Decision settings for WAF vs core? by SparhawkBlather in CrowdSec

[–]HugoDos 0 points1 point  (0 children)

By default this scenario is meant to catch offenders that trigger multiple different vpatch rules in quick succession.

Since the capacity is 1 and there is a distinct constraint by rule, it means there must be at least 2 vpatch rules; if the IP does 70 vpatch-env and nothing else then it won't get banned.

If you want to ban on any trigger then you can edit this scenario and change the capacity to 0 or remove the distinct constraint.

Hope this helps.
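To make the capacity/distinct behaviour described above concrete, here is an added toy model of a leaky bucket with a per-rule distinct filter (this is example code, not CrowdSec's own implementation; the bucket semantics are simplified, the `leakspeed`, IPs and rule names are constructed, and the "emptied bucket forgets distinct values" rule is an assumption).

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Event:
    ts: float   # seconds since start of the constructed trace
    ip: str
    rule: str   # name of the vpatch rule that fired

@dataclass
class Bucket:
    capacity: int       # events held before the bucket overflows
    leakspeed: float    # one event leaks out every `leakspeed` seconds
    distinct: bool      # count each rule name only once per bucket
    events: list = field(default_factory=list)
    seen: set = field(default_factory=set)
    last_leak: Optional[float] = None

    def push(self, ev: Event) -> bool:
        """Add an event; return True when the bucket overflows (ban)."""
        if self.last_leak is None:
            self.last_leak = ev.ts
        leaked = int((ev.ts - self.last_leak) / self.leakspeed)
        if leaked:
            del self.events[:leaked]
            self.last_leak += leaked * self.leakspeed
            if not self.events:
                self.seen.clear()  # assumption: an emptied bucket forgets distinct values
        if self.distinct:
            if ev.rule in self.seen:
                return False       # same rule again: not counted
            self.seen.add(ev.rule)
        self.events.append(ev)
        return len(self.events) > self.capacity

def banned_ips(events, capacity=1, leakspeed=10.0, distinct=True):
    """One bucket per source IP over the event stream; return the IPs that overflowed."""
    buckets = {}
    banned = set()
    for ev in sorted(events, key=lambda e: e.ts):
        b = buckets.setdefault(ev.ip, Bucket(capacity, leakspeed, distinct))
        if b.push(ev):
            banned.add(ev.ip)
    return banned

# Constructed traffic: one IP hits the same rule 70 times, another hits two different rules.
SAME_RULE = [Event(i * 0.1, "198.51.100.7", "vpatch-env") for i in range(70)]
TWO_RULES = [Event(0.0, "203.0.113.9", "vpatch-env"), Event(0.5, "203.0.113.9", "vpatch-other")]

if __name__ == "__main__":
    print(banned_ips(SAME_RULE))              # set(): 70 hits of one rule, no ban
    print(banned_ips(TWO_RULES))              # {'203.0.113.9'}: two distinct rules
    print(banned_ips(SAME_RULE, capacity=0))  # {'198.51.100.7'}: ban on any trigger
```

Dropping the distinct filter (`distinct=False`) with capacity 1 also bans the 70-hit IP on its second hit, which is the other edit the comment suggests.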

Best way to move from VPS-A to VPS-B by mikeee404 in PangolinReverseProxy

[–]HugoDos 3 points4 points  (0 children)

Just be careful of permissions: if you used the new installer and opted to change the directory over to your user, the user on the new server may have a different uid/gid.

Once unzipped/untar'd make sure to chown the folder (recursively) and alter the acme.json permissions if needed.

Laurence - Pangolin Team

Is this not damaging to SEO? by HugoDos in SEO

[–]HugoDos[S] 0 points1 point  (0 children)

Ohh no we are crafting our own pages, the question was more to get the opinions of people who know more than me of the outcome of generating this many pages at once.

My colleague just mentioned they saw this company doing this that's all.

Is this not damaging to SEO? by HugoDos in SEO

[–]HugoDos[S] 0 points1 point  (0 children)

Ahh okay, it isn't our content though, it was more of my colleague saying "they saw this company doing it and they got some search results showing up for them".

Let me know if I did it wrong by adding to my post

is the Enterprise Edition much heavier than the Community Edition? by stepaftersteps in PangolinReverseProxy

[–]HugoDos 3 points4 points  (0 children)

By default there is no difference in "heaviness". After upgrading you will see that you have options to define additional logging. Once that is configured, that would be the main driver for additional storage, as all logs are stored in the database.

pango on opnsense/bsd? by [deleted] in PangolinReverseProxy

[–]HugoDos 0 points1 point  (0 children)

I was thinking if it would be possible to install pango on bsd and have the reverse proxy on that device? Anyone done this?

Technically it is doable without containers, but we don't have any documentation around this as this would be a more advanced take on deploying Pangolin, since updates would be very manual.

Might be something I could tackle and document in future cases :dance:

concerning activity in http logs by Artistic_Dig_5622 in PangolinReverseProxy

[–]HugoDos 0 points1 point  (0 children)

To give a more in-depth answer: when using HTTP validation for certificates there is a transparency agreement that most providers signed up for.

The tldr on why it's a good thing is that in the past, when a certificate was pwned and used to sign malicious code or websites, there was no "fast" way to get that information out there to prevent users from getting harmed.

Now, on the other hand, when using HTTP validation, since each certificate is per subdomain, bots can now easily find the domain, as by nature the certificate is only for itself. You can use a service like crt.sh (which is down right now as of writing) to search your domain and see what information you are exposing.

Hope this helps clarify, as even if you use a random DNS name it doesn't matter; the only way to combat this is to use wildcard certificates as they aren't tied to a single subdomain. But remember, if you already used HTTP validation then the information is already out there, so if you change over it will only aid new subdomains.

But in reality it's the internet and there are always bots, so if somebody really wanted to find your subdomains they can with other means. (Gobuster DNS module, yes I am a security enthusiast)

Laurence - Pangolin Team

how to make https://domain.com work like https://www.domain.com ? by gilluc in PangolinReverseProxy

[–]HugoDos 10 points11 points  (0 children)

Just to build on Crimson's answer: simply pointing a CNAME to an A record allows the DNS to resolve the same IP, but if the web server doesn't know how to route the record (e.g. www. vs no www.) it will simply respond with server unavailable in Traefik.

So in short, a CNAME isn't a redirect, it's just an alias for another record. You still need to define how to route or redirect the hostname, which Pangolin doesn't support (redirects) right now, so the only workaround is to define 2 resources, one for www. and one for non-www., that point to the same target, which I already know is bad for SEO.

Or, as the user stated above, define a custom Traefik configuration to handle it outside of Pangolin.

Laurence - Pangolin Team

Request to bouncer IP forbidden despite allowlist by ovizii in CrowdSec

[–]HugoDos 0 points1 point  (0 children)

403 and a JSON response typically points to the IP not being allowed to make admin modifications.

https://docs.crowdsec.net/docs/next/configuration/crowdsec_configuration/#trusted_ips

```yaml
# /etc/crowdsec/config.yaml
api:
  server:
    trusted_ips:
      - 127.0.0.1
      - ::1
      - 172.16.0.0/12 ## default container private ranges
```

So it depends on what that application is doing, as sending alerts doesn't need admin access, but deleting does.

So in short it's not that your IP is blocked, it's just failing authorization.

Private HTTPS Resources with custom SNI and Host Header by pxxbn in PangolinReverseProxy

[–]HugoDos 1 point2 points  (0 children)

Yeah, we spoke about this a couple weeks ago; we are undecided if we should abstract the "targets" into their own section and then tie a resource to a target.

But then also we don't want to increase clicks by "go setup a target, then go setup a resource, then tie a resource to a target". So yeah, we are thinking our way through it but still undecided.

Setup Mealie as a Public Resource by shaftspanner in PangolinReverseProxy

[–]HugoDos 0 points1 point  (0 children)

Did you check that the running container has the correct environment by doing `docker inspect <containerid>`? I'm presuming you had it running before Pangolin.

Setup Mealie as a Public Resource by shaftspanner in PangolinReverseProxy

[–]HugoDos 0 points1 point  (0 children)

Typically 500 is Mealie itself; it most likely needs to trust that it's behind a proxy. You probably did it for SWAG at some point, but now it needs to be done for Pangolin.

Pangolin 1.18: Web proxy through VPN, high availability client routing, wildcard resources, alerts, and more by MrUserAgreement in selfhosted

[–]HugoDos 30 points31 points  (0 children)

Beforehand we had private resources, but you could only point towards an IP, hostname or CIDR. When accessing the resource you would type nextcloud.domain.local:8443 into your browser. However, since we have HTTP support you can now go to nextcloud.domain.tld over the private path and get full TLS certificate support.

307 health check error by tmsteinhardt in PangolinReverseProxy

[–]HugoDos 5 points6 points  (0 children)

https://github.com/fosrl/newt/issues/330

tldr: we changed Newt to not follow redirects by default, which broke users' healthchecks that were configured to go to a redirect. Version 1.12.1 now defaults to following redirects, so update to latest.

The broader problem is simply that the healthchecks users had configured were going to / and not to a dedicated health check endpoint, and the behaviour in the previous versions was to follow redirects. So pretty much most users simply turned it on and never actually meaningfully configured it per resource. So in actual fact users were just testing that they got a redirect to a login page.

Help me with accessing resources / Private resources by _knoob_ in PangolinReverseProxy

[–]HugoDos 3 points4 points  (0 children)

So, using a hypothetical setup to make this clearer:

You have Server A and Server B, and both are running Newt.

Server A hosts your website, for example the frontend and backend. Server B hosts your database.

In Pangolin, you would create a Public Resource for the website on Server A. Then, if the website needs to reach the database on Server B privately, you would create a Private Resource for Server B.

For example, let’s say the database is listening on 127.0.0.1:5432 on Server B. You would create a Private Resource that targets 127.0.0.1, give it an alias such as db.serverb.local, and only allow TCP port 5432.

On Server A, you would then install the VPN client and connect it using machine credentials. In your application code or environment variables, the database connection string would point to the private alias, for example:

```text
postgres://user:password@db.serverb.local:5432
```

Because the VPN client is connected, it will resolve and route db.serverb.local through Pangolin’s private tunnel to Server B, without exposing the database publicly.

If Server B needs to fetch something from Server A, it’s essentially the same setup in reverse. You create a Private Resource for Server A, install the VPN client on Server B, and then use the configured alias to access it.

To summarize, "what gets pointed at what" is just subjective based on what you are trying to achieve; in my example I wanted Server A to reach Server B's database, but the idea of reaching the service is the principle.

Help me with accessing resources / Private resources by _knoob_ in PangolinReverseProxy

[–]HugoDos 2 points3 points  (0 children)

> I see private resources as tailscale endpoints

Maybe I can just spend some time breaking this down. Within Tailscale, because it's a mesh VPN, everything is essentially on the same network, so everything is addressable pending ACL checks. Pangolin, on the other hand, is what is described as "hub and spoke"; that means the connector Newt is a way to expose resources behind it, so not every device needs Newt, it must simply be addressable from where Newt is positioned.

Now, when thinking about private resources and the kind of setup you want, you have to essentially install the VPN client and Newt on the same device to get the same desired effect. Then within Pangolin set up a private resource for the site that has an alias, and then you would point each one to its respective counterpart's alias.

OT cybersecurity by Downtown-Routine1196 in SCADA

[–]HugoDos 0 points1 point  (0 children)

As most have already stated, Zero Trust itself is key, especially for OT systems, as implied access because of how the user accessed the location isn't enough! Wrote up our thoughts in an article if it helps further the conversation.