[GH-ISSUE #1254] Permission denied error #1827

Open
opened 2026-04-16 08:41:17 -05:00 by GiteaMirror · 10 comments

Originally created by @theAlevan on GitHub (Aug 11, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/1254

A while back I made an issue, that I forgot about and was automatically closed. Still, the problem still persists.

I tried recreating my pangolin deployment from scratch. I made a new VM on my VPS, and deployed Pangolin using the minimal Pangolin config I found in the documentation.

I created my admin user, organisation, site (local site), and made the traefik dashboard as my first resource. And I still get this error, accessing the resource with the "Owner" account:

Image

Debug Logs:

```
2025-08-11T17:21:37.629Z [debug]: Verify session: Badger sent {"sessions":{},"originalRequestURL":"https://traefik.example.com/","scheme":"","host":"traefik.example.com","path":"/","method":"GET","tls":true,"requestIp":"xxx.xxx.xxx.xxx:50098","headers":{"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","Accept-Encoding":"gzip, deflate, br, zstd","Accept-Language":"en-US,en;q=0.9","Dnt":"1","Priority":"u=0, i","Sec-Ch-Ua":"\"Not)A;Brand\";v=\"8\", \"Chromium\";v=\"138\", \"Google Chrome\";v=\"138\"","Sec-Ch-Ua-Mobile":"?0","Sec-Ch-Ua-Platform":"\"Linux\"","Sec-Fetch-Dest":"document","Sec-Fetch-Mode":"navigate","Sec-Fetch-Site":"same-site","Sec-Fetch-User":"?1","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36","X-Forwarded-Host":"traefik.example.com","X-Forwarded-Port":"443","X-Forwarded-Proto":"https","X-Forwarded-Server":"53e1368fb1ea","X-Real-Ip":"xxx.xxx.xxx.xxx"}}
2025-08-11T17:21:37.630Z [debug]: Request IP: {"requestIp":"xxx.xxx.xxx.xxx:50098"}
2025-08-11T17:21:37.630Z [debug]: Client IP: {"clientIp":"xxx.xxx.xxx.xxx"}
2025-08-11T17:21:37.634Z [debug]: No more auth to check, resource not allowed
2025-08-11T17:21:37.634Z [info]: Resource access not allowed. Resource ID: 1. IP: xxx.xxx.xxx.xxx.
2025-08-11T17:21:37.634Z [debug]: {"data":{"valid":false,"redirectUrl":"https://pangolin.example.com/auth/resource/1?redirect=https%3A%2F%2Ftraefik.example.com%2F"},"success":true,"error":false,"message":"Access denied","status":200}
```

Every part of the Pangolin stack is on the latest released version.
As even the database was recreated, is there an error in my config? I tried both with postgres and with sqlite databases.
The strange thing is, that Pangolin v1.5.1 With Gerbil 1.0.0 works like a charm.
If it matters, my VPS is hosted on Oracle Cloud.

This is my pangolin config file:

```
app:
  dashboard_url: https://pangolin.example.com
  log_level: debug
  save_logs: false
  log_failed_attempts: true

domains:
  domain1:
    base_domain: "pangolin.example.com"
    cert_resolver: "letsencrypt"

server:
  secret: "secret"

gerbil:
  base_endpoint: "pangolin.example.com"

flags:
  require_email_verification: false
  disable_signup_without_invite: true
  disable_user_create_org: true

postgres:
  connection_string:
    postgresql://pangolin:secret@pangolin-postgres:5432/pangolin
```

My Traefik static config:

```
accessLog:
  filePath: /etc/traefik/logs/access.log
  format: json
  fields:
    defaultMode: keep
    headers:
      defaultMode: keep
api:
    dashboard: true
    insecure: true
certificatesResolvers:
    letsencrypt:
        acme:
            caServer: https://acme-v02.api.letsencrypt.org/directory
            dnsChallenge:
                delayBeforeCheck: 10
                provider: cloudflare
            email: mail@example.com
            storage: /letsencrypt/acme.json
entryPoints:
    web:
        address: :80
        http:
            redirections:
                entryPoint:
                    permanent: true
                    scheme: https
                    to: websecure
    websecure:
        address: :443
        http:
            tls:
                certResolver: letsencrypt
        transport:
            respondingTimeouts:
                readTimeout: 30m
    tcp-853:
        address: ":853/tcp"
ping: {}
experimental:
    fastProxy: true
    plugins:
        badger:
            moduleName: github.com/fosrl/badger
            version: v1.2.0
global:
    checkNewVersion: false
    sendAnonymousUsage: true
log:
    format: common
    level: info
providers:
    file:
        directory: /etc/traefik/
        watch: true
    http:
        endpoint: http://pangolin:3001/api/v1/traefik-config
        pollInterval: 5s
    providersThrottleDuration: 2
serversTransport:
    insecureSkipVerify: true
```

And my Traefik Dynamic config:

```
http:
  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https

  routers:
    main-app-router-redirect:
      rule: "Host(`pangolin.example.com`)"
      service: next-service
      entryPoints:
        - web
      middlewares:
        - redirect-to-https
    next-router:
      rule: "Host(`pangolin.example.com`) && !PathPrefix(`/api/v1`)"
      service: next-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
    api-router:
      rule: "Host(`pangolin.example.com`) && PathPrefix(`/api/v1`)"
      service: api-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
    ws-router:
      rule: "Host(`pangolin.example.com`)" # REPLACE THIS WITH YOUR DOMAIN
      service: api-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
  services:
    next-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3002" # Next.js server
    api-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3000" # API/WebSocket server
```
GiteaMirror added the needs investigating and stale labels 2026-04-16 08:41:17 -05:00

@oschwartz10612 commented on GitHub (Aug 16, 2025):

Hum sorry for the delay! This is odd. Do you have SSO turned on in the
resource auth page? Could you post a screenshot of that? Does it work if
you explicitly assign your user to the resource or the admin role?

It does not look like there is a cookie in the auth request. When you
visit the resource what does your browser do? Do you get sent to a login
page and back?


@github-actions[bot] commented on GitHub (Aug 31, 2025):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.


@joe-cole1 commented on GitHub (Sep 1, 2025):

Hello @oschwartz10612 I just started experiencing this issue out of the blue today. You can see more details on my discord help thread, but I will copy most of them here.

https://discord.com/channels/1325658630518865980/1412024173735186464

Here are some details:

I have a single site, single org, single user (admin).

If I disable Pangolin auth (SSO from pangolin on the resource) then it works fine.

If I whitelist my IP address, it works.

It does not help if I add my user as an authorized user to the resource.

I have two devices logged in to pangolin. This is happening on my phone with all the resources. I recently logged out and back in to experiment with the new invitation fixes in the latest update, and that's when it started happening on my phone.

My tablet, which I have not logged out of, works fine still.

I deleted cookies and site data but that did not help. I've logged out and back in using username/password and passkey. Neither works.

Here are a couple things I thought might be relevant from the API. There's no logs anywhere, although I might not be looking in the right place.

The resource has this for roles assigned, and my user does still show as an admin and I still have full control over the pangolin backend.

```
{
  "data": {
    "roles": [
      {
        "roleId": 1,
        "name": "Admin",
        "description": "Admin role with the most permissions",
        "isAdmin": true
      }
    ]
  },
  "success": true,
  "error": false,
  "message": "Resource roles retrieved successfully",
  "status": 200
}
```

I'm not sure what to troubleshoot from here. I've been messing around with invitations, trying to add my family, and have added/removed users through the process, but I don't know how any of that would cause this.


@joe-cole1 commented on GitHub (Sep 1, 2025):

My shareable link I use for custom headers in immich still works for the immich app.


@joe-cole1 commented on GitHub (Sep 1, 2025):

I've been looking around the API.

Is this normal?

If I GET /role/{role_id} and put in the admin role (1), then I get the following response.

```
{
  "data": null,
  "success": false,
  "error": true,
  "message": "Error verifying role access",
  "status": 500,
  "stack": null
}
```

@joe-cole1 commented on GitHub (Sep 1, 2025):

Here is my user info

```
{
  "data": {
    "users": [
      {
        "id": "redacted",
        "email": "email@gmail.com",
        "emailVerified": true,
        "dateCreated": "2025-08-03T06:26:58.193Z",
        "orgId": "org-id",
        "username": "email@gmail.com",
        "name": null,
        "type": "internal",
        "roleId": 1,
        "roleName": "Admin",
        "isOwner": true,
        "idpName": null,
        "idpId": null,
        "twoFactorEnabled": true
      }
    ],
    "pagination": {
      "total": 1,
      "limit": 1000,
      "offset": 0
    }
  },
  "success": true,
  "error": false,
  "message": "Users retrieved successfully",
  "status": 200
}
```

@github-actions[bot] commented on GitHub (Sep 17, 2025):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.


@DGeyzer commented on GitHub (Oct 16, 2025):

I've also had this issue with my current setup, but only past version 1.9.4. The only thing that works for me is staying on 1.9.4, as even doing a completely fresh config on a newer version causes this error


@bitburnerz commented on GitHub (Oct 24, 2025):

same problem here, fresh install


@DGeyzer commented on GitHub (Dec 21, 2025):

I located the source of this issue on my end. According to the docs, in the config.yml, dashboard_url should be set to "https://pangolin.example.com". My dashboard_url was set in http, which caused the issues.
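
Added example, not part of the thread or of the Pangolin project: a small triage script for the two signals discussed here, the empty `sessions` object in the Badger verify request (the maintainer's "no cookie" observation) and a `dashboard_url` that is not `https` (DGeyzer's finding). The sample log lines and configs are constructed from the formats shown in this issue, and the `example_session` key is a placeholder rather than a real cookie name.

```python
import json
import re
from urllib.parse import urlsplit

MARKER = "Verify session: Badger sent "

# Constructed sample lines, shortened from the debug log format in this issue.
# The "example_session" key is a placeholder, not a real cookie name.
LOG_NO_COOKIE = ('2025-08-11T17:21:37.629Z [debug]: Verify session: Badger sent '
                 '{"sessions":{},"host":"traefik.example.com","path":"/","tls":true}')
LOG_WITH_COOKIE = ('2025-08-11T17:22:10.101Z [debug]: Verify session: Badger sent '
                   '{"sessions":{"example_session":"constructed"},'
                   '"host":"app.example.com","path":"/","tls":true}')
CONFIG_HTTP = 'app:\n  dashboard_url: "http://pangolin.example.com"\n  log_level: debug\n'
CONFIG_HTTPS = 'app:\n  dashboard_url: https://pangolin.example.com\n  log_level: debug\n'


def hosts_without_session(log_text):
    """Hosts whose Badger verify request arrived with an empty "sessions" object."""
    hosts = []
    decoder = json.JSONDecoder()
    for line in log_text.splitlines():
        start = line.find(MARKER)
        if start == -1:
            continue
        try:
            payload, _ = decoder.raw_decode(line[start + len(MARKER):])
        except json.JSONDecodeError:
            continue  # truncated or re-quoted line: skip instead of guessing
        if isinstance(payload, dict) and not payload.get("sessions"):
            hosts.append(payload.get("host", "<unknown>"))
    return sorted(set(hosts))


def dashboard_url_scheme(config_text):
    """Scheme of dashboard_url in config.yml text; None if the key is absent."""
    match = re.search(r"^\s*dashboard_url:\s*[\"']?([^\"'\s#]+)", config_text, re.M)
    return urlsplit(match.group(1)).scheme.lower() if match else None


def triage(log_text, config_text):
    """Collect findings for both signals discussed in the thread."""
    findings = []
    hosts = hosts_without_session(log_text)
    if hosts:
        findings.append("verify request without session cookie: " + ", ".join(hosts))
    scheme = dashboard_url_scheme(config_text)
    if scheme != "https":
        findings.append(f"dashboard_url scheme is {scheme!r}, expected 'https'")
    return findings


if __name__ == "__main__":
    for finding in triage(LOG_NO_COOKIE + "\n" + LOG_WITH_COOKIE, CONFIG_HTTP):
        print(finding)
```

Feed it the raw container log rather than text copied from a rendered web page, since rendering can strip the JSON escapes and such lines are skipped.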

Reference: github-starred/pangolin#1827