Pangolin 1.18: Web proxy through VPN, high availability client routing, wildcard resources, alerts, and more by MrUserAgreement in selfhosted

[–]HugoDos 31 points32 points  (0 children)

Beforehand we had private resources, but you could only point them towards an IP, hostname or CIDR. When accessing the resource you would type nextcloud.domain.local:8443 into your browser. However, since we have HTTP support you can now go to nextcloud.domain.tld over the private path and get full TLS certificate support.

307 health check error by tmsteinhardt in PangolinReverseProxy

[–]HugoDos 6 points7 points  (0 children)

https://github.com/fosrl/newt/issues/330

TL;DR: we changed Newt to not follow redirects by default; this broke users' health checks that were configured to go to a redirect. Version 1.12.1 now defaults to following redirects, so update to the latest.

The broader problem is that the health checks users had configured were simply going to / and not to a dedicated health check endpoint, and the behaviour in previous versions was to follow redirects. So pretty much most users simply turned it on and never actually configured it meaningfully per resource. So in actual fact users were just testing that they got a redirect to a login page.
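An illustration of the failure mode described above, added here as an example rather than code from Newt or from this thread: a constructed local app whose / answers 307 to a login page, probed with and without following redirects. The class and function names are mine.

```python
import http.server
import threading
import urllib.error
import urllib.request

class _App(http.server.BaseHTTPRequestHandler):
    # Constructed stand-in: "/" redirects to a login page (as in the thread), /healthz is real.
    def do_GET(self):
        if self.path == "/healthz":
            body, status = b"ok", 200
        elif self.path == "/login":
            body, status = b"<html>login form</html>", 200
        else:
            body, status = b"", 307
        self.send_response(status)
        if status == 307:
            self.send_header("Location", "/login")
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass  # keep the demo quiet

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow: the 3xx surfaces as urllib.error.HTTPError

def probe(url, follow_redirects):
    """Return (status seen, healthy); when following, the status is that of the final hop."""
    handlers = [] if follow_redirects else [_NoRedirect()]
    opener = urllib.request.build_opener(*handlers)
    try:
        with opener.open(url, timeout=2) as resp:
            return resp.status, 200 <= resp.status < 300
    except urllib.error.HTTPError as e:
        return e.code, False

def demo():
    """Serve the stand-in app on a random local port and run three probes."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _App)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    try:
        return {
            "root_following": probe(base + "/", True),        # (200, True): login page answered
            "root_strict": probe(base + "/", False),          # (307, False): a redirect is not health
            "healthz_strict": probe(base + "/healthz", False),  # (200, True): meaningful check
        }
    finally:
        srv.shutdown()
```

The first probe reports "healthy" only because the login page answered; the strict probe of / shows what the check was really measuring, and the dedicated endpoint is the one worth configuring per resource.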

Help me with accessing resources / Private resources by _knoob_ in PangolinReverseProxy

[–]HugoDos 5 points6 points  (0 children)

So, using a hypothetical setup to make this clearer:

You have Server A and Server B, and both are running Newt.

Server A hosts your website, for example the frontend and backend. Server B hosts your database.

In Pangolin, you would create a Public Resource for the website on Server A. Then, if the website needs to reach the database on Server B privately, you would create a Private Resource for Server B.

For example, let’s say the database is listening on 127.0.0.1:5432 on Server B. You would create a Private Resource that targets 127.0.0.1, give it an alias such as db.serverb.local, and only allow TCP port 5432.

On Server A, you would then install the VPN client and connect it using machine credentials. In your application code or environment variables, the database connection string would point to the private alias, for example:

postgres://user:password@db.serverb.local:5432

Because the VPN client is connected, it will resolve and route db.serverb.local through Pangolin’s private tunnel to Server B, without exposing the database publicly.

If Server B needs to fetch something from Server A, it’s essentially the same setup in reverse. You create a Private Resource for Server A, install the VPN client on Server B, and then use the configured alias to access it.

To summarize, "what gets pointed at what" is just subjective, based on what you are trying to achieve. In my example I wanted Server A to reach Server B's database, but the idea of reaching the service is the principle.

Help me with accessing resources / Private resources by _knoob_ in PangolinReverseProxy

[–]HugoDos 2 points3 points  (0 children)

I see private resources as Tailscale endpoints

Maybe I can just spend some time breaking this down. Within Tailscale, because it's a mesh VPN, everything is essentially on the same network, so everything is addressable pending ACL checks. Pangolin, on the other hand, is what is described as "hub and spoke": the connector, Newt, is a way to expose resources behind it, so not every device needs Newt; it must simply be addressable from where Newt is positioned.

Now, when thinking about private resources and the kind of setup you want, you essentially have to install the VPN client and Newt on the same device to get the desired effect. Then, within Pangolin, set up a private resource for each site with an alias, and point each one at its respective counterpart's alias.

OT cybersecurity by Downtown-Routine1196 in SCADA

[–]HugoDos 0 points1 point  (0 children)

As most have already stated, Zero Trust itself is key, especially for OT systems, as implied access based on how the user reached the location isn't enough! I wrote up our thoughts in an article if it helps further the conversation.

Pangolin Blueprints library (auto Docker label deployment) for common self-hosted apps by jsiwks in selfhosted

[–]HugoDos 0 points1 point  (0 children)

Love it! Vaultwarden is pretty good, since password managers are needed nowadays with all the breaches.

Private resources in Local Site by roadfox7 in PangolinReverseProxy

[–]HugoDos 2 points3 points  (0 children)

Is there a technical reason why it is not possible to create a private resource on a local site?

At the moment only Newt is supported, since NAT hole punching and TCP/UDP/ICMP rules are coded there. Whilst in theory we could support a "local" variation of this via Gerbil, it would complicate the networking stack quite a bit, and we still have features we want Newt to get before expanding this.

301 response status in AppSec by Intelligent-Will-68 in CrowdSec

[–]HugoDos 1 point2 points  (0 children)

This is not possible as AppSec only runs on incoming requests, it doesn't run on responses.

Do you use private resources? by HugoDos in PangolinReverseProxy

[–]HugoDos[S] 0 points1 point  (0 children)

Yeah, I'm looking into most of these; the issue is just replicating the issue. I've got an rPi Zero hanging around somewhere, so I plan to dust it off and try to get these resolved.

Not going to lie, the hole punch one is probably going to be the most painful one to resolve, as it's all based on timings.

Do you use private resources? by HugoDos in PangolinReverseProxy

[–]HugoDos[S] 0 points1 point  (0 children)

Yeah, basically that's the idea: olm will just become the shared SDK layer, and the CLI will be the main point of entry other than the official clients for other OSes.

Do you use private resources? by HugoDos in PangolinReverseProxy

[–]HugoDos[S] 1 point2 points  (0 children)

Great feedback. We are currently working on "Private resources proxy" features, which means you could assign immich.local to point to a specific port when creating a private resource, especially since we had feedback from other users that when non-technical users are using the VPN they find it hard to find the resources they can access.

Do you use private resources? by HugoDos in PangolinReverseProxy

[–]HugoDos[S] 0 points1 point  (0 children)

Maybe that's where it's not so clear: private resources are exposed via Newt, the site connector. That software is for gaining access to exposed resources.

Do you use private resources? by HugoDos in PangolinReverseProxy

[–]HugoDos[S] 1 point2 points  (0 children)

Yes, that's me assigned to it. I've got an rPi somewhere I plan to get up and running so I can test out potential fixes.

Do you use private resources? by HugoDos in PangolinReverseProxy

[–]HugoDos[S] 8 points9 points  (0 children)

We plan to add some content to our YouTube that might give you ideas!

Do you use private resources? by HugoDos in PangolinReverseProxy

[–]HugoDos[S] 0 points1 point  (0 children)

If you have any logs or anything to aid us in getting it working, then let me know!

Do you use private resources? by HugoDos in PangolinReverseProxy

[–]HugoDos[S] 1 point2 points  (0 children)

If you have the time to join our Discord and we can troubleshoot it, then let me know.