pomerium / pomerium / 24369764509

52%

Build Type

push

github

Committed by web-flow

Commit Message

feat: add unix socket support for target resources (#6259)

## Summary

Add support for unix:// and unix+https:// URL schemes to route to Unix
domain sockets as upstream destinations.

## Related issues

- #6246

## User Explanation

Pomerium currently only supports TCP/UDP host-based upstreams. Many
services (Docker, PostgreSQL, Redis, Nginx, etc.) expose Unix domain
sockets as an alternative to network ports.

Benefits:

1. Direct socket access - Route to Unix sockets like
unix:///var/run/docker.sock without needing a network port, reducing
attack surface and latency.
2. TLS support - The unix+https:// scheme enables TLS-encrypted
connections to Unix socket services that support HTTPS over Unix sockets
(e.g., nginx with proxy_protocol).
3. Protocol auto-detection - unix:// uses HTTP/1.1, while unix+https://
leverages existing ALPN-based protocol detection (HTTP/1.1 or HTTP/2).
4. Security - Unix sockets can use filesystem permissions for access
control instead of network-level restrictions.
5. Consistent with existing patterns - Follows the same scheme mixing
rules as TCP/UDP upstreams.

Example use case:
```
routes:
  - from: https://secure.internal.example.com
    to: unix+https:///run/nginx-tls.sock
```

## Checklist

- [x] reference any related issues
- [x] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review

Coverage Stats

25 of 40 new or added lines in 6 files covered. (62.5%)

33 existing lines in 13 files now uncovered.

35134 of 77301 relevant lines covered (45.45%)

114.08 hits per line