Merge branch 'main' of github.com:fosrl/docs-v2

2026-03-02 08:46:45 +00:00 · 2026-02-27 18:08:58 -08:00
parent 5666805324 3d215693b1
commit df1fc4b92d
15 changed files with 121 additions and 22 deletions
--- a/docs.json
+++ b/docs.json
@@ -91,6 +91,7 @@
                                    "manage/access-control/rules",
                                    "manage/access-control/forwarded-headers",
                                    "manage/access-control/login-page",
                                    "manage/ssh",
                                    "manage/geoblocking",
                                    "manage/asnblocking",
                                    "manage/access-control/mfa",
--- a/manage/access-control/approvals.mdx
+++ b/manage/access-control/approvals.mdx
@@ -10,7 +10,7 @@ import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx";
 <Note>
-	Only available in Pangolin Cloud and [Enterprise Edition](/self-host/enterprise-edition).
+	Only available in [Pangolin Cloud](https://app.pangolin.net/auth/signup) and [Enterprise Edition](/self-host/enterprise-edition).
 </Note>
 By default, any client configured with valid credentials can connect to an organization. To enhance security, you can enable device approvals, which require each new device to be manually approved by an administrator before it can connect.
--- a/manage/access-control/login-page.mdx
+++ b/manage/access-control/login-page.mdx
@@ -10,7 +10,7 @@ import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx";
 <Note>
-Custom auth pages are only available in Pangolin Cloud.
+Custom auth pages are only available in [Pangolin Cloud](https://app.pangolin.net/auth/signup).
 </Note>
 Custom organization authentication pages let you serve the login page at your own domain instead of the default `app.pangolin.net`. This provides better user experience and brand consistency.
--- a/manage/clients/configure-client.mdx
+++ b/manage/clients/configure-client.mdx
@@ -47,6 +47,60 @@ This is the DNS server that will be used if Override DNS is enabled or DNS Over
 This is a fallback DNS server that the system can use if the primary server is unavailable. Ordering and priority of the server is not guaranteed, but it provides redundancy for DNS resolution. Not used when override DNS (aliases) are disabled.
 ## Windows Client (Advanced)
 On Windows, you can centrally preconfigure the Pangolin GUI client by editing the JSON config at `%LOCALAPPDATA%\Pangolin\pangolin.json` before the user signs in (for example, `C:\Users\USER\AppData\Local\Pangolin\pangolin.json`). This is useful for system administrators who want to enforce consistent DNS behavior and login flows across many machines without relying on end users to choose the right options. In particular, `defaultServerURL` and `authPath` let you direct users straight to the correct server and, if needed, a specific organization-branded login page on every launch.
 <ResponseField name="Config" type="object">
  JSON configuration for the Windows Pangolin client stored in `pangolin.json`.
  <Expandable title="Config">
    <ResponseField name="dnsOverride" type="boolean">
      When true, matches the **Enable Aliases (Override DNS)** preference and lets the client take over DNS resolution for Pangolin resources.
    </ResponseField>
    <ResponseField name="dnsTunnel" type="boolean">
      When true, matches the **DNS Over Tunnel** preference and sends DNS queries through the Pangolin tunnel.
    </ResponseField>
    <ResponseField name="primaryDNS" type="string">
      Primary upstream DNS server used when override/tunnel DNS is enabled.
    </ResponseField>
    <ResponseField name="secondaryDNS" type="string">
      Optional secondary upstream DNS server used as a fallback when the primary is unavailable.
    </ResponseField>
    <ResponseField name="defaultServerURL" type="string">
      When set, skips the deployment option screen during login; all login flows start directly with this server URL.
    </ResponseField>
    <ResponseField name="authPath" type="string">
      Optional path appended to the server URL for authentication, for example `/auth/org/my-org` to always send users to a specific organization or branded login page. Most deployments should leave this unset.
    </ResponseField>
    <ResponseField name="userSettingsDisabled" type="boolean">
      When true, hides and disables the settings form in the GUI so users cannot change these values themselves.
    </ResponseField>
  </Expandable>
 </ResponseField>
 As a system administrator, you can script placing this file into `%LOCALAPPDATA%\Pangolin\pangolin.json` to preconfigure user installations and automate rollouts.
 <Tip>
 For enterprise customers, contact us if you need a custom MSI installer with baked-in configuration; we can maintain custom installers as an add-on to your enterprise license.
 </Tip>
 ### Windows client log level
 To configure the log level for the Windows client system-wide, edit `%ProgramData%\Pangolin\pangolin.json`. For example:
 ```json
 { "logLevel": "debug" }
 ```
 The default log level is `info`.
 ## Android Battery Optimization
 To ensure Pangolin functions correctly in the background on Android devices, it's recommended to disable battery optimization for the app. This prevents the operating system from restricting its background activities, which could lead to disconnections.
--- a/manage/clients/fingerprinting.mdx
+++ b/manage/clients/fingerprinting.mdx
@@ -33,7 +33,7 @@ The following device attributes are collected on each device when available:
 ## Available Posture Checks
 <Note>
-	Posture checks are only collected on Pangolin Cloud and self-hosted [Enterprise Edition](/self-host/enterprise-edition).
+	Posture checks are only collected on [Pangolin Cloud](https://app.pangolin.net/auth/signup) and self-hosted [Enterprise Edition](/self-host/enterprise-edition).
 </Note>
 Posture checks are also collected on each platform; this is device state that
--- a/manage/clients/install-client.mdx
+++ b/manage/clients/install-client.mdx
@@ -113,23 +113,29 @@ import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx";
   Tap the Connect button to establish a VPN connection. On the first connection, you may be prompted to allow the VPN connection.
-## Pangolin CLI (Linux)
+## Pangolin CLI (Linux, macOS, Windows)
-Pangolin CLI is the recommended way to run a client using a command line interface on Mac or Linux. Support for Windows is coming soon.
+Pangolin CLI is the recommended way to run a client using a command line interface on Mac and Linux.
 Pangolin CLI can run on Windows, but the CLI VPN functionality is not supported. You can still use Pangolin CLI on Windows for SSH alongside the Windows GUI client.
 Pangolin CLI supports running as user device with authentication or a machine client.
-### Quick Install (Recommended)
+
 ### Quick Install (Recommended) — Linux and macOS
 Use this command to automatically install Pangolin CLI. It detects your system architecture automatically and always pulls the latest version, adding `pangolin` to your PATH:
 ```bash
 curl -fsSL https://static.pangolin.net/get-cli.sh | bash
 ```
 ### Windows
 Go to [GitHub releases](https://github.com/fosrl/cli/releases) and download the latest **MSI installer** or **EXE** for Windows.
 ### Manual Download
-Binaries for Linux and macOS are available in the [GitHub releases](https://github.com/fosrl/cli/releases) for ARM and AMD64 (x86_64) architectures.
+Binaries for all platforms are available in the [GitHub releases](https://github.com/fosrl/cli/releases) for ARM and AMD64 (x86_64) architectures.
 Download and install manually:
--- a/manage/domains.mdx
+++ b/manage/domains.mdx
@@ -32,7 +32,7 @@ More about self-hosted DNS and networking can be found in the [DNS & Networking
 ### Domain Delegation (NS Records)
-<Note>Cloud & [Enterprise Edition](/self-host/enterprise-edition) Only</Note>
+<Note>[Pangolin Cloud](https://app.pangolin.net/auth/signup) & [Enterprise Edition](/self-host/enterprise-edition) Only</Note>
 Gives Pangolin full DNS control over your domain.
@@ -44,7 +44,7 @@ Domain delegation is ideal when you want Pangolin to manage your entire domain a
 ### Single Domain (CNAME Records)
-<Note>Cloud & [Enterprise Edition](/self-host/enterprise-edition) Only</Note>
+<Note>[Pangolin Cloud](https://app.pangolin.net/auth/signup) & [Enterprise Edition](/self-host/enterprise-edition) Only</Note>
 Single domain is limited to the exact domain you specify.
--- a/manage/identity-providers/add-an-idp.mdx
+++ b/manage/identity-providers/add-an-idp.mdx
@@ -39,7 +39,7 @@ Here is an example using Microsoft Azure Entra ID as SSO for Pangolin:
 Organization identity providers are configured per organization and only apply to that specific organization. Each org can have its own identity providers, allowing for authentication methods based on the organization's needs.
 <Note>
-	Available in Pangolin Cloud and [Enterprise Edition](/self-host/enterprise-edition). For [Enterprise Edition](/self-host/enterprise-edition), you must set `app.identity_provider_mode: "org"` in the [private config file](/self-host/advanced/private-config-file#param-identity-provider-mode) `privateConfig.yml`.
+	Available in [Pangolin Cloud](https://app.pangolin.net/auth/signup) and [Enterprise Edition](/self-host/enterprise-edition). For [Enterprise Edition](/self-host/enterprise-edition), you must set `app.identity_provider_mode: "org"` in the [private config file](/self-host/advanced/private-config-file#param-identity-provider-mode) `privateConfig.yml`.
 </Note>
 ### Global Identity Providers
@@ -64,7 +64,7 @@ This can be used to connect to any external identity provider that supports the
 ### Google
 <Note>
-Google IdP is only available in Pangolin Cloud or self-hosted [Enterprise Edition](/self-host/enterprise-edition) with organization identity providers. See above to enable.
+Google IdP is only available in [Pangolin Cloud](https://app.pangolin.net/auth/signup) or self-hosted [Enterprise Edition](/self-host/enterprise-edition) with organization identity providers. See above to enable.
 </Note>
 Easily set up Google Workspace authentication for your organization. Users can sign in with their Google accounts and access Pangolin resources using their existing Google credentials. Perfect for organizations already using Google Workspace for email, calendar, and other services.
@@ -72,7 +72,7 @@ Easily set up Google Workspace authentication for your organization. Users can s
 ### Azure Entra ID
 <Note>
-Azure Entra ID IdP is only available in Pangolin Cloud or self-hosted [Enterprise Edition](/self-host/enterprise-edition) with organization identity providers. See above to enable.
+Azure Entra ID IdP is only available in [Pangolin Cloud](https://app.pangolin.net/auth/signup) or self-hosted [Enterprise Edition](/self-host/enterprise-edition) with organization identity providers. See above to enable.
 </Note>
 Integrate with Microsoft's enterprise identity platform to allow users to authenticate using their Azure Active Directory accounts. Ideal for organizations using Microsoft 365 or other Azure services, providing seamless single sign-on across your Microsoft ecosystem.
--- a/manage/identity-providers/azure.mdx
+++ b/manage/identity-providers/azure.mdx
@@ -10,7 +10,7 @@ import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx";
 <Note>
-Azure SSO is only available on Pangolin Cloud and [Enterprise Edition](/self-host/enterprise-edition) deployments. In [Enterprise Edition](/self-host/enterprise-edition), you must set `app.identity_provider_mode: "org"` in your [private config file](/self-host/advanced/private-config-file) `privateConfig.yml`.
+Azure SSO is only available on [Pangolin Cloud](https://app.pangolin.net/auth/signup) and [Enterprise Edition](/self-host/enterprise-edition) deployments. In [Enterprise Edition](/self-host/enterprise-edition), you must set `app.identity_provider_mode: "org"` in your [private config file](/self-host/advanced/private-config-file) `privateConfig.yml`.
 </Note>
 The following steps will integrate Microsoft SSO using the built in Azure Entra ID identity provider in Pangolin.
--- a/manage/identity-providers/google.mdx
+++ b/manage/identity-providers/google.mdx
@@ -10,7 +10,7 @@ import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx";
 <Note>
-Google SSO is only available on Pangolin Cloud and [Enterprise Edition](/self-host/enterprise-edition) deployments. In [Enterprise Edition](/self-host/enterprise-edition), you must set `app.identity_provider_mode: "org"` in your [private config file](/self-host/advanced/private-config-file#param-use-org-only-idp) `privateConfig.yml`.
+Google SSO is only available on [Pangolin Cloud](https://app.pangolin.net/auth/signup) and [Enterprise Edition](/self-host/enterprise-edition) deployments. In [Enterprise Edition](/self-host/enterprise-edition), you must set `app.identity_provider_mode: "org"` in your [private config file](/self-host/advanced/private-config-file#param-use-org-only-idp) `privateConfig.yml`.
 </Note>
 The following steps will integrate Google SSO using the built in Google identity provider in Pangolin.
--- a/manage/integration-api.mdx
+++ b/manage/integration-api.mdx
@@ -54,7 +54,7 @@ Organization API keys are created by organization admins and have limited scope
 ### Root API Keys
-Root API keys have some extra permissions and can execute operations across orgs. They are only available in the Community Edition of Pangolin:
+Root API keys have some extra permissions and can execute operations across orgs. They are only available in the fully self-hosted editions of Pangolin:
 <Warning>
 Root API keys have elevated permissions and should be used carefully. Only create them when you need server-wide access.
--- a/manage/remote-node/understanding-nodes.mdx
+++ b/manage/remote-node/understanding-nodes.mdx
@@ -10,7 +10,7 @@ import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx";
 <Note>
-	Remote Nodes are available in Pangolin Cloud and self-hosted [Enterprise Edition](/self-host/enterprise-edition).
+	Remote Nodes are available in [Pangolin Cloud](https://app.pangolin.net/auth/signup) and self-hosted [Enterprise Edition](/self-host/enterprise-edition).
 </Note>
 Remote nodes, you run your own Pangolin node - your tunnels, SSL termination, and traffic all stay on your server and use your bandwidth. The difference is that management and monitoring are handled through our cloud or your central self-hosted [Enterprise Edition](/self-host/enterprise-edition) server. The node just handles terminating Wireguard tunnels, serving HTTP(S) traffic, and routing relayed client connections - it is essentially a remote networking hub.
--- a/manage/ssh.mdx
+++ b/manage/ssh.mdx
@@ -7,14 +7,24 @@ import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx";
 <PangolinCloudTocCta />
 <Note>
 Only available in [Pangolin Cloud](https://app.pangolin.net/auth/signup) and [Enterprise Edition](/self-host/enterprise-edition).
 </Note>
 ## Overview
 Pangolin includes a built-in SSH client so you can connect to remote servers and manage them directly from the terminal. You use your existing Pangolin identity—no separate SSH keys to create or copy. Pangolin generates and signs temporary access keys, pushes them to the remote server, and creates or updates your user account there. All of this happens automatically when you start a connection.
 You can SSH into any Pangolin site or private resource. Two components handle SSH on the server side:
- **Newt (site connector)** — Runs as a daemon and handles SSH for the host it runs on.
+<CardGroup cols={2}>
- **Auth daemon** — Handles SSH for other servers on the same network. It can run inside Newt or as a separate process on another machine (for example, a bastion Newt plus auth daemons on other hosts).
+  <Card title="Newt (site connector)" icon="plug" href="#option-1-newt-as-the-auth-daemon-same-host">
    Runs as a daemon and handles SSH for the host it runs on. Use this when the machine you want to SSH into is the same server running Newt.
  </Card>
  <Card title="Auth daemon" icon="server" href="#option-2-external-auth-daemon-ssh-on-another-server-that-doesn%E2%80%99t-run-newt">
    Handles SSH for other servers on the same network. Run the auth daemon on each target host; Newt on a bastion proxies connections to them.
  </Card>
 </CardGroup>
 You connect using the Pangolin CLI as the SSH client. The tunnel can be provided by the CLI or by another Pangolin client (e.g. the macOS app); you can run the GUI for the tunnel and use the CLI only for SSH if you prefer.
@@ -175,6 +185,8 @@ On every host that should accept Pangolin SSH (and is not running Newt), run the
 sudo pangolin auth-daemon --pre-shared-key <pre-shared-key>
 ```
 To use a non-default port, add `--port <port>` and set the same port in the resource’s SSH settings in the dashboard.
 #### Run as a systemd service
 Create a systemd unit so the auth daemon runs on boot:
@@ -193,7 +205,7 @@ User=root
 WantedBy=multi-user.target
 ```
-Replace `<pre-shared-key>` with the same value used on Newt. Then:
+Replace `<pre-shared-key>` with the same value used on Newt. If you use a custom port (set in the resource’s SSH settings), add `--port <port>` to `ExecStart`. Then:
 ```bash
 sudo systemctl daemon-reload
@@ -212,9 +224,13 @@ On each of these hosts, configure the SSH server as in [Configure the SSH server
 ### Step 4: Ensure network connectivity
- **Newt → auth daemon:** Newt must be able to reach **TCP port 22123** on each server running the auth daemon (used for HTTPS between Newt and the auth daemon).
+- **Newt → auth daemon:** Newt must be able to reach the auth daemon port on each target server (default **TCP 22123**; configurable in the resource’s SSH settings and via the auth daemon’s `--port` flag).
 - **Clients → SSH:** Port **22** must be open for SSH to each target server (from wherever your users connect—often only within your private network).
 <Note>
 To change the auth daemon port from the default 22123, configure the port in the resource’s SSH settings in Pangolin and pass the same port with `--port` when starting the auth daemon.
 </Note>
 <Warning>
 These ports do not need to be exposed to the public internet. They only need to be reachable within the network where Newt and the target servers live.
 </Warning>
@@ -280,4 +296,6 @@ Pangolin derives the remote username from your Pangolin identity (the part befor
 ### How does Newt communicate with the external auth daemon?
-Newt talks to the auth daemon over **HTTPS** on **TCP 22123**. When you SSH into a server that uses the external auth daemon, Newt calls the auth daemon on that host to create or update your user and resolve principals. Port 22123 only needs to be open between Newt and the auth daemon hosts on your internal network; it should not be exposed to the internet.
+Newt talks to the auth daemon over **HTTPS**. **TCP 22123** is used by default. When you SSH into a server that uses the external auth daemon, Newt calls the auth daemon on that host to create or update your user and resolve principals. Port 22123 only needs to be open between Newt and the auth daemon hosts on your internal network; it should not be exposed to the internet.
 To use a different port, set the port in the resource’s SSH settings in the Pangolin dashboard and pass the same port to the auth daemon with the `--port` flag (e.g. `pangolin auth-daemon --pre-shared-key <key> --port 22124`). Newt and the auth daemon must use the same port.
--- a/self-host/advanced/container-cli-tool.mdx
+++ b/self-host/advanced/container-cli-tool.mdx
@@ -124,3 +124,21 @@ This command permanently deletes the client and its associated data:
 This action cannot be undone. Ensure you have backups if needed.
 </Warning>
 ## Generate Org CA Keys
 Generate an SSH CA public/private key pair for an organization and store them in the database. The private key is encrypted with the server secret.
 ```bash
 docker exec -it pangolin pangctl generate-org-ca-keys --orgId "org-123"
 ```
 ### Options
 - `--orgId` (required): The organization ID
 - `--secret` (optional): Server secret used to encrypt the CA private key. If omitted, the secret is read from the config file (`config.yml` or `config.yaml` in the config directory).
 - `--force` (optional, default: `false`): Overwrite existing CA keys for the organization if they already exist
 <Warning>
 If the organization already has CA keys, the command fails unless you pass `--force`. Using `--force` overwrites the existing keys; ensure you have a backup or understand the impact before overwriting.
 </Warning>
--- a/self-host/advanced/wild-card-domains.mdx
+++ b/self-host/advanced/wild-card-domains.mdx
@@ -255,6 +255,8 @@ Traefik supports most DNS providers. You can find a full list of supported provi
  - Check API token permissions and scope
  - Ensure DNS propagation has completed
  - Review provider-specific configuration
  - If your DNS provider has a firewall in place, ensure it allows incoming DNS traffic (typically UDP on port **53**). Adding an ingress rule to permit such traffic may help resolve the issue, especially if the firewall is stateless.
 </Accordion>
 <Accordion title="Old certificates still being used">
@@ -262,4 +264,4 @@ Traefik supports most DNS providers. You can find a full list of supported provi
  **Solution**: Delete the `acme.json` file to force new certificate generation.
 </Accordion>
-</AccordionGroup>
+</AccordionGroup>