Page: https://www.pomerium.com/docs/deploy/core/upgrading
What's incorrect or missing
My understanding is that v0.21 introduced a new requirement that the proxy needs to be able to make HTTP requests to the authenticate service (to fetch the HPKE public key). This can potentially cause problems in a few scenarios (the "hairpin NAT" problem, or if TLS is terminated by another reverse proxy in front of Pomerium, or possibly some other Docker networking setups that I don't understand very well).
I think this is the common issue behind:
We should probably call out this issue in the Upgrading guide.
What's the resolution?
Add a section describing the new requirement, with examples of common issues. I think most issues can be fixed by setting authenticate_internal_service_url appropriately, but this may require some further research.