Using Pomerium as a reverse proxy

Last updated:

|Edit this page

On this page

Note: The following self-hosted proxy isn't provided by PostHog, so we can't take responsibility for it! If unsure, we recommend using our managed reverse proxy.

Note: If you are using the EU cloud then use eu instead of us in all domains (e.g. us.i.posthog.com -> eu.i.posthog.com)

Pomerium is an identity-aware proxy that can be used to securely proxy traffic to PostHog. This guide will show you how to configure Pomerium as a reverse proxy for PostHog.

Set up with Pomerium Zero

The assumption is you've already set up Pomerium Zero.

1. Create an Optional Allow All Policy

  1. Log in to Pomerium Zero.
  2. Click on Manage -> Policies in the side bar.
  3. Click the New Policy button to create a new policy.

new policy button

  1. Name the policy allow all or something similar.
  2. Set the Policy Enforcement field to Optional.
  3. In the Overrides section, enable Public Access.
  4. Click the Save Policy button to save the policy.
  5. The allow all policy has been created.

Pomerium Zero create new policy form

2. Create the main PostHog Route

  1. Click on the New Route button to create a new route.
  2. Select Custom Route from the list of route types.

Pomerium Zero create routes button with options for guided routes and a custom route

  1. Name the Route PostHog
  2. Set the From field to, e.g. https://e.some-name.pomerium.app
  3. Set the To field to https://us.i.posthog.com.
  4. In the Policies drop down, select the allow all policy created so the analytics will run for everyone.
  5. Click the Save Route button to save the route.

Pomerium Zero create route form with settings for the main PostHog route

3. Create the PostHog Assets Route

  1. Click on the New Route button to create a new route.
  2. Select Custom Route from the list of route types.
  3. Name the Route PostHog Assets
  4. Set the From field to, e.g. https://e.some-name.pomerium.app
  5. Set the To field to https://us-assets.i.posthog.com.
  6. In the Policies drop down, select the allow all policy created so the analytics will run for everyone.
  7. Click on the Path Matching link in the edit route side bar.
  8. Set the Prefix field to /static.

Pomerium Zero create route form with settings for the PostHog assets route configuration for path matching set to /static

  1. Click the Save Route button to save the route

Pomerium Zero create route form with settings for the PostHog assets route configuration

Pomerium Zero is now configured to proxy PostHog.

Set up with Pomerium Core

Assuming Pomerium Core is set up, open your config.yaml to configure Pomerium to proxy requests to PostHog by adding the following routes to your Pomerium config file:

YAML
routes:
  - from: https://e.some-name.pomerium.app
    to: https://us.i.posthog.com
    policy:
      - allow:
          or:
            - public: true
    name: "PostHog"


  - from: https://e.some-name.pomerium.app
    to: https://us-assets.i.posthog.com
    prefix: "/static"
    policy:
      - allow:
          or:
            - public: true
    name: "PostHog Assets"


# rest of your configuration

Use the Pomerium URL in your PostHog initialization

Once everything is configured, set the the API host to e.g. https://e.some-name.pomerium.app in your PostHog initialization like this:

JavaScript
posthog.init('<ph_project_api_key>',
  {
    api_host: 'https://e.some-name.pomerium.app',
  }
)

Questions? Ask Max AI.

It's easier than reading through 573 docs articles.

Community questions

Was this page useful?

Next article

Using Remix API routes as a reverse proxy

If you are using Remix, you can use API routes to set up a reverse proxy. Create a file ingest.$.tsx in the routes folder. In this file, set up code to match requests to a custom route, set a new host header, change the URL to point to PostHog, and rewrite the response. Once done, configure the PostHog client to send requests via your rewrite.

Read next article