Releases: fosrl/pangolin

1.0.0-beta.15

27 Feb 16:40
8445e83

What's Changed

  • Support for adding more than one base domain
    • SSO works across multiple base domains
  • Automatically install and configure Crowdsec via installer script
    • Add option to add Crowdsec on new installs via installer script
    • Add option to add Crowdsec to existing installs via installer script
  • Add support for h2c as a method for resource targets
  • Strip :80 and :443 from the domain before matching it to a resource
    • Fix Plex custom URL on iOS app connectivity issue
  • Evaluate rules even if all auth is disabled for resource
  • Fix bug causing targets and rules tables to only show 10 rows
  • Delete stale data (expired sessions) from database on start up

Full Changelog: 1.0.0-beta.14...1.0.0-beta.15

How to Update

Important

Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.

View documentation

Automatic Crowdsec Add-on

If you already have Pangolin installed:

Fully update to the latest Pangolin version first. Make sure the stack is not running, then download the latest installer and rerun it as root. It will detect that you have already installed Pangolin and will prompt for a Crowdsec install. Respond yes.

Your stack will be brought down and backed up in the local directory. Crowdsec will be added to the config files and the stack will be brought back up. If the config is broken, untar the backup created at runtime and replace it.

For first time installs:

Go through installation steps as usual. The last question will ask if you want to install Crowdsec. Respond yes.

Multiple Base Domains

You can now use more than one domain in Pangolin. The migration script will handle migrating your old domain to the new config format. To add new domains, see the domains section of the Pangolin config file in the docs.

1.0.0-beta.14

14 Feb 22:12
489f6be

What's Changed

Mostly hotfixes coming off the 1.0.0-beta.13 release:

  • Allow more special characters in rules
  • Router refresh after clicking save to invalidate browser page cache
  • Fix SQL FK constraint error that occurred when resetting password with 2FA
  • Allow underscores in target hostname (needed for Docker networks)
  • Add IPv6 CIDR validation in rules middleware check

Full Changelog: 1.0.0-beta.13...1.0.0-beta.14

How to Update

Important

Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.

View documentation

1.0.0-beta.13

13 Feb 20:10
b1702bf

What's Changed

  • Resource access control rules for IPs, IP ranges, and URL path matching
  • Add code snippets for Newt Docker commands in create site workflow
  • Fix table row limit selector so it works
  • Fix toast dismissal causing components to refresh
  • Implement separate stricter rate limit on verify email and reset password request endpoints
  • Allow more special characters in password

Full Changelog: 1.0.0-beta.12...1.0.0-beta.13

Access Control Rules

There are many use cases for access control rules. One is allowing mobile clients to interact with your service's API without being redirected to authentication. This lets you require authentication for browser access while still allowing the mobile client to connect. The screenshot below shows an example using Vaultwarden, where specific URL path patterns are allowed to bypass authentication.

image
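
A minimal model of first-match rule evaluation for the use case above, added here as an example and not taken from Pangolin's code: the rule shape, the ACCEPT/DROP/AUTH action names, the priority ordering, the single-segment `*` wildcard, and the sample paths and addresses are all assumptions. It shows why a bypass pattern should be as narrow as the client needs, since any request it matches skips authentication.

```javascript
// Illustrative model: rule shape, action names and priority order are assumptions.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when the IPv4 address falls inside the CIDR range; malformed input never matches.
function cidrContains(cidr, ip) {
  const [base, bitsStr] = cidr.split("/");
  const bits = /^\d{1,2}$/.test(bitsStr || "") ? Number(bitsStr) : -1;
  const b = ipv4ToInt(base);
  const a = ipv4ToInt(ip);
  if (a === null || b === null || bits < 0 || bits > 32) return false;
  const size = 2 ** (32 - bits);
  return Math.floor(a / size) === Math.floor(b / size);
}

// "*" matches inside one path segment only, so it cannot span "/".
function pathMatches(pattern, path) {
  const escape = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + pattern.split("*").map(escape).join("[^/]*") + "$").test(path);
}

const matchers = {
  IP: (value, req) => value === req.ip,
  CIDR: (value, req) => cidrContains(value, req.ip),
  PATH: (value, req) => pathMatches(value, req.path),
};

// Lowest priority number is checked first; the first match decides.
// No match returns "AUTH": the request goes through normal authentication.
function evaluate(rules, req) {
  const ordered = [...rules].sort((x, y) => x.priority - y.priority);
  const hit = ordered.find((r) => matchers[r.match](r.value, req));
  return hit ? hit.action : "AUTH";
}

// Constructed sample rules (addresses from documentation ranges).
const sampleRules = [
  { priority: 1, match: "CIDR", value: "203.0.113.0/24", action: "DROP" },
  { priority: 2, match: "PATH", value: "/api/*", action: "ACCEPT" },
  { priority: 3, match: "IP", value: "198.51.100.7", action: "ACCEPT" },
];
```

With these rules, `/api/sync` bypasses authentication while `/admin` and `/api/../admin` still fall through to it, and a client in the dropped range is refused even on a bypassed path because that rule is checked first.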

How to Update

Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.

View documentation

1.0.0-beta.12

05 Feb 04:03
feeeba5

What's Changed

  • Allow resources to use the base domain if allow_base_domain_resources flag is set
  • Add ability to transfer resource to different site
  • Support using IP address in Gerbil's base_endpoint field
  • Create resource dialog resets upon closing
  • Fix bug preventing updating raw TCP/UDP port on existing resource
  • Fix "Authentication" column sorting on resources table
  • Use Traefik v3.3.3 in the installer
  • Add Docker network config to docker compose for installer

Full Changelog: 1.0.0-beta.11...1.0.0-beta.12

Cloudflare Proxy ON

We tested and can confirm that you can enable the Cloudflare Proxy (orange cloud) on your DNS records for Pangolin. You should set up wildcard certificates with your Cloudflare API keys and use Full (Strict) SSL mode. Read more on how to configure here.

Note: You're bound by the Cloudflare terms of service as soon as you enable the proxy.

How to Update

Always back up your config app-data before updating. This will allow you to easily roll back if the update breaks your configuration. You will not be able to easily downgrade otherwise.

View documentation

1.0.0-beta.11

31 Jan 21:20
722b877

What's Changed

Some more hotfixes:

  • Fix filtering issue causing resources on local sites not to resolve
  • Allow comma in passwords
  • Fix migration ordering in auto migration script

Full Changelog: 1.0.0-beta.10...1.0.0-beta.11

1.0.0-beta.10

31 Jan 04:54
5c507cc

What's Changed

These are mostly hotfixes and minor improvements after releasing beta.9.

  • Fix bug causing Newts to pull targets for other sites as noted in #117
  • Add copy entry point snippet after creating raw TCP/UDP resource
  • Remove secure_cookies from config
    • Pangolin always prefers to use secure cookies when possible
  • Remove quotes around autogenerated smtp_port in installer
  • Add dot preceding domain name in create resource form

Full Changelog: 1.0.0-beta.9...1.0.0-beta.10

1.0.0-beta.9

30 Jan 16:34
197c797

What's Changed

  • Add support for creating raw TCP/UDP resources
  • Support load balancing between multiple targets on a resource
  • Refactor resource authentication to use exchange method by passing temporary session token in query param
    • Necessary for multi-domain auth (full multi-domain support coming soon)
    • Necessary to allow auth on http (no-ssl) resources (some browsers still break this)
    • Add resource_session_request_param to config
    • Remove resource_session_cookie_name from config
  • Make http (no-ssl) resources functional
  • Set readTimeout in Traefik config to prevent large file transfer limit
  • Allow using wildcard email in email whitelist, like: *@example.com
  • Make emails case-insensitive
  • Add additional_middlewares to traefik section of config to allow setting custom middleware to resources
  • Add log statements for failed authentication attempts
    • Enabled by setting log_failed_attempts to true in config
  • Updates to SMTP section of config
    • All fields are now optional, allowing use with an unauthenticated SMTP server
    • Option to set smtp_secure (defaults to false)
    • Fall back to smtp_user if no no-reply is set
  • Add dashboard_session_length_hours and resource_session_length_hours to allow setting custom session length
  • Remove permanent redirect from redirect-to-https middleware
  • Surround strings in config with double quotes
  • Use ID value in selectors for data-selected
  • Log password reset code to console to allow password reset if no SMTP configured (temporary fix)
  • Create sqlite db backup before running automated migration script on startup
  • Add in-memory caching to authentication middleware verify-session requests

Full Changelog: https://github.com/fosrl/pangolin/compare/1.0.0-beta.8..1.0.0-beta.9

Acknowledgements

  • We recently opened up our GitHub sponsors page, and thank you to those of you who have already sponsored us!
  • Thank you to @hhftechnology for writing a how-to guide to manually configure Crowdsec. We plan to automate this in the future.
  • Thank you to @nkkfs for beginning the internationalization process with Polish.

How to Update

Note: The auto migration script included in the updated images should handle automatic migrations. No manual intervention should be required. But just in case, the following are important:

  1. Make sure the Badger version is at least v1.0.0-beta.3 in the static traefik_config.yml

  2. Make sure you have these set, especially resource_session_request_param.

     server:
         ...
         secure_cookies: true
         session_cookie_name: "p_session_token"
         resource_access_token_param: "p_token"
         resource_session_request_param: "p_session_request"
         ...

  3. Update Newt to at least 1.0.0-beta.5. This is required if you plan to use raw TCP/UDP resources.

1.0.0-beta.8

21 Jan 02:47
d1278c2

What's Changed

  • Pick random port when updating targets

Full Changelog: 1.0.0-beta.7...1.0.0-beta.8

1.0.0-beta.7

18 Jan 03:02
d27ecaa

What's Changed

  • Add missing await when verifying pincode by @mallendeo in #75
  • Remove double createHttpError

Full Changelog: 1.0.0-beta.6...1.0.0-beta.7

1.0.0-beta.6

16 Jan 05:08
e4fe749

What's Changed

  • Optionally set CORS config in config.yml (see Docs)
    • Default CORS settings are more open to allow for insecure local access via http
    • Installer will set strict CORS policy
  • Optionally set trust proxy in config.yml (see Docs)
  • Support for setting some config variables as environment variables (see Docs where marked Env: ...)
    • This was introduced to make Unraid setup easier
  • Automatically update exit nodes in database to use Gerbil start port from config if changed after the exit node was created
  • Optionally attempt to generate (and overwrite) Traefik config files if GENERATE_TRAEFIK_CONFIG environment variable is set
    • This was introduced to make Unraid setup easier

Full Changelog: 1.0.0-beta.5...1.0.0-beta.6