Secure Pangolin Integration with Traefik (Rickroll)

Overview

This guide covers putting Pangolin behind Traefik with HTTPS redirection, a set of hardening response headers, a regex redirect that sends common scanner and attack requests to a Rick Roll video instead of the backend, and an internal-network IP allowlist. CrowdSec is a natural next layer on top of this, but it is not configured in the snippets below.

Configuration Components

Basic Traefik Setup

http:
  middlewares:
    # Basic HTTPS redirection (302 by default; set permanent: true for a 301
    # once the HTTPS side is known to work)
    redirect-to-https:
      redirectScheme:
        scheme: https

    # Internal network allowlist (RFC 1918 ranges). This middleware is defined
    # here but not attached to any router below; attach it only to routers that
    # should be reachable from the LAN/VPN, never to the public Pangolin routers.
    # If Traefik sits behind NAT or another proxy, requests may arrive from a
    # 172.x address and pass this list regardless of origin; check the access
    # log for the client IP Traefik actually sees. In Traefik v3 the key is
    # ipAllowList (ipWhiteList is the deprecated v2 name).
    default-whitelist:
      ipWhiteList:
        sourceRange:
        - "10.0.0.0/8"
        - "192.168.0.0/16"
        - "172.16.0.0/12"

Security Headers

Essential security headers to protect against common web vulnerabilities:

    security-headers:
      headers:
        customResponseHeaders:
          # An empty value makes Traefik strip the header from the response,
          # hiding the backend's server/framework banner.
          Server: ""
          X-Powered-By: ""
          # (X-Forwarded-Proto is a request header exchanged between proxies;
          # setting it on the response does nothing, so it is not listed here.)
        sslProxyHeaders:
          X-Forwarded-Proto: "https"
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        contentTypeNosniff: true
        customFrameOptionsValue: "SAMEORIGIN"
        referrerPolicy: "strict-origin-when-cross-origin"
        # HSTS: two years, all subdomains, and opt-in to the browser preload
        # list. preload together with includeSubdomains commits every subdomain
        # to HTTPS and is hard to undo, so be sure before enabling it.
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 63072000
        stsPreload: true
        # Emits X-XSS-Protection: 1; mode=block. Current browsers ignore this
        # deprecated header; harmless, but not a real control.
        browserXssFilter: true
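The validation step later in the guide points at SecurityHeaders.com; for an offline check of what the security-headers middleware is supposed to emit, here is an added example (not code from the page or the Pangolin project) written in Go. It parses a raw HTTP response, as pasted from curl -i, and reports every deviation from the middleware's configured values: leaked Server / X-Powered-By, the three fixed-value headers, and the HSTS directives. The two sample responses are constructed for the example, not real captures.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Constructed sample responses (not real captures). The first is what the
// security-headers middleware should produce; the second is a bare backend
// response that bypassed Traefik.
const HardenedResponse = "HTTP/1.1 200 OK\r\n" +
	"Content-Type: text/html\r\n" +
	"Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n" +
	"X-Content-Type-Options: nosniff\r\n" +
	"X-Frame-Options: SAMEORIGIN\r\n" +
	"Referrer-Policy: strict-origin-when-cross-origin\r\n" +
	"Content-Length: 0\r\n\r\n"

const BareResponse = "HTTP/1.1 200 OK\r\n" +
	"Server: nginx/1.24\r\n" +
	"X-Powered-By: Next.js\r\n" +
	"Content-Type: text/html\r\n" +
	"Strict-Transport-Security: max-age=3600\r\n" +
	"Content-Length: 0\r\n\r\n"

// ParseResponse turns a raw HTTP/1.x response (e.g. pasted from curl -i)
// into its header set.
func ParseResponse(raw string) (http.Header, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	return resp.Header, nil
}

// CheckSecurityHeaders returns one finding per deviation from what the
// page's security-headers middleware is configured to emit; an empty
// result means the response looks as expected.
func CheckSecurityHeaders(h http.Header) []string {
	var findings []string

	// Headers the middleware blanks out: any value means they leaked through.
	for _, name := range []string{"Server", "X-Powered-By"} {
		if v := h.Get(name); v != "" {
			findings = append(findings, fmt.Sprintf("%s leaks %q", name, v))
		}
	}

	// Fixed-value headers from contentTypeNosniff, customFrameOptionsValue
	// and referrerPolicy (ordered slice so findings are deterministic).
	expected := [][2]string{
		{"X-Content-Type-Options", "nosniff"},
		{"X-Frame-Options", "SAMEORIGIN"},
		{"Referrer-Policy", "strict-origin-when-cross-origin"},
	}
	for _, e := range expected {
		if got := h.Get(e[0]); !strings.EqualFold(got, e[1]) {
			findings = append(findings, fmt.Sprintf("%s = %q, want %q", e[0], got, e[1]))
		}
	}

	return append(findings, checkHSTS(h.Get("Strict-Transport-Security"))...)
}

// checkHSTS verifies the Strict-Transport-Security directives produced by
// forceSTSHeader / stsSeconds / stsIncludeSubdomains / stsPreload.
func checkHSTS(value string) []string {
	if value == "" {
		return []string{"Strict-Transport-Security missing"}
	}
	directives := map[string]string{}
	for _, d := range strings.Split(value, ";") {
		name, val, _ := strings.Cut(strings.TrimSpace(d), "=")
		directives[strings.ToLower(name)] = val
	}
	var findings []string
	if age, err := strconv.Atoi(directives["max-age"]); err != nil || age < 63072000 {
		findings = append(findings, "HSTS max-age below the configured 63072000")
	}
	for _, want := range []string{"includesubdomains", "preload"} {
		if _, ok := directives[want]; !ok {
			findings = append(findings, "HSTS lacks "+want)
		}
	}
	return findings
}

func main() {
	for _, sample := range []struct{ name, raw string }{{"hardened", HardenedResponse}, {"bare", BareResponse}} {
		h, err := ParseResponse(sample.raw)
		if err != nil {
			fmt.Println(sample.name, "parse error:", err)
			continue
		}
		f := CheckSecurityHeaders(h)
		fmt.Printf("%s: %d finding(s) %v\n", sample.name, len(f), f)
	}
}
```

Paste the output of `curl -sI https://your-domain.com/` into a string and feed it to ParseResponse to check a live deployment; the bare sample shows what you get when a request reaches Pangolin without passing through the middleware.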

Malicious Request Protection

Redirects requests that match common scanner and attack patterns (WordPress paths, script extensions, admin panels, dotfiles, tool names) to a Rick Roll video instead of passing them to Pangolin. Treat this as noise reduction, not a WAF: matching is a substring search over the full request URL, so short tokens such as wp, console, shell and hack also hit legitimate paths (/newpage contains wp, for example), and the rule is applied to the API router as well. Test it against your own resource paths before enabling it.

    security-redirects:
      redirectRegex:
        permanent: false
        # Traefik's redirectRegex takes ONE regex string (not a list) and
        # matches it against the full request URL (scheme://host/path?query),
        # so the five patterns are combined into a single alternation. The
        # extension rule allows an optional query string so /x.php?id=1 is
        # caught too. The string is single-quoted: in a double-quoted YAML
        # string "\." is an invalid escape and the file fails to load.
        regex: '^.*(/wp-.*|\.(php|asp|aspx|jsp|cgi|sql|sqlite|sq3|sh)(\?.*)?$|administrator|phpmyadmin|myadmin|mysql|wp|xmlrpc|Autodiscover|console|\.env|\.git|\.svn|\.hg|\.DS_Store|wp-config\.php|web\.config|\.htaccess|nmap|nikto|sqlmap|xerosploit|slowloris|shell|backdoor|hack).*'
        replacement: 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'
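Before deploying the rule it is worth seeing exactly which URLs it catches. The following is an added example, not code from the page or the Pangolin project: it compiles the page's patterns as the single alternation Traefik's redirectRegex expects, using Go's regexp package (the same RE2 engine Traefik uses, so the verdicts match what Traefik will do), and classifies a set of constructed URLs on the page's placeholder host your-domain.com. It shows the query-string case the original `$`-anchored extension rule would miss, and the false positive that the bare `wp` token causes.

```go
package main

import (
	"fmt"
	"regexp"
)

// pattern is the page's five redirectRegex rules joined into one alternation,
// because Traefik's redirectRegex takes a single regex string. Traefik matches
// it against the full request URL (scheme://host/path?query) with Go's RE2
// engine, which is exactly what this program does.
var pattern = regexp.MustCompile(`^.*(/wp-.*|\.(php|asp|aspx|jsp|cgi|sql|sqlite|sq3|sh)(\?.*)?$|administrator|phpmyadmin|myadmin|mysql|wp|xmlrpc|Autodiscover|console|\.env|\.git|\.svn|\.hg|\.DS_Store|wp-config\.php|web\.config|\.htaccess|nmap|nikto|sqlmap|xerosploit|slowloris|shell|backdoor|hack).*`)

// WouldRedirect reports whether Traefik would answer the request with the
// Rick Roll redirect instead of forwarding it to Pangolin.
func WouldRedirect(fullURL string) bool {
	return pattern.MatchString(fullURL)
}

// Classify splits URLs into those the rule redirects and those that reach
// the backend, preserving input order.
func Classify(urls []string) (redirected, passed []string) {
	for _, u := range urls {
		if WouldRedirect(u) {
			redirected = append(redirected, u)
		} else {
			passed = append(passed, u)
		}
	}
	return redirected, passed
}

func main() {
	// Constructed sample URLs; your-domain.com is the page's placeholder host.
	samples := []string{
		"https://your-domain.com/wp-login.php",      // WordPress probe
		"https://your-domain.com/.env",              // dotfile probe
		"https://your-domain.com/index.php?id=1",    // .php with query string
		"https://your-domain.com/api/v1/auth/login", // legitimate Pangolin API path
		"https://your-domain.com/settings/resources",
		"https://your-domain.com/newpage", // contains "wp": false positive
		"https://your-domain.com/console", // bare "console" token
	}
	redirected, passed := Classify(samples)
	fmt.Println("redirected to YouTube:")
	for _, u := range redirected {
		fmt.Println("  ", u)
	}
	fmt.Println("forwarded to Pangolin:")
	for _, u := range passed {
		fmt.Println("  ", u)
	}
}
```

Drop the paths your own resources use into samples; anything that lands in the redirected list will be unreachable once the middleware is on. Tightening `wp` to `/wp-` or anchoring `console` and `shell` to a path boundary removes the false positives shown here.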

Router Configuration

Setting up routes for different components:

  routers:
    # Plain-HTTP router whose only job is to bounce to HTTPS. Traefik still
    # requires a service on the router even though the redirect answers first.
    main-app-router-redirect:
      rule: "Host(`your-domain.com`)"
      service: next-service
      entryPoints:
        - web
      middlewares:
        - redirect-to-https

    # Next.js application (everything that is not the API)
    next-router:
      rule: "Host(`your-domain.com`) && !PathPrefix(`/api/v1`)"
      service: next-service
      entryPoints:
        - websecure
      middlewares:
        - security-headers
        - security-redirects
      tls:
        certResolver: letsencrypt   # must match a resolver name in the static config

    # API endpoints. security-redirects runs here too, so the regex must not
    # match any legitimate Pangolin API path.
    api-router:
      rule: "Host(`your-domain.com`) && PathPrefix(`/api/v1`)"
      service: api-service
      entryPoints:
        - websecure
      middlewares:
        - security-headers
        - security-redirects
      tls:
        certResolver: letsencrypt

Service Definitions

Backend service configuration:

  services:
    # Pangolin's Next.js frontend; plain HTTP inside the Docker network,
    # TLS terminates at Traefik.
    next-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3002"

    # Pangolin's API
    api-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3000"

Implementation Steps

  1. Prerequisites

    • Traefik installed and running, with the file provider enabled in its static config
    • A certificate resolver named letsencrypt in the static config (the routers above reference it by that name)
    • Pangolin application ready for deployment
  2. Configuration File Setup

    • Create a new file named traefik-pangolin.yml in the directory Traefik's file provider watches (providers.file.directory); a dynamic config Traefik is not told to load is simply ignored
    • Copy the complete configuration provided above
    • Replace placeholder values:
      • your-domain.com with your actual domain
      • Adjust IP addresses and ports as needed
  3. Security Measures

    • HTTPS redirection enforced
    • Strict security headers implemented
    • Suspicious requests redirected away from the backend
    • Internal network allowlist defined; it only takes effect on routers that list default-whitelist in their middlewares, and must not be attached to the public Pangolin routers
  4. Validation

    • Check Traefik's log after the file is picked up: a middleware that fails to build (an invalid regex or a bad YAML escape, for example) disables every router that references it
    • Test HTTPS redirection: a request to http://your-domain.com/ should answer with a 302 to the https:// URL
    • Verify security headers using tools like SecurityHeaders.com, or by inspecting the response headers with curl -I
    • Confirm a known-bad path such as /wp-login.php is answered with a 302 to the YouTube URL, and that Pangolin's own paths are not
    • Verify WebSocket connections

Maintenance and Monitoring

  1. Regular Updates

    • Keep Traefik updated
    • Review and update security rules
  2. Monitoring

    • Monitor Traefik logs for issues
    • Review access patterns regularly
  3. SSL Certificate Management

    • Ensure automatic renewal is working
    • Monitor certificate expiration dates

Best Practices

  1. Security

    • Regularly rotate API keys
    • Keep middleware chains minimal for performance
    • Use specific routing rules to avoid conflicts
  2. Performance

    • Monitor response times
    • Adjust buffer sizes if needed
    • Consider implementing rate limiting
  3. Maintenance

    • Document all custom configurations
    • Keep backups of working configurations
    • Test changes in staging first