
Overview
Pomerium is an open-source identity-aware access proxy that adds authentication and authorization in front of any internal web application. It integrates with identity providers (Google, Okta, Azure AD, GitHub, etc.) via OAuth2/OIDC and enforces policy-based access control before traffic reaches upstream services. Originally a successor to the deprecated oauth2_proxy, it supports context-aware policies based on user identity, groups, and device state. It deploys as a single Go binary or via Docker/Kubernetes with official Helm charts.
Where it falls short of Heroku
- No application deployment or hosting capabilities; purely an access proxy layer
- Policy configuration via YAML can be complex; lacks a full-featured web UI in the open-source edition
- Device posture checking and some enterprise features require the commercial Pomerium Zero/Enterprise tier
- Setup complexity is significantly higher than simpler tools like Nginx Proxy Manager for basic use cases
We list the gaps honestly so you can decide if the trade-off is worth owning your data.
Similar open-source projects
Other self-hostable tools in the same space worth comparing.
Automatic HTTPS web server and reverse proxy with zero config TLS
Cloud-native HTTP reverse proxy and load balancer for microservices
Self-hostable Heroku/Netlify alternative for apps, databases, and services
Modern Linux server and web-app management panel with app store deploys