Run ToolJet with Docker
Run Pomerium with Docker Compose to secure your ToolJet application.
What is ToolJet?
ToolJet is a self-hosted, low-code platform that helps you build and deploy internal developer tools.
Why use Pomerium with ToolJet?
Pomerium can secure ToolJet by applying policy to your routes that only grants access to ToolJet to certain users.
ToolJet provides its own RBAC-based permissions and several user authentication flows, so proxied requests will require users to sign in twice.
Before you begin
To complete this guide, you need:
Set up Pomerium
- Core
- Enterprise
Create a config.yaml
file and add the following code:
authenticate_service_url: https://authenticate.localhost.pomerium.io
idp_provider: github
idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME
# Update the signing key: https://www.pomerium.com/docs/reference/signing-key
signing_key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSURRemVZWDZyT2tuemFnTjRJVTYxaEtRc3pzY1EvRllmbzZPcXhWd2YvdGZvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFc1V0V2psYXZ3eHprSU9DVUNDeFVnTDJza2NjL3QxSTFmQXlxUDgrMWw5YU1CWDlzdm1pYgpRajJxcWFUbUJZZWhuQzhmak5LODZmVXhpc3d1SXN5bnp3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
routes:
- from: https://verify.localhost.pomerium.io
to: http://verify:8000
policy:
- allow:
or:
- email:
is: user@example.com
pass_identity_headers: true
- from: https://tooljet.localhost.pomerium.io
to: http://tooljet:80
host_rewrite_header: true
policy:
- allow:
or:
- email:
is: user@example.com
Next, you need to:
- Update the IdP configuration variables with your own (See the GitHub guide for more information)
- Replace user@example.com with the email associated with your IdP
- Generate a signing key
To generate a signing key, use the commands below:
# Generates a P-256 (ES256) signing key
openssl ecparam -genkey -name prime256v1 -noout -out ec_private.pem
# Prints the base64 encoded value of the signing key
cat ec_private.pem | base64
Add the base64-encoded signing key to the signing_key
variable in your config.yaml
file.
Add Pomerium services to Docker Compose
Update docker-compose.yaml
with the following configuration:
networks:
main: {}
services:
pomerium:
image: cr.pomerium.com/pomerium/pomerium:latest
volumes:
## Mount your config file: https://www.pomerium.com/docs/reference/
- ./config.yaml:/pomerium/config.yaml:ro
ports:
- 443:443
## A network alias is only required when using `localhost.pomerium.io`
networks:
main:
aliases:
- authenticate.localhost.pomerium.io
## https://verify.localhost.pomerium.io --> Pomerium --> http://verify
verify:
networks:
main: {}
image: cr.pomerium.com/pomerium/verify:latest
expose:
- 8000
tooljet:
networks:
main: {}
tty: true
stdin_open: true
image: tooljet/tooljet-ce:latest
restart: always
env_file: .env
ports:
- 80:80
depends_on:
- postgres
environment:
SERVE_CLIENT: "true"
PORT: "80"
command: npm run start:prod
postgres:
networks:
main: {}
image: postgres:13
restart: always
ports:
- 5432:5432
volumes:
- postgres:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD=postgres
volumes:
postgres:
driver: local
driver_opts:
o: bind
type: none
device: ${PWD}/postgres_data
certs:
logs:
fallbackcerts:
This configuration also includes the Docker image to run ToolJet.
Set up ToolJet
In the root folder of your project, create a folder called postgres_data
to run ToolJet's in-built PostgreSQL database:
mkdir postgres_data
Add a .env
file pre-populated with ToolJet's environment variables:
curl -LO https://raw.githubusercontent.com/ToolJet/ToolJet/main/deploy/docker/.env.example
mv .env.example .env
In your .env
file, make the following changes:
- Update
LOCKBOX_MASTER_KEY
andSECRET_KEY_BASE
following ToolJet's environment variable docs - Replace
TOOLJET_HOSTNAME
with your Pomerium external route URL instead
For example:
TOOLJET_HOSTNAME=https://tooljet.localhost.pomerium.io
Keep the default values for the database configuration and the other environment variables.
Run ToolJet
Run docker compose up
to run your Pomerium and ToolJet containers.
In your terminal, wait until ToolJet is in a ready state:
In your browser, go to the external ToolJet URL to set up your workspace.
Pomerium Enterprise
This guide assumes you can access the Enterprise Console.
The Docker Compose configuration in the Enterprise portion of this guide uses same implementation as the Enterprise Quickstart.
The Enterprise Console configuration in this guide consists of three files:
config.yaml
console-config.yaml
docker-compose.yaml
In your config.yaml
file, add the following code:
idp_provider: REPLACE_ME
idp_provider_url: REPLACE_ME
idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME
signing_key: REPLACE_ME
routes:
- from: https://verify.localhost.pomerium.io
to: http://verify:8000
pass_identity_headers: true
policy:
- allows:
or:
- email:
is: user@example.com
- from: https://console.localhost.pomerium.io
to: http://pomerium_console:8701
pass_identity_headers: true
policy:
- allows:
or:
- email:
is: user@example.com
Next, you need to:
- Update the IdP configuration variables with your own (See the GitHub guide for more information)
- Replace user@example.com with the email associated with your IdP
- Generate a signing key
To generate a signing key, use the commands below:
# Generates a P-256 (ES256) signing key
openssl ecparam -genkey -name prime256v1 -noout -out ec_private.pem
# Prints the base64 encoded value of the signing key
cat ec_private.pem | base64
Add the base64-encoded signing key to the signing_key
variable in your config.yaml
file.
Add Console services to Docker Compose
Update your docker-compose.yaml
file with the following configuration:
networks:
main: {}
services:
pomerium:
image: cr.pomerium.com/pomerium/pomerium:v0.21.1
volumes:
- ./config.yaml:/pomerium/config.yaml:ro
ports:
- 443:443
networks:
main:
aliases:
- authenticate.localhost.pomerium.io
environment:
- AUTHENTICATE_SERVICE_URL=https://authenticate.localhost.pomerium.io
- COOKIE_SECRET=j9jZgysWVxCs3uqbmw9a2LxWwz1ZPLKQZ8v20eoDT8Y=
- SHARED_SECRET=mxGl062SqkrbQKvqG9R2jqHqxq1Oi1BNj2AAeZHNq7c=
- DATABROKER_STORAGE_TYPE=postgres
- DATABROKER_STORAGE_CONNECTION_STRING=postgresql://postgres:postgres@database/postgres?sslmode=disable
pomerium_console:
networks:
main:
depends_on:
database:
condition: service_healthy
pomerium:
condition: service_started
image: docker.cloudsmith.io/pomerium/enterprise/pomerium-console:v0.21.0
command:
- 'serve'
- '--config'
- '/pomerium/console-config.yaml'
expose:
- 8701
- 9090
environment:
- AUDIENCE=console.localhost.pomerium.io
- DATABASE_ENCRYPTION_KEY=tXBj4gGDj45m8cW7ehhcy5lRuxsEeNl0X/nnsN5YJPw=
- DATABROKER_SERVICE_URL=http://pomerium:5443
- SHARED_SECRET=mxGl062SqkrbQKvqG9R2jqHqxq1Oi1BNj2AAeZHNq7c=
- DATABASE_URL=postgresql://postgres:postgres@database/postgres?sslmode=disable
- PROMETHEUS_LISTEN_ADDR=:9090
- PROMETHEUS_DATA_DIR=/data
- SIGNING_KEY=REPLACE_ME
volumes:
- metrics:/data:rw
- ./console-config.yaml:/pomerium/console-config.yaml:ro
database:
networks:
main: {}
image: postgres:latest
restart: always
healthcheck:
test: ['CMD-SHELL', 'pg_isready -d postgres -U postgres']
interval: 5s
timeout: 5s
retries: 5
start_period: 30s
environment:
- POSTGRES_USER=postgres
- POSTGRES_PASSWORD=postgres
- POSTGRES_DB=postgres
expose:
- 5432
volumes:
- pgdata:/var/lib/postgresql/data
verify:
networks:
main: {}
image: cr.pomerium.com/pomerium/verify:latest
expose:
- 8000
restart: always
tooljet:
networks:
main: {}
tty: true
stdin_open: true
image: tooljet/tooljet-ce:latest
restart: always
env_file: .env
ports:
- 80:80
- 8082:8082
depends_on:
- postgres
environment:
SERVE_CLIENT: "true"
PORT: "80"
command: npm run start:prod
postgres:
networks:
main: {}
image: postgres:13
restart: always
ports:
- 5433:5432
volumes:
- postgres:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD=postgres
volumes:
pgdata:
metrics:
postgres:
driver: local
driver_opts:
o: bind
type: none
device: ${PWD}/postgres_data
certs:
logs:
fallbackcerts:
Add the signing key you generated in config.yaml
to the SIGNING_KEY
environment variable.
Add the following configuration settings to console-config.yaml
and replace the values with your own:
administrators: admin@example.com
license_key: YOUR_LICENSE_KEY
Set up ToolJet
In the root of your project, create a folder called postgres_data
to run ToolJet's in-built PostgreSQL database:
mkdir postgres_data
Add a .env
file pre-populated with ToolJet's environment variables:
curl -LO https://raw.githubusercontent.com/ToolJet/ToolJet/main/deploy/docker/.env.example
mv .env.example .env
In your .env
file, make the following changes:
- Update
LOCKBOX_MASTER_KEY
andSECRET_KEY_BASE
following ToolJet's environment variable docs. - Replace
TOOLJET_HOSTNAME
with your Pomerium external route URL instead.
For example:
TOOLJET_HOSTNAME=https://tooljet.localhost.pomerium.io
Keep the default values for the database configuration and the other environment variables.
Build a route and policy
Run docker compose up
and go to your Console dashboard.
In your Enterprise Console, create a policy:
- Name your policy (for example, tooljet), then select the Builder tab
- Select ADD ALLOW BLOCK, then select the + icon to add an OR operator
- In the Criteria field, select Email
- In the Value field, enter the email address associated with your IdP
Save your policy.
Create an external route to access ToolJet:
- Name your route and enter the external route in the from: field
- Enter the scheme and hostname in the to: field
- In the Policies field, select the policy you built for ToolJet
- Select Pass Identity Headers
Configure your route to rewrite the host header:
- Select Headers from the sidebar
- In the Host Headers dropdown, select Rewrite to Header
- In the Host Rewrite to Header field, enter the external route without the protocol
Save your route.
Access ToolJet from Console
In your terminal, wait until ToolJet is in a ready state:
In your browser, go to the external ToolJet URL to set up your workspace.
Set up ToolJet workspace
Set up your admin account:
Set up your workspace:
Skip the prompts asking for your company information.
You should now be in your ToolJet dashboard.
Invite a user
To invite a user:
- Select Workspace settings (the Gear icon)
- In the Users & Permissions window, select Invite new user
- Enter their details and select Create User
- Copy their invite link
Open the link in a new tab:
Create a password and accept the invite to log in to the workspace.
From here, you can sign in as an admin and create apps within a workspace, create new workspaces, build apps within a given workspace, and configure workplace permissions to manage access and privileges for users and groups within ToolJet.