mocode-software/meldestelle
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

docs: add new Access Control and Logs documentation pages

Browse Source 
- Documented Access Control features (e.g., Device Approvals, Password Rotation, 2FA, Custom Login Pages).
- Added detailed descriptions for Logs & Analytics (Access Logs, Request Logs, Action Logs).
- Included configuration instructions and feature-specific notes for Pangolin Cloud and Enterprise Edition.

Signed-off-by: Stefan Mogeritsch <stefan.mo.co@gmail.com>
This commit is contained in:
Stefan Mogeritsch
2026-03-11 11:24:24 +01:00
parent a70f132fd9
commit aa157e82f8
87 changed files with 13163 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/01_Architecture/Pangolin/Mange_Pangolin/Access_Control/ASN_Blocking.md
+130
View File
@@ -0,0 +1,130 @@
> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pangolin.net/llms.txt
> Use this file to discover all available pages before exploring further.
# ASN Blocking
> Configure ASN blocking to restrict access based on Autonomous System Numbers
<div id="pangolin-toc-cta" className="pangolin-toc-cta-source">
<Card title="Try free on Pangolin Cloud" icon="cloud" href="https://app.pangolin.net/auth/signup" arrow="true" cta="Sign up free">
Fastest way to get started with Pangolin using the hosted control plane. No credit card required.
</Card>
</div>
<Note>
ASN blocking is available in Pangolin community! Protect your resources by blocking or allowing specific networks and service providers.
</Note>
## Benefits of ASN Blocking
ASN blocking provides several important security and operational advantages:
### Security Benefits
* **Block Malicious Networks**: Prevent access from autonomous systems known for hosting malicious activity, botnets, or
spam operations
* **Control Cloud Provider Access**: Restrict or allow access from specific cloud providers (AWS, Azure, GCP, etc.)
* **Block VPN/Proxy Services**: Deny access from commercial VPN and proxy service providers to prevent anonymous access
* **Datacenter Filtering**: Block traffic from datacenter networks while allowing residential ISPs
* **Compliance Requirements**: Meet regulatory requirements that restrict access from certain network types or providers
## Implementing ASN Blocking with Bypass Rules
ASN blocking in Pangolin is implemented using [bypass rules](/manage/access-control/rules) with ASN-based matching. You
can create rules that either allow or deny access based on the visitor's Autonomous System Number.
<Frame caption="Screenshot of ASN rules from the Pangolin Dashboard.">
<img src="https://mintcdn.com/fossorial/MMrfB9vCB5hFqH7u/images/asn_rules.png?fit=max&auto=format&n=MMrfB9vCB5hFqH7u&q=85&s=da5e921bf03e2489612a3675835fb72f" alt="Pangolin Dashboard" data-og-width="2097" width="2097" data-og-height="836" height="836" data-path="images/asn_rules.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/fossorial/MMrfB9vCB5hFqH7u/images/asn_rules.png?w=280&fit=max&auto=format&n=MMrfB9vCB5hFqH7u&q=85&s=f2e43d3574badc836984a4d3fc3aa724 280w, https://mintcdn.com/fossorial/MMrfB9vCB5hFqH7u/images/asn_rules.png?w=560&fit=max&auto=format&n=MMrfB9vCB5hFqH7u&q=85&s=fcc409e55ceb8816a1461d21a2cf4532 560w, https://mintcdn.com/fossorial/MMrfB9vCB5hFqH7u/images/asn_rules.png?w=840&fit=max&auto=format&n=MMrfB9vCB5hFqH7u&q=85&s=115e0ad84da45dc0912f414428ec1835 840w, https://mintcdn.com/fossorial/MMrfB9vCB5hFqH7u/images/asn_rules.png?w=1100&fit=max&auto=format&n=MMrfB9vCB5hFqH7u&q=85&s=f9235b8188e24cf86174006e1a20b980 1100w, https://mintcdn.com/fossorial/MMrfB9vCB5hFqH7u/images/asn_rules.png?w=1650&fit=max&auto=format&n=MMrfB9vCB5hFqH7u&q=85&s=03ed9f55d931a43fca4e7c2bfb538a69 1650w, https://mintcdn.com/fossorial/MMrfB9vCB5hFqH7u/images/asn_rules.png?w=2500&fit=max&auto=format&n=MMrfB9vCB5hFqH7u&q=85&s=78efcc70d2a2a1c1dd2b24eda7b6e552 2500w" />
</Frame>
### Setting Up ASN Blocking Rules
1. Navigate to your target resource and select the **Rules** tab
2. Create a new rule and select **ASN** as the match type
3. Choose an ASN from the dropdown of common providers, or manually enter a specific ASN number
4. Choose your rule action:
* **Allow**: Bypass authentication for users from specific ASNs
* **Deny**: Block all access from specific ASNs
* **Pass to Auth**: Let users from specific ASNs proceed to authentication
### Common ASNs
The dropdown includes many commonly-used ASNs such as:
* **Cloud Providers**: Amazon (AS16509), Google Cloud (AS15169), Microsoft Azure (AS8075), DigitalOcean (AS14061)
* **Major ISPs**: Comcast (AS7922), AT\&T (AS7018), Verizon (AS701), Deutsche Telekom (AS3320)
* **VPN/Proxy Services**: NordVPN (various), ExpressVPN (various), Mullvad (AS42831)
* **CDN Providers**: Cloudflare (AS13335), Fastly (AS54113), Akamai (various)
If the ASN you need isn't in the dropdown, you can manually enter the ASN number (e.g., AS12345 or just 12345).
### Common ASN Blocking Patterns
#### Block VPN and Proxy Services
Create deny rules for known VPN and proxy ASNs to prevent anonymous access:
1. Create **Deny** rules for each VPN/proxy provider ASN
2. Select ASNs from the dropdown or enter them manually
3. Set appropriate priorities
#### Block Datacenter Traffic
Block access from datacenter and hosting provider ASNs while allowing residential users:
1. Create **Deny** rules for major cloud and hosting provider ASNs
2. Include providers like AWS, GCP, Azure, DigitalOcean, etc.
3. This helps ensure only real users from residential ISPs can access your resources
#### Allow Only Specific Networks
Create a default deny rule and explicitly allow only approved ASNs:
1. Create a **Deny** rule matching all traffic with priority 100
2. Create **Allow** rules for specific approved ASNs with higher priority (e.g., 10, 20, 30)
#### Regional ISP Control
Allow access only from specific country ISPs while blocking others:
1. **Combine with Country Rules**: Use ASN rules to specify which ISPs are allowed
2. Create **Allow** rules for major residential ISPs in your target countries
3. Block datacenter and VPN ASNs that might circumvent country restrictions
### Best Practices
<Warning>
ASN blocking affects all users from that network. Be careful when blocking large ISPs or cloud providers, as legitimate users or your own infrastructure may be affected.
</Warning>
### Finding ASN Numbers
If you need to find the ASN for a specific network or provider:
1. Use online tools like [bgp.he.net](https://bgp.he.net/) or [ipinfo.io](https://ipinfo.io/)
2. Search by company name, IP address, or ASN number
3. Enter the ASN in the rule configuration (with or without the "AS" prefix)
### Rule Priority Example
```
Priority 1: Allow - ASN: AS7922 (Comcast)
Priority 2: Allow - ASN: AS7018 (AT&T)
Priority 3: Deny - ASN: AS13335 (Cloudflare - VPN)
Priority 4: Deny - ASN: AS16509 (Amazon - Datacenter)
```
This configuration allows access from residential users on Comcast and AT\&T while blocking Cloudflare's VPN service and
Amazon datacenters.
### Advanced Patterns
#### Block Bot Networks
Identify and block ASNs associated with automated bot traffic:
1. Monitor your access logs for suspicious ASNs
2. Create **Deny** rules for ASNs showing bot-like behavior
3. Regularly review and update your blocklist
docs/01_Architecture/Pangolin/Mange_Pangolin/Access_Control/Change_Password.md
+36
View File
@@ -0,0 +1,36 @@
> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pangolin.net/llms.txt
> Use this file to discover all available pages before exploring further.
# Change Password
> Change or reset your Pangolin account password
<div id="pangolin-toc-cta" className="pangolin-toc-cta-source">
<Card title="Try free on Pangolin Cloud" icon="cloud" href="https://app.pangolin.net/auth/signup" arrow="true" cta="Sign up free">
Fastest way to get started with Pangolin using the hosted control plane. No credit card required.
</Card>
</div>
### Change Password
If you're already logged in, you can change your password by clicking your profile menu (top right) and selecting Change
Password. You will be required to confirm your old password and enter a new password.
<Tip>
If you want to require password changes at regular intervals for better security, check out the [password rotation documentation](/manage/access-control/password-rotation).
</Tip>
### Reset Password
If you forgot your password, you can use the reset password function. On the login page, select Forgot your password?.
This will ask for your username or email. A reset code will be sent to that email to complete the reset.
If you're selfhosting Pangolin, you will need an SMTP server configured to send emails. If you don't have one
configured, the server will log the reset code to the server logs for you to retrieve and use to reset the password.
### Force Reset Server Admin Password
For selfhosted Pangolin, if you need to force reset your server admin account password serverside, you can use the
internal CLI. [See more here](/self-host/advanced/container-cli-tool).
docs/01_Architecture/Pangolin/Mange_Pangolin/Access_Control/Create_User.md
+42
View File
@@ -0,0 +1,42 @@
> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pangolin.net/llms.txt
> Use this file to discover all available pages before exploring further.
# Create User
> Add internal or external users to your organization
<div id="pangolin-toc-cta" className="pangolin-toc-cta-source">
<Card title="Try free on Pangolin Cloud" icon="cloud" href="https://app.pangolin.net/auth/signup" arrow="true" cta="Sign up free">
Fastest way to get started with Pangolin using the hosted control plane. No credit card required.
</Card>
</div>
Users can be added to organizations. When a user is added to Pangolin, there is a global user object and an
organizationspecific user object that links that user to the organization. This allows a user to exist in one or more
organizations.
<Tip>
Because the root user exists and a perorganization user exists, a user invited to an organization may be able to create a new organization. You can disable this functionality via a flag in the config file in selfhosted Pangolin. [Check out the config file documentation](/self-host/advanced/config-file#feature-flags).
</Tip>
When removing a user from an organization, their account still exists. To completely delete their account, visit the
server admin panel as the server admin and delete the global user in the users table.
### Internal Users
An internal user is an identity managed by Pangolin only. When adding the user, you will receive an invite link. The
user needs to use this link to either accept the invite, or create an account for the first time and accept the invite.
### External Users
An external user is an identity managed by an external identity provider. When creating an external user, you will need
to select an existing identity provider added to
Pangolin. [Check out the documentation on adding an IDP](/manage/identity-providers/add-an-idp).
An identity provider may have autoprovisioning enabled. This means new users who log in with the IDP are automatically
created and you do not need to manually create the
user. [Check out the autoprovisioning documentation](/manage/identity-providers/auto-provisioning).
Even if autoprovisioning is enabled, you can still manually create users.
docs/01_Architecture/Pangolin/Mange_Pangolin/Access_Control/Custom_Login_Page.md
+56
View File
@@ -0,0 +1,56 @@
> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pangolin.net/llms.txt
> Use this file to discover all available pages before exploring further.
# Custom Login Page
> Configure a custom authentication page URL for your organization
<div id="pangolin-toc-cta" className="pangolin-toc-cta-source">
<Card title="Try free on Pangolin Cloud" icon="cloud" href="https://app.pangolin.net/auth/signup" arrow="true" cta="Sign up free">
Fastest way to get started with Pangolin using the hosted control plane. No credit card required.
</Card>
</div>
<Note>
Custom auth pages are only available in Pangolin Cloud.
</Note>
Custom organization authentication pages let you serve the login page at your own domain instead of the default
`app.pangolin.net`. This provides better user experience and brand consistency.
<iframe className="w-full aspect-video rounded-xl" src="https://www.youtube.com/embed/fD-NpigE4Vw?si=M5BBiqoKRWSZNGU1" title="YouTube video player" frameBorder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowFullScreen />
## Benefits
**For Resource Authentication:**
* Users are redirected to your custom domain for login
* Familiar domain builds trust and security awareness
* Consistent branding throughout the authentication flow
**For Identity Provider Integration:**
* Centralized login page for your organization
* Choose between multiple login methods (Google, Azure, etc.)
* Platform SSO: login once, access all Pangolin resources
* Direct access to the Pangolin management dashboard
<Frame>
<img src="https://mintcdn.com/fossorial/TjYzFtLIcUWNEXlf/images/org-auth-page.png?fit=max&auto=format&n=TjYzFtLIcUWNEXlf&q=85&s=20ebc6fbe15ec122eeca41274630eaeb" data-og-width="1512" width="1512" data-og-height="1072" height="1072" data-path="images/org-auth-page.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/fossorial/TjYzFtLIcUWNEXlf/images/org-auth-page.png?w=280&fit=max&auto=format&n=TjYzFtLIcUWNEXlf&q=85&s=9b6accb76b5ba85e7ed8972c5128912d 280w, https://mintcdn.com/fossorial/TjYzFtLIcUWNEXlf/images/org-auth-page.png?w=560&fit=max&auto=format&n=TjYzFtLIcUWNEXlf&q=85&s=d12bb0141618959cc0d8f6190e851bd6 560w, https://mintcdn.com/fossorial/TjYzFtLIcUWNEXlf/images/org-auth-page.png?w=840&fit=max&auto=format&n=TjYzFtLIcUWNEXlf&q=85&s=b45918a3c80e1a876b85ad02e7b77e7c 840w, https://mintcdn.com/fossorial/TjYzFtLIcUWNEXlf/images/org-auth-page.png?w=1100&fit=max&auto=format&n=TjYzFtLIcUWNEXlf&q=85&s=48965ea8135a8a80fc5b7069d627bf19 1100w, https://mintcdn.com/fossorial/TjYzFtLIcUWNEXlf/images/org-auth-page.png?w=1650&fit=max&auto=format&n=TjYzFtLIcUWNEXlf&q=85&s=8fa8d551eb190988cc170c6bf330a75e 1650w, https://mintcdn.com/fossorial/TjYzFtLIcUWNEXlf/images/org-auth-page.png?w=2500&fit=max&auto=format&n=TjYzFtLIcUWNEXlf&q=85&s=116ecb54c33f65c15ecc33493b078066 2500w" />
</Frame>
## Configuration
1. Go to **Settings** in your organization sidebar
2. Use the domain picker to select your custom domain
3. Save your changes
<Note>
You need to add a custom domain to your organization first. Free domains (`*.tunneled.to`, `*.hostlocal.app`, etc.) cannot be used for auth pages. [Learn how to add domains](/manage/domains#adding-domains)
</Note>
<Frame>
<img src="https://mintcdn.com/fossorial/TjYzFtLIcUWNEXlf/images/set-org-auth-page-domain.png?fit=max&auto=format&n=TjYzFtLIcUWNEXlf&q=85&s=e02c1885b52bb11d15abf8d97047813b" data-og-width="1252" width="1252" data-og-height="498" height="498" data-path="images/set-org-auth-page-domain.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/fossorial/TjYzFtLIcUWNEXlf/images/set-org-auth-page-domain.png?w=280&fit=max&auto=format&n=TjYzFtLIcUWNEXlf&q=85&s=576704d1cb86f2644163f9a563ad517b 280w, https://mintcdn.com/fossorial/TjYzFtLIcUWNEXlf/images/set-org-auth-page-domain.png?w=560&fit=max&auto=format&n=TjYzFtLIcUWNEXlf&q=85&s=94691d9f42e9ee33c3c00fc205f801d0 560w, https://mintcdn.com/fossorial/TjYzFtLIcUWNEXlf/images/set-org-auth-page-domain.png?w=840&fit=max&auto=format&n=TjYzFtLIcUWNEXlf&q=85&s=65bb49a2b3c3c0e82b180cd5f95e6e06 840w, https://mintcdn.com/fossorial/TjYzFtLIcUWNEXlf/images/set-org-auth-page-domain.png?w=1100&fit=max&auto=format&n=TjYzFtLIcUWNEXlf&q=85&s=089705d26c1d9c0e3b07ca10bcb5c14b 1100w, https://mintcdn.com/fossorial/TjYzFtLIcUWNEXlf/images/set-org-auth-page-domain.png?w=1650&fit=max&auto=format&n=TjYzFtLIcUWNEXlf&q=85&s=5404340ac8186beb1b2bbfa63280425b 1650w, https://mintcdn.com/fossorial/TjYzFtLIcUWNEXlf/images/set-org-auth-page-domain.png?w=2500&fit=max&auto=format&n=TjYzFtLIcUWNEXlf&q=85&s=4e07e443d5dfb14f2fbf43ba6ea8071d 2500w" />
</Frame>
docs/01_Architecture/Pangolin/Mange_Pangolin/Access_Control/Device_Approvals.md
+53
View File
@@ -0,0 +1,53 @@
> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pangolin.net/llms.txt
> Use this file to discover all available pages before exploring further.
# Device Approvals
> Only allow trusted devices to connect to an organization
<div id="pangolin-toc-cta" className="pangolin-toc-cta-source">
<Card title="Try free on Pangolin Cloud" icon="cloud" href="https://app.pangolin.net/auth/signup" arrow="true" cta="Sign up free">
Fastest way to get started with Pangolin using the hosted control plane. No credit card required.
</Card>
</div>
<Note>
Only available in Pangolin Cloud and [Enterprise Edition](/self-host/enterprise-edition).
</Note>
By default, any client configured with valid credentials can connect to an organization. To enhance security, you can
enable device approvals, which require each new device to be manually approved by an administrator before it can
connect.
When device approvals are enabled, the first time a user connects a new device to the organization, the device will be
marked as "Pending Approval." An administrator must then review and approve the device in the management console before
it can access organization resources.
<Frame>
<img src="https://mintcdn.com/fossorial/VqiOoRUR8g1Tf03J/images/device_waiting_approval.png?fit=max&auto=format&n=VqiOoRUR8g1Tf03J&q=85&s=74238fab8ebb39dbafa5a29b57176df4" data-og-width="1617" width="1617" data-og-height="833" height="833" data-path="images/device_waiting_approval.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/fossorial/VqiOoRUR8g1Tf03J/images/device_waiting_approval.png?w=280&fit=max&auto=format&n=VqiOoRUR8g1Tf03J&q=85&s=fa45e6f378ce6eb7e25acacd708d4008 280w, https://mintcdn.com/fossorial/VqiOoRUR8g1Tf03J/images/device_waiting_approval.png?w=560&fit=max&auto=format&n=VqiOoRUR8g1Tf03J&q=85&s=37ec2b315882b581a5d7fffdb2684595 560w, https://mintcdn.com/fossorial/VqiOoRUR8g1Tf03J/images/device_waiting_approval.png?w=840&fit=max&auto=format&n=VqiOoRUR8g1Tf03J&q=85&s=60d237a13367df77aa437b235d9ef10e 840w, https://mintcdn.com/fossorial/VqiOoRUR8g1Tf03J/images/device_waiting_approval.png?w=1100&fit=max&auto=format&n=VqiOoRUR8g1Tf03J&q=85&s=ac8e62cbdff19ca6a9bda7df0e4ca0cc 1100w, https://mintcdn.com/fossorial/VqiOoRUR8g1Tf03J/images/device_waiting_approval.png?w=1650&fit=max&auto=format&n=VqiOoRUR8g1Tf03J&q=85&s=8263611227808ceb56a2a96167ec84ef 1650w, https://mintcdn.com/fossorial/VqiOoRUR8g1Tf03J/images/device_waiting_approval.png?w=2500&fit=max&auto=format&n=VqiOoRUR8g1Tf03J&q=85&s=edd7fca56fdd56fbb926569b56506f8f 2500w" />
</Frame>
All approvals can also be managed from a central page as they stream in to allow admins to approve or deny devices
quickly.
<Frame>
<img src="https://mintcdn.com/fossorial/VqiOoRUR8g1Tf03J/images/approvals_page.png?fit=max&auto=format&n=VqiOoRUR8g1Tf03J&q=85&s=d6b11a0954136d4868b4a789f51931d2" data-og-width="1577" width="1577" data-og-height="391" height="391" data-path="images/approvals_page.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/fossorial/VqiOoRUR8g1Tf03J/images/approvals_page.png?w=280&fit=max&auto=format&n=VqiOoRUR8g1Tf03J&q=85&s=93bd92df5a919d2afef9699ebc336986 280w, https://mintcdn.com/fossorial/VqiOoRUR8g1Tf03J/images/approvals_page.png?w=560&fit=max&auto=format&n=VqiOoRUR8g1Tf03J&q=85&s=85efca901caafac5855547bffc34bea8 560w, https://mintcdn.com/fossorial/VqiOoRUR8g1Tf03J/images/approvals_page.png?w=840&fit=max&auto=format&n=VqiOoRUR8g1Tf03J&q=85&s=555018b65187974d8d3912fed1561c3d 840w, https://mintcdn.com/fossorial/VqiOoRUR8g1Tf03J/images/approvals_page.png?w=1100&fit=max&auto=format&n=VqiOoRUR8g1Tf03J&q=85&s=c44424269a6b2d0e878dec2ee46dfe67 1100w, https://mintcdn.com/fossorial/VqiOoRUR8g1Tf03J/images/approvals_page.png?w=1650&fit=max&auto=format&n=VqiOoRUR8g1Tf03J&q=85&s=127c422c3cb4b8f1c0f65eddfa47dcc7 1650w, https://mintcdn.com/fossorial/VqiOoRUR8g1Tf03J/images/approvals_page.png?w=2500&fit=max&auto=format&n=VqiOoRUR8g1Tf03J&q=85&s=9de4de683265ed987cc8e4d13453abfe 2500w" />
</Frame>
## Enabling Device Approvals
Device approvals are enabled on a per-role basis. To enable device approvals for a role, follow these steps:
1. Click on the **Roles** tab.
2. Select the role you want to enable device approvals for.
3. Toggle the **Require Device Approval** option to enable it.
4. Save your changes.
Once enabled, any new user connecting with that role will require approval from an administrator before it can access
organization resources.
<Tip>
You cannot enable device approvals for the "Admin" role.
</Tip>
docs/01_Architecture/Pangolin/Mange_Pangolin/Access_Control/Forwarded_Headers.md
+63
View File
@@ -0,0 +1,63 @@
> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pangolin.net/llms.txt
> Use this file to discover all available pages before exploring further.
# Forwarded Headers
> Learn how Pangolin forwards user identity information to your backend applications through HTTP headers
<div id="pangolin-toc-cta" className="pangolin-toc-cta-source">
<Card title="Try free on Pangolin Cloud" icon="cloud" href="https://app.pangolin.net/auth/signup" arrow="true" cta="Sign up free">
Fastest way to get started with Pangolin using the hosted control plane. No credit card required.
</Card>
</div>
Pangolin can forward user identity information to your backend applications through custom HTTP headers. This allows
your applications to receive user details directly from the request headers, enabling integration with Pangolin's
authentication system.
<Info>
Forwarded headers are only available when using authentication methods that provide user identity information.
</Info>
## Supported Headers
Pangolin forwards the following headers to your backend when user identity is available:
| Header | Description | Example |
|----------------|---------------------------------|------------------------|
| `Remote-User` | Unique username or user ID | `user_123` |
| `Remote-Email` | User's email address | `john.doe@example.com` |
| `Remote-Name` | User's full name | `John Doe` |
| `Remote-Role` | User's role or group membership | `admin` |
## Authentication Methods
### Headers Available
These authentication methods provide user identity information and will include the forwarded headers:
<CardGroup cols={2}>
<Card title="Single Sign-On (SSO)" icon="users">
Full user identity information including username, email, and name.
</Card>
</CardGroup>
### Headers Not Available
These authentication methods do not provide user identity information:
<CardGroup cols={2}>
<Card title="PIN Code" icon="hashtag">
No user identity - only access control.
</Card>
<Card title="Password" icon="lock">
No user identity - only access control.
</Card>
<Card title="Shareable Links" icon="link">
No user identity - only access control.
</Card>
</CardGroup>
docs/01_Architecture/Pangolin/Mange_Pangolin/Access_Control/Geo-blocking.md
+99
View File
@@ -0,0 +1,99 @@
> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pangolin.net/llms.txt
> Use this file to discover all available pages before exploring further.
# Geo-blocking
> Configure geo blocking to restrict access based on geographic location
<div id="pangolin-toc-cta" className="pangolin-toc-cta-source">
<Card title="Try free on Pangolin Cloud" icon="cloud" href="https://app.pangolin.net/auth/signup" arrow="true" cta="Sign up free">
Fastest way to get started with Pangolin using the hosted control plane. No credit card required.
</Card>
</div>
<Note>
Geoblocking is available in Pangolin community! Make sure to follow this guide for how to enable: [Enabling Geo Blocking](/self-host/advanced/enable-geoblocking)
</Note>
<iframe className="w-full aspect-video rounded-xl" src="https://www.youtube.com/embed/_2EheKVUYxI" title="YouTube video player" frameBorder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowFullScreen />
## Benefits of Geo Blocking
Geo blocking provides several important security and compliance advantages:
### Security Benefits
* **Reduce Attack Surface**: Block access from regions with high levels of malicious activity or where you don't expect
legitimate users
* **Prevent Unauthorized Access**: Limit exposure to threat actors operating from specific geographic locations
* **Compliance Requirements**: Meet regulatory requirements that restrict data access based on geographic location
* **Resource Protection**: Prevent unnecessary load on your services from regions where you don't operate
## Implementing Geo Blocking with Bypass Rules
Geo blocking in Pangolin is implemented using [bypass rules](/manage/access-control/rules) with country-based matching.
You can create rules that either allow or deny access based on the visitor's country.
<Frame caption="Screenshot of resources rules from the Pangolin Dashboard.">
<img src="https://mintcdn.com/fossorial/Q8zHyI8PHlGty9PM/images/country_rules.png?fit=max&auto=format&n=Q8zHyI8PHlGty9PM&q=85&s=bf402f45fd986ccf154fd9d0ab299bef" alt="Pangolin Dashboard" data-og-width="1746" width="1746" data-og-height="590" height="590" data-path="images/country_rules.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/fossorial/Q8zHyI8PHlGty9PM/images/country_rules.png?w=280&fit=max&auto=format&n=Q8zHyI8PHlGty9PM&q=85&s=3b4714c3ad8e8a616ac543ed60db1578 280w, https://mintcdn.com/fossorial/Q8zHyI8PHlGty9PM/images/country_rules.png?w=560&fit=max&auto=format&n=Q8zHyI8PHlGty9PM&q=85&s=3906ad347cb3d9e617866e04aab794f5 560w, https://mintcdn.com/fossorial/Q8zHyI8PHlGty9PM/images/country_rules.png?w=840&fit=max&auto=format&n=Q8zHyI8PHlGty9PM&q=85&s=2f6488d3728cc429e2706c07e1990621 840w, https://mintcdn.com/fossorial/Q8zHyI8PHlGty9PM/images/country_rules.png?w=1100&fit=max&auto=format&n=Q8zHyI8PHlGty9PM&q=85&s=98f668ef76b52ac1fc967219341da7a3 1100w, https://mintcdn.com/fossorial/Q8zHyI8PHlGty9PM/images/country_rules.png?w=1650&fit=max&auto=format&n=Q8zHyI8PHlGty9PM&q=85&s=3cba803e94e8beb1c75ad34d1d502c40 1650w, https://mintcdn.com/fossorial/Q8zHyI8PHlGty9PM/images/country_rules.png?w=2500&fit=max&auto=format&n=Q8zHyI8PHlGty9PM&q=85&s=ef7addc920457e8cd0f658af529ad052 2500w" />
</Frame>
### Setting Up Geo Blocking Rules
1. Navigate to your target resource and select the **Rules** tab
2. Create a new rule and select **Country** as the match type
3. Choose your rule action:
* **Allow**: Bypass authentication for users from specific countries
* **Deny**: Block all access from specific countries
* **Pass to Auth**: Let users from specific countries proceed to authentication
### Common Geo Blocking Patterns
#### Allow Only Specific Countries
Create a "Deny" rule that blocks all countries except those you want to allow:
1. Create a **Deny** rule
2. Select **Country** match type
3. Choose "ALL" to match all countries
4. Add priority: 100 (lower priority)
Then create specific allow rules for your approved countries:
1. Create **Allow** rules for each approved country
2. Set higher priority (e.g., 10, 20, 30) so they process first
#### Block Specific High-Risk Countries
Create targeted deny rules for specific countries while allowing all others:
1. Create **Deny** rules for each country you want to block
2. Select the specific countries from the dropdown
3. Set appropriate priorities
#### Regional Access Control
Combine geo blocking with other rule types for sophisticated access control:
1. **Path + Country**: Block admin paths (`/admin/*`) from all countries except your headquarters
2. **IP + Country**: Allow specific IPs from restricted countries (for VPN users or partners)
3. **CIDR + Country**: Combine network-based and geography-based restrictions
### Best Practices
<Warning>
IP geolocation is not always 100% accurate. Users with VPNs, proxies, or mobile networks may appear to be from different countries than expected.
</Warning>
### Rule Priority Example
```
Priority 1: Allow - Country: United States
Priority 2: Allow - Country: Canada
Priority 3: Allow - Country: United Kingdom
Priority 4: Deny - Country: ALL
```
This configuration allows access only from the US, Canada, and UK while blocking all other countries.
docs/01_Architecture/Pangolin/Mange_Pangolin/Access_Control/Multi-Factor_Authentication.md
+41
View File
@@ -0,0 +1,41 @@
> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pangolin.net/llms.txt
> Use this file to discover all available pages before exploring further.
# Multi-Factor Authentication
> Enable and manage two-factor authentication and enforcement for your organization
<div id="pangolin-toc-cta" className="pangolin-toc-cta-source">
<Card title="Try free on Pangolin Cloud" icon="cloud" href="https://app.pangolin.net/auth/signup" arrow="true" cta="Sign up free">
Fastest way to get started with Pangolin using the hosted control plane. No credit card required.
</Card>
</div>
Pangolin supports twofactor authentication (2FA) for Pangolin user accounts.
### Enable or Disable 2FA
* Click your profile menu (top right) to enable twofactor authentication.
* You will need to confirm your password and code before enabling/disabling 2FA.
### Supported Methods
* **Timebased onetime code (TOTP)**: Use an authenticator app (e.g., 1Password, Google Authenticator).
* **Push via email**: Contact sales to enable.
* **Push via Duo**: Contact sales to enable.
### Enforcement
<Note>
Twofactor enforcement (requiring 2FA at login) is available in [Enterprise Edition](/self-host/enterprise-edition) only.
</Note>
To enable enforcement, go to Organization Settings and toggle 2FA enforcement in the Security section.
* Enforcement is configured per organization.
* MFA enforcement only applies to internal Pangolin user accounts. This policy does not apply to accounts linked to an
external identity provider.
* When enforced, users must enable 2FA before accessing the organization or its resources.
* Users without 2FA will see a prompt directing them to enable it before proceeding.
docs/01_Architecture/Pangolin/Mange_Pangolin/Access_Control/Password_Rotation.md
+32
View File
@@ -0,0 +1,32 @@
> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pangolin.net/llms.txt
> Use this file to discover all available pages before exploring further.
# Password Rotation
> Configure password expiration and rotation requirements for your organization
<div id="pangolin-toc-cta" className="pangolin-toc-cta-source">
<Card title="Try free on Pangolin Cloud" icon="cloud" href="https://app.pangolin.net/auth/signup" arrow="true" cta="Sign up free">
Fastest way to get started with Pangolin using the hosted control plane. No credit card required.
</Card>
</div>
By default, Pangolin does not require passwords to be rotated on a regular basis. However, password rotation can be
required on a perorganization basis.
### Configuration
<Note>
Password expiry and rotation is an [Enterprise Edition](/self-host/enterprise-edition)-only feature.
</Note>
To enable password rotation, go to Organization Settings and select a maximum password age in the Security section.
After the configured period expires, users will be prompted to change their password when accessing the organization or
its resources.
* Password rotation is enforced on a perorganization basis.
* Password rotation only applies to internal Pangolin user accounts. This policy does not apply to accounts linked to an
external identity provider.
* Users who need to change their password will see a prompt directing them to update it before proceeding.
docs/01_Architecture/Pangolin/Mange_Pangolin/Access_Control/Rules.md
+170
View File
@@ -0,0 +1,170 @@
> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pangolin.net/llms.txt
> Use this file to discover all available pages before exploring further.
# Rules
> Configure rules to allow or deny access to resources without authentication
<div id="pangolin-toc-cta" className="pangolin-toc-cta-source">
<Card title="Try free on Pangolin Cloud" icon="cloud" href="https://app.pangolin.net/auth/signup" arrow="true" cta="Sign up free">
Fastest way to get started with Pangolin using the hosted control plane. No credit card required.
</Card>
</div>
Rules allow you to either "allow" and bypass the Pangolin auth system (no pin, login, password), or "deny" and fully
reject the request. After you create a resource you can select the "Rules" tab on the sidebar and enable rules.
<CardGroup cols={3}>
<Card title="Bypass Auth" icon="check">
Bypass authentication completely for matching requests. Users can access resources without any login or PIN.
</Card>
<Card title="Block Access" icon="x">
Completely reject requests that match the rule. Useful for blocking admin paths or sensitive endpoints.
</Card>
<Card title="Pass to Auth" icon="x">
Pass requests that match the rule to the next stage for user to authenticate with SSO, password, or pin. Useful for enforcing auth on specific paths while allowing others.
</Card>
</CardGroup>
## Types of Rules
Rules are processed from top to bottom in order of their priority. This means you can have multiple rules to bypass auth
and to just flat deny users at the end.
Right now you can match on the following items:
### Path
Path match rules allow URL patterns defined with plain text and wildcards (`*`) that match any characters. Patterns and
URLs are split into segments (using `/`), and **each segment is matched individually**.
#### Examples:
* `blog/posts`
Matches the exact path `/blog/posts`.
* `blog/*`
Matches any path under `/blog` (e.g., `/blog/travel`).
* `*/2023/*`
Matches paths with `/2023/` as a middle segment (e.g., `/news/2023/summary`).
* `article*`
Matches **segments** starting with "article" (e.g., `/article-123`).
* `*admin*`
Matches **segments** containing "admin" (e.g., `/my-admin-panel`).
* `personal-*/*`
Matches paths where the first segment starts with `personal-` and is followed by any segment (e.g.,
`/personal-blog/post`).
#### Segment-by-Segment Matching
* **Normalization:**
Both patterns and URLs are split into segments. For example, `/blog/journal/entry` becomes
`["blog", "journal", "entry"]`, while `/blog*` becomes `["blog*"]`.
* **Validation:**
Each pattern segment must correspond to a URL segment, and wildcards match zero or more characters within that
segment. A pattern like `/blog*` only matches the first segment, so URLs with extra segments require additional
placeholders (e.g., `/blog*/*`).
### Country
Country match rules allow you to specify allowed or denied countries for requests based on their IP address. This is
useful for geo-restrictions or compliance with regional regulations.
We use a IP database to geolocate the IP address but this is not always accurate. We try to keep it updated, but there
may be cases where the location is incorrect.
Select the "ALL" option to match all countries for allowing or denying access.
### CIDR
CIDR (Classless Inter-Domain Routing) notation specifies IP address ranges using an IP address and a network prefix
length. The format is \[IP address]/\[prefix length].
**Examples:**
* `192.168.1.0/0` - Matches all 256 IPs from 192.168.1.0 to 192.168.1.255
* `10.0.0.0/8` - Matches any IP starting with 10 (16.7 million addresses)
* `2001:db8::/32` - Matches a range of IPv6 addresses
* `0.0.0.0/0` - Matches all IPv4 addresses
<Note>
The prefix length (1-32 for IPv4, 1-128 for IPv6) determines how many bits from the left are fixed. Smaller prefix numbers match larger ranges.
</Note>
### IP
Pretty simple: you can match on simply an IP address like your home IP to bypass auth. This is the same as entering a
/32 CIDR.
**Examples:**
* `23.234.134.32`
* `34.45.245.64`
* `192.168.1.1`
## Rules for Specific Apps
This table compiles paths that need to be allowed for various apps to work with Pangolin authentication.
| App | Required Bypass Rules |
|----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Media Management** | |
| Radarr | `/api/*` |
| Sonarr | `/api/*` |
| Lidarr | `/api/*` |
| **Media Servers** | |
| Jellyfin (iOS) | `/system/info/public` |
| Jellyfin (Roku) | `/System/Info/Public`<br />`/Users/AuthenticateByName`<br />`/Users/Public`<br />`/QuickConnect/Initiate`<br />`/QuickConnect/Connect`<br />`/Users/AuthenticateWithQuickConnect` |
| Audiobookshelf | Audiobookshelf also supports `/audiobookshelf` by default. Each rule should also be applied to this path.<br />`/api/*`<br />`/login`<br />`/auth/*`<br />`/feed/*`<br />`/socket.io/`<br />`/status`<br />`/logout`<br />`/ping`<br />`/public/*`<br />The following is needed for public shares and is optional for clients:<br />`/share/*`<br />`/_nuxt/*.js`<br />`/_nuxt/fonts/*` |
| **Management & Monitoring** | |
| Tautulli | `/api/*` |
| Harbour | `/api/*` |
| Hoarder App | `/api/*` |
| Uptime Kuma Manager | `/api/*`<br />`/socket.io/*` |
| Beszel | `/api/beszel/agent-connect` |
| MeshCentral | `/api/*`<br />`/meshrelay.ashx`<br />`/agent.ashx` |
| **Security & Privacy** | |
| AdGuard Home | `/api/*` |
| Ente Auth | `*api*` |
| Vaultwarden/Bitwarden | `/api/*`<br />`/identity/*`<br />`/wl/*`<br />Always Deny - Path - `/admin/*` |
| **Cloud & Sync** | |
| Nextcloud | `/` (Main interface)<br />`/index.php` (Core handler)<br />`/remote.php` (Remote access)<br />`/status.php` (Status checks)<br />`/ocs` (Collaboration Services API)<br />`/apps` (Applications)<br />`/remote.php/webdav` (WebDAV endpoint)<br />`/remote.php/dav` (CalDAV/CardDAV)<br />`/remote.php/caldav` (Calendar sync)<br />`/remote.php/carddav` (Contacts sync)<br />`/ocs/v1.php` (API endpoints)<br />`/ocs/v2.php` (API v2 endpoints)<br />`/login` (Authentication)<br />`/.well-known/*` (Service discovery)<br />`/.well-known/webfinger` (WebFinger protocol)<br />`/s/*` (Shared files/folders) |
| Onlyoffice | `/cache/*`<br />`*/CommandService.ashx`<br />`*/converter/*`<br />`*/doc/*`<br />`*/downloadas/*`<br />`/downloadfile/*`<br />`*/fonts/*`<br />`/healthcheck`<br />`/methodology/*`<br />`*/plugins.json`<br />`*/sdkjs/*`<br />`*/sdkjs-plugins/*`<br />`*/themes.json`<br />`*/web-apps/*` |
| **Photo Management** | |
| Ente Photos | `*api*` |
| Immich | `/api/*`<br />`/.well-known/immich` |
| **File Management** | |
| Filebrowser | `/static/*`<br />`/share/*` <br /> `/api/public/dl/*` <br /> `/api/public/share/*` |
| **Notes & Knowledge Management** | |
| Joplin Notes Server | `/api/*`<br />`/shares/*`<br />`/css/*`<br />`/images/*`<br />Always Deny - Path - `/login/*` (optional) |
| Erugo | `/api/*`<br />`/shares/*`<br />`/build/*`<br />`/get-logo` |
| Memos | `/api/*`<br />`/assets/*`<br />`/explore*`<br />`/memos.api.v1.*`<br />`/auth/callback*`<br />`/auth`<br />`/site.webmanifest`<br />`/logo.webp`<br />`/full-logo.webp`<br />`/android-chrome-192x192.png` |
| Linkding | `/api/*`<br />`/bookmarks/*`<br />Always Deny - Path - `/admin/*` |
| **Communication** | |
| Matrix/Synapse (Clients) | `/_matrix/*`<br />`/_synapse/client/*` |
| Matrix/Synapse (Federation) | `/_matrix/*` |
| **Notifications** | |
| Gotify | `/version`<br />`/message`<br />`/application`<br />`/client`<br />`/stream`<br />`/plugin`<br />`/health` |
| **Home Automation** | |
| Home Assistant | `/api/*`<br />`/auth/*`<br />`/frontend_latest/*`<br />`/lovelace/*`<br />`/static/*`<br />`/hacsfiles/*`<br />`/local/*`<br />`/manifest.json`<br />`/sw-modern.js` |
| n8n | `/webhook-test/*/webhook`<br />`/webhook/*/webhook` |
| **Project Management** | |
| Jetbrains Youtrack | `/api/*`<br />`/hub/api/*`<br /> |
| **Genealogy** | |
| Gramps Web | `/api/*` |
| **Analytics** | |
| Liwan | `/script.js`<br /> `/api/send` |
| Umami | `/script.js`<br /> `/api/send` |
<Note>
These rules are examples and may need to be adjusted based on your specific app configuration and version.
</Note>
docs/01_Architecture/Pangolin/Mange_Pangolin/Access_Control/Security_Keys.md
+25
View File
@@ -0,0 +1,25 @@
> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pangolin.net/llms.txt
> Use this file to discover all available pages before exploring further.
# Security Keys
> Use security keys for passwordless login to your Pangolin account
<div id="pangolin-toc-cta" className="pangolin-toc-cta-source">
<Card title="Try free on Pangolin Cloud" icon="cloud" href="https://app.pangolin.net/auth/signup" arrow="true" cta="Sign up free">
Fastest way to get started with Pangolin using the hosted control plane. No credit card required.
</Card>
</div>
You can log in with security keys, also known as passwordless login. On the login page, there is an option below the
login button to Log in with security key.
### Add a Security Key
To add a security key, you must first be logged in. Then click your profile menu (top right) and select Add Security
Keys. Follow the steps to add your key.
Once a security key is added to your account, you can select the Continue with security key option the next time you log
in.
docs/01_Architecture/Pangolin/Mange_Pangolin/Access_Control/Session_Length.md
+33
View File
@@ -0,0 +1,33 @@
> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pangolin.net/llms.txt
> Use this file to discover all available pages before exploring further.
# Session Length
> Configure maximum session length and expiration policies for your organization
<div id="pangolin-toc-cta" className="pangolin-toc-cta-source">
<Card title="Try free on Pangolin Cloud" icon="cloud" href="https://app.pangolin.net/auth/signup" arrow="true" cta="Sign up free">
Fastest way to get started with Pangolin using the hosted control plane. No credit card required.
</Card>
</div>
By default, Pangolin keeps extending a session indefinitely if a user is actively using it. If a user is not actively
using the session, it will expire after 30 days.
However, you can require users to log in at regular intervals by enforcing maximum session lengths on a perorganization
basis.
### Configuration
<Note>
Session length enforcement is an [Enterprise Edition](/self-host/enterprise-edition)-only feature.
</Note>
To enable session length enforcement, go to Organization Settings and set a maximum session length in the Security
section. After this amount of time, users will be prompted to log back in to acquire a fresh session.
* Session length enforcement is configured per organization.
* Session length enforcement applies to both internal Pangolin users and users linked to external identity providers.
* Users whose session has expired will see a prompt directing them to log in again before proceeding.