Feature request: allow for more flexible middlewares

[renzos42]

Hi, I'd like the ability to not apply all optional middleware to all sites. There are cases like ForwardAuth which will be very site specific. There is no good way to achieve this at the moment. I think this feature would add a great deal of flexibility.

Atm I can think of two ways to solve this:

1. Define middlewares in the UI (name and textfield config), store them in the database, write them out to the dynamic dir, and provide a list in the resource settings (and hide the badgerMiddlewareName name).

• Pro: Very user friendly
• Con: More involved to implement
• Con: Error prone due to user errors

2. Scan the dynamic dir for extra files (maybe with a naming convention), and provide these in a list in the resource settings (and hide the badgerMiddlewareName name).

• Pro: Pretty easy to implement
• Neutral: It would be a somewhat more 'advanced' hidden feature (if there are no extra middlewares, there would be nothing to select).
• Con: File detection based on naming conventions or on expected values, is a bit jank.

The new access control rules cover some of the use-cases (which look super nice btw), but can never really cover the full flexibility of traefik itself (nor should it). For our case, having this missing means I cannot migrate due to some sites special config rules.

Would be great to hear any opinions on this.

[miloschwartz]

Hi, I think you're right this would be easy to implement and useful for some advanced users. What do you think about being able to define them in the config.yml instead of the UI for now?

Every resource has an ID which can be easily found in the URL: https://pangolin.domain.com/my-org/settings/resources/2/connectivity (resource ID is 2 in this example). We could add a section to the config.yml that lets you define middleware per resource based on the ID. Maybe something like:

resources:
  2:
    middleware: ["geoblock"]
  3:
     ...

Let me know what you think. Obviously a slick UI implementation would be best but this would expose the functionality and be quite easy for us to get out there and then improve upon later.

[adiroiban]

Thanks for considering this functionaly.

I think that this is a start

[renzos42]

Oh that also would very usable and ever simpler to implement indeed, is there a way to force it without restarting the stack / container? Because that would break the nicety of the dynamic config of traefik

Btw it would be up to you guys in how much you want to document this 'temporary' feature, and keeping it backwards compatible when iterating on it and possibly moving it to the frontend.

Edit: I realized restarting the Pangolin container (reloading the config) does not interrupt traefik, is that correct?

[renzos42]

Hi!

Congrats on the v1 release. Our initial testing is really positive (the DNS resolving being done on the remote machine is awesome).

The site specific middleware config is our only blocker atm. Are there any plans on implementing this in any of the coming releases?

Thanks!

[grokdesigns]

Adding my support for this feature. This would be very handy!

[scetu]

I would love to see this! More granular middleware (for WAF usage) controls for specific sites - for example mTLS, geoblock, crowdsec, Basic Auth etc. setup per resource.
This is currently the biggest missing feature.

[adiroiban]

I would also love to see this feature.

As a start, maybe it can be something simple like this... not the best UI, but should be better than the config text file

[miloschwartz]

Thanks for the visual @adiroiban. We need to figure out a way to get this into the dev cycle.

[adiroiban]

I tried this plugin https://github.com/hhftechnology/middleware-manager ... but it's still complicated to move between 2 UIs

---

I think that if we can do something like this in config/traefik/traefik_config.yml would be a good start:

http:
  routers:
   7-router:
     rule: "Host(`service-7.tun.example.com`)"
     service: dynamic-pangolin-service@http
     entryPoints:
       - websecure
     tls:
       certResolver: letsencrypt
     middlewares:
       - my-custom-plugin
       - other-custom-plugin

[hhftechnology]

it doesn't rely on pangolin. this is more oriented to when you have two pangolin/traefik deployment and want to manage middleware at single origin.

[wieluk]

Yea this would be awesome because otherwise it is really hard to set nextcloud headers and redirects.

[chocology]

Adding my support

[troponaut]

Was about to start a discussion on this, but came across this thread.

+1 on having the ability to attach one or more middlewares on the dynamically generated routers. Either middlewares from the file
provider or the pangolin http provider (defined on the pangolin ui, or pangolin config, per router)

[JobDoesburg]

I have an interesting case to add here. I am using authentik for identity management in my organization, and pangolin to host services. Now when I want to add a new resource, I actually want to configure authentication in authentik, as that's the place where all my access rules live.

Right now, the only way to integrate is to use Authentik OIDC to authenticate to Pangolin, and then configure in pangolin the roles a user must have to access a specific resource. But that means that in Authentik I can only see a user logged in to Pangolin, not which resource specifically.
A way to change this, is using Authentik's reverse proxy provider authentication (https://docs.goauthentik.io/add-secure-apps/providers/proxy/)

I think that using forwardAuth on a resource in Pangolin, I could relay user authentication to Authentik.

What do you think?

[sippeangelo]

Any way to manage middleware would be very useful. In my case I only use Docker labels to configure Pangolin, so implementing that feature in a private fork felt like the easiest option right now: main...sippeangelo:pangolin:middlewares

- pangolin.proxy-resources.paperless.targets[0].middlewares=sablier@file

It would be cool if it was available through the UI as well. I don't think it makes sense to write the middleware itself in Pangolin, that belongs in the Traefik config, but being able to pick available ones from a dropdown would be nice.

[endigma]

Just being able to enable/disable crowdsec per-resource would be great, some already have auth which makes it completely unnecessary.