diff --git a/manage/access-control/approvals.mdx b/manage/access-control/approvals.mdx index 63425b1..bf39c73 100644 --- a/manage/access-control/approvals.mdx +++ b/manage/access-control/approvals.mdx @@ -18,13 +18,13 @@ By default, any client configured with valid credentials can connect to an organ When device approvals are enabled, the first time a user connects a new device to the organization, the device will be marked as "Pending Approval." An administrator must then review and approve the device in the management console before it can access organization resources. - + Device marked pending approval in the Pangolin dashboard All approvals can also be managed from a central page as they stream in to allow admins to approve or deny devices quickly. - + Approvals page listing pending devices in the Pangolin dashboard ## Enabling Device Approvals diff --git a/manage/access-control/create-user.mdx b/manage/access-control/create-user.mdx index 46f20e3..76583a8 100644 --- a/manage/access-control/create-user.mdx +++ b/manage/access-control/create-user.mdx @@ -18,7 +18,7 @@ Because the global user exists and a per‑organization user exists, a user invi When removing a user from an organization, their account still exists. To completely delete their account, visit the server admin panel as the server admin and delete the global user in the users table. - + Users table in the Pangolin dashboard ### Internal Users diff --git a/manage/access-control/links.mdx b/manage/access-control/links.mdx index c34a79b..d183aa3 100644 --- a/manage/access-control/links.mdx +++ b/manage/access-control/links.mdx @@ -45,7 +45,7 @@ This is why the two URLs often look different: - The **Access Token Usage** examples use the resource URL directly. - + Access token usage examples for a shareable link ### Query Parameter diff --git a/manage/access-control/login-page.mdx b/manage/access-control/login-page.mdx index c750dad..3c8f445 100644 --- a/manage/access-control/login-page.mdx +++ b/manage/access-control/login-page.mdx @@ -29,7 +29,7 @@ Custom organization authentication pages let you serve the login page at your ow - Direct access to the Pangolin management dashboard - + Organization login page with multiple login methods ## Configuration @@ -43,5 +43,5 @@ You need to add a custom domain to your organization first. Free domains (`*.tun - + Domain picker for the auth page in Pangolin settings diff --git a/manage/analytics/access.mdx b/manage/analytics/access.mdx index 75f140a..6f445eb 100644 --- a/manage/analytics/access.mdx +++ b/manage/analytics/access.mdx @@ -26,7 +26,7 @@ Authentication logs capture authentication events when users or API keys attempt - Analyzing user agent and device information - + Authentication logs table in the Pangolin dashboard Make sure to enable authentication logs in the org settings diff --git a/manage/analytics/action.mdx b/manage/analytics/action.mdx index a01ecd0..e8f6bbe 100644 --- a/manage/analytics/action.mdx +++ b/manage/analytics/action.mdx @@ -26,7 +26,7 @@ Admin Action logs capture administrative events and configuration changes perfor - Meeting security and compliance requirements - + Admin action logs table in the Pangolin dashboard Make sure to enable access logs in the org settings diff --git a/manage/analytics/request.mdx b/manage/analytics/request.mdx index 4ea7f3e..af8a1a0 100644 --- a/manage/analytics/request.mdx +++ b/manage/analytics/request.mdx @@ -23,7 +23,7 @@ HTTPS Request logs capture every HTTPS request that passes through a reverse pro - Troubleshooting connectivity and routing issues - + HTTPS request logs table in the Pangolin dashboard ## HTTPS Request Log Fields diff --git a/manage/analytics/streaming.mdx b/manage/analytics/streaming.mdx index 50a0ac7..70bb996 100644 --- a/manage/analytics/streaming.mdx +++ b/manage/analytics/streaming.mdx @@ -22,7 +22,7 @@ Open **Organization → Logs & Analytics → Streaming** to add destinations and You choose which categories each destination receives. Only log types enabled for your organization can be streamed. - + Log type selection for a streaming destination ## Destination types @@ -30,7 +30,7 @@ You choose which categories each destination receives. Only log types enabled fo Each destination type has its own configuration and payload behavior. Select **Add destination** and pick a delivery method. - + Add destination dialog in the Pangolin dashboard diff --git a/manage/analytics/streaming/http.mdx b/manage/analytics/streaming/http.mdx index 8ca4e27..4292831 100644 --- a/manage/analytics/streaming/http.mdx +++ b/manage/analytics/streaming/http.mdx @@ -36,7 +36,7 @@ On the **Settings** tab, set a display name, the endpoint URL, and authenticatio | Custom header | A single header name and value (for example an API key header) | - + HTTP destination settings with URL and authentication options All delivery uses **POST**. Requests time out after 30 seconds. @@ -46,7 +46,7 @@ All delivery uses **POST**. Requests time out after 30 seconds. On the **Headers** tab, add optional static headers sent with every request, for example a vendor-specific API key or a non-default `Content-Type`. When you do not override it, Pangolin sends `Content-Type: application/json` (or `application/x-ndjson` when using the NDJSON payload format). - + Headers tab for adding static HTTP headers ## Default payload (template off) @@ -83,7 +83,7 @@ Some columns are stored as JSON strings in the database (`headers`, `query`, and On the **Body** tab, enable **Custom body template** and provide a JSON template string. Pangolin performs simple placeholder substitution, **not** a full templating language like Handlebars. - + Body tab with custom body template editor ### Template variables diff --git a/manage/analytics/streaming/s3.mdx b/manage/analytics/streaming/s3.mdx index 39f6967..077aa12 100644 --- a/manage/analytics/streaming/s3.mdx +++ b/manage/analytics/streaming/s3.mdx @@ -38,7 +38,7 @@ Configure: Pangolin uses static access keys only. There is no IAM role, instance profile, or OIDC picker in the UI. - + S3 destination settings with credentials, region, and bucket Uploads time out after 60 seconds per object. @@ -56,7 +56,7 @@ Uploads time out after 60 seconds per object. | **CSV** | RFC-4180 CSV with a header row; see [CSV format](#csv-format) | - + Format tab with file format and gzip options ## Logs tab @@ -64,7 +64,7 @@ Uploads time out after 60 seconds per object. Choose which log categories are uploaded. Each enabled type is written to its own key prefix (`request/`, `action/`, etc.). Only log types enabled for your organization can be streamed. - + Logs tab for selecting streamed log types ## Object key layout diff --git a/manage/blueprints.mdx b/manage/blueprints.mdx index 2b3f9f8..0783096 100644 --- a/manage/blueprints.mdx +++ b/manage/blueprints.mdx @@ -68,7 +68,7 @@ Use container labels when the resource definition should live inside your Compos Paste YAML into **Settings > Blueprints** in the Pangolin dashboard. - + Blueprint creation page in the Pangolin dashboard diff --git a/manage/identity-providers/add-an-idp.mdx b/manage/identity-providers/add-an-idp.mdx index 344120d..d7ccd64 100644 --- a/manage/identity-providers/add-an-idp.mdx +++ b/manage/identity-providers/add-an-idp.mdx @@ -22,7 +22,7 @@ Here is an example using Microsoft Azure Entra ID as SSO for Pangolin: - + Identity provider creation form in the Pangolin dashboard ## Identity Provider Types diff --git a/manage/identity-providers/auto-provisioning.mdx b/manage/identity-providers/auto-provisioning.mdx index ea02376..9e33792 100644 --- a/manage/identity-providers/auto-provisioning.mdx +++ b/manage/identity-providers/auto-provisioning.mdx @@ -16,7 +16,7 @@ You will be able to programmatically decide the roles and organizations for new Toggle the "Auth Provision Users" switch when creating or editing an identity provider. - + Auto provision users setting in the Pangolin dashboard ## What if Auto Provisioning is Disabled? @@ -24,7 +24,7 @@ Toggle the "Auth Provision Users" switch when creating or editing an identity pr If auto provision is disabled, organization admins will need to manually create the user accounts and select the role for each user. When creating a user, you can select the identity provider that the user will be associated with. A user will not be able to log in using the identity provider if a user is not pre-provisioned in the system. - + Creating an identity provider user in the Pangolin dashboard ## Role Mappings @@ -40,7 +40,7 @@ When you configure role mappings in auto provisioning settings, you use one of t Fixed roles is the simplest option. Every user who signs in through the identity provider receives the same set of roles. The roles you select must already exist in Pangolin, and you must choose them by their exact names in that organization. Use this when you do not need dynamic mapping and a single role assignment for everyone is enough. You can still change roles on individual users after they have been auto-provisioned. This is the easiest way to get started. - + Fixed roles mapping option in the Pangolin dashboard ### Role Mapping: Mapping Builder @@ -50,7 +50,7 @@ The mapping builder lets you map roles from your identity provider to Pangolin r First, choose the claim in the OIDC token where roles or groups are provided such as `groups`. Then define a one-to-one mapping for each role: on one side, the role or group ID from the identity provider; on the other, the Pangolin role name that already exists in the organization. The Pangolin side must match that role’s name exactly (same spelling, spacing, and casing). - + Role mapping builder in the Pangolin dashboard ### Role Mapping: Raw Expression @@ -63,7 +63,7 @@ The expression is evaluated against the token from the identity provider on each - If no matching role is found for the resolved names, the user is not added to the organization. - + Raw expression role mapping in the Pangolin dashboard #### Raw Expression Example: JMESPath role selection diff --git a/manage/identity-providers/azure.mdx b/manage/identity-providers/azure.mdx index 73e0917..741fedd 100644 --- a/manage/identity-providers/azure.mdx +++ b/manage/identity-providers/azure.mdx @@ -42,7 +42,7 @@ We will revisit the **Authorised redirect URIs** field later, as we do not have In Pangolin, go to "Identity Providers" and click "Add Identity Provider". Select the Azure Entra ID provider option. - + Azure Entra ID identity provider setup in the Pangolin dashboard In the OAuth2/OIDC Configuration, you'll need the following fields: diff --git a/manage/identity-providers/google.mdx b/manage/identity-providers/google.mdx index 07c0d8e..27d68df 100644 --- a/manage/identity-providers/google.mdx +++ b/manage/identity-providers/google.mdx @@ -51,7 +51,7 @@ After hitting "Create", you will be able to see the "Client ID" and "Client secr In Pangolin, go to "Identity Providers" and click "Add Identity Provider". Select the Google provider option. - + Google identity provider setup in the Pangolin dashboard In the "Google Configuration", you'll need the following fields: diff --git a/manage/identity-providers/openid-connect.mdx b/manage/identity-providers/openid-connect.mdx index aee9318..25bde14 100644 --- a/manage/identity-providers/openid-connect.mdx +++ b/manage/identity-providers/openid-connect.mdx @@ -16,7 +16,7 @@ This identity provider follows the OpenID Connect protocol. This means that it c In Pangolin, go to "Identity Providers" and click "Add Identity Provider". Select the OAuth2/OIDC provider option. - + Pangolin dashboard form for adding an OAuth2/OIDC identity provider In the OAuth2/OIDC Configuration, you'll need the following fields: diff --git a/manage/remote-node/backhaul.mdx b/manage/remote-node/backhaul.mdx index f14623e..9896c83 100644 --- a/manage/remote-node/backhaul.mdx +++ b/manage/remote-node/backhaul.mdx @@ -194,7 +194,7 @@ This section uses AWS as an example, but the same steps apply to any VPC-style n The node is acting as a concentrator for the whole network, not just serving its own ports, so its security group must accept all traffic from the VPC's CIDR. Otherwise the security group blocks the inbound traffic it's meant to forward. - + AWS security group inbound rule allowing all VPC traffic @@ -202,7 +202,7 @@ This section uses AWS as an example, but the same steps apply to any VPC-style n Add a route in the VPC's route table for the WireGuard overlay subnet assigned to your node (shown as the node's **Address** on its page in the [Pangolin dashboard](https://app.pangolin.net)), targeting the node's instance or network interface. This tells the rest of the VPC to send anything destined for the Pangolin overlay — other sites and clients — to the node. - + AWS route table entry routing the overlay subnet to the node @@ -210,11 +210,11 @@ This section uses AWS as an example, but the same steps apply to any VPC-style n By default, AWS drops any packet where an instance isn't the source or destination, which would silently break a node that's forwarding traffic on behalf of others. Disable the source/destination check on the node's instance so it's allowed to route traffic that isn't addressed to itself. - + AWS instance menu option to change source/destination check - + AWS dialog checkbox disabling the source/destination check @@ -224,7 +224,7 @@ This section uses AWS as an example, but the same steps apply to any VPC-style n You can also set **Preference Labels** on the node and apply matching labels to sites, which enforces that those sites connect through this remote node specifically. This is useful once you have more than one node or point of presence and want particular sites to always backhaul through this one. - + Pangolin dashboard remote subnets setting with VPC CIDR added diff --git a/manage/remote-node/understanding-nodes.mdx b/manage/remote-node/understanding-nodes.mdx index 7d5a28e..8119dfc 100644 --- a/manage/remote-node/understanding-nodes.mdx +++ b/manage/remote-node/understanding-nodes.mdx @@ -29,7 +29,7 @@ Think of different nodes as the "front doors" to your applications - users conne - **Failover**: If you have multiple nodes, the control plane will failover between them. If one node becomes unavailable, traffic can optionally fail over to our cloud infrastructure or other nodes until you restore service. - + Diagram of high availability failover across remote nodes ## Some Benefits diff --git a/manage/sites/install-site.mdx b/manage/sites/install-site.mdx index ae241d9..dc3a635 100644 --- a/manage/sites/install-site.mdx +++ b/manage/sites/install-site.mdx @@ -291,13 +291,13 @@ Download the correct version of the router app for your device from the [GitHub To install the router app, log into your Advantech router and navigate to the Router Apps section. Upload the downloaded `.tgz` file and follow the prompts to install. - + Advantech router UI showing Newt router app installation After installation, click on the router app link at the top of the page to configure the app with your Newt credentials from Pangolin. Once you have entered the credentials, save and start the app. The router will now be connected to your Pangolin site and you can manage it like any other Newt site in the dashboard. - + Advantech router UI showing Newt credential configuration A complete config file is located at `/etc/newt/settings` on the router. You can edit this file directly to change credentials or add additional configuration options. After making changes, restart the router app to apply the new configuration. An example settings file can be found at: https://github.com/fosrl/newt/blob/main/packages/advantech/merge/etc/defaults diff --git a/self-host/advanced/cloudflare-proxy.mdx b/self-host/advanced/cloudflare-proxy.mdx index 874b3b5..ee36cc1 100644 --- a/self-host/advanced/cloudflare-proxy.mdx +++ b/self-host/advanced/cloudflare-proxy.mdx @@ -143,5 +143,5 @@ After making these changes, restart both Traefik and Pangolin for the configurat If websockets are not connecting like from newt or clients, ensure that websockets are enabled in Cloudflare: - + Cloudflare dashboard WebSockets setting toggled on \ No newline at end of file