Applying Anubis Selectively with Middleware Manager

This guide details how to transition from a global, catch-all Anubis implementation to a more flexible setup where Anubis is applied as a forwardAuth middleware. This allows you to use Middleware Manager to protect specific routers (resources) on a case-by-case basis, giving you granular control over your application’s security.

The Concept: forwardAuth Middleware

Instead of using a low-priority router to catch all traffic, we will define Anubis as a middleware. This middleware can then be attached to any router you choose within the Middleware Manager UI.

Advantages of this approach:

  • Granular Control: Protect specific routes (e.g., /dashboard) while leaving others (e.g., /api/public) unprotected.

  • Dynamic Configuration: Easily add or remove Anubis protection from any resource through the Middleware Manager UI without editing YAML files or restarting containers.

  • Cleanliness: Keeps your routing configuration clean and focused on directing traffic, while security logic is handled by middleware.

Step 1: Revert Dynamic Routing Configuration

First, we must remove the “catch-all” logic from your dynamic configuration file. This step is crucial as it returns your routers to their original state, listening directly on the public entrypoint.

Edit your dynamic routing file (e.g., ./config/traefik/rules/your-file.yml or /root/config/traefik/dynamic_config.yml) and restore it to its original configuration before we added the Anubis routers and services.

# ./config/traefik/rules/your-file.yml
# /root/config/traefik/dynamic_config.yml

http:
  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https

  routers:
    # HTTP to HTTPS redirect router
    main-app-router-redirect:
      rule: "Host(`pangolin.development.hhf.technology`)"
      service: next-service
      entryPoints:
        - web
      middlewares:
        - redirect-to-https

    # Next.js router (handles everything except API and WebSocket paths)
    next-router:
      rule: "Host(`pangolin.development.hhf.technology`) && !PathPrefix(`/api/v1`)"
      service: next-service
      entryPoints:
        - websecure # <-- Back to websecure
      tls:
        certResolver: letsencrypt

    # API router (handles /api/v1 paths)
    api-router:
      rule: "Host(`pangolin.development.hhf.technology`) && PathPrefix(`/api/v1`)"
      service: api-service
      entryPoints:
        - websecure # <-- Back to websecure
      tls:
        certResolver: letsencrypt

  services:
    # ORIGINAL SERVICES
    next-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3002"  # Next.js server

    api-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3000"  # API/WebSocket server



Key Change: All routers that should be publicly accessible are now back on the websecure entrypoint. The anubis entrypoint is no longer referenced here, and the anubis-catchall-router and anubis-service have been removed from this file.

Step 2: Ensure Anubis Service is Running

Your docker-compose.yml file should still contain the anubis service definition from the previous guide. It doesn’t need any changes. It simply needs to be running so that Traefik can forward authentication requests to it.

# docker-compose.yml (ensure this service exists)

services:
  # ... your other services
  anubis:
    image: ghcr.io/techarohq/anubis:main
    container_name: anubis
    restart: unless-stopped
    networks:
      - pangolin
    environment:
      - BIND=:8923
      - TARGET=http://traefik:3923 # This is now ignored but harmless
      - COOKIE_DOMAIN=hhf.technology
      - COOKIE_DYNAMIC_DOMAIN=false
      - DIFFICULTY=4


After modifying your rules, restart the stack to apply the changes:

docker compose up -d --force-recreate


At this point, your site should function as it did before, with no Anubis protection active.

Step 3: Create the Anubis forwardAuth Middleware

Now, let’s create the reusable Anubis middleware in your Middleware Manager UI.

  1. Navigate to your Middleware Manager dashboard.

  2. Click on “Middlewares” in the sidebar.

  3. Click the “Add Middleware” button.

  4. Fill out the form:

    • Name: anubis-auth (or another descriptive name).

    • Type: Select ForwardAuth from the dropdown menu.

    • Address: Enter the address of the Anubis service: http://anubis:8923.

    • Trust Forward Header: Leave this checked (it’s the default and generally recommended).

  5. Click “Save”.

You have now created a middleware named anubis-auth that, when applied to a router, will send all incoming requests for that router to the Anubis service for verification.

Step 4: Apply Anubis Protection to a Resource

Let’s apply your new middleware to protect the main front-end router but leave the API router unprotected.

  1. In Middleware Manager, click on “Resources” in the sidebar.

  2. You will see a list of your resources (next-router, api-router, etc.).

  3. Find the resource (e.g., next-router) and click the “Manage” button.

  4. In the resource management view, click on the “Middlewares” tab.

  5. You will see a dropdown list of available middlewares. Select anubis-auth@file from the list.

  6. Click the “Assign” button.

The anubis-auth middleware is now active on your next-router.

Step 5: Deploy and Verify

  1. Deploy Changes: In Middleware Manager, a “Deploy Changes” button should appear at the top. Click it to write the new middleware configuration to your Traefik rules file.

  2. Verify:

    • Open a new private browsing window and navigate to https://pangolin.development.hhf.technology. Because this matches the next-router, you should be greeted by the Anubis challenge page.

    • After the challenge, you should be redirected to your Pangolin UI.

    • Now, try to access an API endpoint directly, for example, by using curl or visiting https://pangolin.development.hhf.technology/api/v1/some-endpoint. This request should go through without an Anubis challenge, because we did not apply the anubis-auth middleware to the api-router.

You have successfully configured granular, on-demand bot protection using Anubis and Middleware Manager. You can now repeat Step 4 for any other resource you wish to protect.

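For reviewing what is actually enforced after Step 5, here is the Traefik dynamic configuration that Steps 3 and 4 of the guide amount to, written by hand as an added example. It is not part of the original post and not captured Middleware Manager output; the file and layout Middleware Manager writes are assumed to be equivalent. Host, router and service names are the ones used in the guide.

```yaml
# Added example: hand-written equivalent of the UI steps, not tool output.
http:
  middlewares:
    anubis-auth:
      forwardAuth:
        # Address entered in Step 3; Traefik sends each request on an
        # attached router here before passing it to the backend service.
        address: "http://anubis:8923"
        # "Trust Forward Header" checkbox. When true, Traefik passes the
        # X-Forwarded-* headers it received from the client on to Anubis
        # as-is, so Anubis sees whatever values the caller supplied.
        trustForwardHeader: true

  routers:
    # Protected: every request matching this rule is checked by Anubis.
    next-router:
      rule: "Host(`pangolin.development.hhf.technology`) && !PathPrefix(`/api/v1`)"
      service: next-service
      entryPoints:
        - websecure
      middlewares:
        - anubis-auth   # shown as anubis-auth@file in the Middleware Manager dropdown
      tls:
        certResolver: letsencrypt

    # Unprotected: no middlewares key, so /api/v1 requests never reach
    # Anubis and must rely on the API's own authentication.
    api-router:
      rule: "Host(`pangolin.development.hhf.technology`) && PathPrefix(`/api/v1`)"
      service: api-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
```

Comparing the deployed rules file against this shape shows at a glance which routers on websecure carry the middleware and which are exposed without it.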

A few questions:

  1. By default Pangolin gave Crowdsec integration; does this mean Crowdsec can’t work together with Anubis (since you didn’t include Crowdsec in this guide)?
  2. Five days ago Anubis merged the forward auth middleware feature [2]; does this guide already consider this new feature?

Sorry to say, but this guide is unnecessarily complicated in its wording. As a newbie at setting up Pangolin, I’d prefer if you stick to the default [1] as an example.


[1] https://docs[.]digpangolin[.]com/self-host/quick-install

[2] https://github[.]com/TecharoHQ/anubis/pull/368

Thank you for your reply.

This guide is for advanced users; newbies should stick to the default Pangolin installation. This process requires altering Traefik files, which can impact your overall performance if not done correctly. Anubis is applied to the stack rather than to individual resources. For more fine-tuning and forward authentication features, you will need a deeper knowledge of the system and must deploy a middleware manager.

1. “five days ago anubis merged forward auth middleware feature [2], does this guide already consider this new feature?” Yes, this was kept in mind; I was watching this feature.

@Iron5448, for you, use this, but this too is advanced:

Integrating Anubis with Pangolin and Traefik - Self-hosted Applications - HHF Technology Forums