Bypass Rules work only with Path and not IP or IP Range #1476

Closed
opened 2026-04-05 19:30:12 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @dpurnam on 5/17/2025

Thank you very much for such a great thing.

I've been testing Pangolin in an attempt to shift away from Cloudflare Tunnels.

Using the Target Rules based on IP Address (IPv4 or IPv6 - single or ranges) does not work.

However, the Target Rules based on path (for example, /api/*) work fine on the same target, but this is a lot less secure than those based on IP addresses.

Debug logs:

```
2025-05-17T10:59:20.437Z [debug]: Verify session: Badger sent {"sessions":{},"originalRequestURL":"https://certs.example.com/","scheme":"","host":"certs.example.com","path":"/","method":"GET","tls":true,"requestIp":"[<correct-public-ipv6-host2>]:51002","headers":{"Accept":"*/*","User-Agent":"curl/7.88.1","X-Forwarded-Host":"certs.example.com","X-Forwarded-Port":"443","X-Forwarded-Proto":"https","X-Forwarded-Server":"amdvpn","X-Real-Ip":"<correct-public-ipv6-host2>"}}
2025-05-17T10:59:20.440Z [debug]: No more auth to check, resource not allowed
2025-05-17T10:59:20.440Z [debug]: {"data":{"valid":false,"redirectUrl":"https://pangolin.example.org/auth/resource/10?redirect=https%3A%2F%2Fcerts.example.com%2F"},"success":true,"error":false,"message":"Access denied","status":200}
2025-05-17T10:59:23.995Z [debug]: Verify session: Badger sent {"sessions":{},"originalRequestURL":"https://certs.example.com/","scheme":"","host":"certs.example.com","path":"/","method":"GET","tls":true,"requestIp":"[<correct-public-ipv6-host1>]:45430","headers":{"Accept":"*/*","User-Agent":"curl/7.88.1","X-Forwarded-Host":"certs.example.com","X-Forwarded-Port":"443","X-Forwarded-Proto":"https","X-Forwarded-Server":"amdvpn","X-Real-Ip":"<correct-public-ipv6-host1>"}}
2025-05-17T10:59:23.996Z [debug]: No more auth to check, resource not allowed
2025-05-17T10:59:23.996Z [debug]: {"data":{"valid":false,"redirectUrl":"https://pangolin.domain.com/auth/resource/10?redirect=https%3A%2F%2Fcerts.example.com%2F"},"success":true,"error":false,"message":"Access denied","status":200}
```

I did not use the installer but a manual docker compose, using HOST docker network_mode because using the user-mode pangolin network kept causing DNS 53 errors.

```yaml
#networks:
#  default:
#    driver: bridge
#    name: pangolin
services:
  pangolin:
    image: fosrl/pangolin:latest
    container_name: pangolin
    network_mode: host
    restart: unless-stopped
    volumes:
      - ./config:/app/config
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3001/api/v1/"]
      interval: "3s"
      timeout: "3s"
      retries: 15

  gerbil:
    image: fosrl/gerbil:latest
    container_name: gerbil
    network_mode: host
    restart: unless-stopped
    depends_on:
      pangolin:
        condition: service_healthy
    command:
      - --reachableAt=http://gerbil:3003
      - --generateAndSaveKeyTo=/var/config/key
      - --remoteConfig=http://pangolin:3001/api/v1/gerbil/get-config
      - --reportBandwidthTo=http://pangolin:3001/api/v1/gerbil/receive-bandwidth
    volumes:
      - ./config/:/var/config
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
#    ports:
#      - 41820:41820/udp
#      - 443:443/tcp # Port for traefik because of the network_mode
#      - 80:80 # Port for traefik because of the network_mode
#      - 443:443/udp # HTTP3/QUIC

  traefik:
    image: traefik:latest #v3.3.3
    container_name: traefik
    restart: unless-stopped
#    network_mode: host
    network_mode: service:gerbil # Ports appear on the gerbil service
    depends_on:
      pangolin:
        condition: service_healthy
    command:
      - --configFile=/etc/traefik/traefik_config.yml
    # Add the environment variables for your DNS provider.
    environment:
      CLOUDFLARE_DNS_API_TOKEN: "MyToken"

    volumes:
      - ./config/traefik:/etc/traefik:ro # Volume to store the Traefik configuration
      - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
      #- ./config/traefik/rules:/rules # Non-functional/Breaking mount point from Middleware Manager container
```

gerbil section in config.yml:

```yaml
gerbil:
  start_port: 41820
#  base_endpoint: "localhost"
  use_subdomain: true
  base_endpoint: "pangolin.domain.com"
#  use_subdomain: false
  block_size: 24
  site_block_size: 30
  subnet_group: 100.89.137.0/20
```

I feel it's some wrong configuration somewhere that I'm unable to figure out.

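As an added example (not Pangolin's or Badger's own code), a small checker that pulls the `requestIp` field out of Badger debug lines like the ones in the report and tests it against IP and CIDR rules. The log shows `requestIp` carrying a port and, for IPv6, brackets, so the checker evaluates the raw value and the normalized address side by side; the rule format, the parsing and the sample addresses (documentation ranges) are assumptions.

```python
import ipaddress
import json
import re

# Constructed sample lines in the shape of the "Verify session: Badger sent {...}"
# entries from the report, with the addresses replaced by documentation ranges
# (RFC 3849 2001:db8::/32 and RFC 5737 192.0.2.0/24).
SAMPLE_LOG = [
    '2025-05-17T10:59:20.437Z [debug]: Verify session: Badger sent '
    '{"sessions":{},"host":"certs.example.com","path":"/","requestIp":"[2001:db8::10]:51002"}',
    '2025-05-17T10:59:23.995Z [debug]: Verify session: Badger sent '
    '{"sessions":{},"host":"certs.example.com","path":"/","requestIp":"192.0.2.7:45430"}',
]

# Assumed rule format: the operator's allow list as single hosts or CIDR ranges.
ALLOW_RULES = ["2001:db8::/32", "192.0.2.0/24"]

_BADGER = re.compile(r"Badger sent (\{.*\})$")


def extract_request_ip(line):
    """Return the raw requestIp string from a Badger debug line, or None."""
    m = _BADGER.search(line)
    return json.loads(m.group(1)).get("requestIp") if m else None


def normalize_ip(raw):
    """Drop the port (and IPv6 brackets) Badger reports: '[::1]:443' -> ::1."""
    if raw.startswith("["):            # bracketed IPv6 with port
        raw = raw[1:raw.index("]")]
    elif raw.count(":") == 1:          # IPv4 with port (bare IPv6 has more colons)
        raw = raw.rsplit(":", 1)[0]
    return ipaddress.ip_address(raw)


def rule_matches(raw_ip, rules, normalize=True):
    """True if the client address falls inside any rule. With normalize=False
    the raw 'host:port' string is tested as-is and never matches a rule."""
    try:
        ip = normalize_ip(raw_ip) if normalize else ipaddress.ip_address(raw_ip)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(r, strict=False) for r in rules)


def audit(lines, rules):
    """(requestIp, matches_raw, matches_normalized) for each Badger line."""
    ips = [extract_request_ip(line) for line in lines]
    return [(ip, rule_matches(ip, rules, False), rule_matches(ip, rules))
            for ip in ips if ip is not None]
```

Running `audit(SAMPLE_LOG, ALLOW_RULES)` over your own debug log shows whether the address Badger reports would fall inside your rule once the port is stripped, which separates a rule-definition mistake from a matching problem.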

Reference: github/pangolin#1476