I installed Pangolin on my VPS when it came out two months ago. At the time, there was no OAuth protection. I immediately customized the Traefik configuration to meet my needs, specifically to protect some resources with my already self-hosted Zitadel.

Now, with release v1.3.0 of Pangolin, OAuth2/OIDC is supported.

I believe it is still relevant to provide an implementation of the Traefik ForwardAuth Middleware alongside the out-of-the-box security provided by Pangolin.

In this part of the tutorial, we assume you already run an IdP such as Zitadel. Authelia, Authentik, Keycloak or any other OIDC provider works the same way.

We need to install Tinyauth alongside Pangolin: Traefik will send an authentication sub-request to Tinyauth for every request to a resource we want to protect, and only pass the request to the backend if Tinyauth answers 200. I wrote a guide in the documentation to help with configuring Tinyauth with Zitadel.

Install Tinyauth

Add a new Project in Zitadel with a Web application using the authorization code flow, register `https://tinyauth.example.com/api/oauth/callback/generic` (the APP_URL below followed by Tinyauth's generic provider callback path) as its redirect URI, and note the client id and secret.

Then connect to your VPS and add the following lines to Pangolin's compose file:

services:
  # ...
  tinyauth:
    image: ghcr.io/steveiliop56/tinyauth:v3.3.1
    restart: unless-stopped
    container_name: tinyauth
    environment:
      # 32-character random string protecting the session cookie,
      # e.g. `openssl rand -hex 16` or https://it-tools.tech/token-generator?length=32
      - SECRET=
      # Public URL of Tinyauth: must match the Traefik router host below
      # and the redirect URI registered in Zitadel
      - APP_URL=https://tinyauth.example.com
      - LOG_LEVEL=3
      # No quotes here: in the list form of `environment`, quotes become part of the value
      - GENERIC_SCOPES=openid profile email preferred_username
      - GENERIC_AUTH_URL=https://zitadel.example.com/oauth/v2/authorize
      - GENERIC_TOKEN_URL=https://zitadel.example.com/oauth/v2/token
      - GENERIC_USER_URL=https://zitadel.example.com/oidc/v1/userinfo
      - GENERIC_CLIENT_ID= # paste client id here
      - GENERIC_CLIENT_SECRET= # paste client secret here (keep the compose file out of git, or move this to an .env file)
      - GENERIC_NAME=Zitadel
      # Skip Tinyauth's own login form and send users straight to Zitadel
      - OAUTH_AUTO_REDIRECT=generic
      - DISABLE_CONTINUE=true

We do not use container labels to configure Traefik in this case; instead, we modify the dynamic configuration file.

Configure Traefik ForwardAuth

Open the dynamic configuration file and, in the routers section, add a new router for Tinyauth. Its host must be the APP_URL configured above, and it must not carry the tinyauth middleware itself, otherwise the login page would redirect to itself in a loop:

http:
  # ...
  routers:
    tinyauth:
      entryPoints:
        - websecure
      middlewares:
        - security-headers # no tinyauth middleware on the login page itself
      rule: Host(`tinyauth.example.com`) # same host as APP_URL
      service: tinyauth
      tls:
        certresolver: letsencrypt

Then add a new service pointing at the container (Traefik reaches it over the compose network, so the port is not published on the host):

http:
  # ...
  services:
    tinyauth:
      loadBalancer:
        servers:
          - url: http://tinyauth:3000

Finally, add the new middleware. Traefik calls `address` for every request that passes through it; a 2xx answer lets the request through, anything else (a 401 or a redirect to the login page) is returned to the client instead. The headers listed in `authResponseHeaders` are copied from Tinyauth's answer onto the forwarded request, replacing any value the client may have sent under the same name, so the backend can trust them:

http:
  # ...
  middlewares:
    tinyauth:
      forwardAuth:
        # Tinyauth's Traefik-specific endpoint (container name and internal port)
        address: "http://tinyauth:3000/api/auth/traefik"
        # Identity headers copied from Tinyauth's response onto the request to the backend;
        # client-supplied headers with these names are overwritten, not passed through
        authResponseHeaders:
          - "Remote-User"
          - "Remote-Name"
          - "Remote-Email"
          - "Remote-Groups"

You can now add a new router that protects a Pangolin resource with the new middleware, just like we did in part 2. Its priority must be higher than the one Pangolin assigns to the resource's own router: if it is not, Traefik keeps matching Pangolin's router and the resource is served without the middleware.

http:
  # ...
  routers:
  # ...
    whoami:
      entryPoints:
        - websecure
      middlewares:
        - security-headers
        - tinyauth # the ForwardAuth middleware defined above
      rule: Host(`whoami.example.com`)
      priority: 40 # make sure it is higher than the value in the dashboard
      service: <resource-id>-service@http # find the id of the resource in the dashboard
      tls:
        certresolver: letsencrypt

[Screenshot: whoami example]
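Once Traefik has reloaded the dynamic configuration, the following script checks from outside that the setup behaves as intended. It is an added example for this tutorial, not code from the Pangolin or Tinyauth projects, and it assumes the hostnames used above: `whoami.example.com` as the protected resource and `https://tinyauth.example.com` as Tinyauth's APP_URL (both can be overridden through the environment). It verifies that an anonymous request is blocked, that a client-supplied `Remote-User` header does not bypass the middleware, and that the Tinyauth UI itself is still reachable. Tinyauth answers 401 to non-browser clients and redirects browsers (`Accept: text/html`) to its login page, so the script treats either as "blocked".

```bash
#!/usr/bin/env bash
# Post-deployment check for the Tinyauth ForwardAuth setup (added example,
# not code from the Pangolin or Tinyauth projects).
# Assumed hostnames from the tutorial; override via environment if yours differ.
set -eu

PROTECTED_HOST="${PROTECTED_HOST:-whoami.example.com}"
TINYAUTH_URL="${TINYAUTH_URL:-https://tinyauth.example.com}"

# Status code from a raw HTTP header block (as written by `curl -D -`).
response_status() {
  printf '%s\n' "$1" | tr -d '\r' | head -n 1 | awk '{print $2}'
}

# Location header value from a raw HTTP header block (empty if none).
response_location() {
  printf '%s\n' "$1" | tr -d '\r' | awk 'tolower($1) == "location:" { print $2; exit }'
}

# Returns 0 when the middleware blocked the request (401, or a redirect to the
# Tinyauth login page). Returns 1 when the response came from the backend,
# i.e. the resource is exposed. A redirect to any other host is not "blocked".
is_blocked() {
  status=$(response_status "$1")
  location=$(response_location "$1")
  case "$status" in
    401) return 0 ;;
    301|302|303|307|308)
      case "$location" in
        "$TINYAUTH_URL"/*) return 0 ;;
      esac
      return 1 ;;
  esac
  return 1
}

# GET a URL and return only the response headers; redirects are not followed.
# `Accept: text/html` makes Tinyauth answer like it would for a browser.
fetch_headers() {
  curl -sS --max-time 10 -o /dev/null -D - -H 'Accept: text/html' "$@"
}

run_checks() {
  echo "[1] anonymous request to https://$PROTECTED_HOST/ must be blocked"
  is_blocked "$(fetch_headers "https://$PROTECTED_HOST/")" \
    || { echo "    FAIL: backend answered without authentication (check router priority and middleware list)"; return 1; }
  echo "    ok"

  echo "[2] a client-supplied Remote-User header must not bypass the middleware"
  is_blocked "$(fetch_headers -H 'Remote-User: admin' "https://$PROTECTED_HOST/")" \
    || { echo "    FAIL: spoofed identity header was accepted"; return 1; }
  echo "    ok"

  echo "[3] the Tinyauth UI itself must be reachable (its router carries no tinyauth middleware)"
  [ "$(response_status "$(fetch_headers "$TINYAUTH_URL/")")" = 200 ] \
    || { echo "    FAIL: $TINYAUTH_URL/ is not serving the login page"; return 1; }
  echo "    ok"
}

# Only touch the network when asked; sourcing the file just defines the helpers.
if [ "${1:-}" = "run" ]; then
  run_checks
fi
```

Run it with `bash check-tinyauth.sh run`. Check 2 only proves that the middleware still runs when the client sends an identity header; what makes the header trustworthy on the backend is the `authResponseHeaders` list in the middleware, which overwrites any client-supplied `Remote-*` value with the one Tinyauth returns.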

I hope this guide has been helpful in setting up and configuring Tinyauth with Pangolin to enhance your security measures. Thank you for taking the time to read through it!