Add Pomerium passthrough for git HTTP protocol and Forgejo API

Allows git push/pull and Docker registry token exchange to bypass Pomerium browser auth - Forgejo handles authentication natively for these endpoints. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 18:13:21 -04:00 · 2026-04-08 18:13:21 -04:00 · f29a8833de
commit f29a8833de
parent 0dee133377
1 changed files with 18 additions and 1 deletions
--- a/pomerium-allinone.yaml
+++ b/pomerium-allinone.yaml
@ -83,7 +83,24 @@ spec:
              preserve_host_header: true
              allow_public_unauthenticated_access: true

-            # Forgejo Git - requires authentication
+            # Forgejo Git HTTP protocol (push/pull - Forgejo handles auth)
+            - from: https://git.nge6.com
+              to: http://forgejo-http.forgejo.svc.cluster.local:3000
+              regex: /.+/info/refs
+              preserve_host_header: true
+              allow_public_unauthenticated_access: true
+            - from: https://git.nge6.com
+              to: http://forgejo-http.forgejo.svc.cluster.local:3000
+              regex: /.+/git-upload-pack
+              preserve_host_header: true
+              allow_public_unauthenticated_access: true
+            - from: https://git.nge6.com
+              to: http://forgejo-http.forgejo.svc.cluster.local:3000
+              regex: /.+/git-receive-pack
+              preserve_host_header: true
+              allow_public_unauthenticated_access: true
+
+            # Forgejo Git web UI - requires authentication
            - from: https://git.nge6.com
              to: http://forgejo-http.forgejo.svc.cluster.local:3000
              preserve_host_header: true