[GH-ISSUE #615] What about getting client public IPs? #18616

Closed
opened 2026-05-21 18:16:14 -05:00 by GiteaMirror · 12 comments

Originally created by @chris-coria on GitHub (Apr 29, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/615

By default, pangolin is using this network:

networks:
  default:
    driver: bridge
    name: pangolin

So it means it is behind Docker NAT, and thus Pangolin cannot get the real IP because it is using the network's default gateway.

The only solution is exposing Gerbil with `network_mode: host`, but by doing so, Docker hostnames won't be available. And if you change things like `--reachableAt`, `--remoteConfig` or `--reportBandwidthTo`, it won't work and shows an HTTP Bad Gateway error in the Pangolin dashboard.

So, how can this be achieved in order to log the real IP in Traefik's `access.log`? Things like Traefik plugins to achieve this won't work, as I described: it is behind Docker NAT. And `mode: host` in `ports` won't work for docker compose files.

This is the docker-compose.yml I am trying to modify:

services:
  pangolin:
    image: fosrl/pangolin:1.2.0
    container_name: pangolin
    restart: unless-stopped
    volumes:
      - ./config:/app/config
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3001/api/v1/"]
      interval: "3s"
      timeout: "3s"
      retries: 15
    network_mode: host

  gerbil:
    image: fosrl/gerbil:1.0.0
    container_name: gerbil
    restart: unless-stopped
    depends_on:
      pangolin:
        condition: service_healthy
    command:
      - --reachableAt=http://localhost:3003
      - --generateAndSaveKeyTo=/var/config/key
      - --remoteConfig=http://localhost:3001/api/v1/gerbil/get-config
      - --reportBandwidthTo=http://localhost:3001/api/v1/gerbil/receive-bandwidth
    volumes:
      - ./config/:/var/config
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    network_mode: host
      
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    network_mode: service:gerbil # Ports appear on the gerbil service
    depends_on:
      pangolin:
        condition: service_healthy
    command:
      - --configFile=/etc/traefik/traefik_config.yml
    environment:
      - CF_DNS_API_TOKEN=${CLOUDFLARE_API_KEY}
    volumes:
      - ./config/traefik:/etc/traefik:ro # Volume to store the Traefik configuration
      - ./config/crowdsec:/etc/crowdsec:ro # Volume to store the Crowdsec's Appsec configurations
      - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
      - ./config/logs/:/var/log/traefik/ # Storage for Traefik logs.

And this is the config.yml file:

app:
  dashboard_url: "https://pangolin.example.com"
  log_level: "info"
  save_logs: true

domains:
  domain1:
    base_domain: "example.com"
    cert_resolver: "cloudflare"
    prefer_wildcard_cert: true

server:
  external_port: 3000
  internal_port: 3001
  next_port: 3002
  internal_hostname: "localhost"
  session_cookie_name: "p_session_token"
  resource_access_token_param: "p_token"
  resource_access_token_headers:
    id: "P-Access-Token-Id"
    token: "P-Access-Token"
  resource_session_request_param: "p_session_request"

traefik:
  cert_resolver: "cloudflare"
  http_entrypoint: "web"
  https_entrypoint: "websecure"

gerbil:
  start_port: 51820
  base_endpoint: "pangolin.example.com"
  use_subdomain: false
  block_size: 24
  site_block_size: 30
  subnet_group: 100.89.137.0/20

rate_limits:
  global:
    window_minutes: 1
    max_requests: 100

email:
  smtp_host: "smtp.example.com"
  smtp_port: 465
  smtp_user: "support@example.com"
  smtp_pass: "xxxxxxxxxxx"
  no_reply: "support@example.com"

users:
  server_admin:
    email: "user@example.com"
    password: "xxxxxxxxxxxxxxxxxx"

flags:
  require_email_verification: true
  disable_signup_without_invite: true
  disable_user_create_org: true
  allow_raw_resources: true
  allow_base_domain_resources: true
GiteaMirror added the stale label 2026-05-21 18:16:14 -05:00

@TuncTaylan commented on GitHub (Apr 29, 2025):

Could you please elaborate why you need this or what doesn’t work?
Pangolin is reachable at the public IP of the host via port 443.


@chris-coria commented on GitHub (Apr 29, 2025):

> Could you please elaborate why you need this or what doesn't work? Pangolin is reachable at the public IP of the host via port 443.

I don't mean Pangolin is not reachable; I mean getting the real IP of the client is not working due to the "bridge" network. Docker NATs the requests, and because of that, CrowdSec will NOT work because ALL THE TRAFFIC IPs are "coming" from Pangolin's network gateway.

So if anyone does something tricky, CrowdSec will ban Pangolin's Docker network gateway and not the real IP of the attacker. Do you see what I mean?

You can see it by mounting `./config/logs/:/var/log/traefik/` in Traefik's volumes and enabling `accessLog` in the Traefik static config file:

accessLog:
  bufferingSize: 100
  fields:
    defaultMode: drop
    headers:
      defaultMode: drop
      names:
        Authorization: redact
        Content-Type: keep
        Cookie: redact
        User-Agent: keep
        X-Forwarded-For: keep
        X-Forwarded-Proto: keep
        X-Real-Ip: keep
    names:
      ClientAddr: keep
      ClientHost: keep
      DownstreamContentSize: keep
      DownstreamStatus: keep
      Duration: keep
      RequestMethod: keep
      RequestHost: keep
      RequestPath: keep
      RequestProtocol: keep
      RetryAttempts: keep
      ServiceName: keep
      StartUTC: keep
      TLSCipher: keep
      TLSVersion: keep
  # Container's dir, not the machine dir.
  filePath: /var/log/traefik/access.log 
  filters:
    minDuration: 100ms
    retryAttempts: true
    statusCodes:
      - 200-299
      - 400-499
      - 500-599
  format: json

Use the default pangolin manual installation guide and you'll see.


@TuncTaylan commented on GitHub (Apr 30, 2025):

I'm still having difficulty understanding you; what client are you talking about?
I have the stack pangolin + crowdsec and it sees the real IPs of the attackers and blocks them:

Image: https://github.com/user-attachments/assets/afff950a-6098-41fe-8c4e-1145b76259b9


@chris-coria commented on GitHub (Apr 30, 2025):

Then I don't understand why my Traefik access log is showing the Pangolin Docker network instead of the real IP. Here is my debug:

You can see from `docker network inspect` that the IP taken is the default gateway.

root@ubuntu:~/pangolin/config/logs# ls
access.log  crowdsec-bouncer.log  pangolin-2025-04-29.log.gz  pangolin-2025-04-30.log  pangolin.log  traefik.log

root@ubuntu:~/pangolin/config/logs# cat access.log
{"ClientAddr":"172.19.0.1:42576","ClientHost":"172.19.0.1","DownstreamContentSize":0,"DownstreamStatus":304,"Duration":140200520,"RequestHost":"books.domain.com","RequestMethod":"GET","RequestPath":"/static/js/libs/jquery.form.min.js","RequestProtocol":"HTTP/2.0","RetryAttempts":0,"ServiceName":"5-service@http","StartUTC":"2025-04-30T18:19:25.143380025Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","downstream_Content-Type":"","level":"info","msg":"","origin_Content-Type":"","request_Cookie":"REDACTED","request_User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 OPR/118.0.0.0","request_X-Forwarded-Proto":"https","request_X-Real-Ip":"172.19.0.1","time":"2025-04-30T18:19:25Z"}
{"ClientAddr":"172.19.0.1:42576","ClientHost":"172.19.0.1","DownstreamContentSize":4399,"DownstreamStatus":200,"Duration":64612010,"RequestHost":"books.domain.com","RequestMethod":"GET","RequestPath":"/login","RequestProtocol":"HTTP/2.0","RetryAttempts":0,"ServiceName":"5-service@http","StartUTC":"2025-04-30T18:19:26.977520457Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","downstream_Content-Type":"text/html; charset=utf-8","level":"info","msg":"","origin_Content-Type":"text/html; charset=utf-8","request_Cookie":"REDACTED","request_User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 OPR/118.0.0.0","request_X-Forwarded-Proto":"https","request_X-Real-Ip":"172.19.0.1","time":"2025-04-30T18:19:27Z"}

root@ubuntu:~/pangolin/config/logs# sudo docker network inspect pangolin
[
    {
        "Name": "pangolin",
        "Id": "429a4b6a0ee75c3e90483f6971e294a31f03a0672c3163f32bf33654e89a0ac4",
        "Created": "2025-04-29T19:29:25.995334309-06:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv4": true,
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.19.0.0/16",
                    "Gateway": "172.19.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "4160cd02d9ec5659c6faa7e74161ba6483f799feefa464407c203459a0b6dd20": {
                "Name": "pangolin",
                "EndpointID": "dad85ca689337ddf2571e1e29f1b6b58a6f66f21a8613b33c96e5e3f93e24f24",
                "MacAddress": "6e:1d:5d:a2:7a:ab",
                "IPv4Address": "172.19.0.2/16",
                "IPv6Address": ""
            },
            "ec0f73c6675f60f93da616df804d8bb9f73d841f301d125eafd80113c1b162a2": {
                "Name": "gerbil",
                "EndpointID": "fd9cf82dc7b43bbee08984d45c24db84c82af718789cfbc63b5d6cfef04628c8",
                "MacAddress": "da:4c:23:ec:2c:b2",
                "IPv4Address": "172.19.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {
            "com.docker.compose.config-hash": "c4377f62cbdfc3098f2a00a8a7a2ae0f02b5fed1a6e6342c0a7200d7bfa9e40e",
            "com.docker.compose.network": "default",
            "com.docker.compose.project": "pangolin",
            "com.docker.compose.version": "2.35.1"
        }
    }
]
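A check for the situation shown in the access log above (and for the `accessLog` configuration posted two comments earlier), added here as an example; it is not code from the Pangolin project or from anyone in this thread. It parses Traefik's JSON access log together with `docker network inspect` output and counts requests whose `ClientHost` is a Docker bridge gateway, which is the symptom of NAT replacing the client's source address. The log lines and the trimmed inspect output embedded in the script are constructed to mirror the thread's data; the third log line, with a 203.0.113.x address, is invented as a non-masked control.

```python
"""Spot Docker-NAT masking in a Traefik JSON access log.

Added example, not code from Pangolin, Traefik or anyone in the thread. The
sample log lines and the trimmed `docker network inspect` output are constructed
to mirror the thread's data (bridge gateway 172.19.0.1 on 172.19.0.0/16).
"""
import ipaddress
import json
from collections import Counter

# Constructed: only the keys this check reads; real inspect output has many more.
DOCKER_NETWORK_INSPECT = json.dumps([{
    "Name": "pangolin",
    "Driver": "bridge",
    "IPAM": {"Config": [{"Subnet": "172.19.0.0/16", "Gateway": "172.19.0.1"}]},
}])

# Constructed access.log lines (Traefik `format: json`). The first two mirror the
# masked entries from the thread; the third is an invented non-masked control
# using a documentation-range address.
ACCESS_LOG = "\n".join(json.dumps(e) for e in [
    {"ClientAddr": "172.19.0.1:42576", "ClientHost": "172.19.0.1", "DownstreamStatus": 304,
     "RequestHost": "books.domain.com", "RequestPath": "/static/js/libs/jquery.form.min.js",
     "request_X-Real-Ip": "172.19.0.1"},
    {"ClientAddr": "172.19.0.1:42580", "ClientHost": "172.19.0.1", "DownstreamStatus": 200,
     "RequestHost": "books.domain.com", "RequestPath": "/login", "request_X-Real-Ip": "172.19.0.1"},
    {"ClientAddr": "203.0.113.7:51000", "ClientHost": "203.0.113.7", "DownstreamStatus": 200,
     "RequestHost": "books.domain.com", "RequestPath": "/login", "request_X-Real-Ip": "203.0.113.7"},
])

# RFC 1918, loopback and link-local only. Python's is_private also covers the
# documentation ranges, which would wrongly classify the control line above.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def docker_gateways(inspect_json: str) -> set:
    """Every IPAM gateway address from `docker network inspect` output."""
    gateways = set()
    for network in json.loads(inspect_json):
        for cfg in (network.get("IPAM") or {}).get("Config") or []:
            if cfg.get("Gateway"):
                gateways.add(ipaddress.ip_address(cfg["Gateway"]))
    return gateways


def iter_entries(access_log: str):
    """Parsed JSON objects, one per non-empty line; malformed lines are skipped."""
    for line in access_log.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def classify(entry: dict, gateways: set) -> str:
    """'masked' if ClientHost is a Docker gateway, 'private' for other local
    ranges (LAN clients), 'public' otherwise, 'unknown' if unparseable."""
    try:
        peer = ipaddress.ip_address(entry.get("ClientHost", ""))
    except ValueError:
        return "unknown"
    if peer in gateways:
        return "masked"
    if any(peer in net for net in LOCAL_RANGES):
        return "private"
    return "public"


def summarize(access_log: str, inspect_json: str) -> dict:
    """Counts per class plus the share of requests whose source was masked."""
    gateways = docker_gateways(inspect_json)
    counts = Counter(classify(e, gateways) for e in iter_entries(access_log))
    total = sum(counts.values())
    masked = counts["masked"]
    return {"total": total, "masked": masked, "private": counts["private"],
            "public": counts["public"], "unknown": counts["unknown"],
            "masked_ratio": masked / total if total else 0.0}


if __name__ == "__main__":
    report = summarize(ACCESS_LOG, DOCKER_NETWORK_INSPECT)
    print(json.dumps(report, indent=2))
    if report["masked"]:
        print("WARNING: source addresses are being replaced by a Docker gateway; "
              "CrowdSec and IP rules behind Traefik will act on the gateway.")
```

To run it against a real deployment, replace the two constants with the contents of `access.log` and the output of `docker network inspect pangolin`. Any non-zero `masked` count means CrowdSec, rate limits and every IP-based rule evaluated behind Traefik are acting on the gateway address rather than on the client, which is exactly the failure described in the thread.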

@parsoli commented on GitHub (Apr 30, 2025):

> I'm still having difficulty understanding you; what client are you talking about? I have the stack pangolin + crowdsec and it sees the real IPs of the attackers and blocks them:
>
> Image: https://github.com/user-attachments/assets/afff950a-6098-41fe-8c4e-1145b76259b9

Hey, I see where the OP is coming from. I don't have a fancy CrowdSec GUI either. How did you get that? I do have CrowdSec working, but even with Grafana and Prometheus I only see the Docker network's IP address as SOURCE, not the public IPs of the persons accessing resources. I'd love to know more.


@chris-coria commented on GitHub (Apr 30, 2025):

> > I'm still having difficulty understanding you; what client are you talking about? I have the stack pangolin + crowdsec and it sees the real IPs of the attackers and blocks them:
> >
> > Image: https://github.com/user-attachments/assets/afff950a-6098-41fe-8c4e-1145b76259b9
>
> Hey, I see where the OP is coming from. I don't have a fancy CrowdSec GUI either. How did you get that? I do have CrowdSec working, but even with Grafana and Prometheus I only see the Docker network's IP address as SOURCE, not the public IPs of the persons accessing resources. I'd love to know more.

Glad to know I'm not the only one with that problem. The GUI he is using is the CrowdSec.net dashboard. You need to enroll your instance there. Free plans only allow you to record 500 alerts.


@parsoli commented on GitHub (Apr 30, 2025):

Yeah, I haven't been able to run cscli commands. It says "FATA[2025-04-30T22:45:58Z] while reading yaml file: open /etc/crowdsec/config.yaml: no such file or directory". There is no crowdsec folder in /etc. It's all buried where I installed Docker from, under /home/docker. I've had to tweak things to get it working overall.


@github-actions[bot] commented on GitHub (May 15, 2025):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.


@sorcer1122 commented on GitHub (May 17, 2025):

I am having exactly the same problem - I cannot see real IPs of the clients trying to access my pangolin instance, so there is no way to limit pangolin to say only certain IP addresses due to Docker NAT. Having 2FA is great but it would be even better to have an option to limit access to pangolin from say one or two IPs only.

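To make the limitation described in the comment above concrete, here is an added example (not Pangolin's or Traefik's code) of how an IP allowlist has to be evaluated behind a reverse proxy, and why it cannot work when Docker NAT presents every client as the bridge gateway. The addresses, the allowlist and the `trusted_proxies` list are constructed assumptions; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for real client addresses, and 172.19.0.1 is the gateway seen in the thread.

```python
"""Client-IP allowlisting behind a reverse proxy, and what Docker NAT does to it.

Added example, not code from Pangolin or Traefik. All addresses, the allowlist
and the trusted-proxy list below are constructed for illustration.
"""
import ipaddress
from typing import Iterable, List, Optional


def _networks(cidrs: Iterable[str]) -> list:
    """Parse CIDR strings (or bare addresses) into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _in_any(addr, networks) -> bool:
    """True when addr falls inside at least one of the networks."""
    return any(addr in net for net in networks)


def parse_xff(header: Optional[str]) -> List[ipaddress._BaseAddress]:
    """Split X-Forwarded-For into addresses, leftmost (claimed client) first.
    Entries that are not valid IP literals are dropped rather than trusted."""
    addresses = []
    for part in (header or "").split(","):
        part = part.strip()
        if not part:
            continue
        try:
            addresses.append(ipaddress.ip_address(part))
        except ValueError:
            continue
    return addresses


def effective_client_ip(peer: str, xff: Optional[str],
                        trusted_proxies: Iterable[str] = ()):
    """Resolve the client address the way a proxy-aware server should.

    X-Forwarded-For is only honoured when the direct peer is a trusted proxy.
    The header is then walked from the right (the hop nearest to us) toward
    the left, skipping trusted proxies; the first untrusted hop is the client.
    """
    trusted = _networks(trusted_proxies)
    peer_ip = ipaddress.ip_address(peer)
    if not _in_any(peer_ip, trusted):
        return peer_ip                      # untrusted peer: its header means nothing
    for hop in reversed(parse_xff(xff)):
        if not _in_any(hop, trusted):
            return hop
    return peer_ip                          # every hop was a trusted proxy


def is_allowed(peer: str, xff: Optional[str], allowlist: Iterable[str],
               trusted_proxies: Iterable[str] = ()) -> bool:
    """Allowlist decision on the effective client address."""
    client = effective_client_ip(peer, xff, trusted_proxies)
    return _in_any(client, _networks(allowlist))


def docker_nat_scenarios() -> dict:
    """Constructed cases. ALLOW is the operator's intended allowlist; GATEWAY is
    the Docker bridge gateway that Traefik sees as the peer for every client."""
    ALLOW = ["203.0.113.0/24"]
    GATEWAY = "172.19.0.1"
    return {
        # host networking or preserved source IP: the allowlist works
        "direct_allowed": is_allowed("203.0.113.7", None, ALLOW),
        "direct_denied": is_allowed("198.51.100.9", None, ALLOW),
        # behind Docker NAT every client is 172.19.0.1, so everyone is denied
        "nat_locked_out": is_allowed(GATEWAY, None, ALLOW),
        # "fixing" it by allowlisting the gateway lets every client through
        "nat_gateway_allowlisted": is_allowed(GATEWAY, None, ALLOW + [GATEWAY + "/32"]),
        # a client that sets its own X-Forwarded-For is ignored: peer untrusted
        "spoof_ignored": is_allowed(GATEWAY, "203.0.113.7", ALLOW),
        # trusting the gateway as a proxy makes the header spoofable
        "spoof_accepted_if_gateway_trusted": is_allowed(
            GATEWAY, "203.0.113.7", ALLOW, trusted_proxies=[GATEWAY + "/32"]),
    }


if __name__ == "__main__":
    for name, decision in docker_nat_scenarios().items():
        print(f"{name:36s} allowed={decision}")
```

The two NAT cases are the trap: allowlisting the gateway address turns the rule into allow-all, and declaring the gateway a trusted proxy lets any client forge `X-Forwarded-For`, because the Docker gateway is a NAT hop, not a proxy that sets that header. Only a setup where the proxy sees the original source address (for example host networking, as the OP tried) gives the allowlist something real to match on.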

@dpurnam commented on GitHub (May 26, 2025):

For now, I just run it in HOST Docker Network Mode (https://github.com/dpurnam/pangolin). I'm yet to set up crowdsec, though.

Also in this setup, the IP Based Bypass Rules for Resources don't work (https://github.com/fosrl/pangolin/issues/741).


@github-actions[bot] commented on GitHub (Jun 10, 2025):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.


@github-actions[bot] commented on GitHub (Jun 24, 2025):

This issue has been automatically closed due to inactivity. If you believe this is still relevant, please open a new issue with up-to-date information.

Reference: github-starred/pangolin#18616