Merge branch 'main' into 1.14.0

This commit is contained in:
miloschwartz
2025-12-21 16:17:43 -05:00
10 changed files with 73 additions and 39 deletions


@@ -278,6 +278,10 @@
{
"source": "/community/:slug*",
"destination": "/self-host/:slug*"
},
{
"source": "/manage/resources/tcp-udp-resources",
"destination": "/manage/resources/public/raw-resources"
}
],
"seo": {
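Review bot: the new redirect for `/manage/resources/tcp-udp-resources` is an exact-path rule, unlike the `/community/:slug*` entry directly above it, so any sub-path under the old TCP/UDP page would not be caught. If that page had children, add a `:slug*` variant; if it was a single page, this is fine as is.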

File diff suppressed because one or more lines are too long

Image changed: 156 KiB before, 53 KiB after (width and height not rendered).


@@ -20,7 +20,7 @@ Users access public resources through any web browser with authentication. Users
Learn about the fundamentals of Pangolin and how they work together to provide simple and secure remote access.
</Card>
<Card title="Pangolin vs. Reverse Proxy vs. VPN" icon="brain" href="/about/how-pangolin-works">
<Card title="Pangolin vs. Reverse Proxy vs. VPN" icon="book" href="/about/pangolin-vs-reverse-proxy-vs-vpn">
What are the similarities and differences between Pangolin and traditional reverse proxies and VPNs?
</Card>
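Review bot: the old href pointed at `/about/how-pangolin-works`, the same target as the card directly above it, so the change to `/about/pangolin-vs-reverse-proxy-vs-vpn` is the right fix. Worth confirming that page exists in the navigation, since the redirect hunk in this commit does not add an entry for it.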


@@ -134,7 +134,7 @@ This table compiles paths that need to be allowed for various apps to work with
| **Notifications** | |
| Gotify | `/version`<br />`/message`<br />`/application`<br />`/client`<br />`/stream`<br />`/plugin`<br />`/health` |
| **Home Automation** | |
| Home Assistant | `/api/*`<br />`/auth/*`<br />`/frontend_latest/*`<br />`/lovelace*`<br />`/static/*`<br />`/hacsfiles/*`<br />`/local/*` |
| Home Assistant | `/api/*`<br />`/auth/*`<br />`/frontend_latest/*`<br />`/lovelace/*`<br />`/static/*`<br />`/hacsfiles/*`<br />`/local/*`<br />`/manifest.json`<br />`/sw-modern.js` |
| n8n | `/webhook-test/*/webhook`<br />`/webhook/*/webhook` |
| **Project Management** | |
| Jetbrains Youtrack | `/api/*`<br />`/hub/api/*`<br /> |
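Review bot: changing `/lovelace*` to `/lovelace/*` narrows the match. The old pattern also matched the bare `/lovelace` path; the new one only matches sub-paths. If Home Assistant ever links to `/lovelace` without a trailing segment, that request will no longer be allowed, so either keep `/lovelace` alongside `/lovelace/*` or confirm the bare path is never requested. The two added exact paths `/manifest.json` and `/sw-modern.js` look right.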


@@ -49,7 +49,7 @@ YAML config can be applied using Docker labels, API, from a Newt site, or in the
You can also apply blueprints directly through the Pangolin API with an API key. [Take a look at the API documentation for more details.](https://api.pangolin.net/v1/docs/#/Organization/put_org__orgId__blueprint)
POST to `/org/{orgId}/blueprint` with a base64 encodes JSON body like the following:
PUT to `/org/{orgId}/blueprint` with a base64 encodes JSON body like the following:
```json
{
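Review bot: the method change from POST to PUT now matches the linked API doc anchor `put_org__orgId__blueprint`. While touching this line, `a base64 encodes JSON body` should read `a base64-encoded JSON body`.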
@@ -191,6 +191,10 @@ private-resources:
For containerized applications, you can define blueprints using Docker labels.
<Note>
Blueprints will **continuously apply** from changes in the docker stack, newt restarting, or when viewing the resource in the dashboard.
</Note>
### Enabling Docker Socket Access
To use Docker labels, enable the Docker socket when running Newt:
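Review bot: "continuously apply from changes in the docker stack" does not say what happens when a label is removed rather than changed: does the setting revert to its default, or does the last applied value stay? That matters for the access-control keys this file documents (`sso-enabled`, `sso-roles`, `whitelist-users`), because deleting a label could re-open a resource. The note should state which behaviour applies.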
@@ -207,6 +211,10 @@ DOCKER_SOCKET=/var/run/docker.sock
### Docker Compose Example
<Note>
The compose file will be the source of truth, any edits through the resources dashboard will be **overwritten** by the blueprint labels defined in the compose stack.
</Note>
```yaml
services:
newt:
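Review bot: the overwrite warning should spell out that authentication settings are included. The blueprint keys listed later in this file (`basic-auth`, `sso-enabled`, `sso-roles`, `sso-users`, `whitelist-users`) are exactly the ones an operator is likely to tighten in the dashboard and then lose on the next reconcile. A sentence such as "This includes auth and access rules; change them in the labels, not in the dashboard" would prevent a silent rollback.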
@@ -362,7 +370,7 @@ Not allowed on TCP/UDP resources.
| `basic-auth` | object | No | Basic authentication configuration | Requires `user` and `password` fields |
| `sso-enabled` | boolean | No | Enable SSO authentication | Defaults to `false` |
| `sso-roles` | array | No | Allowed SSO roles | Cannot include "Admin" role |
| `sso-users` | array | No | Allowed SSO user emails | Must be valid email addresses |
| `sso-users` | array | No | Allowed SSO usernames | Must be valid usernames |
| `whitelist-users` | array | No | Whitelisted user emails | Must be valid email addresses |
| `auto-login-idp` | number | No | Automatic login identity provider ID | Must be a positive integer |
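Review bot: `sso-users` now takes usernames while `whitelist-users` on the next row still takes email addresses. If that asymmetry is intended, say so in the description: a reader skimming the table will put emails in both fields, and the table gives no hint how a non-matching entry is treated.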


@@ -130,7 +130,7 @@ curl -fsSL https://static.pangolin.net/get-olm.sh | bash
#### Windows
If you would like to use Olm on Windows, wintun.dll is required. Please use latest installer from [GitHub releases](https://github.com/fosrl/olm/releases/latest).V
If you would like to use Olm on Windows, wintun.dll is required. Please use latest installer from [GitHub releases](https://github.com/fosrl/olm/releases/latest).
#### Manual Download
@@ -190,6 +190,8 @@ services:
container_name: olm
restart: unless-stopped
network_mode: host
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
environment:
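Review bot: `cap_add: NET_ADMIN` combined with `network_mode: host` gives the container administrative control of the host's network stack, not just its own namespace. Pair it with `cap_drop: - ALL` placed before `cap_add` so the container keeps only NET_ADMIN instead of Docker's default capability set plus NET_ADMIN, and apply the same pairing in the second compose example in this file.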
@@ -207,6 +209,8 @@ services:
container_name: olm
restart: unless-stopped
network_mode: host
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
command:
@@ -218,6 +222,7 @@ services:
**Docker Configuration Notes:**
- `network_mode: host` brings the olm network interface to the host system, allowing the WireGuard tunnel to function properly
- `cap_add: - NET_ADMIN` is required to grant the container permission to manage network interfaces
- `devices: - /dev/net/tun:/dev/net/tun` is required to give the container access to the TUN device for creating WireGuard interfaces
### Windows Service
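Review bot: the new `cap_add` bullet says the capability is needed to manage network interfaces; since the bullet above it documents `network_mode: host`, add that with host networking NET_ADMIN applies to the host's interfaces and routing table, so the olm container should be treated as a privileged component of the host rather than an isolated service.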


@@ -47,7 +47,7 @@ Examples include:
- **CICD**: Access remote resources like a database in an automated deployment pipeline.
- **Servers**: Provide a VPS with access to a resource running in a different network.
Though you may connect a server via a user account using a CLI client, we reccomend you specifically use a machine client.
Though you may connect a server via a user account using a CLI client, we recommend you specifically use a machine client.
Machine clients authenticate with an ID and secret string. These credentials are passed via arguments into one of the supported Pangolin CLI clients. They can be revoked and rotated.
@@ -61,7 +61,9 @@ Clients can relay traffic through a Pangolin server - through Gerbil specificall
### NAT Hole Punching
While functional, it does not always connect reliably and can fall back to relaying. We plan to work to improve the reliability over time by implementing more methods for those behind CGNAT or hard nats.
NAT hole punching establishes a direct peer-to-peer connection between the client and site, bypassing the need to route traffic through the Pangolin server. The server coordinates the initial connection by helping both peers discover each other's network addresses, allowing them to establish a direct tunnel through their respective NATs and firewalls.
If the site and client are unable to hole punch, they fall back to relaying through your Pangolin server.
Take a look at [some things you can do to improve reliability](/manage/sites/configure-site#nat-traversal-tweaks) if you are not getting reliable hole punching.
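Review bot: the rewritten paragraph drops the removed line's caveat that hole punching is unreliable for peers behind CGNAT or hard NATs, which is the very case the `/manage/sites/configure-site#nat-traversal-tweaks` link addresses. Put that qualifier back in the sentence before the link so readers know when to expect the relay fallback.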


@@ -107,12 +107,6 @@ description: "Configure Newt for connecting to Pangolin sites"
**Default**: `false` (clients enabled)
</ResponseField>
<ResponseField name="native" type="boolean">
Use native WireGuard interface (requires WireGuard kernel module and Linux, must run as root).
**Default**: `false` (uses userspace netstack)
</ResponseField>
<ResponseField name="interface" type="string">
Name of the WireGuard interface.
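Review bot: the `native` option (and its `USE_NATIVE_INTERFACE` environment variable further down) is removed from the reference without a deprecation or replacement note. A user already running Newt with `--native` who lands here cannot tell whether the flag is gone, ignored, or now the default; add a one-line removal remark with the actual version, or a pointer to the changelog.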
@@ -277,12 +271,6 @@ When both environment variables and CLI arguments are provided, CLI arguments ta
**Default**: `false`
</ResponseField>
<ResponseField name="USE_NATIVE_INTERFACE" type="boolean">
Use native WireGuard interface (Linux only, equivalent to `--native`)
**Default**: `false`
</ResponseField>
<ResponseField name="INTERFACE" type="string">
Name of the WireGuard interface (equivalent to `--interface`)


@@ -54,3 +54,37 @@ gerbil:
```
</Step>
</Steps>
### Getting the Real Client IP
Pangolin needs to know the original client IP address for features like rate limiting. When Cloudflare proxy is enabled, the API server sees Cloudflare's IP instead of the real client IP.
Cloudflare sets special headers with the real IP that need to be processed by Traefik before forwarding to Pangolin. Configure Traefik to parse these headers using a community plugin for Traefik: [Real IP from Cloudflare Proxy Tunnel](https://plugins.traefik.io/plugins/62e97498e2bf06d4675b9443/real-ip-from-cloudflare-proxy-tunnel).
Add the plugin to your Traefik configuration:
```yaml
experimental:
plugins:
cloudflarewarp:
moduleName: github.com/BetterCorp/cloudflarewarp
version: v1.3.0
entryPoints:
websecure:
address: ':443'
http:
middlewares:
- cloudflarewarp@file
```
This creates a middleware called `cloudflarewarp` and applies it to the `websecure` entrypoint.
Then set `trust_proxy: 2` in your Pangolin config file. This tells Pangolin to trust the second-level proxy (Traefik is proxy 1, Cloudflare is proxy 2):
1
```yaml
server:
trust_proxy: 2
```
After making these changes, restart both Traefik and Pangolin for the configuration to take effect.
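Review bot: two problems in this section. First, the config shown registers the `cloudflarewarp` plugin under `experimental.plugins` and references `cloudflarewarp@file` on the `websecure` entrypoint, but never defines that middleware; a `@file` middleware has to be declared in the file provider's dynamic configuration with the plugin's trust settings, so as written Traefik will not resolve it and the sentence "This creates a middleware called `cloudflarewarp`" is not true of the snippet. Second, `trust_proxy: 2` makes Pangolin believe the second hop in the forwarded chain, which is only safe if a client that reaches Traefik directly, bypassing Cloudflare, cannot inject that header; the section should say that the plugin must only honour Cloudflare's header when the TCP source is a Cloudflare range, or that the origin firewall should admit port 443 only from Cloudflare, otherwise the rate limiting this feature exists for can be evaded by forging the header. Also drop the stray `1` line between the `trust_proxy` paragraph and the YAML block.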


@@ -144,8 +144,6 @@ services:
restart: unless-stopped
volumes:
- ./config:/app/config
- pangolin-data:/var/certificates
- pangolin-data:/var/dynamic
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:3001/api/v1/"]
interval: "3s"
@@ -187,17 +185,12 @@ services:
volumes:
- ./config/traefik:/etc/traefik:ro # Volume to store the Traefik configuration
- ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
# Shared volume for certificates and dynamic config in file mode
- pangolin-data:/var/certificates:ro
- pangolin-data:/var/dynamic:ro
- ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs
networks:
default:
driver: bridge
name: pangolin
volumes:
pangolin-data:
```
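Review bot: removing the `pangolin-data` shared volume and its `/var/certificates` and `/var/dynamic` mounts on both services is only complete if the Traefik static configuration in the next section no longer points a file provider at `/var/dynamic` or a certificate store at `/var/certificates`. The removed comment says these existed for "file mode", so check that any mode-specific instructions referring to them are updated in the same change.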
## Traefik Static Configuration