mirror of
https://github.com/fosrl/pangolin.git
synced 2026-07-16 06:08:33 -05:00
[PR #2490] (feat) DNS Authority #34300
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/fosrl/pangolin/pull/2490
Author: @mattv8
Created: 2/17/2026
Status: 🔄 Open
Base:
dev← Head:dns-authority📝 Commits (10+)
dacdcf4DNS authority management and features90a1c24Add TLS certificate handling to auth proxy configurationd1440b5Update target URL scheme to use method from target configuration18ac6adAdd multi-target, path routing, and proxy settings to auth configb8b69a5Add targetUrl for backward compatibility in ResourceAuthConfig0fdaf3efeat(dns): include sticky metadata in authority config7eb86dffeat(dns): persist target latency and fold migration into 1.16.0c3f6cb3chore(migrations): keep pg 1.16.0 upstream and move dns changes to 1.16.18488e8echore(migrations): bump dns migration to 1.17.180a9fbdremove http property from resource auth configuration📊 Changes
39 files changed (+2820 additions, -40 deletions)
View changed files
📝
messages/en-US.json(+42 -0)📝
package.json(+3 -3)📝
server/db/pg/schema/schema.ts(+13 -1)📝
server/db/sqlite/schema/schema.ts(+17 -1)📝
server/internalServer.ts(+9 -2)➕
server/lib/jwtKeypair.ts(+131 -0)📝
server/lib/readConfigFile.ts(+1 -0)📝
server/lib/traefik/TraefikConfigManager.ts(+223 -0)📝
server/openApi.ts(+2 -1)➕
server/routers/auth/authProxy.ts(+413 -0)📝
server/routers/auth/index.ts(+3 -1)➕
server/routers/auth/validateSession.ts(+132 -0)➕
server/routers/dns/dnsAuthority.ts(+713 -0)📝
server/routers/external.ts(+3 -0)📝
server/routers/internal.ts(+9 -0)📝
server/routers/newt/getNewtToken.ts(+71 -1)➕
server/routers/newt/handleAuthProxyStatusMessage.ts(+41 -0)➕
server/routers/newt/handleDnsStatusMessage.ts(+57 -0)📝
server/routers/newt/handleNewtRegisterMessage.ts(+58 -0)📝
server/routers/newt/index.ts(+2 -0)...and 19 more files
📄 Description
Community Contribution License Agreement
By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.
Description
This adds DNS Authority and Auth Proxy support to Pangolin. The companion Newt PR is https://github.com/fosrl/newt/pull/236. I opened a discussion about this beforehand. Read more about my motivation for building this feature there.
What this does
Pangolin builds authoritative DNS zone configs and pushes them to Newt over WebSocket. Newt binds port 53 and serves A/NS/SOA responses. The DNS answers use the Site's public IP (not the internal target IP); the idea is that DNS controls which site the user's traffic reaches, and then Traefik/the tunnel handles proxying to the actual backend.
There are two layers, and they can operate independently or together:
Domain-level zones: work with existing wildcard domains. When you enable DNS Authority on a Site and set its public IP, Pangolin finds every wildcard domain that has Resources with Targets on that Site. For each domain it builds a
*.baseDomainzone containing all DNS-Authority-enabled Sites as targets. Health is aggregated at the Site level a Site is considered healthy for a domain if any of its Targets across Resources on that domain are healthy. This is the "just turn it on" mode: no per-Resource config needed, and it covers every subdomain under the wildcard automatically.Per-resource zones: give finer control. Enabling
dnsAuthorityEnabledon a specific Resource creates a zone for that Resource'sfullDomain(e.g.,app.docker.example.com). Unlike domain-level, health is tracked per-Target (not per-Site), and the user can configure a custom TTL (10–86400s) and routing policy (failover, round-robin, or priority). This works with any domain type, not just wildcards.Zone configs are rebuilt and pushed to each Newt agent: Site DNS Authority toggle, Resource update, Target create/update/delete, health check status change, and Newt reconnect (which gets the full set of zones immediately).
Auth Proxy: Pangolin also pushes auth proxy configs so Newt can enforce SSO at the edge. Newt tries local JWT verification first using an RSA public key from Pangolin (sub-ms), then falls back to the Pangolin session validation API if needed.
How it works
Schema changes
Migration
1.16.0(I am assuming this warrants a version up) adds columns tosites(publicIp,dnsAuthorityEnabled,dnsStatus,dnsError) andresources(dnsAuthorityEnabled,dnsAuthorityTtl,dnsAuthorityRoutingPolicy). Both PG and SQLite migrations are included. Everything defaults tooff(backwards compatibility).Backward compatibility
All new behavior is behind
dnsAuthorityEnabledtoggles on both sites and resources. Existing deployments are unaffected; nothing activates until a user explicitly enables it.Documentation
This feature will need docs at https://docs.pangolin.net/manage/dns-authority (placeholder links are in the code). I'm happy to write those once (if) the approach is agreed upon.
How to test?
Option 1: Full local test stack
There's a complete end-to-end test stack in
mattv8/pangolin-testingthat spins up PostgreSQL, Pangolin, Gerbil, two Newt instances, two backends, and a test client on a Docker bridge network.The bootstrap script enables DNS Authority, creates two sites with public IPs, and verifies resolution:
Failover test:
Auth proxy test:
See the testing README for the full architecture diagram and service map.
Option 2: Drop-in to an existing stack
Pangolin swap the image in your
docker-compose.yml:Newt install the pre-compiled binary:
Rollback:
Then enable DNS Authority on a site (set public IP), and optionally on individual resources, through the UI.
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.