Deploying Pangolin in corporate environment (using private/self signate certificates)

[Esa-mimbias]

Hi friends,

I managed to have Pangolin working in a corporate environment, with kind of classical constraints:

• I can't manage DNS
• I can't manage certificates but got a wildcard certificate for my sub.domain.tld
• Pangolin server is not directly exposed to Internet, it ha a private IP and is behind a firewall/HA Proxy bearing the public IP and TLS termination
• Pangolin server can't access to Internet directly (must use an HTTP proxy)

NB:

• I'm a very recent Traefik user
• I'm not using newt in this context, yet

docker-compose.yml

I use a .env file for containers to include proxy configuration

docker-compose.yml content;

services:
  pangolin:
    env_file:
      - .env
  gerbil:
    env_file:
      - .env
  traefik:
    env_file:
      - .env

.env file content :

HTTP_PROXY=http://<proxy.ip:proxy.port>
HTTPS_PROXY=http://<proxy.ip:proxy.port>
NO_PROXY="localhost,pangolin,gerbil,traefik,.<sub.domain.tld>,*.<sub.domain.tld>,localhost,<private.IPs>"

infos:

• may be overkill
• HTTP_PROXY may be useless
• NO_PROXYing containers' name is essential
• sub.domain.tld may indeed be domain.tld

AND

add a bind for your certificates in traefik container

  traefik:
    volumes:
      - ./mycerts:/etc/ssl/mycerts

create ./mycerts dir and copy your cert (fullchain) and key in this directory

config/config.yml

these are the important parts:

app:
    dashboard_url: "https://pangolin.sub.domain.tld"

domains:
    domain1:
        base_domain: "sub.domain.tld"
        cert_resolver: ""
        prefer_wildcart_cert: true

config/traefik/traefik_config.yml

complete file:

api:
  insecure: true
  dashboard: true

providers:
  http:
    endpoint: "http://pangolin:3001/api/v1/traefik-config"
    pollInterval: "5s"
  file:
    filename: "/etc/traefik/dynamic_config.yml"

experimental:
  plugins:
    badger:
      moduleName: "github.com/fosrl/badger"
      version: "v1.2.0"

log:
  level: "DEBUG"
  format: "common"
  maxSize: 100
  maxBackups: 3
  maxAge: 3
  compress: true

# unused but seems necessary:
certificatesResolvers:
  letsencrypt:
    acme:
      httpChallenge:
        entryPoint: web
      email: "<let's encrypt email, not used>"
      storage: "/letsencrypt/acme.json"
      caServer: "https://acme-v02.api.letsencrypt.org/directory"

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
    transport:
      respondingTimeouts:
        readTimeout: "30m"
    http:
      tls: true 

serversTransport:
  insecureSkipVerify: true

config/traefik/dynamic_config.yml

may be a little confusing because I added integration API routing, just remove those parts if not needed

http:
  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https

  routers:
    # HTTP to HTTPS redirect router
    main-app-router-redirect:
      rule: "Host(`pangolin.sub.domain.tld`)"
      service: next-service
      entryPoints:
        - web
      middlewares:
        - redirect-to-https

    # Next.js router (handles everything except API and WebSocket paths)
    next-router:
      rule: "Host(`pangolin.sub.domain.tld`) && !PathPrefix(`/api/v1`)"
      service: next-service
      entryPoints:
        - websecure
      tls: 
        domains:
          - main: pangolin.sub.domain.tld
            sans:
              - "*.sub.domain.tld"

    # API router (handles /api/v1 paths)
    api-router:
      rule: "Host(`pangolin.sub.domain.tld`) && PathPrefix(`/api/v1`)"
      service: api-service
      entryPoints:
        - websecure
      tls:
        domains:
          - main: pangolin.sub.domain.tld
            sans:
              - "*.sub.domain.tld"

    # WebSocket router
    ws-router:
      rule: "Host(`pangolin.sub.domain.tld`)"
      service: api-service
      entryPoints:
        - websecure
      tls:
        domains:
          - main: pangolin.sub.domain.tld
            sans:
              - "*.sub.domain.tld"

    # integration API routing
    int-api-router-redirect:
      rule: "Host(`pangapi.sub.domain.tld`)"
      service: int-api-service
      entryPoints:
        - web
      middlewares:
        - redirect-to-https

    int-api-router:
      rule: "Host(`pangapi.sub.domain.tld`)"
      service: int-api-service
      entryPoints:
        - websecure
      tls:
        domains:
          - main: pangapi.sub.domain.tld
            sans:
              - "*.sub.domain.tld"

  services:
    next-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3002"  # Next.js server

    api-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3000"  # API/WebSocket server

    # intergation API declaration
    int-api-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3004"
tls:
  stores:
    default:
      defaultCertificate:
        certFile: "/etc/ssl/mycerts/mycerts.crt"
        keyFile: "/etc/ssl/mycerts/mycerts.key"
  certificates:
    - certFile: "/etc/ssl/mycerts/mycerts.crt"
      keyFile: "/etc/ssl/mycerts/mycerts.key"
      stores:
        - default

Haproxy

HA proxy configuration is classic, backend uses Pangolin IP, port 443, and SSL Encrypt is checked

Things not working (yet) and missing for my setup

It seems that Pangolin does not support self-signed certs/CA (even if I add my private CA to /etc/ssl/certs in containers), nor proxying inside the app.

Impacts:

• can't use SSL over internal mail server (thanks to 1.9.0 config.email.smtp_tls_reject_unauthorized: false I can send - unencrypted- mails anyway)
• can't connect to my private OIDC server (bearing self signed certs as it is not exposed to Internet directly)
• can't connect to external OIDC servers (at least a Gitlab server), as connexion to OIDC server to get token infos is not proxyfied.

Conclusion

works fast and fine. Some Teleport servers may be decommissioned soon :)

Any comment / fix / questions are welcome

[oschwartz10612]

Hey! This is very interesting the constraints and how you have Pangolin running this way. We have some ideas about how we could make this easier and would love to learn more about how you are using it. Would you mind reaching out to us to chat? numbat@fossorial.io

[TheLordDuck]

Does Pangolin still doesnt support selfsigned certificates from selfhosted traefik?