---
title: "Configuration File"
description: "Configure Pangolin using the config.yml file with detailed settings for all components"
---

The `config.yml` file controls all aspects of your Pangolin deployment, including server settings, domain configuration, email setup, and security options.

This file is mounted at `config/config.yml` in your Docker container.

## Setting up your `config.yml`

To get started, create a basic configuration file with the essential settings:

Minimal Pangolin configuration:

```yaml title="config.yml"
app:
  dashboard_url: "http://pangolin.example.com"

domains:
  domain1:
    base_domain: "pangolin.example.com"
    cert_resolver: "letsencrypt"

server:
  secret: "your-strong-secret"

gerbil:
  base_endpoint: "pangolin.example.com"

flags:
  require_email_verification: false
  disable_signup_without_invite: true
  disable_user_create_org: true
```

Generate a strong secret for `server.secret`. Use at least 32 characters with a mix of letters, numbers, and special characters.

## Reference

This section contains the complete reference for all configuration options in `config.yml`.

### Application Settings

Core application configuration including dashboard URL, logging, and general settings.

The URL where your Pangolin dashboard is hosted.
**Examples**: `https://example.com`, `https://pangolin.example.com`
This URL is used for generating links, redirects, and authentication flows. You can run Pangolin on a subdomain or root domain.

The logging level for the application.
**Options**: `debug`, `info`, `warn`, `error`
**Default**: `info`

Whether to save logs to files in the `config/logs/` directory.
**Default**: `false`
When enabled, logs rotate automatically:

- Max file size: 20MB
- Max files: 7 days

Whether to log failed authentication attempts for security monitoring.
**Default**: `false`

### Server Configuration

Server ports, networking, and authentication settings.

The port for the front-end API that handles external requests.
**Example**: `3000`

The port for the internal private-facing API.
**Example**: `3001`

The port for the frontend server (Next.js).
**Example**: `3002`

The port for the integration API (optional).
**Example**: `3003`

The hostname of the Pangolin container for internal communication.
**Example**: `pangolin`
If using Docker Compose, this should match your container name.

The name of the session cookie for storing authentication tokens.
**Example**: `p_session_token`
**Default**: `p_session_token`

Query parameter name for passing access tokens in requests.
**Example**: `p_token`
**Default**: `p_token`

HTTP headers for passing access tokens in requests.

- Header name for access token ID. **Example**: `P-Access-Token-Id`
- Header name for access token. **Example**: `P-Access-Token`

Query parameter for session request tokens.
**Example**: `p_session_request`
**Default**: `p_session_request`

Cross-Origin Resource Sharing (CORS) configuration.

- Allowed origins for cross-origin requests. **Example**: `["https://pangolin.example.com"]`
- Allowed HTTP methods for CORS requests. **Example**: `["GET", "POST", "PUT", "DELETE", "PATCH"]`
- Allowed HTTP headers in CORS requests. **Example**: `["X-CSRF-Token", "Content-Type"]`
- Whether to allow credentials in CORS requests. **Default**: `true`

Number of proxy headers to trust for client IP detection.
**Example**: `1`
**Default**: `1`
Use `1` if running behind a single reverse proxy like Traefik.

Dashboard session duration in hours.
**Example**: `720` (30 days)
**Default**: `720`

Resource session duration in hours.
**Example**: `720` (30 days)
**Default**: `720`

Secret key for encrypting sensitive data.
**Environment Variable**: `SERVER_SECRET`
**Minimum Length**: 8 characters
**Example**: `"d28@a2b.2HFTe2bMtZHGneNYgQFKT2X4vm4HuXUXBcq6aVyNZjdGt6Dx-_A@9b3y"`
Generate a strong, random secret. This is used for encrypting sensitive data and should be kept secure.

### Domain Configuration

Domain settings for SSL certificates and routing.
At least one domain must be configured.

Domain configuration with a unique key of your choice.

- The base domain for this configuration. **Example**: `example.com`
- The Traefik certificate resolver name. **Example**: `letsencrypt`. This must match the certificate resolver name in your Traefik configuration.
- Whether to prefer wildcard certificates for this domain. **Example**: `true`. Useful for domains with many subdomains to reduce certificate management overhead.

### Traefik Integration

Traefik reverse proxy configuration settings.

The Traefik entrypoint name for HTTP traffic.
**Example**: `web`
Must match the entrypoint name in your Traefik configuration.

The Traefik entrypoint name for HTTPS traffic.
**Example**: `websecure`
Must match the entrypoint name in your Traefik configuration.

The default certificate resolver for domains created through the UI.
**Example**: `letsencrypt`
This only applies to domains created through the Pangolin dashboard.

Whether to prefer wildcard certificates for UI-created domains.
**Example**: `true`
This only applies to domains created through the Pangolin dashboard.

Additional Traefik middlewares to apply to resource routers.
**Example**: `["middleware1", "middleware2"]`
These middlewares must be defined in your Traefik dynamic configuration.

### Gerbil Tunnel Controller

Gerbil tunnel controller settings for WireGuard tunneling.

Domain name included in WireGuard configuration for tunnel connections.
**Example**: `pangolin.example.com`

Starting port for WireGuard tunnels.
**Example**: `51820`

Whether to assign unique subdomains to Gerbil exit nodes.
**Default**: `false`
Keep this set to `false` for most deployments.

IP address CIDR range for Gerbil exit node subnets.
**Example**: `10.0.0.0/8`

Block size for Gerbil exit node CIDR ranges.
**Example**: `24`

Block size for site CIDR ranges connected to Gerbil.
**Example**: `26`

### Rate Limiting

Rate limiting configuration for API requests.
Global rate limit settings for all external API requests.

- Time window for rate limiting in minutes. **Example**: `1`
- Maximum number of requests allowed in the time window. **Example**: `100`

### Email Configuration

SMTP settings for sending transactional emails.

SMTP server hostname.
**Example**: `smtp.gmail.com`

SMTP server port.
**Example**: `587` (TLS) or `465` (SSL)

SMTP username.
**Example**: `no-reply@example.com`

SMTP password.
**Environment Variable**: `EMAIL_SMTP_PASS`

Whether to use secure connection (SSL/TLS).
**Default**: `false`
Enable this when using port 465 (SSL).

From address for sent emails.
**Example**: `no-reply@example.com`
Usually the same as `smtp_user`.

Whether to fail on invalid server certificates.
**Default**: `true`

### Feature Flags

Feature flags to control application behavior.

Whether to require email verification for new users.
**Default**: `false`
Only enable this if you have email configuration set up.

Whether to disable public user registration.
**Default**: `false`
Users can still sign up with valid invites when enabled.

Whether to prevent users from creating organizations.
**Default**: `false`
Server admins can always create organizations.

Whether to allow raw TCP/UDP resource creation.
**Default**: `true`
If set to `false`, users will only be able to create http/https resources.

Whether to enable the integration API.
**Default**: `false`

### Database Configuration

PostgreSQL database configuration (optional).

PostgreSQL connection string.
**Example**: `postgresql://user:password@host:port/database`
See [PostgreSQL documentation](../database/postgres) for setup instructions.

## Environment Variables

Some configuration values can be set using environment variables for enhanced security:

**Variable**: `SERVER_SECRET`
**Config**: `server.secret`
Use this to avoid hardcoding secrets in your config file.

**Variable**: `EMAIL_SMTP_PASS`
**Config**: `email.smtp_pass`
Keep SMTP passwords secure using environment variables.
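
The secret guidance in the setup section and the environment-variable advice above can be checked before deployment. The following is an added example, not part of Pangolin: `generate_secret` and `audit` are hypothetical helper names, and `audit` assumes `config.yml` has already been parsed into a mapping by a YAML loader. This page does not say which source wins when both the file and the environment set a value, so each source is checked on its own.

```python
import secrets

MIN_SECRET_LEN = 32  # this page's recommendation for server.secret
PLACEHOLDERS = {"your-strong-secret"}  # placeholder from the minimal config above

def generate_secret(nbytes: int = 48) -> str:
    """Return a URL-safe random secret; 48 random bytes encode to 64 characters."""
    return secrets.token_urlsafe(nbytes)

def audit(config: dict, env: dict) -> list[str]:
    """Return findings for a parsed config.yml plus the container's environment."""
    findings = []
    file_secret = (config.get("server") or {}).get("secret")
    env_secret = env.get("SERVER_SECRET")
    if file_secret is not None:
        findings.append("server.secret is hardcoded; supply SERVER_SECRET instead")
    for source, value in (("server.secret", file_secret), ("SERVER_SECRET", env_secret)):
        if value is None:
            continue
        if value in PLACEHOLDERS:
            findings.append(f"{source} is still the documentation placeholder")
        elif len(value) < MIN_SECRET_LEN:
            findings.append(f"{source} has {len(value)} characters; use at least {MIN_SECRET_LEN}")
    if file_secret is None and env_secret is None:
        findings.append("no server secret set in config.yml or SERVER_SECRET")
    if (config.get("email") or {}).get("smtp_pass") is not None:
        findings.append("email.smtp_pass is hardcoded; supply EMAIL_SMTP_PASS instead")
    flags = config.get("flags") or {}
    # The flag defaults to false, which leaves public registration enabled.
    if not flags.get("disable_signup_without_invite", False):
        findings.append("flags.disable_signup_without_invite is false; public signup is open")
    return findings

# Constructed sample: the minimal config's secret and flag, plus an SMTP password,
# as the mapping a YAML loader would return.
SAMPLE = {
    "server": {"secret": "your-strong-secret"},
    "email": {"smtp_pass": "constructed-smtp-password"},
    "flags": {"disable_signup_without_invite": True},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, env={}):
        print("-", finding)
    print("candidate SERVER_SECRET:", generate_secret())
```
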