pangolin_mirror/docs-v2
1
0
Fork 0
mirror of https://github.com/fosrl/docs-v2.git synced 2026-02-08 05:56:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add some docs about geoblocking

Browse Source
This commit is contained in:
Owen
2025-08-27 15:22:47 -07:00
parent 2fd241d0d4
commit 8e2a02d57d
6 changed files with 109 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
docs.json
View File

@@ -45,6 +45,7 @@
]
},
"manage/healthchecks-failover",
"manage/geoblocking",
{
"group": "Clients",
"pages": [
@@ -56,7 +57,7 @@
{
"group": "Access Control",
"pages": [
"manage/access-control/bypass-rules",
"manage/access-control/rules",
"manage/access-control/forwarded-headers"
]
},

BIN
images/country_rules.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 54 KiB

20
manage/access-control/bypass-rules.mdx → manage/access-control/rules.mdx
View File

@@ -1,5 +1,5 @@
---
title: "Bypass Rules"
title: "Rules"
description: "Configure rules to allow or deny access to resources without authentication"
---
@@ -13,6 +13,10 @@ Rules allow you to either "allow" and bypass the Pangolin auth system (no pin, l
<Card title="Deny Rules" icon="x">
Completely reject requests that match the rule. Useful for blocking admin paths or sensitive endpoints.
</Card>
<Card title="Pass to Auth" icon="x">
Pass requests that match the rule to the next stage for user to authenticate with SSO, password, or pin. Useful for enforcing auth on specific paths while allowing others.
</Card>
</CardGroup>
## Types of Rules
@@ -53,6 +57,20 @@ Path match rules allow URL patterns defined with plain text and wildcards (`*`)
- **Validation:**
Each pattern segment must correspond to a URL segment, and wildcards match zero or more characters within that segment. A pattern like `/blog*` only matches the first segment, so URLs with extra segments require additional placeholders (e.g., `/blog*/*`).
### Country
<Note>
Geo blocking is only available for targets created with managed nodes or in the cloud because we need to host services to resolve IP addresses and evolve it quickly as network change.
Fully self hosted users can install a [Traefik plugin](/self-host/community-guides/geoblock) for geo blocking support.
</Note>
Country match rules allow you to specify allowed or denied countries for requests based on their IP address. This is useful for geo-restrictions or compliance with regional regulations.
We use a IP database to geolocate the IP address but this is not always accurate. We try to keep it updated, but there may be cases where the location is incorrect.
Select the "ALL" option to match all countries for allowing or denying access.
### CIDR
CIDR (Classless Inter-Domain Routing) notation specifies IP address ranges using an IP address and a network prefix length. The format is [IP address]/[prefix length].

84
manage/geoblocking.mdx Normal file
View File

@@ -0,0 +1,84 @@
---
title: "Geo Blocking"
description: "Configure geo blocking to restrict access based on geographic location"
---
<Note>
Geo blocking is only available for targets created with managed nodes or in the cloud because we need to host services to resolve IP addresses and evolve it quickly as network change.
Fully self hosted users can install a [Traefik plugin](/self-host/community-guides/geoblock) for geo blocking support.
</Note>
## Benefits of Geo Blocking
Geo blocking provides several important security and compliance advantages:
### Security Benefits
- **Reduce Attack Surface**: Block access from regions with high levels of malicious activity or where you don't expect legitimate users
- **Prevent Unauthorized Access**: Limit exposure to threat actors operating from specific geographic locations
- **Compliance Requirements**: Meet regulatory requirements that restrict data access based on geographic location
- **Resource Protection**: Prevent unnecessary load on your services from regions where you don't operate
## Implementing Geo Blocking with Bypass Rules
Geo blocking in Pangolin is implemented using [bypass rules](access-control/bypass-rules) with country-based matching. You can create rules that either allow or deny access based on the visitor's country.
<Frame caption="Screenshot of resources rules from the Pangolin Dashboard.">
<img src="/images/country_rules.png" alt="Pangolin Dashboard"/>
</Frame>
### Setting Up Geo Blocking Rules
1. Navigate to your target resource and select the **Rules** tab
2. Create a new rule and select **Country** as the match type
3. Choose your rule action:
- **Allow**: Bypass authentication for users from specific countries
- **Deny**: Block all access from specific countries
- **Pass to Auth**: Let users from specific countries proceed to authentication
### Common Geo Blocking Patterns
#### Allow Only Specific Countries
Create a "Deny" rule that blocks all countries except those you want to allow:
1. Create a **Deny** rule
2. Select **Country** match type
3. Choose "ALL" to match all countries
4. Add priority: 100 (lower priority)
Then create specific allow rules for your approved countries:
1. Create **Allow** rules for each approved country
2. Set higher priority (e.g., 10, 20, 30) so they process first
#### Block Specific High-Risk Countries
Create targeted deny rules for specific countries while allowing all others:
1. Create **Deny** rules for each country you want to block
2. Select the specific countries from the dropdown
3. Set appropriate priorities
#### Regional Access Control
Combine geo blocking with other rule types for sophisticated access control:
1. **Path + Country**: Block admin paths (`/admin/*`) from all countries except your headquarters
2. **IP + Country**: Allow specific IPs from restricted countries (for VPN users or partners)
3. **CIDR + Country**: Combine network-based and geography-based restrictions
### Best Practices
<Warning>
IP geolocation is not always 100% accurate. Users with VPNs, proxies, or mobile networks may appear to be from different countries than expected.
</Warning>
### Rule Priority Example
```
Priority 1: Allow - Country: United States
Priority 2: Allow - Country: Canada
Priority 3: Allow - Country: United Kingdom
Priority 4: Deny - Country: ALL
```
This configuration allows access only from the US, Canada, and UK while blocking all other countries.

2
manage/integration-api.mdx
View File

@@ -6,7 +6,7 @@ description: "Learn how to use Pangolin's REST API to automate and script operat
The API is REST-based and supports many operations available through the web interface. Authentication uses Bearer tokens, and you can create multiple API keys with specific permissions for different use cases.
<Info>
For Pangolin self-hosted, the integration API must be enabled. Check out [the documentation](../self-host/advanced/integration-api) for how to enable the integration API.
For Pangolin self-hosted, the integration API must be enabled. Check out [the documentation](/self-host/advanced/integration-api) for how to enable the integration API.
</Info>
## Authentication

6
manage/managed.mdx
View File

@@ -8,7 +8,7 @@ description: "More reliable and low-maintenance self-hosted Pangolin server with
With this option, you still run your own Pangolin node — your tunnels, SSL termination, and traffic all stay on your server. The difference is that management and monitoring are handled through our cloud dashboard, which unlocks a number of significant benefits.
<Tip>
You can deploy a managed Pangolin node in seconds [using the installer](../self-host/quick-install-managed).
You can deploy a managed Pangolin node in seconds [using the installer](/self-host/quick-install-managed).
</Tip>
## How It Works
@@ -58,10 +58,10 @@ We're planning to add more analytics, alerting, and management tools to make you
## Getting Started
<Tip>
You can deploy a managed Pangolin node in seconds [using the installer](../self-host/quick-install-managed).
You can deploy a managed Pangolin node in seconds [using the installer](/self-host/quick-install-managed).
</Tip>
Ready to convert your existing self-hosted node to managed? Learn how in our [conversion guide](../self-host/convert-managed).
Ready to convert your existing self-hosted node to managed? Learn how in our [conversion guide](/self-host/convert-managed).
<Note>
For detailed information about how nodes work and their advantages, see our [nodes](/manage/nodes) documentation.