From 5c16e4e37625032aaa29f6f0cf16fcc6691d58af Mon Sep 17 00:00:00 2001 From: Owen Date: Tue, 10 Mar 2026 11:38:27 -0700 Subject: [PATCH] Move rules --- docs.json | 1 + manage/access-control/rules.mdx | 58 +------------------------ self-host/community-guides/rules.mdx | 65 ++++++++++++++++++++++++++++ 3 files changed, 68 insertions(+), 56 deletions(-) create mode 100644 self-host/community-guides/rules.mdx diff --git a/docs.json b/docs.json index e273677..6fe199b 100644 --- a/docs.json +++ b/docs.json @@ -181,6 +181,7 @@ "group": "Community Guides", "pages": [ "self-host/community-guides/overview", + "self-host/community-guides/rules", "self-host/community-guides/remove-geoblock-plugin", "self-host/community-guides/crowdsec", "self-host/community-guides/metrics", diff --git a/manage/access-control/rules.mdx b/manage/access-control/rules.mdx index 76dc9ef..61747e1 100644 --- a/manage/access-control/rules.mdx +++ b/manage/access-control/rules.mdx 
@@ -96,60 +96,6 @@ Pretty simple: you can match on simply an IP address like your home IP to bypass - `34.45.245.64` - `192.168.1.1` -## Rules for Specific Apps +### Community Contributed Rules -This table compiles paths that need to be allowed for various apps to work with Pangolin authentication. - -| App | Required Bypass Rules | -| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| **Media Management** | | -| Radarr | `/api/*` | -| Sonarr | `/api/*` | -| Lidarr | `/api/*` | -| **Media Servers** | | -| Jellyfin (iOS) | `/system/info/public` | -| Jellyfin (Roku) | `/System/Info/Public`
`/Users/AuthenticateByName`
`/Users/Public`
`/QuickConnect/Initiate`
`/QuickConnect/Connect`
`/Users/AuthenticateWithQuickConnect` | -| Audiobookshelf | Audiobookshelf also supports `/audiobookshelf` by default. Each rule should also be applied to this path.
`/api/*`
`/login`
`/auth/*`
`/feed/*`
`/socket.io/`
`/status`
`/logout`
`/ping`
`/public/*`
The following is needed for public shares and is optional for clients:
`/share/*`
`/_nuxt/*.js`
`/_nuxt/fonts/*` | -| **Management & Monitoring** | | -| Tautulli | `/api/*` | -| Harbour | `/api/*` | -| Hoarder App | `/api/*` | -| Uptime Kuma Manager | `/api/*`
`/socket.io/*` | -| Beszel | `/api/beszel/agent-connect` | -| MeshCentral | `/api/*`
`/meshrelay.ashx`
`/agent.ashx` | -| **Security & Privacy** | | -| AdGuard Home | `/api/*` | -| Ente Auth | `*api*` | -| Vaultwarden/Bitwarden | `/api/*`
`/identity/*`
`/wl/*`
Always Deny - Path - `/admin/*` | -| **Cloud & Sync** | | -| Nextcloud | `/` (Main interface)
`/index.php` (Core handler)
`/remote.php` (Remote access)
`/status.php` (Status checks)
`/ocs` (Collaboration Services API)
`/apps` (Applications)
`/remote.php/webdav` (WebDAV endpoint)
`/remote.php/dav` (CalDAV/CardDAV)
`/remote.php/caldav` (Calendar sync)
`/remote.php/carddav` (Contacts sync)
`/ocs/v1.php` (API endpoints)
`/ocs/v2.php` (API v2 endpoints)
`/login` (Authentication)
`/.well-known/*` (Service discovery)
`/.well-known/webfinger` (WebFinger protocol)
`/s/*` (Shared files/folders) | -| Onlyoffice | `/cache/*`
`*/CommandService.ashx`
`*/converter/*`
`*/doc/*`
`*/downloadas/*`
`/downloadfile/*`
`*/fonts/*`
`/healthcheck`
`/methodology/*`
`*/plugins.json`
`*/sdkjs/*`
`*/sdkjs-plugins/*`
`*/themes.json`
`*/web-apps/*` -| **Photo Management** | | -| Ente Photos | `*api*` | -| Immich | `/api/*`
`/.well-known/immich` | -| **File Management** | | -| Filebrowser | `/static/*`
`/share/*`
`/api/public/dl/*`
`/api/public/share/*` | -| **Notes & Knowledge Management** | | -| Joplin Notes Server | `/api/*`
`/shares/*`
`/css/*`
`/images/*`
Always Deny - Path - `/login/*` (optional) | -| Erugo | `/api/*`
`/shares/*`
`/build/*`
`/get-logo` | -| Memos | `/api/*`
`/assets/*`
`/explore*`
`/memos.api.v1.*`
`/auth/callback*`
`/auth`
`/site.webmanifest`
`/logo.webp`
`/full-logo.webp`
`/android-chrome-192x192.png` | -| Linkding | `/api/*`
`/bookmarks/*`
Always Deny - Path - `/admin/*` | -| **Communication** | | -| Matrix/Synapse (Clients) | `/_matrix/*`
`/_synapse/client/*` | -| Matrix/Synapse (Federation) | `/_matrix/*` | -| **Notifications** | | -| Gotify | `/version`
`/message`
`/application`
`/client`
`/stream`
`/plugin`
`/health` | -| **Home Automation** | | -| Home Assistant | `/api/*`
`/auth/*`
`/frontend_latest/*`
`/lovelace/*`
`/static/*`
`/hacsfiles/*`
`/local/*`
`/manifest.json`
`/sw-modern.js` | -| n8n | `/webhook-test/*/webhook`
`/webhook/*/webhook` | -| **Project Management** | | -| Jetbrains Youtrack | `/api/*`
`/hub/api/*`
| -| **Genealogy** | | -| Gramps Web | `/api/*` -| **Analytics** | | -| Liwan | `/script.js`
`/api/send` | -| Umami | `/script.js`
`/api/send` | - - -These rules are examples and may need to be adjusted based on your specific app configuration and version. - +Some common bypass paths for common self hosted apps can be found [in the community contributed rules](/self-host/community-guides/rules). \ No newline at end of file diff --git a/self-host/community-guides/rules.mdx b/self-host/community-guides/rules.mdx new file mode 100644 index 0000000..7726e33 --- /dev/null +++ b/self-host/community-guides/rules.mdx @@ -0,0 +1,65 @@ +--- +title: "Bypass Rules" +description: "Community bypass rules for common self hosted apps" +--- + +import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx"; + + + +This table compiles paths that need to be allowed for various apps to work with Pangolin authentication. + +| App | Required Bypass Rules | +| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **Media Management** | | +| Radarr | `/api/*` | +| Sonarr | `/api/*` | +| Lidarr | `/api/*` | +| **Media Servers** | | +| Jellyfin (iOS) | `/system/info/public` | +| Jellyfin (Roku) | `/System/Info/Public`
`/Users/AuthenticateByName`
`/Users/Public`
`/QuickConnect/Initiate`
`/QuickConnect/Connect`
`/Users/AuthenticateWithQuickConnect` | +| Audiobookshelf | Audiobookshelf also supports `/audiobookshelf` by default. Each rule should also be applied to this path.
`/api/*`
`/login`
`/auth/*`
`/feed/*`
`/socket.io/`
`/status`
`/logout`
`/ping`
`/public/*`
The following is needed for public shares and is optional for clients:
`/share/*`
`/_nuxt/*.js`
`/_nuxt/fonts/*` | +| **Management & Monitoring** | | +| Tautulli | `/api/*` | +| Harbour | `/api/*` | +| Hoarder App | `/api/*` | +| Uptime Kuma Manager | `/api/*`
`/socket.io/*` | +| Beszel | `/api/beszel/agent-connect` | +| MeshCentral | `/api/*`
`/meshrelay.ashx`
`/agent.ashx` | +| **Security & Privacy** | | +| AdGuard Home | `/api/*` | +| Ente Auth | `*api*` | +| Vaultwarden/Bitwarden | `/api/*`
`/identity/*`
`/wl/*`
Always Deny - Path - `/admin/*` | +| **Cloud & Sync** | | +| Nextcloud | `/` (Main interface)
`/index.php` (Core handler)
`/remote.php` (Remote access)
`/status.php` (Status checks)
`/ocs` (Collaboration Services API)
`/apps` (Applications)
`/remote.php/webdav` (WebDAV endpoint)
`/remote.php/dav` (CalDAV/CardDAV)
`/remote.php/caldav` (Calendar sync)
`/remote.php/carddav` (Contacts sync)
`/ocs/v1.php` (API endpoints)
`/ocs/v2.php` (API v2 endpoints)
`/login` (Authentication)
`/.well-known/*` (Service discovery)
`/.well-known/webfinger` (WebFinger protocol)
`/s/*` (Shared files/folders) | +| Onlyoffice | `/cache/*`
`*/CommandService.ashx`
`*/converter/*`
`*/doc/*`
`*/downloadas/*`
`/downloadfile/*`
`*/fonts/*`
`/healthcheck`
`/methodology/*`
`*/plugins.json`
`*/sdkjs/*`
`*/sdkjs-plugins/*`
`*/themes.json`
`*/web-apps/*` | +| **Photo Management** | | +| Ente Photos | `*api*` | +| Immich | `/api/*`
`/.well-known/immich` | +| **File Management** | | +| Filebrowser | `/static/*`
`/share/*`
`/api/public/dl/*`
`/api/public/share/*` | +| **Notes & Knowledge Management** | | +| Joplin Notes Server | `/api/*`
`/shares/*`
`/css/*`
`/images/*`
Always Deny - Path - `/login/*` (optional) | +| Erugo | `/api/*`
`/shares/*`
`/build/*`
`/get-logo` | +| Memos | `/api/*`
`/assets/*`
`/explore*`
`/memos.api.v1.*`
`/auth/callback*`
`/auth`
`/site.webmanifest`
`/logo.webp`
`/full-logo.webp`
`/android-chrome-192x192.png` | +| Linkding | `/api/*`
`/bookmarks/*`
Always Deny - Path - `/admin/*` | +| **Communication** | | +| Matrix/Synapse (Clients) | `/_matrix/*`
`/_synapse/client/*` | +| Matrix/Synapse (Federation) | `/_matrix/*` | +| **Notifications** | | +| Gotify | `/version`
`/message`
`/application`
`/client`
`/stream`
`/plugin`
`/health` | +| **Home Automation** | | +| Home Assistant | `/api/*`
`/auth/*`
`/frontend_latest/*`
`/lovelace/*`
`/static/*`
`/hacsfiles/*`
`/local/*`
`/manifest.json`
`/sw-modern.js` | +| n8n | `/webhook-test/*/webhook`
`/webhook/*/webhook` | +| **Project Management** | | +| Jetbrains Youtrack | `/api/*`
`/hub/api/*`
| +| **Genealogy** | | +| Gramps Web | `/api/*` | +| **Analytics** | | +| Liwan | `/script.js`
`/api/send` | +| Umami | `/script.js`
`/api/send` | + + + These rules are examples and may need to be adjusted based on your specific + app configuration and version. +
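Review bot: the entry added to docs.json, `self-host/community-guides/rules`, uses a slug that is easy to confuse with the existing `manage/access-control/rules` page, while the new page is titled "Bypass Rules". Consider `self-host/community-guides/bypass-rules` so the nav entry, file name and title agree. If the slug changes, the link added in manage/access-control/rules.mdx has to change with it.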
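Review bot: in manage/access-control/rules.mdx the replaced heading drops from `## Rules for Specific Apps` to `### Community Contributed Rules`, which nests the pointer under whatever section precedes it (the context lines show the IP address examples) and changes the heading anchor, so links to the old heading stop resolving. Keeping it at `##` avoids the nesting. The replacement sentence also loses the "examples and may need to be adjusted" caveat that left with the table; because these are paths allowed past Pangolin authentication, it is worth restating beside the link. Minor: "common bypass paths for common self hosted apps" repeats "common" and should read "self-hosted", and the file now ends without a trailing newline.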
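Review bot: in the new self-host/community-guides/rules.mdx the only caveat comes after the table, and the intro never says that each listed path is allowed through without Pangolin authentication, leaving the app's own login as the only control on it. Moving the "These rules are examples" text above the table and adding that sentence would help readers who copy a row without reading to the end. While the table is being moved, the widest entries deserve a remark or a tighter pattern: `*api*` for Ente Auth and Ente Photos matches any path containing "api", and the Nextcloud row lists `/` itself. The "Always Deny - Path" lines for Vaultwarden/Bitwarden, Joplin and Linkding sit in a column headed "Required Bypass Rules", so a separate column or a note that these are deny rules would make them harder to miss. The Jellyfin rows differ only in case (`/system/info/public` against `/System/Info/Public`), which suggests the page should say whether path matching is case-sensitive.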