Installing and Setting Up Pangolin and Middleware Manager

This guide walks you through installing and configuring Pangolin and the Middleware Manager from scratch on a Linux VPS, setting up your reverse proxy and authentication system with confidence.

Why use the Middleware Manager?

The Middleware Manager monitors resources from your chosen data source (either a Pangolin API or a direct Traefik API connection) and provides a web UI to:

  • Define and manage custom Traefik middlewares.
  • Attach these middlewares to your resources with specific priorities.
  • Configure advanced router settings for each resource, including entrypoints, TLS Subject Alternative Names (SANs), TCP SNI routing rules, custom request headers, and router priority.
  • Create, update, and delete custom Traefik services (LoadBalancer, Weighted, Mirroring, Failover).
  • Assign these custom services to your resources, overriding default service behavior.
  • Discover, install, and manage Traefik plugins directly from the UI.

See the Middleware Manager GitHub repo for more details.

:wrench: Prerequisites

  • A Linux system with root access (Ubuntu or Debian recommended)
  • A domain name pointing to your server’s public IP address
  • Ports 80 (TCP), 443 (TCP), and 51820 (UDP) open to the world
  • A working email for Let’s Encrypt certificates

:warning: Important: Docker publishes all defined ports on all interfaces, so a misconfiguration can expose services unintentionally. Always check your firewall rules.

:high_voltage: Step 1: VPS & Domain Setup

Choose any major cloud provider or VPS host, and ensure your domain’s DNS points to your VPS’s public IP.

:construction: Step 2: Run the Pangolin Installer

Navigate to your desired install directory and run:

wget -O installer "https://github.com/fosrl/pangolin/releases/download/1.4.0/installer_linux_$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')" && chmod +x ./installer
sudo ./installer

The installer will ask for:

=== Basic Configuration ===
Enter your base domain (e.g., example.com): yourdomain.com
Enter dashboard domain (e.g., dashboard.yourdomain.com): dashboard.yourdomain.com
Let's Encrypt Email: admin@yourdomain.com
Use Gerbil for tunnels? (yes/no): yes

=== Admin Setup ===
Admin Email: admin@yourdomain.com
Admin Password: ********

=== Security Settings ===
Disable signup without invite? (yes/no): yes
Disable org creation? (yes/no): no
Enable email functionality? (yes/no): no

=== Start Installation ===
Start containers now? (yes/no): yes

:camera: Screenshot Pangolin login page

:police_car_light: Step 3: Secure Your Server with ufw

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 3456/tcp
sudo ufw allow 9000/tcp
sudo ufw allow 22/tcp
sudo ufw deny 8000/tcp
sudo ufw enable

Check status:

sudo ufw status

:balance_scale: Step 4: Connect Your First Site

In Pangolin:

  • Create a new Site
  • Copy the command provided, which looks like:
./newt --id ABC123 --secret XYZ456 --endpoint https://dashboard.yourdomain.com

After a few seconds, the status of your site in Pangolin should turn Online.

:magnifying_glass_tilted_right: Step 5: Enable the Traefik Dashboard

Follow this guide to set up the Traefik dashboard; it is essential for debugging any issues later on.

:open_file_folder: Step 6: Prepare Traefik Folder for Middleware Manager

It's important to change the Traefik configuration folder structure before the Middleware Manager will work. Let's do that now.

Current location of the Traefik dynamic config:

config/traefik/dynamic_config.yml

Target location (the rules folder) for the Traefik dynamic config:

config/traefik/rules/dynamic_config.yml

Run:

mkdir -p ./config/traefik/rules
mv ./config/traefik/dynamic_config.yml ./config/traefik/rules/

Your config directory structure should now look like this:

config/
├── config.yml
├── db
│   └── db.sqlite
├── key
├── letsencrypt
│   └── acme.json
├── logs
└── traefik
    ├── logs
    ├── rules
    │   └── dynamic_config.yml
    └── traefik_config.yml

Update traefik_config.yml:

providers:
  http:
    endpoint: "http://pangolin:3001/api/v1/traefik-config"
    pollInterval: "5s"
  file:
    directory: /rules
    watch: true

Update docker-compose.yml for the traefik container:

volumes:
  - ./config/traefik/rules:/rules

Restart the stack:

docker compose down
docker compose up -d --force-recreate

Check logs:

docker logs traefik

:counterclockwise_arrows_button: Step 7: Install Middleware Manager

Add the following to the services: section of docker-compose.yml. The block must sit one indentation level under services:, as a sibling of the pangolin and traefik services; pasted at column 0 it is rejected with "(root) Additional property middleware-manager is not allowed":

  middleware-manager:
    image: hhftechnology/middleware-manager:v3.0.1
    container_name: middleware-manager
    restart: unless-stopped
    volumes:
      - ./data:/data
      - ./config/traefik/rules:/conf
      - ./config/middleware-manager:/app/config
      - ./config/traefik:/etc/traefik
    environment:
      - PANGOLIN_API_URL=http://pangolin:3001/api/v1
      - TRAEFIK_CONF_DIR=/conf
      - DB_PATH=/data/middleware.db
      - PORT=3456
      - ACTIVE_DATA_SOURCE=pangolin
      - TRAEFIK_STATIC_CONFIG_PATH=/etc/traefik/traefik_config.yml
      - PLUGINS_JSON_URL=https://raw.githubusercontent.com/hhftechnology/middleware-manager/traefik-int/plugin/plugins.json
    ports:
      - "3456:3456"

Restart:

docker compose down
docker compose up -d --force-recreate

Check:

docker logs middleware-manager

Navigate to: http://your_server_ip:3456/

:camera: Screenshot of Middleware manager

:house: Step 8: Secure the Middleware Manager

  1. In Pangolin, create a new Resource:

    • Name: middleware-manager
    • Domain: middleware-manager.yourdomain.com
    • Site: your local site
    • Target: middleware-manager on port 3456
    • Protected with authentication

:camera: Screenshot Resource config pointing to middleware-manager

Restrict direct access to ip_address:port

sudo ufw deny 3456/tcp

Remove the ports mapping from the middleware-manager service in docker-compose.yml:

# REMOVE:
# ports:
#   - "3456:3456"

Restart again for the port change to take effect:

docker compose down
docker compose up -d --force-recreate

:tear_off_calendar: Step 9: Test Middleware (IP Whitelist)

In Middleware Manager:

  1. Select the Traefik Dashboard resource.
  2. Apply the ipwhitelist middleware.
  3. Try accessing https://traefik.yourdomain.com
    • You should see a 403 Forbidden.
    • This is because your IP address is not specifically allowed.
  4. Add your IP to the middleware config:

{
  "sourceRange": [
    "YOUR_IP_ADDRESS_HERE/32",
    "192.168.1.0/24",
    "10.0.0.0/8"
  ]
}

  5. Retry accessing the Traefik dashboard.

:warning: Warning: Misconfiguring IP whitelists can lock you out! Always confirm via the Traefik dashboard after changes.
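The allow-list decision from Step 9 and the lockout warning above, as an added Python example (not code from this guide, from Traefik or from the Middleware Manager project): it parses a sourceRange list the way an IP allow-list does, flags entries that are not valid addresses or CIDRs (the YOUR_IP_ADDRESS_HERE/32 placeholder left in place is the classic lockout), and answers whether a given client address would get through. The two sourceRange lists and the address 203.0.113.7 (a documentation address standing in for your own public IP) are constructed samples.

```python
import ipaddress

# Constructed samples (not from the page): the Step 9 config with its
# placeholder still in place, and the same config with a real /32 filled in.
SOURCE_RANGE_WITH_PLACEHOLDER = ["YOUR_IP_ADDRESS_HERE/32", "192.168.1.0/24", "10.0.0.0/8"]
SOURCE_RANGE_FILLED_IN = ["203.0.113.7/32", "192.168.1.0/24", "10.0.0.0/8"]


def parse_source_range(source_range):
    """Split a sourceRange list into parsed networks and entries that are not
    valid addresses or CIDRs (a leftover placeholder, a typo). A bare address
    is accepted as a single-host network; strict=False tolerates host bits
    set inside a prefix such as 192.168.1.5/24."""
    networks, rejected = [], []
    for entry in source_range:
        try:
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            rejected.append(entry)
    return networks, rejected


def is_allowed(client_ip, networks):
    """The allow-list decision: admitted only if the client address falls in
    one of the networks. An IPv6 client never matches an IPv4 network (and
    vice versa), which is what makes a v6-only visitor get a 403 against a
    v4-only list."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def lockout_check(my_ip, source_range):
    """Run before attaching the middleware to the dashboard resource: True
    only if every entry parses and my_ip is admitted, i.e. this config will
    not lock me out of the resource I am about to protect."""
    networks, rejected = parse_source_range(source_range)
    return not rejected and is_allowed(my_ip, networks)


if __name__ == "__main__":
    for label, cfg in (("placeholder", SOURCE_RANGE_WITH_PLACEHOLDER),
                       ("filled in", SOURCE_RANGE_FILLED_IN)):
        networks, rejected = parse_source_range(cfg)
        for entry in rejected:
            print(f"[{label}] invalid entry, fix before applying: {entry}")
        for client in ("203.0.113.7", "192.168.1.42", "2001:db8::1"):
            verdict = "allowed" if is_allowed(client, networks) else "DENIED (403)"
            print(f"[{label}] {client}: {verdict}")
        print(f"[{label}] safe to apply from 203.0.113.7: {lockout_check('203.0.113.7', cfg)}")
```

Run lockout_check with the address you will be connecting from before applying the middleware to the dashboard resource. The address that counts is the one Traefik sees on the incoming connection, which is what the Traefik access log records as the client address; the LAN or VPN address of the machine you are sitting at is usually not what arrives at the VPS.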

:tada: You’re All Set!

You now have:

  • Pangolin + Middleware Manager installed
  • Traefik configured correctly
  • The Traefik Dashboard available
  • Middleware protection tested and live

Happy deploying! :rocket:

5 Likes

Great job. Thanks. I'll test your guide.

1 Like

Hi there, are the known issues with ufw and docker resolved?

1 Like

Hi, I think it's working for me now. I am able to block direct port access to the middleware manager and use the Pangolin resource target to access my middleware manager. I am not overly familiar with the ufw docker issue.

1 Like

Hello, everything works very well for me.

But I have a question. Maybe you can help me. When I check the security headers in my pangolin panel: pangolin.my-domain.com, I have a terrible result. Is it worrying?

Headers are not on the Pangolin UI domain but on its resources. Check any resource domain you have created after adding headers.

1 Like

Should TRAEFIK_STATIC_CONFIG_PATH= be set to /etc/traefik/traefik_config.yml or /etc/traefik/traefik.yml – I’ve seen both (this post, github, and with the MM dashboard seem inconsistent)

1 Like

The correct one is /etc/traefik/traefik_config.yml

I’ve set the environment variable to
TRAEFIK_STATIC_CONFIG_PATH=/etc/traefik/traefik_config.yml

and also mapped traefik volume in order to work and load plugins
- ${CONFIGDIR}/traefik:/etc/traefik

Speaking of Ability to disable log · Issue #49 · hhftechnology/middleware-manager · GitHub
can you please also code a variable such as HEALTHCHECKS_INTERVAL or HEALTHCHECKS_ENABLE ?
Thanks in advance

Middleware manager is a generator. You don't have to keep it running; once the configuration is generated you can bring the container down, and bring it up again when you need to add a middleware. Scanning logs are necessary while it's running.

1 Like

Is there a way to silence the middleware manager spam log?
As it is, at every 10 seconds it prints (in my case) around 200 rows of logs.
I’d like to silence this, can you please find a way to at least reduce this?

Did you read my comment above?

1 Like

Hello, thank you, that makes perfect sense now :slight_smile:
Somehow I did not read your comment.
All good now, I configured everything perfectly, thanks for your guides, my crowdsec and security measures are amazingly tight now.

Have a great day!

1 Like

After I added Middleware Manager to docker-compose.yml and ran docker compose down; docker compose up -d --force-recreate

I get the error: (root) Additional property middleware-manager is not allowed

How do I solve it?

1 Like

Share your compose file on the HHF Discord: HHF Technology

I realise this one is probably resolved, but I had the same issue initially. The cause was that the code snippet linked above under step 7 (the docker-compose.yml addition) when copy-pasted into docker-compose.yml, needs to be indented by 1 tier more than the tier it appears at when copy-pasted. If using VS Code to edit this, you can just select the entire pasted code block and press TAB once.

1 Like
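The two compose mistakes this thread runs into, a service block pasted at the root of docker-compose.yml (the "(root) Additional property ... is not allowed" error above) and a host port still published on all interfaces after Step 8 (the case the prerequisites warning and the ufw question refer to), can both be caught before docker compose up. The following script is an added Python example, not code from the guide or from the Middleware Manager project. It scans only indentation, keys and ports: lists, so it needs no YAML library; the three compose texts inside it are constructed samples, and the set of intentionally public host ports (80, 443, 51820) is taken from the prerequisites.

```python
import re

# Keys Docker Compose accepts at the root of docker-compose.yml. A service block
# pasted at column 0 (instead of nested under "services:") lands here and is
# what triggers the "(root) Additional property <name> is not allowed" error.
ROOT_KEYS = {"name", "version", "services", "networks", "volumes",
             "configs", "secrets", "include"}

# Host ports this guide intends to be reachable from the internet (prerequisites).
PUBLIC_PORTS = {"80", "443", "51820"}

KEY_RE = re.compile(r"^([A-Za-z0-9_.-]+):\s*(.*)$")
ITEM_RE = re.compile(r'''^-\s*["']?([^"']+?)["']?\s*$''')


def parse_compose_subset(text):
    """Indentation-based scan of the compose subset this guide uses.

    Returns (root_keys, services): the keys found at column 0, and a map of
    service name -> list of its 'ports:' entries. Only nesting, keys and the
    ports list are understood, which is all the audit below needs.
    """
    root_keys, services = [], {}
    path = []                 # stack of (indent, key) for the current nesting
    current_service = None
    in_ports = False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        item = ITEM_RE.match(line)
        if item and in_ports:
            services[current_service].append(item.group(1))
            continue
        in_ports = False
        key = KEY_RE.match(line)
        if not key:
            continue
        while path and path[-1][0] >= indent:   # leave deeper/sibling scopes
            path.pop()
        path.append((indent, key.group(1)))
        if indent == 0:
            root_keys.append(key.group(1))
        under_services = path[0][1] == "services"
        if under_services and len(path) == 2:
            current_service = key.group(1)
            services.setdefault(current_service, [])
        elif under_services and len(path) == 3 and key.group(1) == "ports":
            in_ports = True
    return root_keys, services


def audit_compose(text, public_ports=PUBLIC_PORTS):
    """Report a service block at the root of the file, and any host port that
    is published on every interface without being meant as public. Docker
    inserts its own iptables rules ahead of ufw's, so such a port can stay
    reachable despite a 'ufw deny'; Step 8 removes the mapping instead."""
    findings = []
    root_keys, services = parse_compose_subset(text)
    for key in root_keys:
        if key not in ROOT_KEYS:
            findings.append(f"(root) Additional property {key} is not allowed: "
                            f"indent the block one level under services:")
    for name, ports in services.items():
        for spec in ports:
            parts = spec.split(":")
            if len(parts) >= 3:
                continue      # host-ip:host-port:container-port, bound to one interface
            host_port = parts[0].split("/")[0] if len(parts) == 2 else "<random>"
            if host_port not in public_ports:
                findings.append(f"{name}: '{spec}' publishes host port {host_port} on all "
                                f"interfaces; remove the mapping (Step 8) or bind it to 127.0.0.1")
    return findings


# Constructed samples (not from the page): the Step 7 block pasted at column 0,
# the same block nested correctly but still publishing 3456, and the Step 8 result.
PASTED_AT_ROOT = """\
services:
  traefik:
    image: traefik
    ports:
      - "80:80"
      - "443:443"
middleware-manager:
  image: hhftechnology/middleware-manager:v3.0.1
  ports:
    - "3456:3456"
"""

NESTED_STILL_PUBLISHED = """\
services:
  traefik:
    image: traefik
    ports:
      - "80:80"
      - "443:443"
  middleware-manager:
    image: hhftechnology/middleware-manager:v3.0.1
    environment:
      - PORT=3456
    ports:
      - "3456:3456"
"""

AFTER_STEP_8 = """\
services:
  traefik:
    image: traefik
    ports:
      - "80:80"
      - "443:443"
  middleware-manager:
    image: hhftechnology/middleware-manager:v3.0.1
    environment:
      - PORT=3456
"""

if __name__ == "__main__":
    for label, text in (("pasted at root", PASTED_AT_ROOT),
                        ("nested, still published", NESTED_STILL_PUBLISHED),
                        ("after step 8", AFTER_STEP_8)):
        print(f"== {label}")
        for finding in audit_compose(text) or ["ok"]:
            print("  " + finding)
```

To check a real file, read docker-compose.yml into a string and pass it to audit_compose; an empty list means the Middleware Manager block is nested where Compose expects it and nothing but the intended public ports is listening on every interface.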

I’ve successfully installed everything, but I’m stuck on configuring the IP Whitelist. I’ve added every IP address I know, but I still can’t re-enable the Traefik Manager.

My Pangolin setup is on an Oracle VPS, and I’ve already added the necessary ports to the Oracle security rules. I’ve tried using the VPS public IP, my public IP, my LAN IP, and the VPS Tailscale IP, but none of them have worked.

Could you please let me know where I can find the correct IP address to configure the whitelist?

1 Like