pangolin_mirror/docs-v2
1
0
Fork 0
mirror of https://github.com/fosrl/docs-v2.git synced 2026-02-07 21:46:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

Continuing to update docs for 1.15.0

Browse Source
This commit is contained in:
Owen
2026-01-22 18:19:16 -08:00
parent 1e8820f110
commit 6c44067e2b
10 changed files with 296 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docs.json
View File

@@ -151,6 +151,7 @@
"group": "Advanced Configuration",
"pages": [
"self-host/advanced/config-file",
"self-host/advanced/private-config-file",
"self-host/advanced/wild-card-domains",
"self-host/advanced/cloudflare-proxy",
"self-host/advanced/without-tunneling",

BIN
images/cf_websocket_box.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 28 KiB

24
manage/identity-providers/add-an-idp.mdx
View File

@@ -26,6 +26,24 @@ Here is an example using Microsoft Azure Entra ID as SSO for Pangolin:
<img src="/images/create-idp.png" />
</Frame>
## Identity Provider Types
### Organization Identity Providers
Organization identity providers are configured per organization and only apply to that specific organization. Each org can have its own identity providers, allowing for authentication methods based on the organization's needs.
<Note>
In Pangolin Enterprise you must enable `use_org_only_idp` in the [private config file](/self-host/advanced/private-config-file#param-use-org-only-idp) `privateConfig.yml`.
</Note>
### Global Identity Providers
Global identity providers are managed at the server level and not the individual organization. They can apply to all or some organizations on the server. This means you must define policies per organization to map users to specific organizations and roles within those organizations.
<Tip>
Global identity providers are the only supported method in Pangolin Community.
</Tip>
## Supported Identity Providers
### OAuth2/OIDC
@@ -40,7 +58,7 @@ This can be used to connect to any external identity provider that supports the
### Google
<Note>
Google IdP is only available in Pangolin Cloud.
Google IdP is only available in Pangolin Cloud or Pangolin Enterprise with org identity providers. See above to enable.
</Note>
Easily set up Google Workspace authentication for your organization. Users can sign in with their Google accounts and access Pangolin resources using their existing Google credentials. Perfect for organizations already using Google Workspace for email, calendar, and other services.
@@ -48,7 +66,7 @@ Easily set up Google Workspace authentication for your organization. Users can s
### Azure Entra ID
<Note>
Azure Entra ID IdP is only available in Pangolin Cloud.
Azure Entra ID IdP is only available in Pangolin Cloud or Pangolin Enterprise with org identity providers. See above to enable.
</Note>
Integrate with Microsoft's enterprise identity platform to allow users to authenticate using their Azure Active Directory accounts. Ideal for organizations using Microsoft 365 or other Azure services, providing seamless single sign-on across your Microsoft ecosystem.
@@ -56,7 +74,7 @@ Integrate with Microsoft's enterprise identity platform to allow users to authen
## How to Add an Identity Provider
<Note>
In the CE and EE, identity providers are created and managed via the Server Admin UI rather than the organization settings.
When using global IDPs, identity providers are created and managed via the Server Admin UI rather than the organization settings.
</Note>
<Steps>

4
manage/identity-providers/auto-provisioning.mdx
View File

@@ -71,9 +71,7 @@ contains(groups, 'admin') && 'Admin' || 'Member'
This example will return the string "Admin". If the user is not a member of the "admin" group, it will return "Member".
## Community Edition
In the Community Edition, identity providers are managed at the server level and not the individual organization. This means you must define policies per organization to map users to specific organizations and roles within those organizations.
## Global Identity Providers
After you create an IdP, on the edit page, you can manage organization policies via the "Organization Policies" tab. You can set default (fallback) policies, or define them on a per org basis.

8
manage/identity-providers/azure.mdx
View File

@@ -3,6 +3,10 @@ title: "Azure Entra ID"
description: "Configure Azure Entra ID Single Sign-On"
---
<Note>
Azure SSO is only available on Pangolin Cloud and Enterprise deployments. In enterprise, you must enable `use_org_only_idp` in your [private config file](/self-host/advanced/private-config-file) `privateConfig.yml`.
</Note>
The following steps will integrate Microsoft SSO using the built in Azure Entra ID identity provider in Pangolin.
<iframe
@@ -58,6 +62,6 @@ In the OAuth2/OIDC Configuration, you'll need the following fields:
When you're done, click "Create Identity Provider". Then, copy the Redirect URL in the "General" tab as you will now need this for your app registration.
## Returning to Google Developers Console
## Returning to Azure
Lastly, you'll need to return to your app registration in order to add the redirect URI created by Pangolin. On the "Overview" tab, click "Add a Redirect URI". The click "Add a platform", and select "Web". Here, you can add the redirect URL from Pangolin and click "Configure". Your configuration should now be complete. You'll now need to add an external user to Pangolin, or if you have "Auto Provision Users" enabled, you can now log in using Google SSO.
Lastly, you'll need to return to your app registration in order to add the redirect URI created by Pangolin. On the "Overview" tab, click "Add a Redirect URI". The click "Add a platform", and select "Web". Here, you can add the redirect URL from Pangolin and click "Configure". Your configuration should now be complete. You'll now need to add an external user to Pangolin, or if you have "Auto Provision Users" enabled, you can now log in using Azure SSO.

4
manage/identity-providers/google.mdx
View File

@@ -3,6 +3,10 @@ title: "Google"
description: "Configure Google Single Sign-On"
---
<Note>
Google SSO is only available on Pangolin Cloud and Enterprise deployments. In enterprise, you must enable `use_org_only_idp` in your [private config file](/self-host/advanced/private-config-file#param-use-org-only-idp) `privateConfig.yml`.
</Note>
The following steps will integrate Google SSO using the built in Google identity provider in Pangolin.
<iframe

8
self-host/advanced/cloudflare-proxy.mdx
View File

@@ -131,3 +131,11 @@ server:
</Warning>
After making these changes, restart both Traefik and Pangolin for the configuration to take effect.
### Troubleshooting
If websockets are not connecting like from newt or clients, ensure that websockets are enabled in Cloudflare:
<Frame>
<img src="/images/cf_websocket_box.png" width="600" centered/>
</Frame>

12
self-host/advanced/config-file.mdx
View File

@@ -34,6 +34,9 @@ flags:
<Warning>
Generate a strong secret for `server.secret`. Use at least 32 characters with a mix of letters, numbers, and special characters.
If you need to CHANGE the server secret after the server has been started you must use the `pangctl rotate-server-secret` command to re-encrypt sensitive data. [Follow docs here](/self-host/advanced/container-cli-tool#rotate-server-secret).
</Warning>
## Reference
@@ -262,6 +265,9 @@ This section contains the complete reference for all configuration options in `c
<Warning>
Generate a strong, random secret. This is used for encrypting sensitive data and should be kept secure.
If you need to CHANGE the server secret after the server has been started you must use the `pangctl rotate-server-secret` command to re-encrypt sensitive data. [Follow docs here](/self-host/advanced/container-cli-tool#rotate-server-secret).
</Warning>
</ResponseField>
@@ -711,6 +717,12 @@ This section contains the complete reference for all configuration options in `c
</Note>
</ResponseField>
<ResponseField name="disable_product_help_banners" type="boolean">
Whether to disable product help banners in the UI at the top of screens.
**Default**: `false`
</ResponseField>
<ResponseField name="disable_config_managed_domains" type="boolean">
Whether to disable domains managed through the configuration file.

37
self-host/advanced/container-cli-tool.mdx
View File

@@ -81,3 +81,40 @@ This command performs a critical operation that affects all encrypted data in yo
- After rotation, you must restart the server for the new secret to take effect
- Using `--force` with an incorrect old secret will cause the rotation to fail or corrupt encrypted data
</Warning>
## Clear License Keys
Clear all license keys from the database:
```bash
docker exec -it pangolin pangctl clear-license-keys
```
<Warning>
This command permanently deletes all license keys from the database. This action cannot be undone.
</Warning>
## Delete Client
Delete a client and all associated data (OLMs, current fingerprint, userClients, approvals). Snapshots are preserved.
```bash
docker exec -it pangolin pangctl delete-client --orgId "org-123" --niceId "client-identifier"
```
### Options
- `--orgId` (required): The organization ID
- `--niceId` (required): The client niceId (identifier)
<Warning>
This command permanently deletes the client and its associated data:
- All OLMs (One-time Login Mechanisms) associated with the client
- Current fingerprint entries
- Approval records
- UserClient associations
**Note:** Snapshots are preserved and will not be deleted.
This action cannot be undone. Ensure you have backups if needed.
</Warning>

206
self-host/advanced/private-config-file.mdx Normal file
View File

@@ -0,0 +1,206 @@
---
title: "Private Configuration File"
description: "Configure advanced Pangolin settings using the privateConfig.yml file for enterprise features"
---
The `privateConfig.yml` file provides advanced configuration options for enterprise deployments. This file is mounted at `config/privateConfig.yml` in your Docker container.
<Note>
The private configuration file is only used on enterprise deployments. If you're using Pangolin Community, refer to the [main configuration file documentation](/self-host/advanced/config-file) instead. The private config file is not required.
</Note>
## Setting up your `privateConfig.yml`
Here's a basic example with common settings:
```yaml title="private-config.yml"
flags:
use_org_only_idp: false
branding:
app_name: "My Company Portal"
hide_auth_layout_footer: false
```
## Reference
This section contains the complete reference for all configuration options in `private-config.yml`.
### Application Settings
<ResponseField name="app" type="object">
Regional and base domain configuration for multi-region deployments.
<Expandable title="properties">
<ResponseField name="region" type="string" default="default">
The region identifier for this Pangolin instance. Used for multi-region deployments.
```yaml
app:
region: "us-east-1"
```
</ResponseField>
</Expandable>
</ResponseField>
### Server Configuration
<ResponseField name="server" type="object">
Advanced server configuration including encryption keys and API integrations.
<Expandable title="properties">
<ResponseField name="encryption_key_path" type="string" default="./config/encryption.pem" required>
Path to the RSA private key used for encrypting sensitive data. Must be at least 8 characters long. THIS IS ONLY USED WITH pangolin_dns FEATURE FLAG ENABLED AND REQUIRES EXTERNAL COMPONENTS.
```yaml
server:
encryption_key_path: "./config/encryption.pem"
```
<Warning>
The `encryption_key_path` must point to a valid RSA key file. Generate one using:
```bash
openssl genrsa -out encryption.pem 4096
```
Keep this key secure and backed up - it encrypts sensitive data in your database.
</Warning>
</ResponseField>
</Expandable>
</ResponseField>
### Redis Configuration
<ResponseField name="redis" type="object">
Redis connection settings for caching, sessions, and rate limiting. Useful for clustering Pangolin nodes.
<Expandable title="properties">
<ResponseField name="host" type="string" required>
Redis server hostname or IP address.
```yaml
redis:
host: "redis.example.com"
```
</ResponseField>
<ResponseField name="port" type="number" required>
Redis server port (1-65535).
```yaml
redis:
port: 6379
```
</ResponseField>
<ResponseField name="password" type="string">
Redis authentication password.
```yaml
redis:
password: "your-secure-password"
```
</ResponseField>
<ResponseField name="db" type="number" default="0">
Redis database number (0-15 typically).
```yaml
redis:
db: 0
```
</ResponseField>
<ResponseField name="replicas" type="array">
Array of read replica configurations for high-availability deployments.
```yaml
redis:
host: "redis-primary"
port: 6379
replicas:
- host: "redis-replica-1"
port: 6379
password: "replica-password"
db: 0
- host: "redis-replica-2"
port: 6379
password: "replica-password"
db: 0
```
<Expandable title="replica properties">
<ResponseField name="host" type="string" required>
Replica server hostname.
</ResponseField>
<ResponseField name="port" type="number" required>
Replica server port.
</ResponseField>
<ResponseField name="password" type="string">
Replica authentication password.
</ResponseField>
<ResponseField name="db" type="number" default="0">
Database number on replica.
</ResponseField>
</Expandable>
</ResponseField>
</Expandable>
</ResponseField>
### Gerbil Tunnel Configuration
<ResponseField name="gerbil" type="object">
Configuration for the Gerbil tunnel exit node integration.
<Expandable title="properties">
<ResponseField name="local_exit_node_reachable_at" type="string" default="http://gerbil:3004">
URL where the local Gerbil exit node can be reached by Pangolin. Useful when clustering multiple pangolin nodes. Overrides the value stored in the database. Useful when using Docker and address the local gerbil container using the host's address.
```yaml
gerbil:
local_exit_node_reachable_at: "http://gerbil:3004"
```
</ResponseField>
</Expandable>
</ResponseField>
### Feature Flags
<ResponseField name="flags" type="object">
Feature toggles for advanced functionality.
<Expandable title="properties">
<ResponseField name="use_org_only_idp" type="boolean" default="false">
Restrict identity provider (IdP) authentication to organization-level only.
```yaml
flags:
use_org_only_idp: true
```
</ResponseField>
<ResponseField name="enable_redis" type="boolean" default="false">
Enable Redis for caching and session management. Requires `redis` configuration.
```yaml
flags:
enable_redis: true
```
</ResponseField>
<ResponseField name="use_pangolin_dns" type="boolean" default="false">
Use Pangolin DNS servers for client connections instead of external DNS servers for DNS delegation and CNAME setups. Used for clustering Pangolin nodes. REQUIRES EXTERNAL COMPONENTS. PLEASE CONTACT SUPPORT TO OBTAIN ACCESS BEFORE ENABLING.
```yaml
flags:
use_pangolin_dns: true
```
</ResponseField>
</Expandable>
</ResponseField>
### Branding Configuration
Please refer to the [branding configuration documentation](/manage/branding).