in the configuration file. However, routes which don't contain wildcards (*) may take precedence over routes which do contain wildcards.

For example, given the routes below, if you send a request to foo.example.com, Pomerium would redirect the request to 1.example.com.

If you send a request to bar.example.com (a non-wildcard route), Pomerium would redirect the request to 2.example.com.

routes:
- from: https://*.example.com
to: http://1.example.com
- from: https://bar.example.com
to: http://2.example.com