Mapped out path structures for open-source applications, for Traefik RP and Pangolin users.

Audiobookshelf Paths

Main Application Paths:
/ - The main Audiobookshelf interface
/settings - Settings interface
/authors - Author browsing and management
/series - Series browsing and management
/collections - Collections browsing and management
/library - Library management
/playlists - Playlists management
/podcasts - Podcast browsing and management

API and Authentication:
/api/login - Authentication endpoint
/api/auth - Authentication related endpoints
/api/user - User management API
/api/libraries - Libraries API
/api/items - Items (books) API
/api/authors - Authors API
/api/series - Series API
/api/collections - Collections API
/api/progress - Reading progress API
/api/stream - Audio streaming API
/api/search - Search functionality

Media Streaming:
/audio - Audio streaming endpoint
/covers - Book cover images
/metadata - Metadata files
/api/chapters - Chapter information

Paths that should be denied:
/config - Configuration directory
/data - User data directory
/metadata - Metadata storage
/backups - Backup files
/.git - Source control (if exists)
/node_modules - Dependencies directory
/logs - Log files

Mealie Paths

Main Application Paths:
/ - The main Mealie interface
/group - Group management interface
/recipes - Recipe browsing and management
/mealplans - Meal planning interface
/shopping - Shopping list management
/settings - Settings interface
/admin - Admin panel
/theme - Theme customization

API and Authentication:
/api/auth - Authentication endpoints
/api/users - User management API
/api/groups - Group management API
/api/recipes - Recipes API
/api/mealplans - Meal plans API
/api/shopping-lists - Shopping lists API
/api/organizers - Tags, categories, etc.
/api/media - Media file management

Recipe and Meal Planning:
/recipes/create - Recipe creation
/recipes/all - All recipes
/recipes/categories - Recipe categories
/recipes/tags - Recipe tags
/mealplans/calendar - Meal planning calendar
/mealplans/today - Today's meals
/shopping/current - Current shopping list

Media Resources:
/api/media/recipes - Recipe images
/api/media/users - User avatars
/assets - Static assets
/fonts - Font files

Paths that should be denied:
/data - Data storage directory
/config - Configuration files
/.env - Environment variables
/migrations - Database migrations
/backups - Backup files
/logs - Log files
/node_modules - Dependencies directory
/.git - Source control (if exists)

Immich Paths

Main Application Paths:
/ - The main Immich interface
/auth - Authentication pages
/photos - Photo library and browsing
/albums - Album management
/sharing - Sharing interface
/favorites - Favorite photos/videos
/explore - Explore/discover content
/people - People/face recognition
/memories - Memories/timeline features
/settings - User settings

API and Authentication:
/api/auth - Authentication endpoints
/api/user - User management API
/api/asset - Photo/video assets API
/api/album - Albums API
/api/shared - Shared content API
/api/partner - Partner sharing API
/api/person - Person/face recognition API
/api/search - Search functionality
/api/server-info - Server information

Media Access:
/api/asset/download - Asset download endpoint
/api/asset/thumbnail - Thumbnail generation
/api/asset/preview - Preview generation
/api/asset/metadata - Metadata access
/api/asset/upload - Upload endpoint
/api/backup - Backup related endpoints

WebSocket:
/api/websocket - Real-time updates via WebSocket

Paths that should be denied:
/server-data - Server data storage
/uploads - Raw uploaded files
/library - Library storage
/config - Configuration files
/logs - Log files
/database - Database files
/.env - Environment configuration
/node_modules - Dependencies directory
/.git - Source control (if exists)
/docker-data - Docker volumes and data

MeshCentral Paths

Main Application Paths:
/ - The main MeshCentral interface
/login - Login page
/logout - Logout endpoint
/home - Home dashboard
/mydevices - User's devices
/admin - Administrator panel
/recording - Session recordings
/files - File transfer interface
/audit - Audit logs
/messenger - Chat/messenger function
/devicegroups - Device group management
/deviceshare - Device sharing settings
/notes - Notes management

API and Management:
/api - API endpoints
/meshagents - Agent download/management
/webrelay - Web relay functionality
/deviceaction - Device action endpoints
/devicecommands - Device command endpoints
/userfiles - User file management
/meshsettings - Mesh configuration
/translate - Translation endpoints
/control - Remote control endpoints

Connection and WebSockets:
/meshrelay.ashx - Relay connections
/meshcentral.ashx - WebSocket endpoints
/agent.ashx - Agent communication
/notify.ashx - Notification system
/mescript.ashx - Script execution
/commander.ashx - Command interface
/health.ashx - Health check endpoints

Media and Resources:
/images - Image resources
/scripts - Script resources
/styles - Style sheets
/fonts - Font files
/welcome - Welcome resources

Paths that should be denied:
/data - Data directory
/db - Database files
/amtscripts - Intel AMT scripts
/certs - Certificates directory
/config.json - Configuration file
/meshcentral-data - Main data directory
/meshcentral-files - File storage
/meshcentral-backups - Backup files
/node_modules - Dependencies directory
/.git - Source control (if exists)
/logs - Log files

Vaultwarden Paths

Main Application Paths:
/ - The main Vaultwarden web interface
/app - Web vault application
/login - Login page
/signup - Registration page
/2fa - Two-factor authentication
/settings - User settings
/lock - Lock the vault
/vault - The main vault interface
/generator - Password generator

API and Authentication:
/api/accounts - Account management
/api/folders - Folder management
/api/collections - Collection management
/api/sync - Data synchronization
/api/ciphers - Password/cipher management
/api/organizations - Organization management
/api/two-factor - 2FA settings and management
/api/emergency-access - Emergency access controls
/identity - Identity server endpoints
/icons - Website icons cache
/attachments - Secure attachments
/notifications - Notification service
/api/sends - Secure sharing (Bitwarden Send)

Admin Interface:
/admin - Admin panel (if enabled)
/admin/users - User management
/admin/organizations - Organization management
/admin/diagnostics - System diagnostics
/admin/invitations - Invitation management

Special Endpoints:
/.well-known/jwks.json - JSON Web Key Set
/.well-known/openid-configuration - OpenID configuration
/version.json - Version information
/alive - Health check endpoint
/socket - WebSocket notifications

Paths that should be denied:
/data - Data directory
/config.json - Configuration file
/.env - Environment configuration
/rsa_key* - RSA key files
/.git - Source control (if exists)
/sqlite - Database files
/attachments-data - Raw attachment storage
/logs - Log files
/backups - Backup files
/docker-data - Docker volumes (if using Docker)

LunaSea Paths

Main Application Paths:
/ - The main LunaSea web interface
/dashboard - Dashboard overview
/services - Services management
/settings - Application settings
/profile - User profile

API and Integration:
/api/services - Services API
/api/dashboard - Dashboard data
/api/status - Status endpoints
/api/config - Configuration management
/api/auth - Authentication endpoints
/api/webhooks - Webhook configuration

Connection to Services:
/connect/sonarr - Sonarr connection
/connect/radarr - Radarr connection
/connect/lidarr - Lidarr connection
/connect/readarr - Readarr connection
/connect/sabnzbd - SABnzbd connection
/connect/nzbget - NZBGet connection
/connect/transmission - Transmission connection
/connect/deluge - Deluge connection
/connect/overseerr - Overseerr connection

Paths that should be denied:
/data - Data storage
/config - Configuration files
/.env - Environment configuration
/logs - Log files
/.git - Source control (if exists)
/node_modules - Dependencies directory

Sable Paths

Main Application Paths:
/ - The main Sable interface
/library - Media library
/downloads - Downloads management
/settings - Settings interface
/users - User management
/metadata - Metadata management
/search - Search functionality

API and Authentication:
/api/auth - Authentication endpoints
/api/library - Library API
/api/downloads - Downloads API
/api/metadata - Metadata API
/api/users - User management API
/api/search - Search API
/api/settings - Settings API

Media Management:
/stream - Media streaming
/files - File management
/import - Import functionality
/export - Export functionality
/scan - Library scanning
/metadata/refresh - Metadata refresh

Paths that should be denied:
/data - Data directory
/config - Configuration files
/logs - Log files
/cache - Cache directory
/.git - Source control (if exists)
/node_modules - Dependencies directory
/.env - Environment configuration

Rudarr Paths

Main Application Paths:
/ - The main Rudarr interface
/activity - Activity/history view
/calendar - Calendar view
/settings - Settings interface
/system - System information
/movies - Movies management
/add - Add new content

API and Authentication:
/api - API root
/api/movie - Movie API
/api/release - Release API
/api/command - Command API
/api/history - History API
/api/wanted - Wanted API
/api/system - System API
/api/profile - Profile API
/api/notification - Notification API
/api/indexer - Indexer API
/api/downloadclient - Download client API
/api/queue - Queue API
/api/rootfolder - Root folder API
/api/auth - Authentication API

Media Management:
/feed - RSS feed
/remotemap - Remote path mapping
/import - Library import
/mediamanagement - Media management
/indexers - Indexer management
/downloadclients - Download client management

Paths that should be denied:
/data - Data directory
/config.xml - Configuration file
/logs - Log files
/backup - Backup files
/.git - Source control (if exists)
/node_modules - Dependencies directory
/Metadata - Metadata directory
/UpdateLogs - Update logs
/.db - Database files

Tautulli Paths

Main Application Paths:
/ - The main Tautulli interface
/home - Home dashboard
/users - User statistics and management
/libraries - Library statistics
/history - Playback history
/graphs - Statistics graphs
/synced_items - Synced content
/recently_added - Recently added media
/scheduled - Scheduled tasks
/settings - Settings interface
/logs - Log viewer

User and Media Monitoring:
/user - User profile and activity
/user_ips - User IP addresses
/stream - Active stream details
/sessions - Active sessions
/library - Library details
/search - Search functionality
/playlist - Playlist information
/get_pms_token - Plex authentication token

API and Notifications:
/api/v2 - APIv2 endpoints
/api - Legacy API
/status - Server status
/activity - Current activity
/newsletters - Newsletter management
/mobile_app - Mobile app configuration
/notifiers - Notification agents
/export - Data export functions

System and Configuration:
/register - Tautulli registration
/update - Update checking
/restart - Restart service
/shutdown - Shutdown service
/backup - Backup configuration
/restore - Restore configuration
/manage - Server management

Paths that should be denied:
/config - Configuration directory
/data - Data directory
/logs - Raw log files
/backups - Backup files
/cache - Cache directory
/pmsantisense.db - Database file
/tautulli.db - Main database
/.git - Source control (if exists)
/plexpy - Legacy files (renamed from PlexPy)
/config.ini - Configuration file
/.env - Environment configuration

Harbour Paths

Main Application Paths:
/ - The main Harbour interface
/dashboard - Dashboard overview
/containers - Container management
/images - Docker image management
/volumes - Volume management
/networks - Network management
/settings - Settings interface
/stacks - Stack management (docker-compose)
/registry - Container registry access
/templates - Template management
/deployments - Deployment management

API and Authentication:
/api/auth - Authentication endpoints
/api/containers - Container API
/api/images - Images API
/api/volumes - Volumes API
/api/networks - Networks API
/api/stacks - Stacks API
/api/templates - Templates API
/api/events - Docker events stream
/api/settings - Settings API
/api/health - Health check API
/api/system - System information API
/api/registries - Registry management API

Management Functions:
/logs - Container logs
/stats - Container statistics
/exec - Execute commands in containers
/deploy - Deployment interface
/console - Web console access
/prune - System pruning tools
/webhooks - Webhook management
/backup - Backup and restore
/monitor - Resource monitoring

Paths that should be denied:
/data - Data directory
/config - Configuration files
/database - Database files
/logs/raw - Raw log files
/.env - Environment configuration
/.git - Source control (if exists)
/node_modules - Dependencies directory
/docker.sock - Docker socket file (very sensitive)
/certs - Certificate storage
/backups - Backup files
/db - Database storage

AdGuard Home Paths

Main Application Paths:
/ - The main AdGuard Home interface
/dashboard - Dashboard overview
/dns - DNS configuration
/dhcp - DHCP server settings
/settings - General settings
/clients - Client management
/filters - Filter management
/rewrites - DNS rewrites
/services - DNS services configuration
/logs - Query logs interface

API and Authentication:
/api/status - Status information
/api/v1 - API v1 endpoints
/login - Authentication page
/control/login - Control authentication
/control/logout - Logout endpoint
/api/v1/filtering - Filtering API
/api/v1/parental - Parental control API
/api/v1/safebrowsing - Safe browsing API
/api/v1/safesearch - Safe search API
/api/v1/stats - Statistics API

Filtering and Management:
/control/filtering - Filtering controls
/control/blocking - Blocking controls
/control/dns_info - DNS information
/control/access - Access settings
/control/stats - Statistics page
/control/dhcp - DHCP management
/control/clients - Client management
/control/blocked - Blocked domains list
/control/allowed - Allowed domains list
/control/tls - TLS configuration

System and Configuration:
/control/version.json - Version information
/install - Installation endpoint
/assets - Static assets
/control/profile - User profile
/control/update - Update controls
/health - Health check endpoint

Paths that should be denied:
/data - Data directory
/config.yaml - Main configuration file
/AdGuardHome.yaml - Configuration file
/work_dir - Working directory
/data/filters - Filter files
/data/sessions - Session data
/data/stats - Statistics data
/data/querylog - Query logs
/data/updates - Update packages
/.git - Source control (if exists)
/conf - Configuration directory
/vhosts - Virtual hosts configuration
/volumes - Docker volumes (if using Docker)

Hoarder App Paths

Main Application Paths:
/ - The main Hoarder interface
/dashboard - Dashboard overview
/collections - Collections management
/library - Media library view
/categories - Categories management
/tags - Tags management
/search - Search functionality
/recent - Recently added items
/favorites - Favorite items
/settings - Settings interface
/backup - Backup management
/stats - Statistics and analytics

API and Authentication:
/api/auth - Authentication endpoints
/api/users - User management API
/api/collections - Collections API
/api/items - Items/media API
/api/categories - Categories API
/api/tags - Tags API
/api/search - Search API
/api/import - Import API
/api/export - Export API
/api/stats - Statistics API

Media Management:
/view - Item viewer
/content - Content access
/metadata - Metadata editor
/upload - Upload interface
/scan - Library scanning
/duplicates - Duplicate finder
/organize - Organization tools
/batch - Batch operations
/import - Import interface
/export - Export interface

Integration:
/api/webhooks - Webhook configuration
/api/plugins - Plugin management
/api/external - External services integration
/api/sync - Synchronization services

Paths that should be denied:
/data - Data directory
/config - Configuration files
/database - Database files
/storage - Raw storage location
/temp - Temporary files
/logs - Log files
/.env - Environment configuration
/.git - Source control (if exists)
/node_modules - Dependencies directory
/backups - Raw backup files
/media - Direct media storage

Uptime Kuma Paths

Main Application Paths:
/ - The main Uptime Kuma interface
/dashboard - Dashboard view
/settings - Settings interface
/status - Status page management
/status-page - Public status page
/setup - Initial setup
/manage - Management interface
/metrics - Metrics and statistics
/maintenance - Maintenance mode settings
/incidents - Incident management
/tags - Tags management
/groups - Monitor group management

API and Authentication:
/api - API endpoints
/api/auth - Authentication endpoints
/api/user - User management
/api/2fa - Two-factor authentication
/api/status - Status API
/api/dashboard - Dashboard API
/api/metrics - Metrics API
/api/settings - Settings API
/api/export - Export configuration
/api/import - Import configuration
/api/notification - Notification API

Monitor Management:
/api/monitor - Monitor management
/api/monitor/add - Add monitor
/api/monitor/edit - Edit monitor
/api/monitor/delete - Delete monitor
/api/monitor/pause - Pause monitoring
/api/monitor/resume - Resume monitoring
/api/monitor/verify - Verify monitor connection
/api/proxy - Proxy monitoring
/api/heartbeat - Heartbeat endpoints

Notification and Alerts:
/api/notification/test - Test notifications
/api/notification/discord - Discord integration
/api/notification/telegram - Telegram integration
/api/notification/slack - Slack integration
/api/notification/email - Email notifications
/api/notification/webhook - Webhook notifications
/api/incident - Incident reporting

Paths that should be denied:
/data - Data directory
/data/kuma.db - Database file
/config - Configuration directory
/logs - Log files
/backup - Backup files
/.env - Environment configuration
/.git - Source control (if exists)
/node_modules - Dependencies directory
/ssl - SSL certificates
/temp - Temporary files
/dist - Distribution files
/docker-data - Docker volumes and data

Jellyfin Paths

Main Application Paths:
/ - The main Jellyfin interface
/web - Web client interface
/dashboard - Admin dashboard
/setup - Initial setup wizard
/login - Login page
/home - Home/landing page
/items - Media items browsing
/library - Library management
/livetv - Live TV interface
/playback - Playback interface
/dlna - DLNA settings
/users - User management
/sync - Sync interface

Library and Media:
/movies - Movies library
/tvshows - TV Shows library
/music - Music library
/photos - Photos library
/artists - Music artists
/albums - Music albums
/genres - Genre browsing
/collections - Collections view
/playlists - Playlists management
/channels - Channels
/trailers - Movie trailers

API and Authentication:
/api - API root
/api/auth - Authentication endpoints
/api/sessions - Session management
/api/users - User API
/api/items - Items/media API
/api/library - Library API
/api/system - System information API
/api/displaypreferences - User display preferences
/socket - WebSocket connections
/emby - Legacy Emby compatibility API

Media Streaming:
/Audio - Audio streaming endpoints
/Videos - Video streaming endpoints
/Images - Image endpoints
/Subtitles - Subtitle endpoints
/hls - HLS streaming
/dash - DASH streaming
/download - Media downloads
/playlist - Playlist files

System and Configuration:
/system/info - System information
/system/logs - Log viewer
/system/restart - Restart service
/system/shutdown - Shutdown service
/plugins - Plugin management
/metadata - Metadata management
/encodingsettings - Transcoding settings
/devices - Device management
/apikeys - API key management

Paths that should be denied:
/config - Configuration directory
/data - Data directory
/transcodes - Transcode temporary directory
/metadata - Raw metadata directory
/cache - Cache directory
/log - Log files
/plugins - Plugins directory
/ffmpeg - FFMPEG binaries
/backup - Backup files
/system/migrations - Database migrations
/.git - Source control (if exists)
/addon_data - Addon data
/jellyfin.db - Database file

Plex Media Server Paths

Main Application Paths:
/ - The main Plex web interface
/web - The Plex web client interface
/web/index.html - Main web client entry point
/:/timeline - Timeline/progress reporting
/identity - Identity provider services

API and Authentication:
/:/prefs - User preferences
/:/resources - Resource endpoints
/:/plugins - Plugin management
/:/dashboard - Server dashboard data
/:/sync - Sync service endpoints
/:/transcode - Transcoding endpoints
/:/library - Library management endpoints
/:/scrobble - Media progress tracking
/:/rating - Media rating endpoints
/status/sessions - Current streaming sessions

Media Related Paths:
/library/metadata - Media metadata access
/photo/:/transcode - Photo transcoding
/video/:/transcode - Video transcoding
/music/:/transcode - Music transcoding
/:/progress - Streaming progress

Discovery and Authentication:
/.well-known - Service discovery
/api - API endpoints
/clients - Client connection endpoints
/servers - Server discovery endpoints
/accounts - Account management
/auth - Authentication endpoints
/pin - Pin-based authentication

Paths that should be denied or protected:
/logs - Server logs
/system - System information
/:/certificates - Certificate management
/:/settings - Server settings
/:/maintenance - Maintenance functions
/crash-reports - Crash reporting data
/diagnostics - Server diagnostics
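A way to sanity-check lists like the ones above before turning them into proxy rules, as an added example that is not code from the post, Pangolin or Traefik: it normalizes a request path (percent-decoding, `..`, `//`) and applies a deny-first longest-prefix policy, which is an assumption made here and should be checked against your own proxy's matching semantics, and it flags entries that sit on both an allow and a deny list, such as `/metadata` for Audiobookshelf above.

```python
"""Deny-first evaluator for allow/deny path lists like the ones above.

Added example, not code from the post, Pangolin or Traefik. The policy
(normalize, longest-prefix match, deny wins ties, default deny) is an
assumption made here; confirm the matching semantics of your own proxy.
"""
import posixpath
from typing import Iterable, Optional
from urllib.parse import unquote


def normalize(path: str) -> str:
    """Canonicalise a request path before it is compared with any rule.

    Drops the query string, percent-decodes, collapses '//' and resolves
    '.' and '..', so '/api/../config' and '/%63onfig' both become '/config'
    instead of slipping past a rule written as the literal string '/config'.
    """
    decoded = unquote(path.split("?", 1)[0])
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return posixpath.normpath(decoded)


def _longest_prefix(path: str, rules: Iterable[str]) -> Optional[str]:
    """Longest rule that equals `path` or is a directory prefix of it."""
    best = None
    for rule in (normalize(r) for r in rules):
        if path == rule or path.startswith(rule.rstrip("/") + "/"):
            if best is None or len(rule) > len(best):
                best = rule
    return best


def decide(path: str, allow: Iterable[str], deny: Iterable[str]) -> str:
    """Return 'allow' or 'deny' for one request path.

    The more specific rule wins; on equal specificity deny wins, and a
    path matched by nothing is denied (least privilege).
    """
    p = normalize(path)
    a = _longest_prefix(p, allow)
    d = _longest_prefix(p, deny)
    if d is not None and (a is None or len(d) >= len(a)):
        return "deny"
    return "allow" if a is not None else "deny"


def conflicts(allow: Iterable[str], deny: Iterable[str]) -> set:
    """Entries present on both lists; deny-first silently blocks them."""
    return {normalize(a) for a in allow} & {normalize(d) for d in deny}


# Sample rule sets, constructed from a subset of the lists above.
ABS_ALLOW = ["/", "/settings", "/api/login", "/api/stream", "/audio",
             "/covers", "/metadata"]                      # Audiobookshelf
ABS_DENY = ["/config", "/data", "/metadata", "/backups", "/.git",
            "/node_modules", "/logs"]
HARBOUR_ALLOW = ["/", "/logs", "/stats"]                   # Harbour
HARBOUR_DENY = ["/logs/raw", "/docker.sock", "/.env"]

if __name__ == "__main__":
    for req in ["/metadata/book.json", "/api/../config/x",
                "/%2e%2e/backups", "/audio//track.mp3?x=1"]:
        print(f"{req:28} -> {decide(req, ABS_ALLOW, ABS_DENY)}")
    print("on both Audiobookshelf lists:", sorted(conflicts(ABS_ALLOW, ABS_DENY)))
    print("/logs/raw/x on Harbour      ->",
          decide("/logs/raw/x", HARBOUR_ALLOW, HARBOUR_DENY))
```

Run it against your own allow/deny lists; any path reported by `conflicts` needs a decision about which list it really belongs on before the rules go live.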

This is a great list, thank you for putting it together.

If I could make a suggestion, perhaps adding some context to this would be helpful? Such as how and why you would need to use these paths? And the risks associated with those choices.

From my understanding, some of these paths would only need to be allowed if you’re using an app (mostly the API paths), while others may be needed if you want to allow limited access to the webpage. In essence, choosing what bypasses Pangolin’s additional auth. Allowing the API is likely a lower risk than allowing specific portions of the web interface, with any option balancing security with usability.

Just my 2cents.

~Spritz

  • You’re right. I just compiled all of them from other cords and our discussion on the Pangolin Discord.
  • Risk and path selection: the community can discuss what to adopt and what to leave out, because it depends on the user’s deployment.
    Now at least we know all the paths in one place.
  • I will try to test them one at a time.
  • A few I have done, but most are from community members.
  • I will put my signature on the ones I have personally tested.

You can also put up a thread. You are the owner of this forum as much as I am. It’s a close-knit group.

Absolutely, thank you for that. While I have a ton of experience in the space (over 20 years), I tend to fight against my own imposter syndrome. That said, to your quote, it likely makes sense to keep this kind of info in a single thread so it’s easy to find.

Slight tangent, but when it comes to testing and listing options as “secure”, you know people will blindly follow what is written down. In a perfect world (where time is infinite) a list such as this would be broken down in such a manner:

App Access:
/path1
/path2
/path3 - NOTE: Only if you need to do x from the app

Web Access - Only needed if you want to give unrestricted access and/or you trust the app's built-in auth
/path 4

Deny - Paths that only should be accessed locally LEAVE OPEN AT YOUR OWN RISK
/path5
/path6
/etc

Due to being primary parent to 4 young kids, my time to do testing at home is restricted, however I do have time to document between work and home. If you’d like, I can take on organizing the above information as it’s provided. Though, frankly, I would err on least privilege when allowing / denying paths.

~Spritz

As you deem fit. No pressure. Put it up when you like. Same here; I manage this forum after work and on Saturday nights.

I like your plan. I too will follow the pattern.

Thanks for compiling the list. I was particularly interested in the Immich list, which is a service I self-host.
How is one supposed to read “Paths that should be denied”? Are those paths that should always be denied (e.g. in resource rules in Pangolin)?

I tried doing that for my Immich instance, and when accessing via the mobile app outside of my LAN (hence, through Pangolin), the IP from my cellular connection was caught by CrowdSec due to http-probing.
I reverted to allowing ‘api/*’ and ‘.well-known/immich’ and not adding any paths as always deny, and now it works again.

This depends on your configuration and the files used to deploy the app.
If you have those paths, they should never be exposed.

It doesn’t apply to all.