diff --git a/docs.json b/docs.json
index 6fcc451..a3302fd 100644
--- a/docs.json
+++ b/docs.json
@@ -46,8 +46,9 @@
"pages": [
"manage/resources/public/authentication",
"manage/resources/public/targets",
- "manage/healthchecks-failover",
- "manage/resources/public/raw-resources"
+ "manage/resources/public/raw-resources",
+ "manage/resources/public/maintenance",
+ "manage/resources/public/healthchecks-failover"
]
},
{
@@ -282,6 +283,10 @@
{
"source": "/manage/resources/tcp-udp-resources",
"destination": "/manage/resources/public/raw-resources"
+ },
+ {
+ "source": "manage/healthchecks-failover",
+ "destination": "manage/resources/public/healthchecks-failover"
}
],
"seo": {
diff --git a/images/maintenance_page.png b/images/maintenance_page.png
new file mode 100644
index 0000000..549fd3e
Binary files /dev/null and b/images/maintenance_page.png differ
diff --git a/manage/blueprints.mdx b/manage/blueprints.mdx
index cc8892f..bffdd42 100644
--- a/manage/blueprints.mdx
+++ b/manage/blueprints.mdx
@@ -21,6 +21,10 @@ Pangolin supports two blueprint formats:
1. **YAML Configuration Files**: Standalone configuration files
2. **Docker Labels**: Configuration embedded in Docker Compose files
+
+Some features in this documentation are marked with **(EE)**, indicating they are available only in the Enterprise Edition of Pangolin.
+
+
## YAML Configuration Format
YAML config can be applied using Docker labels, API, from a Newt site, or in the UI. _Application through a CLI tool is planned._
@@ -83,7 +87,7 @@ public-resources:
match: ip
value: 1.1.1.1
- action: deny
- match: cidr
+ match: cidr
value: 2.2.2.2/32
- action: pass
match: path
@@ -104,7 +108,7 @@ public-resources:
protocol: tcp
proxy-port: 3000
targets:
- - site: lively-yosemite-toad
+ - site: lively-yosemite-toad
hostname: localhost
port: 3000
```
@@ -159,6 +163,35 @@ public-resources:
When using targets-only resources, the `name` and `protocol` fields are not required. All other resource-level validations are skipped for these simplified configurations.
+### Maintenance Page Configuration **(EE)**
+
+
+This is an Enterprise Edition (EE) feature only. It allows you to display a maintenance page for a public resource when it's under maintenance or when targets are unhealthy.
+
+
+```yaml
+public-resources:
+ production-app:
+ name: Production Application
+ protocol: http
+ full-domain: app.example.com
+ maintenance:
+ enabled: true
+ type: forced
+ title: Scheduled Maintenance
+ message: We are performing system upgrades to improve performance. The service will be back online shortly.
+ estimated-time: 2 hours
+ targets:
+ - site: my-site
+ hostname: app-server
+ method: https
+ port: 443
+```
+
+**Maintenance Types:**
+- **`forced`**: Always displays the maintenance page regardless of target health status
+- **`automatic`**: Displays the maintenance page only when all targets are unhealthy or the sites are offline
+
### Private Resources
Private resources define proxied resources accessible when connected via an client:
@@ -258,7 +291,7 @@ networks:
name: pangolin_default
```
-This will create a resource that looks like the following:
+This will create a resource that looks like the following:
@@ -295,6 +328,7 @@ This will create a resource that looks like the following:
| `headers` | array | No | Custom headers to add to requests | Each header requires `name` and `value` (min 1 char each) |
| `rules` | array | No | Access control rules | See Rules section below |
| `auth` | object | HTTP only | Authentication configuration | See Authentication section below |
+| `maintenance` | object | No | Maintenance page configuration **(EE)** | Enterprise Edition only. See Maintenance Configuration section below |
| `targets` | array | Yes | Target endpoints for the resource | See Targets section below |
### Target Configuration
@@ -374,6 +408,45 @@ Not allowed on TCP/UDP resources.
| `whitelist-users` | array | No | Whitelisted user emails | Must be valid email addresses |
| `auto-login-idp` | number | No | Automatic login identity provider ID | Must be a positive integer |
+### Maintenance Configuration **(EE)**
+
+
+This is an Enterprise Edition (EE) feature only. It allows you to display a maintenance page for a public resource.
+
+
+The `maintenance` object can be added to any public resource to display a maintenance page to users:
+
+```yaml
+public-resources:
+ my-service:
+ name: My Service
+ protocol: http
+ full-domain: service.example.com
+ maintenance:
+ enabled: true
+ type: automatic
+ title: Scheduled Maintenance
+ message: We are performing scheduled maintenance. Service will resume shortly.
+ estimated-time: 2 hours
+ targets:
+ - site: my-site
+ hostname: backend-server
+ method: https
+ port: 8443
+```
+
+| Property | Type | Required | Description | Constraints |
+|----------|------|----------|-------------|-------------|
+| `enabled` | boolean | No | Whether the maintenance page is enabled | Defaults to `false` |
+| `type` | string | No | Maintenance type (`forced` or `automatic`) | `forced` always shows maintenance page; `automatic` shows only when all targets are unhealthy or sites offline |
+| `title` | string | No | Title text for the maintenance page | Maximum 255 characters, can be null |
+| `message` | string | No | Message text explaining the maintenance | Maximum 2000 characters, can be null |
+| `estimated-time` | string | No | Estimated time for maintenance completion | Maximum 100 characters, can be null |
+
+**Maintenance Types:**
+- **`forced`**: Always displays the maintenance page regardless of target health status
+- **`automatic`**: Displays the maintenance page only when all targets are unhealthy
+
### Rules Configuration
| Property | Type | Required | Description | Constraints |
@@ -450,4 +523,4 @@ For private resources in `host` mode, the destination must be a valid IP address
For private resources in `cidr` mode, the destination must be a valid CIDR notation (e.g., 10.0.0.0/24).
### "Admin role cannot be included in roles"
-The `Admin` role is reserved and cannot be included in the `roles` array for private resource configuration.
\ No newline at end of file
+The `Admin` role is reserved and cannot be included in the `roles` array for private resource configuration.
diff --git a/manage/clients/configure-client.mdx b/manage/clients/configure-client.mdx
index c908687..b8ac5e3 100644
--- a/manage/clients/configure-client.mdx
+++ b/manage/clients/configure-client.mdx
@@ -21,15 +21,15 @@ Refer to the [documentation in the official repository](https://github.com/fosrl
Olm ID generated by Pangolin to identify the client.
-
+
**Example**: `31frd0uzbjvp721`
A unique secret used to authenticate the client ID with the websocket.
-
+
**Example**: `h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6`
-
+
Keep this secret private and secure. It's used for authentication.
@@ -37,7 +37,7 @@ Refer to the [documentation in the official repository](https://github.com/fosrl
The endpoint where both Gerbil and Pangolin reside for websocket connections.
-
+
**Example**: `https://pangolin.example.com`
@@ -51,81 +51,87 @@ Refer to the [documentation in the official repository](https://github.com/fosrl
MTU for the internal WireGuard interface.
-
+
**Default**: `1280`
DNS server to use to resolve the endpoint.
-
+
**Default**: `8.8.8.8`
Upstream DNS server(s), comma-separated.
-
+
**Default**: `8.8.8.8:53`
The log level to use for Olm output.
-
+
**Options**: `DEBUG`, `INFO`, `WARN`, `ERROR`, `FATAL`
-
+
**Default**: `INFO`
Interval for pinging the server.
-
+
**Default**: `3s`
Timeout for each ping.
-
+
**Default**: `5s`
Name of the WireGuard interface.
-
+
**Default**: `olm`
Enable API server for receiving connection requests.
-
+
**Default**: `false`
HTTP server address (e.g., ':9452').
-
+
**Default**: `:9452`
Unix socket path (or named pipe on Windows).
-
+
**Default**: `/var/run/olm.sock` (Linux/macOS) or `olm` (Windows)
Disable hole punching.
-
+
**Default**: `false`
Override system DNS settings.
-
+
+ **Default**: `false`
+
+
+
+ Force connectivity to the upstream DNS server to go via the tunnel to a resource.
+
**Default**: `false`
Disable relay connections.
-
+
**Default**: `false`
@@ -159,87 +165,87 @@ When both environment variables and CLI arguments are provided, CLI arguments ta
MTU for the internal WireGuard interface (equivalent to `--mtu`)
-
+
**Default**: `1280`
DNS server to use to resolve the endpoint (equivalent to `--dns`)
-
+
**Default**: `8.8.8.8`
Upstream DNS server(s), comma-separated (equivalent to `--upstream-dns`)
-
+
**Default**: `8.8.8.8:53`
Log level (equivalent to `--log-level`)
-
+
**Default**: `INFO`
Interval for pinging the server (equivalent to `--ping-interval`)
-
+
**Default**: `3s`
Timeout for each ping (equivalent to `--ping-timeout`)
-
+
**Default**: `5s`
Name of the WireGuard interface (equivalent to `--interface`)
-
+
**Default**: `olm`
Enable API server for receiving connection requests (equivalent to `--enable-api`)
-
+
Set to "true" to enable
-
+
**Default**: `false`
HTTP server address (equivalent to `--http-addr`)
-
+
**Default**: `:9452`
Unix socket path or Windows named pipe (equivalent to `--socket-path`)
-
+
**Default**: `/var/run/olm.sock` (Linux/macOS) or `olm` (Windows)
Disable hole punching (equivalent to `--disable-holepunch`)
-
+
Set to "true" to disable
-
+
**Default**: `false`
Override system DNS settings (equivalent to `--override-dns`)
-
+
Set to "true" to enable
-
+
**Default**: `false`
Disable relay connections (equivalent to `--disable-relay`)
-
+
Set to "true" to disable
-
+
**Default**: `false`
@@ -249,7 +255,7 @@ When both environment variables and CLI arguments are provided, CLI arguments ta
### Loading secrets from files
-You can use `CONFIG_FILE` to define a location of a config file to store the credentials between runs.
+You can use `CONFIG_FILE` to define a location of a config file to store the credentials between runs.
```
$ cat ~/.config/olm-client/config.json
@@ -276,9 +282,9 @@ $ cat ~/.config/olm-client/config.json
}
```
-This file is also written to when olm first starts up. So you do not need to run every time with --id and secret if you have run it once!
+This file is also written to when olm first starts up. So you do not need to run every time with --id and secret if you have run it once!
-Default locations:
+Default locations:
- **macOS**: `~/Library/Application Support/olm-client/config.json`
- **Windows**: `%PROGRAMDATA%\olm\olm-client\config.json`
@@ -286,4 +292,4 @@ Default locations:
### API
-Olm can be started with a HTTP or socket API to configure and manage it. See the [API documentation](https://github.com/fosrl/olm/blob/main/API.md) for more details.
\ No newline at end of file
+Olm can be started with a HTTP or socket API to configure and manage it. See the [API documentation](https://github.com/fosrl/olm/blob/main/API.md) for more details.
diff --git a/manage/resources/private/alias.mdx b/manage/resources/private/alias.mdx
index d34d91b..90e816b 100644
--- a/manage/resources/private/alias.mdx
+++ b/manage/resources/private/alias.mdx
@@ -3,7 +3,7 @@ title: "Aliases"
description: "Set a friendly alias hostname that resolves to a host"
---
-Aliases provide a secondary, user-friendly address for any of your Resources, allowing users to access the Resource using this alternate name in addition to the original address.
+Aliases provide a secondary, user-friendly address for any of your Resources, allowing users to access the Resource using this alternate name in addition to the original address.
For instance, a router with the address `10.0.0.1` could be assigned the alias `router.internal`, and users could connect using either. Aliases are accessible to anyone who has access to the Resource, and they are exclusively accessible when connected with a Pangolin client, meaning they function without requiring any external DNS record setup. Furthermore, aliases are protocol agnostic, which means they will work with any network protocol, essentially acting as a pseudo-A record for an address that is only functional within the Pangolin environment.
@@ -15,9 +15,17 @@ A alias can only be created for a Resource that is a single host (IP or FQDN). A
Since aliases cannot be single-label domains, you must avoid using domain names that do not contain a dot (e.g., `pangolin`). A domain like `pangolin.net`, which includes a dot, is acceptable. Instead of a single-label domain, you should consider using a subdomain of a domain you control, such as `router.mywebsite.com`, or an existing private/internal domain name, like `router.internal` or `router.corp`.
+### Wildcards
+
+Wildcards allow you to define aliases that match multiple hostnames using special characters in the FQDN. For example, in an alias like `*.host-0?.autoco.internal`, the asterisk `*` matches any sequence of characters (including none), and the question mark `?` matches exactly one character.
+
+If you use a wildcard such as `*.proxy.internal`, it will match any hostname that ends with `.proxy.internal` and has something before the dot—such as `host.proxy.internal`, `longerhost.proxy.internal`, or even `sub.host.proxy.internal`. However, the wildcard will not match the base domain itself (`autoco.internal` without anything before the dot).
+
## Custom Upstream DNS
-Aliases work by overriding the DNS of your computer running the client so that all DNS requests are sent to the Pangolin client for resolution. The dns server on your computer is typically `100.96.128.1` which will forward request to an upstream server. By default, we use `9.9.9.9`, but this upstream address can be configured using [the flag](/manage/clients/configure-client) in the CLI / Olm or in the client settings.
+Aliases work by overriding the DNS of your computer running the client so that all DNS requests are sent to the Pangolin client for resolution. The dns server on your computer is typically `100.96.128.1` (the first address inside of your utility subnet on the org) when connected to the tunnel which will forward request to an upstream server. By default, we use `9.9.9.9`, but this upstream address can be configured using [the flag](/manage/clients/configure-client) in the CLI / Olm or in the client settings.
+
+**If you are attempting to set an upstream DNS server that is only accessible via the tunnel, ensure that you create a resource and check the tunnel DNS option in the client configuration settings or use the --tunnel-dns flag.** Otherwise, connectivity to the server may fail when connected to the tunnel.
## Disable Aliases
diff --git a/manage/resources/private/destinations.mdx b/manage/resources/private/destinations.mdx
index b67cbc4..56e9122 100644
--- a/manage/resources/private/destinations.mdx
+++ b/manage/resources/private/destinations.mdx
@@ -26,9 +26,9 @@ Pangolin smooths away overlapping networks and arbitrarily chooses a single site
It is recommended that you create overlapping resources only if absolutely required. If you do, use [Aliases](/manage/resources/private/alias) to explicitly defined which host should be used for a given FQDN or IP address and use the alias to connect.
-## Why is ICMP Pinging Not Working?
+## ICMP End to End?
-Because Newt sites are proxying traffic out of the secure tunnel, ICMP needs to be handled specially just like UDP and TCP. Right now, ICMP **is not supported** through the Pangolin client. If you need to ping hosts on the remote network, consider using TCP or UDP-based tools like `hping3` or `nping` as alternatives. We plan to add ICMP support in a future release.
+Pangolin supports testing connectivity to Resources using ICMP ping requests. However, it's important to note that while the Pangolin client can send ICMP echo requests to the destination, **the actual ping request is captured and replayed from the Newt binary to the actually destination**. This means that requests are not end to end but are still an effective way to test connectivity to a resource.
## Unicast Only?
diff --git a/manage/healthchecks-failover.mdx b/manage/resources/public/healthchecks-failover.mdx
similarity index 100%
rename from manage/healthchecks-failover.mdx
rename to manage/resources/public/healthchecks-failover.mdx
diff --git a/manage/resources/public/maintenance.mdx b/manage/resources/public/maintenance.mdx
new file mode 100644
index 0000000..2fc4e38
--- /dev/null
+++ b/manage/resources/public/maintenance.mdx
@@ -0,0 +1,38 @@
+---
+title: "Maintenance Page"
+description: "Show a maintenance page to users when a resources is down for maintenance or targets are unhealthy"
+---
+
+
+Maintenance pages are only available in Enterprise Edition.
+
+
+Pangolin can display a customizable maintenance page to users when a resource is undergoing maintenance or when all targets are unhealthy. This ensures users are informed about the downtime and provides a better user experience.
+
+
+ 
+
+
+## Configuration
+
+Title: The main title text displayed on the maintenance page.
+
+Message: A descriptive message informing users about the maintenance status.
+
+Estimated completion time: Optionally provide an estimated time for when the resource will be back online.
+
+## Enabling Maintenance Page
+
+To enable the maintenance page for a resource, navigate to the general resource settings in the Pangolin dashboard. Under the "Maintenance Page" section, you can customize the title, message, and estimated completion time. This can also be set using Blueprints.
+
+## When is the Maintenance Page Shown?
+
+There are two modes that control when the page is shown:
+
+#### Forced
+
+In forced mode, the maintenance page is displayed to all users regardless of the health status of the resource targets. This is useful for planned maintenance windows.
+
+#### Automatic
+
+In automatic mode, the maintenance page is shown only when all targets associated with the resource are unhealthy or all of the sites are offline. This is useful for unplanned outages and can be used to inform the user that the resource is temporarily unavailable by customizing the above settings.
diff --git a/self-host/advanced/config-file.mdx b/self-host/advanced/config-file.mdx
index 7d802c1..1b22786 100644
--- a/self-host/advanced/config-file.mdx
+++ b/self-host/advanced/config-file.mdx
@@ -429,7 +429,7 @@ This section contains the complete reference for all configuration options in `c
**Default**: `false`
- When enabled, uses file-based dynamic configuration instead of API-based updates.
+ When enabled, uses file-based dynamic configuration instead of API-based updates.
@@ -461,6 +461,12 @@ This section contains the complete reference for all configuration options in `c
**Example**: `51820`
+
+ Starting port for client WireGuard relay and hole punch port.
+
+ **Example**: `21820`
+
+
Whether to assign unique subdomains to Gerbil exit nodes.
@@ -823,6 +829,6 @@ Some configuration values can be set using environment variables for enhanced se
| Name | Variable | Config |
|------|----------|--------|
-| Server Secret | `SERVER_SECRET` | `server.secret` |
+| Server Secret | `SERVER_SECRET` | `server.secret` |
| Email Password | `EMAIL_SMTP_PASS` | `email.smtp_pass` |
| PostgreSQL Connection String | `POSTGRES_CONNECTION_STRING` | `postgres.connection_string` |