FEAT: Supporting non-standard ports

[venkatamutyala]

Is your feature request related to a problem? Please describe.

Yes.

A clear and concise description of what the problem is.

It seems like pomerium can only support standard ports 80 and 443. If i do example.com:8443 it'll give me a 404.

Describe the solution you'd like

I'd like to be able to specify 8443 or another non-standard port

Describe alternatives you've considered

This works in curl but i don't think i can easily recreate this in a popular browser (ex. chrome):

curl --header 'Host: example.com' https://example.com:9096

Explain any additional use-cases

I'd like to keep port 80/443 for apps that use ingress-nginx ingress controller and i'd like to avoid having to get a second ipv4 address just to use pomerium

Additional context Related:

• https://github.com/pomerium/pomerium/issues/3808
• https://github.com/pomerium/pomerium/issues/959

[calebdoxsey]

@venkatamutyala you can have Pomerium listen on a different port using the address option. Does this fix your issue?

[venkatamutyala]

Thanks @calebdoxsey. It looks like it's not customizable in kubernetes. Is that accurate? I'm currently using your kustomize deployment method. Do i just need to shove that environment variable into the container some how?

[calebdoxsey]

Hi @venkatamutyala

I think you can adjust the LoadBalancer service:

apiVersion: v1
kind: Service
metadata:
  name: pomerium-proxy
spec:
  type: LoadBalancer
  ports:
    - port: 443
      targetPort: https
      protocol: TCP
      name: https
    - name: http
      targetPort: http
      protocol: TCP
      port: 80

Changing 443 to 8443 would mean incoming URLs would come on example.com:8443 and then the route should match.

[venkatamutyala]

I appreciate the help. I just tried implementing this using port 9096 and i am still getting a route_not_found error:

[venkatamutyala]

I also tried updating the deployment of the pomerium ingress container to have the env variable ADDRESS = 9096 and same issue

[calebdoxsey]

In Kubernetes Pomerium runs on port 8443. The behavior you're seeing doesn't make sense to me. I will attempt to reproduce this setup.

[calebdoxsey]

Ok I see the issue. Ingress rules do not support port numbers in the host field. Pomerium requires non-443 routes to have the port number in their from field. This is an incompatibility between ingress definitions and what Pomerium supports.

[calebdoxsey]

I have moved this issue to the ingress controller repository.

[venkatamutyala]

Thanks.

[calebdoxsey]

Related: https://github.com/pomerium/pomerium/issues/4460

Adding an option to ignore the port for matching would fix this issue as well.

[kenjenkins]

Yes, let's investigate the feasibility of adding a config option to ignore the port.