github-starred/pangolin
2
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-05-12 00:41:24 -05:00
Code Issues 564 Packages Projects Releases 72 Wiki Activity

GeoIP Country Block rules prevent application of configured Authentication Methods #730

New Issue
Closed
opened 2025-11-13 12:09:25 -06:00 by GiteaMirror · 4 comments
GiteaMirror commented 2025-11-13 12:09:25 -06:00
Owner
Copy Link

Originally created by @grizzlycode on GitHub (Oct 19, 2025).

Describe the Bug

When a resource is successfully protected by a standard authentication method and the new GeoIP Country Block rules are simultaneously enabled for that same resource, the existing authentication method ceases to function or appears to be completely bypassed.

The resource becomes accessible without the required authentication check, or the authentication flow simply fails when the GeoIP rules are active. Disabling the GeoIP rules immediately restores the expected authentication functionality, strongly suggesting a conflict or an incorrect priority sequencing between the GeoIP middleware and the authentication middleware.

This issue was observed using a simple GeoIP rule configuration: Allow traffic from the United States (US) and Block all other countries.

Environment

  • OS Type & Version: Ubuntu 24.04
  • Pangolin Version: 1.11.0
  • Gerbil Version: 1.2.2
  • Traefik Version: 3.5.3
  • Newt Version: 1.5.2

To Reproduce

Steps to reproduce the observed behavior:

Prerequisite: Configure a resource to use a standard authentication method. Verify that access to the resource is successfully gated by this authentication.

Navigate to the Rules tab configuration panel for this specific, authenticated resource.

Enable the rules

Configure a simple rule set (e.g., Allow US and Block All Others).

Save and apply the settings.

Attempt to access the protected resource.

Observed Result: While the country blocking works. The previously functional authentication methods are now disabled or bypassed, allowing unauthorized access or failing the intended auth flow.

Expected Behavior

The GeoIP Country Block rules should apply before or in conjunction with the configured authentication methods. Enabling the GeoIP rules should not interfere with or disable existing applied security features like authentication. All security features should work simultaneously and correctly when rules are enabled.

Originally created by @grizzlycode on GitHub (Oct 19, 2025). ### Describe the Bug When a resource is successfully protected by a standard authentication method and the new GeoIP Country Block rules are simultaneously enabled for that same resource, the existing authentication method ceases to function or appears to be completely bypassed. The resource becomes accessible without the required authentication check, or the authentication flow simply fails when the GeoIP rules are active. Disabling the GeoIP rules immediately restores the expected authentication functionality, strongly suggesting a conflict or an incorrect priority sequencing between the GeoIP middleware and the authentication middleware. This issue was observed using a simple GeoIP rule configuration: Allow traffic from the United States (US) and Block all other countries. ### Environment - OS Type & Version: Ubuntu 24.04 - Pangolin Version: 1.11.0 - Gerbil Version: 1.2.2 - Traefik Version: 3.5.3 - Newt Version: 1.5.2 ### To Reproduce Steps to reproduce the observed behavior: Prerequisite: Configure a resource to use a standard authentication method. Verify that access to the resource is successfully gated by this authentication. Navigate to the Rules tab configuration panel for this specific, authenticated resource. Enable the rules Configure a simple rule set (e.g., Allow US and Block All Others). Save and apply the settings. Attempt to access the protected resource. Observed Result: While the country blocking works. The previously functional authentication methods are now disabled or bypassed, allowing unauthorized access or failing the intended auth flow. ### Expected Behavior The GeoIP Country Block rules should apply before or in conjunction with the configured authentication methods. Enabling the GeoIP rules should not interfere with or disable existing applied security features like authentication. All security features should work simultaneously and correctly when rules are enabled.
GiteaMirror commented 2025-11-13 12:09:26 -06:00
Author
Owner
Copy Link

@txwgnd commented on GitHub (Oct 19, 2025):

This seems to be a duplicate of #1679

@txwgnd commented on GitHub (Oct 19, 2025): This seems to be a duplicate of #1679
GiteaMirror commented 2025-11-13 12:09:26 -06:00
Author
Owner
Copy Link

@grizzlycode commented on GitHub (Oct 19, 2025):

This seems to be a duplicate of #1679

So I guess I missed issue 1679 which is a similar issue to mine.

The "Pass to Auth" action was a very helpful observation in that thread.

I've tested the suggested solution and can confirm that changing the action to "Pass to Auth" in my ruleset achieves the desired behavior: applying my resource authentication options while simultaneously enforcing the geoblock for unauthorized countries.

If this is the intended configuration, I would strongly recommend expanding the geoblock documentation. Specifically, it would be beneficial to:

  1. Clarify the behavior of "Always": State explicitly that the "Always" action will bypass any resource-level authentication methods.
  2. Highlight the use of "Pass to Auth": Explain that users must specifically select "Pass to Auth" to apply configured resource authentication alongside the geoblock.
  3. Provide Configuration Examples: Include a concrete example for when to use each of the actions ("Always" vs. "Pass to Auth").

This small clarification in the documentation would significantly help users avoid configuration errors and clearly understand the flow of access control.

You may close this issue and continue to work on 1679 since its similar.

@grizzlycode commented on GitHub (Oct 19, 2025): > This seems to be a duplicate of [#1679](https://github.com/fosrl/pangolin/issues/1679) So I guess I missed issue [1679 ](https://github.com/fosrl/pangolin/issues/1679) which is a similar issue to mine. The "Pass to Auth" action was a very helpful observation in that thread. I've tested the suggested solution and can confirm that changing the action to **"Pass to Auth"** in my ruleset achieves the desired behavior: applying my resource authentication options while simultaneously enforcing the geoblock for unauthorized countries. If this is the intended configuration, I would strongly recommend expanding the **geoblock documentation**. Specifically, it would be beneficial to: 1. **Clarify the behavior of "Always"**: State explicitly that the **"Always"** action will bypass any resource-level authentication methods. 2. **Highlight the use of "Pass to Auth"**: Explain that users must specifically select **"Pass to Auth"** to apply configured resource authentication alongside the geoblock. 3. **Provide Configuration Examples**: Include a concrete example for when to use each of the actions (**"Always"** vs. **"Pass to Auth"**). This small clarification in the documentation would significantly help users avoid configuration errors and clearly understand the flow of access control. You may close this issue and continue to work on 1679 since its similar.
GiteaMirror commented 2025-11-13 12:09:26 -06:00
Author
Owner
Copy Link

@grizzlycode commented on GitHub (Oct 19, 2025):

One quick question on Geoblock does deny all countries include IPs that may not have a country assigned?

@grizzlycode commented on GitHub (Oct 19, 2025): One quick question on Geoblock does deny all countries include IPs that may not have a country assigned?
GiteaMirror commented 2025-11-13 12:09:26 -06:00
Author
Owner
Copy Link

@grizzlycode commented on GitHub (Oct 19, 2025):

After rereading the docs, I think this one is on me. Keep up the good work.

https://docs.pangolin.net/manage/geoblocking

  1. Setting Up Geo Blocking Rules
  2. Navigate to your target resource and select the Rules tab
  3. Create a new rule and select Country as the match type
  4. Choose your rule action:
  • Allow: Bypass authentication for users from specific countries
  • Deny: Block all access from specific countries
  • Pass to Auth: Let users from specific countries proceed to authentication
@grizzlycode commented on GitHub (Oct 19, 2025): After rereading the docs, I think this one is on me. Keep up the good work. https://docs.pangolin.net/manage/geoblocking > 1. Setting Up Geo Blocking Rules > 2. Navigate to your target resource and select the Rules tab > 3. Create a new rule and select Country as the match type > 4. Choose your rule action: > > - Allow: Bypass authentication for users from specific countries > - Deny: Block all access from specific countries > - Pass to Auth: Let users from specific countries proceed to authentication
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
api
authentication
bug
config
dependencies
docker
documentation
enhancement
good first issue
help wanted
Improvement
Look Into
needs investigating
networking
new feature
non-critical bug
potential bug
pull-request
Mirrored from GitHub Pull Request
 question
reverse proxy
Security
stale
ui
wontfix
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/pangolin#730
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?