calvin.erfmann/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-01-28 22:00:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

Restrict raw resources and use st from config

Browse Source
This commit is contained in:
Owen
2025-10-26 18:15:39 -07:00
parent 0743daf56a
commit 85270f497a
6 changed files with 50 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
install/config/traefik/dynamic_config.yml
View File

@@ -51,3 +51,12 @@ http:
loadBalancer: loadBalancer:
servers: servers:
- url: "http://pangolin:3000" # API/WebSocket server - url: "http://pangolin:3000" # API/WebSocket server
tcp:
serversTransports:
pp-transport-v1:
proxyProtocol:
version: 1
pp-transport-v2:
proxyProtocol:
version: 2

27
server/lib/traefik/TraefikConfigManager.ts
View File

@@ -309,10 +309,7 @@ export class TraefikConfigManager {
this.lastActiveDomains = new Set(domains); this.lastActiveDomains = new Set(domains);
} }
if ( if (process.env.USE_PANGOLIN_DNS === "true" && build != "oss") {
process.env.USE_PANGOLIN_DNS === "true" &&
build != "oss"
) {
// Scan current local certificate state // Scan current local certificate state
this.lastLocalCertificateState = this.lastLocalCertificateState =
await this.scanLocalCertificateState(); await this.scanLocalCertificateState();
@@ -450,7 +447,8 @@ export class TraefikConfigManager {
currentExitNode, currentExitNode,
config.getRawConfig().traefik.site_types, config.getRawConfig().traefik.site_types,
build == "oss", // filter out the namespace domains in open source build == "oss", // filter out the namespace domains in open source
build != "oss" // generate the login pages on the cloud and hybrid build != "oss", // generate the login pages on the cloud and hybrid,
build == "saas" ? false : config.getRawConfig().traefik.allow_raw_resources // dont allow raw resources on saas otherwise use config
); );
const domains = new Set<string>(); const domains = new Set<string>();
@@ -502,6 +500,25 @@ export class TraefikConfigManager {
}; };
} }
// tcp:
// serversTransports:
// pp-transport-v1:
// proxyProtocol:
// version: 1
// pp-transport-v2:
// proxyProtocol:
// version: 2
if (build != "saas") {
// add the serversTransports section if not present
if (traefikConfig.tcp && !traefikConfig.tcp.serversTransports) {
traefikConfig.tcp.serversTransports = {
"pp-transport-v1": { proxyProtocol: { version: 1 } },
"pp-transport-v2": { proxyProtocol: { version: 2 } }
};
}
}
return { domains, traefikConfig }; return { domains, traefikConfig };
} catch (error) { } catch (error) {
// pull data out of the axios error to log // pull data out of the axios error to log

30
server/lib/traefik/getTraefikConfig.ts
View File

@@ -23,7 +23,8 @@ export async function getTraefikConfig(
exitNodeId: number, exitNodeId: number,
siteTypes: string[], siteTypes: string[],
filterOutNamespaceDomains = false, filterOutNamespaceDomains = false,
generateLoginPageRouters = false generateLoginPageRouters = false,
allowRawResources = true
): Promise<any> { ): Promise<any> {
// Define extended target type with site information // Define extended target type with site information
type TargetWithSite = Target & { type TargetWithSite = Target & {
@@ -103,7 +104,7 @@ export async function getTraefikConfig(
isNull(targetHealthCheck.hcHealth) // Include targets with no health check record isNull(targetHealthCheck.hcHealth) // Include targets with no health check record
), ),
inArray(sites.type, siteTypes), inArray(sites.type, siteTypes),
config.getRawConfig().traefik.allow_raw_resources allowRawResources
? isNotNull(resources.http) // ignore the http check if allow_raw_resources is true ? isNotNull(resources.http) // ignore the http check if allow_raw_resources is true
: eq(resources.http, true) : eq(resources.http, true)
) )
@@ -566,8 +567,6 @@ export async function getTraefikConfig(
...(protocol === "tcp" ? { rule: "HostSNI(`*`)" } : {}) ...(protocol === "tcp" ? { rule: "HostSNI(`*`)" } : {})
}; };
const serversTransportName = `${key}-proxy-protocol-transport`;
config_output[protocol].services[serviceName] = { config_output[protocol].services[serviceName] = {
loadBalancer: { loadBalancer: {
servers: (() => { servers: (() => {
@@ -621,8 +620,10 @@ export async function getTraefikConfig(
} }
}); });
})(), })(),
...(resource.proxyProtocol ...(resource.proxyProtocol && protocol == "tcp"
? { serversTransport: serversTransportName } ? {
serversTransport: `pp-transport-v${resource.proxyProtocolVersion || 1}`
}
: {}), : {}),
...(resource.stickySession ...(resource.stickySession
? { ? {
@@ -636,23 +637,6 @@ export async function getTraefikConfig(
: {}) : {})
} }
}; };
// Add serversTransport configuration if proxy protocol is enabled
if (resource.proxyProtocol) {
if (!config_output[protocol].serversTransports) {
config_output[protocol].serversTransports = {};
}
config_output[protocol].serversTransports[serversTransportName] = {
proxyProtocol: {
version: resource.proxyProtocolVersion || 1
}
};
logger.debug(
`Enabled Proxy Protocol v${resource.proxyProtocolVersion || 1} for ${protocol} resource ${resource.resourceId} (${resource.name})`
);
}
} }
} }
return config_output; return config_output;

10
server/private/lib/traefik/getTraefikConfig.ts
View File

@@ -50,7 +50,8 @@ export async function getTraefikConfig(
exitNodeId: number, exitNodeId: number,
siteTypes: string[], siteTypes: string[],
filterOutNamespaceDomains = false, filterOutNamespaceDomains = false,
generateLoginPageRouters = false generateLoginPageRouters = false,
allowRawResources = true
): Promise<any> { ): Promise<any> {
// Define extended target type with site information // Define extended target type with site information
type TargetWithSite = Target & { type TargetWithSite = Target & {
@@ -135,7 +136,7 @@ export async function getTraefikConfig(
isNull(targetHealthCheck.hcHealth) // Include targets with no health check record isNull(targetHealthCheck.hcHealth) // Include targets with no health check record
), ),
inArray(sites.type, siteTypes), inArray(sites.type, siteTypes),
config.getRawConfig().traefik.allow_raw_resources allowRawResources
? isNotNull(resources.http) // ignore the http check if allow_raw_resources is true ? isNotNull(resources.http) // ignore the http check if allow_raw_resources is true
: eq(resources.http, true) : eq(resources.http, true)
) )
@@ -688,6 +689,11 @@ export async function getTraefikConfig(
} }
}); });
})(), })(),
...(resource.proxyProtocol && protocol == "tcp" // proxy protocol only works for tcp
? {
serversTransport: `pp-transport-v${resource.proxyProtocolVersion || 1}`
}
: {}),
...(resource.stickySession ...(resource.stickySession
? { ? {
sticky: { sticky: {

3
server/private/routers/hybrid.ts
View File

@@ -270,7 +270,8 @@ hybridRouter.get(
remoteExitNode.exitNodeId, remoteExitNode.exitNodeId,
["newt", "local", "wireguard"], // Allow them to use all the site types ["newt", "local", "wireguard"], // Allow them to use all the site types
true, // But don't allow domain namespace resources true, // But don't allow domain namespace resources
false // Dont include login pages false, // Dont include login pages,
true // allow raw resources
); );
return response(res, { return response(res, {

3
server/routers/traefik/traefikConfigProvider.ts
View File

@@ -21,7 +21,8 @@ export async function traefikConfigProvider(
currentExitNodeId, currentExitNodeId,
config.getRawConfig().traefik.site_types, config.getRawConfig().traefik.site_types,
build == "oss", // filter out the namespace domains in open source build == "oss", // filter out the namespace domains in open source
build != "oss" // generate the login pages on the cloud and hybrid build != "oss", // generate the login pages on the cloud and and enterprise,
config.getRawConfig().traefik.allow_raw_resources
); );
if (traefikConfig?.http?.middlewares) { if (traefikConfig?.http?.middlewares) {