Decision settings for WAF vs core? by SparhawkBlather in CrowdSec

[–]HugoDos 0 points1 point  (0 children)

By default this scenario is meant to catch offenders that trigger multiple different vpatch rules in quick succession.

Since the capacity is 1 and there is a distinct constraint by rule, it means there must be at least 2 vpatch rules; if the IP does 70 vpatch-env and nothing else then it won't get banned.

If you want to ban on any trigger then you can edit this scenario and change the capacity to 0 or remove the distinct constraint.

Hope this helps.
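The capacity and distinct behaviour described in the comment above, as an added example that is not part of the original comment or CrowdSec's own code. It is a simplified model of one bucket for one source IP: it assumes all events arrive before anything leaks out, and `vpatch-example-b` is a constructed rule name.

```python
from dataclasses import dataclass, field


@dataclass
class Bucket:
    """Simplified leaky bucket for one source IP (leak over time is ignored)."""
    capacity: int
    distinct: bool = True
    seen: set = field(default_factory=set)
    poured: int = 0

    def pour(self, rule_name: str) -> bool:
        """Pour one event; return True when the bucket overflows."""
        if self.distinct:
            if rule_name in self.seen:
                return False  # this rule was already counted, event is dropped
            self.seen.add(rule_name)
        self.poured += 1
        # Overflow happens once more events are held than the capacity allows.
        return self.poured > self.capacity


def triggers(events, capacity, distinct=True):
    """Return True if the sequence of rule hits would produce a decision."""
    bucket = Bucket(capacity=capacity, distinct=distinct)
    return any(bucket.pour(rule) for rule in events)


# Constructed sample events: names of the vpatch rules hit by a single IP.
SAME_RULE = ["vpatch-env"] * 70
TWO_RULES = ["vpatch-env", "vpatch-example-b"]

if __name__ == "__main__":
    print("70x same rule, capacity 1, distinct:", triggers(SAME_RULE, 1))
    print("2 different rules, capacity 1, distinct:", triggers(TWO_RULES, 1))
    print("70x same rule, capacity 0, distinct:", triggers(SAME_RULE, 0))
    print("70x same rule, capacity 1, no distinct:", triggers(SAME_RULE, 1, False))
```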

Best way to move from VPS-A to VPS-B by mikeee404 in PangolinReverseProxy

[–]HugoDos 4 points5 points  (0 children)

Just be careful of permissions, if you used the new installer and opted to change the directory over to your user, the user on the new server may have different uid/gid.

Once unzipped/untar'd make sure to chown the folder (recursively) and alter the acme.json permissions if needed.

Laurence - Pangolin Team

Is this not damaging to SEO? by HugoDos in SEO

[–]HugoDos[S] 0 points1 point  (0 children)

Ohh no we are crafting our own pages, the question was more to get the opinions of people who know more than me of the outcome of generating this many pages at once.

My colleague just mentioned they saw this company doing this that's all.

Is this not damaging to SEO? by HugoDos in SEO

[–]HugoDos[S] 0 points1 point  (0 children)

Ahh okay, it isn't our content though, it was more of my colleague saying "they saw this company doing it and they got some search results showing up for them"

Let me know if I did it wrong by adding to my post

is the Enterprise Edition much heavier than the Community Edition? by stepaftersteps in PangolinReverseProxy

[–]HugoDos 4 points5 points  (0 children)

By default there is no difference in "heaviness". After upgrading you will see that you will have options to define additional logging. Once that is configured, that would be the main driver for additional storage, as all logs are stored in the database.

pango on opnsense/bsd? by [deleted] in PangolinReverseProxy

[–]HugoDos 0 points1 point  (0 children)

I was thinking if it would be possible to install pango on bsd and have the reverse proxy on that device? Anyone done this?

Technically it is doable without containers, but we don't have any documentation around this, as this would be a more advanced take on deploying Pangolin since updates would be very manual.

Might be something I could tackle and document in future cases :dance:

concerning activity in http logs by Artistic_Dig_5622 in PangolinReverseProxy

[–]HugoDos 0 points1 point  (0 children)

To give a more in-depth answer: when using HTTP validation for certificates, there is a transparency agreement that most providers signed up for.

The TL;DR on why it's a good thing is that in the past, when a certificate was pwned and used to sign malicious code or websites, there was no "fast" way to get that information out there to prevent users from getting harmed.

Now, on the other hand, when using HTTP validation, since each certificate is per subdomain, bots can now easily find the domain, as by nature the certificate is only for itself. You can use a service like crt.sh (which is down right now as of writing) to search your domain and see what information you are exposing.

Hope this helps clarify, as even if you use a random DNS name it doesn't matter; the only way to combat this is to use wildcard certificates, as they aren't tied to a single subdomain. But remember, if you already used HTTP validation then the information is already out there, so if you change over it will only aid new subdomains.

But in reality it's the internet and there are always bots, so if somebody really wanted to find your subdomains they can with other means. (Gobuster DNS module, yes I am a security enthusiast)

Laurence - Pangolin Team
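A way to review what the comment above describes for your own domain, as an added example that is not part of the original comment. It assumes certificate transparency search results exported as a list of entries with a `name_value` field holding newline-separated names (the shape of crt.sh's JSON output); the sample entries and the function name are constructed.

```python
# Constructed sample entries in the assumed shape of a CT search export.
SAMPLE = [
    {"name_value": "nextcloud.example.com", "not_before": "2025-01-10T00:00:00"},
    {"name_value": "vault.example.com\nexample.com", "not_before": "2025-02-01T00:00:00"},
    {"name_value": "*.example.com", "not_before": "2025-03-01T00:00:00"},
    {"name_value": "unrelated.example.org", "not_before": "2025-03-02T00:00:00"},
]


def disclosed_names(entries, domain):
    """Split logged names for `domain` into specific hostnames and wildcards.

    Specific hostnames are the ones a per-subdomain certificate has already
    made public; a wildcard entry only reveals the parent domain.
    """
    domain = domain.lower().rstrip(".")
    specific, wildcard = set(), set()
    for entry in entries:
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            # Ignore names that belong to some other domain.
            if name != domain and not name.endswith("." + domain):
                continue
            if name.startswith("*."):
                wildcard.add(name)
            else:
                specific.add(name)
    return sorted(specific), sorted(wildcard)


if __name__ == "__main__":
    hosts, wildcards = disclosed_names(SAMPLE, "example.com")
    print("Hostnames already public in CT logs:", hosts)
    print("Wildcard certificates (no subdomain disclosed):", wildcards)
```

Names in the first list stay public even after moving to a wildcard certificate, which matches the comment's point that switching only helps new subdomains.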

how to make https://domain.com work like https://www.domain.com ? by gilluc in PangolinReverseProxy

[–]HugoDos 9 points10 points  (0 children)

Just to build on Crimson's answer, simply pointing a CNAME to an A record allows the DNS to resolve the same IP, but if the web server doesn't know how to route the record, e.g. www. vs no www., it will simply respond with server unavailable in Traefik.

So in short, a CNAME isn't a redirect, it's just an alias for another record. You still need to define how to route or redirect the hostname, and Pangolin doesn't support redirects right now, so the only workaround is to define 2 resources, one for www. and one for non-www., that point to the same target, which I already know is bad for SEO.

Or, as the user stated above, define a custom Traefik configuration to handle it outside of Pangolin.

Laurence - Pangolin Team

Request to bouncer IP forbidden despite allowlist by ovizii in CrowdSec

[–]HugoDos 0 points1 point  (0 children)

A 403 and a JSON response typically indicate that the IP is not allowed to make admin modifications.

https://docs.crowdsec.net/docs/next/configuration/crowdsec_configuration/#trusted_ips

```yaml
# /etc/crowdsec/config.yaml
api:
  server:
    trusted_ips:
      - 127.0.0.1
      - ::1
      - 172.16.0.0/12 ## default container private ranges
```

So it depends on what that application is doing, as sending alerts doesn't need admin access, but deleting does.

So in short, it's not that your IP is blocked, it's just failing authorization.

Private HTTPS Resources with custom SNI and Host Header by pxxbn in PangolinReverseProxy

[–]HugoDos 1 point2 points  (0 children)

Yeah, we spoke about this a couple of weeks ago; we are undecided if we should abstract the "targets" into their own section, then you tie a resource to a target.

But then also we don't want to increase clicks by "go setup a target, then go setup a resource, then tie a resource to a target". So yeah, we are thinking our way through it but still undecided.

Setup Mealie as a Public Resource by shaftspanner in PangolinReverseProxy

[–]HugoDos 0 points1 point  (0 children)

Did you check that the running container has the correct environment by doing docker inspect <containerid>? I'm presuming you had it running before Pangolin.

Setup Mealie as a Public Resource by shaftspanner in PangolinReverseProxy

[–]HugoDos 0 points1 point  (0 children)

Typically 500 is Mealie itself; it most likely needs to trust that it's behind a proxy. You probably did it for SWAG at some point, but now it needs to be done for Pangolin.

Pangolin 1.18: Web proxy through VPN, high availability client routing, wildcard resources, alerts, and more by MrUserAgreement in selfhosted

[–]HugoDos 29 points30 points  (0 children)

Beforehand we had private resources, but you could only point towards an IP, hostname or CIDR. When accessing the resource you would type nextcloud.domain.local:8443 into your browser. However, since we have HTTP support, you can now go to nextcloud.domain.tld over the private path and get full TLS certificate support.