mirror of
https://github.com/fosrl/pangolin.git
synced 2026-07-16 14:47:04 -05:00
[GH-ISSUE #2501] Ressource access not allowed / No valid auth #30006
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @elcajon on GitHub (Feb 18, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2501
Describe the Bug
When accessing my public resources, I noticed that some of them are not available. I noticed that I get the following error messages in the logs when accessing a page (regardless of whether the access works or not). I suspect that a successful access is delivered from the local browser cache and bypasses authentication. (wild guess)
Accessing the Pangolin UI (which is also randomly available) there are the following related access log entries:
I also noticed that access to resources works for a while after restarting the Pangolin Docker Compose stack (down & up) before the problems reappear. However, I couldn't find anything in the logs that pointed to the cause of the problems. It seems that this is the case when no service/resource is called for a longer period of time.
Komodo is just one example, all other resources are also affected.
I use Pocket ID as an IDP, but access still does not work via the local Pangolin user in the event of an error.
When the error occurs, I am redirected to the Pangolin login page. The login appears to be successful, but I am then redirected back to the login page. (No error message in the UI, entries in the log as shown above).
Since I can see the Pangolin page, I don't expect there to be a problem with Crowdsec.
Unfortunately, I have no idea what the cause could be, but I am happy to provide any information that might help identify the cause.
Docker Compose
Resource Configuration
Environment
To Reproduce
Not sure to be honest.
I think if it were a general problem, I wouldn't be the first to notice it. Generally speaking, I believe the problem must have come with one of the latest releases, otherwise I would have noticed it sooner. Could it be related to a particular version of Traefik?
Expected Behavior
Reliable access to all resources
@kebel87 commented on GitHub (Feb 18, 2026):
I have the same issue, specifically with Komodo but also withh more services (Ansible). Something in the pipeline seems to have changed, dunno whether it's related to Pangolin, Komodo or PocketId.
@marcschaeferger commented on GitHub (Mar 1, 2026):
I can confirm that this issue also exists in Pangolin 1.16.2 but with a bit different effects at least for me, as i can access the ressources.
Environment
Additional Observations
I tested authentication using the same browser session where I am already logged into the Pangolin Dashboard/UI.
I also tested using a different browser.
In both cases:
All requests originate from the same static public IPv4 address (company-owned). And it can only be me doing the requests.
When the issue occurs:
Resource access not allowedentries.This affects multiple resources, not just a single one.
I’ve attached a screenshot of the log behavior as well.
@pierreminik commented on GitHub (Mar 5, 2026):
I'm seeing this issue as well and it seems to be an issue with newly created rules after upgrading Pangolin to one of the newer versions. Uncertain which specific version introduced this issue as I have not created new rules for every version.
In my case, I have public resources which are protected but have a "Bypass auth" rule for my home IP. This simple rule works for public resources created in earlier versions of Pangolin. Even though my home IP is shown correctly in the Request Logs of the Pangolin dashboard I can see a "No Valid Auth" reason for a Denied action to this request.
The error logs for the docker compose stack matches those posted above, ie.:
pangolin | 2026-03-05T12:47:00+00:00 [info]: Resource access not allowed. Resource ID: 16. IP: XX.XX.XX.XX..Rules which have not changes since some of the last few releases still work, ie. the rules created in earlier versions with the very same "Bypass auth" rule for my home IP, is shown in the Request Logs of the Pangolin dashboard as "Allowed by Rule".
@github-actions[bot] commented on GitHub (Mar 20, 2026):
This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.