[PR #2095] [MERGED] Add ASN-based resource rule matching #2856

New Issue

Closed

opened 2026-04-16 09:38:56 -05:00 by GiteaMirror · 0 comments

GiteaMirror commented 2026-04-16 09:38:56 -05:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/fosrl/pangolin/pull/2095
Author: @WildeTechSolutions
Created: 12/16/2025
Status: ✅ Merged
Merged: 12/20/2025
Merged by: @oschwartz10612

Base: main ← Head: feature/asn-matching

---

📝 Commits (4)

• 23ad1a2 Add ASN-based resource rule matching
• 42da3b0 Add asn option to blueprint type
• 91e700e Add hybrid route
• 26d8192 Add blueprint validation

📊 Changes

13 files changed (+808 additions, -14 deletions)

View changed files

➕ server/db/asns.ts (+321 -0)
➕ server/db/maxmindAsn.ts (+13 -0)
➕ server/lib/asn.ts (+29 -0)
📝 server/lib/blueprints/types.ts (+65 -5)
📝 server/lib/config.ts (+4 -0)
📝 server/lib/readConfigFile.ts (+2 -1)
📝 server/private/routers/hybrid.ts (+65 -0)
📝 server/routers/badger/verifySession.ts (+61 -2)
📝 server/routers/resource/createResourceRule.ts (+1 -1)
📝 server/routers/resource/updateResourceRule.ts (+1 -1)
📝 src/app/[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx (+243 -3)
📝 src/lib/pullEnv.ts (+2 -1)
📝 src/lib/types/env.ts (+1 -0)

📄 Description

• Add MaxMind ASN database integration
• Implement ASN lookup and matching in resource rule verification
• Add curated list of 100+ major ASNs (cloud, ISP, CDN, mobile carriers)
• Add ASN dropdown selector in resource rules UI with search functionality
• Support custom ASN input for unlisted ASNs
• Add 'ALL ASNs' special case handling (AS0)
• Cache ASN lookups with 5-minute TTL for performance
• Update validation schemas to support ASN match type

This allows administrators to create resource access rules based on Autonomous System Numbers, similar to existing country-based rules. Useful for restricting access by ISP, cloud provider, or mobile carrier.

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

The implementation is nearly identical to using the Country rules with the maxmind GeoIP database. This time you just need the GeoLite2-ASN.mmdb next to your GeoLite2-Country.mmdb. Fetching the ASN database is no different from fetching the Country database, and if Pangolin detects it, it will enable the rule capability just like with Country.

Similar to country, a number of popular ASNs are provided in the dropdown by default. This is a great way to reduce unwanted traffic to resources that can't support other Authentication means (i.e. Mobile apps that need api access that don't support custom headers like Amperfy).

How to test?

Add the geoip-updater container to docker-compose.yml.

  geoip-updater:
    image: maxmindinc/geoipupdate:latest
    container_name: geoip-updater
    volumes:
      - ./config/maxmind:/usr/share/GeoIP
    environment:
      GEOIPUPDATE_ACCOUNT_ID: ${GEOIP_ACCOUNT_ID}
      GEOIPUPDATE_LICENSE_KEY: ${GEOIP_LICENSE_KEY}
      GEOIPUPDATE_EDITION_IDS: ${GEOIP_EDITION_IDS}
    restart: on-failure

The GEOIP_EDITION_IDS variable should contain the ASN database:

GEOIP_EDITION_IDS=GeoLite2-Country GeoLite2-City GeoLite2-ASN

Add the maxmind_asn_path variable to the server block in config.yml:

server:
  maxmind_db_path: "./config/maxmind/GeoLite2-Country.mmdb"
  maxmind_asn_path: "./config/maxmind/GeoLite2-ASN.mmdb"

You can now create ASN rules in the same fashion as Country rules, i.e. Bypass Auth for your mobile carrier and Block Access for ALL.

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/fosrl/pangolin/pull/2095 **Author:** [@WildeTechSolutions](https://github.com/WildeTechSolutions) **Created:** 12/16/2025 **Status:** ✅ Merged **Merged:** 12/20/2025 **Merged by:** [@oschwartz10612](https://github.com/oschwartz10612) **Base:** `main` ← **Head:** `feature/asn-matching` --- ### 📝 Commits (4) - [`23ad1a2`](https://github.com/fosrl/pangolin/commit/23ad1a225ba79c86788bb368943ac7ea0e13435d) Add ASN-based resource rule matching - [`42da3b0`](https://github.com/fosrl/pangolin/commit/42da3b087dc5833a33412112f9081a1e15248953) Add asn option to blueprint type - [`91e700e`](https://github.com/fosrl/pangolin/commit/91e700e6cbb89dc6f4eba01332c0e4eda5d40d69) Add hybrid route - [`26d8192`](https://github.com/fosrl/pangolin/commit/26d8192a539261806fce07064e42461825df6813) Add blueprint validation ### 📊 Changes **13 files changed** (+808 additions, -14 deletions) <details> <summary>View changed files</summary> ➕ `server/db/asns.ts` (+321 -0) ➕ `server/db/maxmindAsn.ts` (+13 -0) ➕ `server/lib/asn.ts` (+29 -0) 📝 `server/lib/blueprints/types.ts` (+65 -5) 📝 `server/lib/config.ts` (+4 -0) 📝 `server/lib/readConfigFile.ts` (+2 -1) 📝 `server/private/routers/hybrid.ts` (+65 -0) 📝 `server/routers/badger/verifySession.ts` (+61 -2) 📝 `server/routers/resource/createResourceRule.ts` (+1 -1) 📝 `server/routers/resource/updateResourceRule.ts` (+1 -1) 📝 `src/app/[orgId]/settings/resources/proxy/[niceId]/rules/page.tsx` (+243 -3) 📝 `src/lib/pullEnv.ts` (+2 -1) 📝 `src/lib/types/env.ts` (+1 -0) </details> ### 📄 Description - Add MaxMind ASN database integration - Implement ASN lookup and matching in resource rule verification - Add curated list of 100+ major ASNs (cloud, ISP, CDN, mobile carriers) - Add ASN dropdown selector in resource rules UI with search functionality - Support custom ASN input for unlisted ASNs - Add 'ALL ASNs' special case handling (AS0) - Cache ASN lookups with 5-minute TTL for performance - Update validation schemas to support ASN match type This allows administrators to create resource access rules based on Autonomous System Numbers, similar to existing country-based rules. Useful for restricting access by ISP, cloud provider, or mobile carrier. ## Community Contribution License Agreement By creating this pull request, I grant the project maintainers an unlimited, perpetual license to use, modify, and redistribute these contributions under any terms they choose, including both the AGPLv3 and the Fossorial Commercial license terms. I represent that I have the right to grant this license for all contributed content. ## Description The implementation is nearly identical to using the Country rules with the maxmind GeoIP database. This time you just need the `GeoLite2-ASN.mmdb` next to your `GeoLite2-Country.mmdb`. Fetching the ASN database is no different from fetching the Country database, and if Pangolin detects it, it will enable the rule capability just like with Country. <img width="2097" height="836" alt="image" src="https://github.com/user-attachments/assets/14ca063a-3b78-4a85-bba8-9a1cdd7af5a2" /> <img width="1903" height="999" alt="image" src="https://github.com/user-attachments/assets/317eace5-901b-45e3-9b64-d3237acfc60b" /> Similar to country, a number of popular ASNs are provided in the dropdown by default. This is a great way to reduce unwanted traffic to resources that can't support other Authentication means (i.e. Mobile apps that need api access that don't support custom headers like Amperfy). ## How to test? Add the `geoip-updater` container to `docker-compose.yml`. ```yml geoip-updater: image: maxmindinc/geoipupdate:latest container_name: geoip-updater volumes: - ./config/maxmind:/usr/share/GeoIP environment: GEOIPUPDATE_ACCOUNT_ID: ${GEOIP_ACCOUNT_ID} GEOIPUPDATE_LICENSE_KEY: ${GEOIP_LICENSE_KEY} GEOIPUPDATE_EDITION_IDS: ${GEOIP_EDITION_IDS} restart: on-failure ``` The `GEOIP_EDITION_IDS` variable should contain the ASN database: ```properties GEOIP_EDITION_IDS=GeoLite2-Country GeoLite2-City GeoLite2-ASN ``` Add the `maxmind_asn_path` variable to the `server` block in `config.yml`: ```yml server: maxmind_db_path: "./config/maxmind/GeoLite2-Country.mmdb" maxmind_asn_path: "./config/maxmind/GeoLite2-ASN.mmdb" ``` You can now create ASN rules in the same fashion as Country rules, i.e. `Bypass Auth` for your mobile carrier and `Block Access` for `ALL`. --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

GiteaMirror added the pull-request label 2026-04-16 09:38:56 -05:00

GiteaMirror closed this issue 2026-04-16 09:38:57 -05:00

GiteaMirror referenced this issue 2026-04-16 09:51:37 -05:00

[PR #2856] [MERGED] fix image #3191

GiteaMirror referenced this issue 2026-04-20 09:16:40 -05:00

[PR #2856] [MERGED] fix image #5134

GiteaMirror referenced this issue 2026-04-25 16:32:12 -05:00

[PR #2856] [MERGED] fix image #7993

GiteaMirror referenced this issue 2026-04-30 06:05:29 -05:00

[PR #2856] [MERGED] fix image #9972

GiteaMirror referenced this issue 2026-05-06 16:34:24 -05:00

[PR #2856] [MERGED] fix image #11991

GiteaMirror referenced this issue 2026-05-13 19:16:26 -05:00

[PR #2856] [MERGED] fix image #14044

GiteaMirror referenced this issue 2026-05-16 04:09:19 -05:00

[PR #2856] [MERGED] fix image #16127

GiteaMirror referenced this issue 2026-05-18 18:26:36 -05:00

[PR #2856] [MERGED] fix image #18229

GiteaMirror referenced this issue 2026-05-21 21:55:53 -05:00

[PR #2856] [MERGED] fix image #20340

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dependabot/npm_and_yarn/qs-6.15.2

rdp-ssh

dependabot/npm_and_yarn/prod-patch-updates-94425a55d0

dependabot/npm_and_yarn/dev-minor-updates-4aaf4dbce4

dependabot/go_modules/install/minor-updates-a249525a56

crowdin_dev

auto-update

dev

fix-site-delete

fix-3104

exit-node-reconnect

fix-logoUrl

button-to-rebuild-association

dependabot/npm_and_yarn/brace-expansion-5.0.6

copilot/fix-documentation-input-output-types

dependabot/github_actions/sigstore/cosign-installer-4.1.2

redis

resource-policies

dependabot/npm_and_yarn/next-15.5.18

dependabot/npm_and_yarn/fast-uri-3.1.2

s3

dependabot/npm_and_yarn/fast-xml-builder-1.2.0

dependabot/npm_and_yarn/axios-1.15.2

dependabot/npm_and_yarn/next-intl-4.9.2

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

cross-org-idp

breakout-sites-tables

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.4

1.18.3

1.18.2

1.18.1

1.18.0

1.18.0-rc.0

1.17.1

1.17.0

1.17.0-rc.0

1.16.2

1.16.1

1.16.0

1.16.0-rc.0

1.15.4

1.15.3

1.15.2

1.15.1

1.15.0

1.15.0-rc.0

1.14.1

1.14.0

1.14.0-rc.0

1.13.1

1.13.0

1.13.0-rc.0

1.12.3

1.12.2

1.12.1

1.12.0

1.12.0-rc.0

1.11.1

1.11.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#2856