mTLS support

[danhusan]

Requesting mTLS support to be able to do seamless client authentication.

Example (with CF): https://kcore.org/2024/06/28/using-cloudflare-zerotrust-and-mtls-with-home-assistant-via-the-internet/

[e-minguez]

perhaps via https://plugins.traefik.io/plugins/6637c92c3f17a1aeb061e27e/mtls-or-whitelist ?

[e-minguez]

Using this approach https://forum.hhf.technology/t/security-and-performance-enhancements-in-traefik-configuration-in-pangolin/478/1 will enable adding traefik plugins and tweaks. Didn't had the chance to try it but it feels it can be accomplished.

[Steffen-MLR]

i would love this feature. is there a way to contribute here?

[floco]

Thanks. Looks like it would be possible via https://forum.hhf.technology/t/installing-and-setting-up-pangolin-and-middleware-manager/2255 and adding a mtls traefik plugin ? Anyone tried that ? Would be great though if this was available directly in Pangolin.

[l3ztum]

@hhftechnology could you maybe post a cut down version of your config with mtls?

[hhftechnology]

@hhftechnology could you maybe post a cut down version of your config with mtls?

DM me on cord or ping me on pangolin cord.

[Steffen-MLR]

@hhftechnology i would be interested too. Can you share this online? Maybe there is a way to add this as a feature to pangolin

[Nexulo]

@hhftechnology can you please post your changes to make this work with mtls?

[0xFFA500]

I'd use the hell out of this feature if it were added

Currently I need to choose between using Tailscale which limits me from using any other VPN on mobile devices, and using Cloudflare Tunnels with mTLS rules which I'm not a huge fan of because Cloudflare act as a MITM

Most of the services I use support mTLS on their clients, obviously the clients aren't able to auth with Pangolin and I'm not keen on creating bypass rules for paths because I feel as though that makes services just as vulnerable as they would be if I didn't use any auth at all

[Steffen-MLR]

Alright guys, I just tried this and it seems to work pretty good.

What I achieved so far:

• securing every request with mTLS
  What I did not:
• securing only one Domain
• error handling, if no mTLS Client Cert is provided

you can extend your dynamic conf stored in config/traefik/dynamic_config.yml like this:
I wrapped the added lines with "### NEW".

### NEW
tls:
  options:
    default:
      clientAuth:
        caFiles:
          - /etc/traefik/certs/rootCa.pem
        clientAuthType: RequireAndVerifyClientCert
### NEW

http:
  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https


  routers:
    # HTTP to HTTPS redirect router
    main-app-router-redirect:
      rule: "Host(`pangolin.domain.de`)"
      service: next-service
      entryPoints:
        - web
      middlewares:
        - redirect-to-https

    # Next.js router (handles everything except API and WebSocket paths)
    next-router:
      rule: "Host(`pangolin.domain.de`) && !PathPrefix(`/api/v1`)"
      service: next-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
        ### NEW
        options: default
        ### NEW

    # API router (handles /api/v1 paths)
    api-router:
      rule: "Host(`pangolin.domain.de`) && PathPrefix(`/api/v1`)"
      service: api-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt

    # WebSocket router
    ws-router:
      rule: "Host(`pangolin.domain.de`)"
      service: api-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt

  services:
    next-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3002"  # Next.js server

    api-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3000"  # API/WebSocket server

you still need to create your own rootCa and clientCert, which i created using these commands:

# Create root CA private key
openssl genrsa -out rootCA.key 4096

# Create root CA certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem

# Create client private key
openssl genrsa -out client.key 2048

# Create client CSR
openssl req -new -key client.key -out client.csr

# Create client certificate
openssl x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.crt -days 365 -sha256

# Create client PFX file
openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt -certfile rootCA.pem

the file rootCa.pem should be placed at config/traefik/certs/rootCa.pem and the client.pfx needs to be instaled on the Client PC.

Please test this and give me Feedback. If it works for you too, I will look into how to secure specific Domains/Urls only.

regards
Steffen

[Steffen-MLR]

let me reply to my own topic here: this will only work for all connections. if you are using newt you need to provide the pfx like newt --tls-client-cert client.pfx ... because it needs a tls cert in this scenario.

i think the best way would be to add the possibility to provide the config:

tls:
  options:
    mtls:
      clientAuth:
        caFiles:
          - /etc/traefik/certs/rootCa.pem
        clientAuthType: RequireAndVerifyClientCert

and the options: name: mtls via

pangolin/server/routers/traefik/getTraefikConfig.ts

Line 129 in 69b28b9

const config_output: any = {

Since you need to add a Config Field "Use mTLS" AND implement the above config, this would need more than an extended config file.
I don't know how to combine the two providers for traefik here and i am not sure how to add tls options via http, or if it is possible.

hope this helps
regards
Steffen

[WildeTechSolutions]

This feature is really needed! The sharelink with auth headers are great for mobile applications that supported it but for apples like NextCloud and Home Assistant, we really need and mTLS feature to compete with CloudFlare.

Thanks for this awesome app guys!

[dayt47]

Would like to see this implemented. That's a gamechanger for enhanced security.
Are there plans to add this? @oschwartz10612

[Rocho-EL-Locho]

I've set up mTLS in Pangolin. I have the instructions here in both German and English.

It's important to note that you can also secure domains/subdomains with mTLS once mTLS is configured for the dashboard using Pangolin SSO for the website. This allows you to decide whether or not to use mTLS for individual subdomains.

German Instructions
English instructions

For suggestions, comments, or questions, please feel free to contact me.

[hhftechnology]

mtls for individual routers coming with middleware manager next saturday.


no need for complex setup
@WildeTechSolutions @dayt47 @Steffen-MLR @Nexulo @floco @e-minguez

[e-minguez]

Can't wait for it!

[hhftechnology]

https://www.reddit.com/r/PangolinReverseProxy/s/eTMxgcxolv

Full mtls support. Per resources

https://middleware-manager.hhf.technology

[WildeTechSolutions]

Looking forward to testing it out! This would be a huge benefit. I do still wish that it could be integrated natively into Pangolin SSO so that it could be a bypass option but not an absolute requirement. But that is a task for the Pangolin team of course.

[hhftechnology]

The main issue is we have to use a middleware with mtls for a custom whitelist. I also couldn't directly use mtls. It will mess up resources if you don't have this middleware plugin