Secure Pangolin Integration with Traefik
Overview
This guide covers putting Traefik in front of Pangolin: HTTPS redirection, response security headers, a regex-based redirect for common attack probes, and an internal-network allow list. CrowdSec integration is a complementary measure that is mentioned here but not configured in the snippets below.
Configuration Components
Basic Traefik Setup
The middlewares below go in a Traefik dynamic configuration file; the remaining snippets on this page continue the same http: tree.
http:
  middlewares:
    # Basic HTTPS redirection
    redirect-to-https:
      redirectScheme:
        scheme: https
    # Internal network whitelist (RFC 1918 ranges). It is defined here but
    # not attached to any router below; add it to the middleware list of
    # routers that should only be reachable from inside the network.
    # Traefik v3 calls this middleware ipAllowList; ipWhiteList is the
    # deprecated v2 name.
    default-whitelist:
      ipWhiteList:
        sourceRange:
          - "10.0.0.0/8"
          - "192.168.0.0/16"
          - "172.16.0.0/12"
Security Headers
Essential security headers to protect against common web vulnerabilities. Two trade-offs to weigh before copying this verbatim: stsPreload advertises the domain as eligible for the browser HSTS preload list, and together with stsIncludeSubdomains that commits every subdomain to HTTPS, which is hard to undo once submitted; browserXssFilter emits X-XSS-Protection, a legacy header that current browsers ignore. X-Forwarded-Proto is a request header that tells Traefik the client connection was TLS, so it belongs under sslProxyHeaders rather than among the response headers.
    security-headers:
      headers:
        # An empty value strips the header from the response
        customResponseHeaders:
          Server: ""
          X-Powered-By: ""
        # Treat requests carrying this header as already TLS-terminated
        sslProxyHeaders:
          X-Forwarded-Proto: "https"
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        contentTypeNosniff: true                # X-Content-Type-Options: nosniff
        customFrameOptionsValue: "SAMEORIGIN"   # X-Frame-Options
        referrerPolicy: "strict-origin-when-cross-origin"
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 63072000                    # two years
        stsPreload: true
        browserXssFilter: true                  # X-XSS-Protection: 1; mode=block (legacy)
Malicious Request Protection
Redirects requests that look like attack probes (WordPress paths, script extensions, dotfiles and VCS directories, scanner names) to a Rick Roll video. Traefik's redirectRegex middleware takes a single regex string, not a list, so the individual patterns are combined into one alternation. The string is single-quoted so YAML passes the backslashes through unchanged; in a double-quoted YAML string \. is an invalid escape and the file fails to load. Two caveats: Traefik matches the regex against the full request URL, scheme and host included, and the bare tokens (wp, console, shell, hack) match anywhere in that string, so a hostname such as console.your-domain.com or a path like /newport-office is redirected too. Review the token list against your real URLs before enabling it.
    security-redirects:
      redirectRegex:
        permanent: false
        regex: '^.*(/wp-|\.(php|asp|aspx|jsp|cgi|sql|sqlite|sq3|sh)$|administrator|phpmyadmin|myadmin|mysql|wp|xmlrpc|Autodiscover|console|\.env|\.git|\.svn|\.hg|\.DS_Store|wp-config\.php|web\.config|\.htaccess|nmap|nikto|sqlmap|xerosploit|slowloris|shell|backdoor|hack).*'
        replacement: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
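To see what the redirect rule actually catches, the following added example (not code from the page or the Pangolin project) merges the page's patterns into the single alternation Traefik expects and runs it over constructed URLs, beside a tightened variant that anchors each token to a path segment. The sample hostnames and paths are invented; Traefik evaluates the regex with Go's RE2 engine against the full request URL, and the constructs used here behave the same under Python's re module.

```python
import re

# The page's redirect patterns merged into one alternation, as Traefik's
# redirectRegex needs them (one regex string, matched against the full URL).
PAGE_PATTERN = re.compile(
    r"^.*(/wp-|\.(php|asp|aspx|jsp|cgi|sql|sqlite|sq3|sh)$"
    r"|administrator|phpmyadmin|myadmin|mysql|wp|xmlrpc|Autodiscover|console"
    r"|\.env|\.git|\.svn|\.hg|\.DS_Store|wp-config\.php|web\.config|\.htaccess"
    r"|nmap|nikto|sqlmap|xerosploit|slowloris|shell|backdoor|hack).*"
)

# Tightened variant (an assumption of this example, not the page's rule): skip
# the scheme and host, anchor each token to a path segment, keep the dotfile
# and extension checks. Scanner names (nmap, sqlmap, ...) are dropped because
# they appear in User-Agent headers, not in URLs. The inline (?i) flag is valid
# in both RE2 and Python, so the string can be pasted into the YAML regex field.
TIGHT_PATTERN = re.compile(
    r"(?i)^https?://[^/?]+(?:"
    r"/(?:wp-[^/?]*|administrator|phpmyadmin|myadmin|mysql|xmlrpc\.php|autodiscover|console)(?:[/?]|$)"
    r"|/(?:[^?]*/)?\.(?:env|git|svn|hg|DS_Store)(?:[/?]|$)"
    r"|/(?:[^?]*/)?(?:wp-config\.php|web\.config|\.htaccess)(?:\?|$)"
    r"|/[^?]*\.(?:php|aspx?|jsp|cgi|sql|sqlite|sq3|sh)(?:\?|$)"
    r")"
)

# Constructed sample URLs: the first four are probes, the rest are legitimate
# requests that a substring match would treat as attacks.
SAMPLE_URLS = [
    "https://your-domain.com/wp-login.php",
    "https://your-domain.com/app/.git/config",
    "https://your-domain.com/phpmyadmin/",
    "https://your-domain.com/backup.sql",
    "https://your-domain.com/api/v1/sites",       # Pangolin API call
    "https://your-domain.com/newport-office",     # contains "wp"
    "https://your-domain.com/hackathon-signup",   # contains "hack"
    "https://your-domain.com/docs/console-api",   # contains "console"
    "https://console.your-domain.com/",           # hostname contains "console"
]


def classify(pattern, url):
    """Return 'redirect' if Traefik would apply the middleware to this URL, else 'pass'."""
    return "redirect" if pattern.search(url) else "pass"


def compare(urls=SAMPLE_URLS):
    """Side-by-side verdicts: (url, page pattern verdict, tightened pattern verdict)."""
    return [(url, classify(PAGE_PATTERN, url), classify(TIGHT_PATTERN, url)) for url in urls]


def false_positives(urls=SAMPLE_URLS):
    """URLs the page's pattern redirects but the tightened pattern lets through."""
    return [url for url, page, tight in compare(urls) if page == "redirect" and tight == "pass"]


if __name__ == "__main__":
    print(f"{'page':8} {'tight':8} url")
    for url, page, tight in compare():
        print(f"{page:8} {tight:8} {url}")
```

Run it before enabling the middleware and extend SAMPLE_URLS with paths from your own access log; every legitimate URL that comes back as "redirect" under the page's pattern is traffic the rule would break.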
Router Configuration
Setting up routes for the different components. Pangolin serves its API under /api/v1, so the two HTTPS routers split on that prefix; both reference a certificate resolver named letsencrypt, which must exist in Traefik's static configuration.
  routers:
    # HTTP -> HTTPS redirect
    main-app-router-redirect:
      rule: "Host(`your-domain.com`)"
      service: next-service
      entryPoints:
        - web
      middlewares:
        - redirect-to-https
    # Next.js application (dashboard)
    next-router:
      rule: "Host(`your-domain.com`) && !PathPrefix(`/api/v1`)"
      service: next-service
      entryPoints:
        - websecure
      middlewares:
        - security-headers
        - security-redirects
      tls:
        certResolver: letsencrypt
    # API endpoints
    api-router:
      rule: "Host(`your-domain.com`) && PathPrefix(`/api/v1`)"
      service: api-service
      entryPoints:
        - websecure
      middlewares:
        - security-headers
        - security-redirects
      tls:
        certResolver: letsencrypt
Service Definitions
Backend service configuration. The hostname pangolin must resolve from Traefik's network (for example the container name in the same Docker network); 3002 is the Next.js dashboard port and 3000 the API port as configured here.
  services:
    next-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3002"
    api-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3000"
Implementation Steps
1. Prerequisites
   - Traefik installed and running, with a certificate resolver named letsencrypt in its static configuration (the routers above reference it)
   - Valid TLS certificate setup (Let's Encrypt)
   - Pangolin application ready for deployment
2. Configuration File Setup
   - Create a new file named traefik-pangolin.yml and load it through Traefik's file provider
   - Copy the complete configuration provided above
   - Replace the placeholder your-domain.com with your actual domain
   - Adjust IP addresses and ports as needed
3. Security Measures
   - HTTPS redirection enforced
   - Strict security headers implemented
   - Malicious request blocking
   - Internal network whitelisting (effective only once default-whitelist is attached to a router)
4. Validation
   - Test HTTPS redirection: a plain-HTTP request to the host should answer with a redirect to the https:// URL
   - Verify security headers using tools like SecurityHeaders.com
   - Verify WebSocket connections still upgrade correctly through the proxy
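The header check in the validation step can be scripted against a captured response instead of an external service. The following added example (not code from the page or the Pangolin project) reads the output of curl -sI from stdin and compares it with what the security-headers middleware above is meant to produce; the expected values come from that middleware, and the two sample responses at the bottom are constructed, not captured from a real host.

```python
import re
import sys

# Expectations derived from the security-headers middleware on this page.
REQUIRED_EXACT = {
    "x-content-type-options": "nosniff",              # contentTypeNosniff: true
    "x-frame-options": "SAMEORIGIN",                  # customFrameOptionsValue
    "referrer-policy": "strict-origin-when-cross-origin",
}
FORBIDDEN = ("server", "x-powered-by")                # cleared via customResponseHeaders
MIN_HSTS_AGE = 63072000                                # stsSeconds


def parse_headers(raw):
    """Parse raw HTTP response headers into a dict keyed by lower-cased name.

    If the input holds several responses (curl -sIL prints one block per hop),
    only the last block is kept, since that is the response the browser renders.
    """
    headers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.upper().startswith("HTTP/"):
            headers = {":status": line}        # new response block: start over
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(raw):
    """Return a list of findings; an empty list means the headers match the middleware."""
    h = parse_headers(raw)
    problems = []
    for name, expected in REQUIRED_EXACT.items():
        actual = h.get(name)
        if actual is None:
            problems.append(f"missing {name}")
        elif actual.lower() != expected.lower():
            problems.append(f"{name} is {actual!r}, expected {expected!r}")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        problems.append("missing strict-transport-security")
    else:
        age = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if age is None or int(age.group(1)) < MIN_HSTS_AGE:
            problems.append(f"hsts max-age below {MIN_HSTS_AGE}: {hsts!r}")
        for token in ("includeSubDomains", "preload"):
            if token.lower() not in hsts.lower():
                problems.append(f"hsts missing {token}")
    for name in FORBIDDEN:
        if h.get(name):                        # a non-empty value fingerprints the backend
            problems.append(f"{name} header present: {h[name]!r}")
    return problems


# Constructed sample: what the middleware above should yield.
GOOD_RESPONSE = """HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
referrer-policy: strict-origin-when-cross-origin
x-xss-protection: 1; mode=block
"""

# Constructed sample: a backend reached without the middleware applied.
BAD_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.24.0
X-Powered-By: Next.js
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
"""


if __name__ == "__main__":
    findings = check_security_headers(sys.stdin.read())
    for finding in findings:
        print("FAIL:", finding)
    sys.exit(1 if findings else 0)
```

Usage: curl -sI https://your-domain.com/ | python3 check_headers.py; the exit status is non-zero when any finding is reported, which makes it usable as a post-deploy check. The HTTPS redirection test is the companion: curl -sI http://your-domain.com/ should return a 3xx status with a Location header pointing at the https:// URL.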
Maintenance and Monitoring
1. Regular Updates
   - Keep Traefik updated
   - Review and update security rules
2. Monitoring
   - Monitor Traefik logs for issues
   - Review access patterns regularly
3. SSL Certificate Management
   - Ensure automatic renewal is working
   - Monitor certificate expiration dates
Best Practices
1. Security
   - Regularly rotate API keys
   - Keep middleware chains minimal for performance
   - Use specific routing rules to avoid conflicts
2. Performance
   - Monitor response times
   - Adjust buffer sizes if needed
   - Consider implementing rate limiting
3. Maintenance
   - Document all custom configurations
   - Keep backups of working configurations
   - Test changes in staging first