Skip to main content
Blueprints provide a way to define your Pangolin resources and their configurations in a structured, declarative format. This allows for easier management, version control, and automation of your resource setups.

Overview

Pangolin supports two blueprint formats:
  1. YAML Configuration Files: Standalone configuration files
  2. Docker Labels: Configuration embedded in Docker Compose files
Some features in this documentation are marked with (EE), indicating they are available only in the Enterprise Edition of Pangolin.

YAML Configuration Format

YAML config can be applied using Docker labels, API, from a Newt site, or in the UI. Application through a CLI tool is planned.

Newt YAML

Newt automatically discovers and applies blueprints defined in YAML format when passing the --blueprint-file argument. For example
newt --blueprint-file /path/to/blueprint.yaml <other-args>

UI YAML

You can also apply blueprints directly in the Pangolin UI. Navigate to Settings > Blueprints and paste your YAML configuration into the provided text area.

API YAML

You can also apply blueprints directly through the Pangolin API with an API key. Take a look at the API documentation for more details.PUT to /org/{orgId}/blueprint with a base64 encodes JSON body like the following:
{
  "blueprint": "base64-encoded-json-content"
}
See this python example

Public Resources

Public resources are used to expose HTTP, TCP, or UDP services through Pangolin. Below is an example configuration for public resources: 
public-resources:
  resource-nice-id-uno:
    name: this is a http resource
    protocol: http
    full-domain: uno.example.com
    host-header: example.com
    tls-server-name: example.com
    headers:
      - name: X-Example-Header
        value: example-value
      - name: X-Another-Header
        value: another-value
    rules:
      - action: allow
        match: ip
        value: 1.1.1.1
      - action: deny
        match: cidr
        value: 2.2.2.2/32
      - action: pass
        match: path
        value: /admin
    targets:
    - site: lively-yosemite-toad
      hostname: localhost
      method: http
      port: 8000
    - site: slim-alpine-chipmunk
      hostname: localhost
      path: /admin
      path-match: exact
      method: https
      port: 8001
  resource-nice-id-dos:
    name: this is a raw resource
    protocol: tcp
    proxy-port: 3000
    targets:
    - site: lively-yosemite-toad
      hostname: localhost
      port: 3000

Authentication Configuration

Authentication is off by default. You can enable it by adding the relevant fields in the auth section as shown in the example below.
public-resources:
  secure-resource:
    name: Secured Resource
    protocol: http
    full-domain: secure.example.com
    auth:
      pincode: 123456
      password: your-secure-password
      basic-auth:
        user: asdfa
        password: sadf
      sso-enabled: true
      sso-roles:
        - Member
        - Admin
      sso-users:
        - [email protected]
      whitelist-users:
        - [email protected]

Targets-Only Resources

You can define simplified resources that contain only target configurations. This is useful for adding targets to existing resources or for simple configurations: 
public-resources:
  additional-targets:
    targets:
    - site: another-site
      hostname: backend-server
      method: https
      port: 8443
    - site: another-site
      hostname: backup-server
      method: http
      port: 8080
When using targets-only resources, the name and protocol fields are not required. All other resource-level validations are skipped for these simplified configurations.

Maintenance Page Configuration (EE)

This is an Enterprise Edition (EE) feature only. It allows you to display a maintenance page for a public resource when it’s under maintenance or when targets are unhealthy.
public-resources:
  production-app:
    name: Production Application
    protocol: http
    full-domain: app.example.com
    maintenance:
      enabled: true
      type: forced
      title: Scheduled Maintenance
      message: We are performing system upgrades to improve performance. The service will be back online shortly.
      estimated-time: 2 hours
    targets:
    - site: my-site
      hostname: app-server
      method: https
      port: 443
Maintenance Types:
  • forced: Always displays the maintenance page regardless of target health status
  • automatic: Displays the maintenance page only when all targets are unhealthy or the sites are offline

Private Resources

Private resources define proxied resources accessible when connected via an client: 
private-resources:
  private-resource-nice-id-uno:
    name: SSH Server
    mode: host
    destination: 192.168.1.100
    site: lively-yosemite-toad
    roles:
      - Developer
      - DevOps
    users:
      - [email protected]
    machines:
      - machine-id-1
      - machine-id-2
  private-resource-nice-id-duo:
    name: Internal Network
    mode: cidr
    destination: 10.0.0.0/24
    site: lively-yosemite-toad
    users:
      - [email protected]

Docker Labels Format

For containerized applications, you can define blueprints using Docker labels.
Blueprints will continuously apply from changes in the docker stack, newt restarting, or when viewing the resource in the dashboard.

Enabling Docker Socket Access

To use Docker labels, enable the Docker socket when running Newt: 
newt --docker-socket /var/run/docker.sock <other-args>
or using the environment variable: 
DOCKER_SOCKET=/var/run/docker.sock

Docker Compose Example

The compose file will be the source of truth, any edits through the resources dashboard will be overwritten by the blueprint labels defined in the compose stack.
services:
  newt:
    image: fosrl/newt
    container_name: newt
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - PANGOLIN_ENDPOINT=https://app.pangolin.net
      - NEWT_ID=h1rbsgku89wf9z3
      - NEWT_SECRET=z7g54mbcwkglpx1aau9gb8mzcccoof2fdbs97keoakg2pp5z
      - DOCKER_SOCKET=/var/run/docker.sock

  nginx1:
    image: nginxdemos/hello
    container_name: nginx1
    labels:
      # Public Resource Configuration
      - pangolin.public-resources.nginx.name=nginx
      - pangolin.public-resources.nginx.full-domain=nginx.fosrl.io
      - pangolin.public-resources.nginx.protocol=http
      - pangolin.public-resources.nginx.headers[0].name=X-Example-Header
      - pangolin.public-resources.nginx.headers[0].value=example-value
      # Target Configuration - the port and hostname will be auto-detected
      - pangolin.public-resources.nginx.targets[0].method=http
      - pangolin.public-resources.nginx.targets[0].path=/path
      - pangolin.public-resources.nginx.targets[0].path-match=prefix

  nginx2:
    image: nginxdemos/hello
    container_name: nginx2
    labels:
        # Additional target for the same resource where the port and hostname are explicit
      - pangolin.public-resources.nginx.targets[1].method=http
      - pangolin.public-resources.nginx.targets[1].hostname=nginx2
      - pangolin.public-resources.nginx.targets[1].port=80

networks:
  default:
    name: pangolin_default
This will create a resource that looks like the following:
Example resource

Pangolin UI showing Docker Compose blueprint example

Docker Labels Considerations

Automatic Discovery

When hostname and internal port are not explicitly defined in labels, Pangolin will automatically detect them from the container configuration.

Site Assignment

If no site is specified in the labels, the resource will be assigned to the Newt site that discovered the container.

Configuration Merging

Configuration across different containers is automatically merged to form complete resource definitions. This allows you to distribute targets across multiple containers while maintaining a single logical resource.

Configuration Properties

Public Resources

PropertyTypeRequiredDescriptionConstraints
namestringConditionalHuman-readable name for the resourceRequired unless targets-only resource
protocolstringConditionalProtocol type (http, tcp, or udp)Required unless targets-only resource
full-domainstringHTTP onlyFull domain name for HTTP resourcesRequired for HTTP protocol, must be unique
proxy-portnumberTCP/UDP onlyPort for raw TCP/UDP resourcesRequired for TCP/UDP, 1-65535, must be unique within public-resources
sslbooleanNoEnable SSL/TLS for the resource-
enabledbooleanNoWhether the resource is enabledDefaults to true
host-headerstringNoCustom Host header for requests-
tls-server-namestringNoSNI name for TLS connections-
headersarrayNoCustom headers to add to requestsEach header requires name and value (min 1 char each)
rulesarrayNoAccess control rulesSee Rules section below
authobjectHTTP onlyAuthentication configurationSee Authentication section below
maintenanceobjectNoMaintenance page configuration (EE)Enterprise Edition only. See Maintenance Configuration section below
targetsarrayYesTarget endpoints for the resourceSee Targets section below

Target Configuration

PropertyTypeRequiredDescriptionConstraints
sitestringNoSite identifier where the target is located-
hostnamestringYesTarget hostname or IP address-
portnumberYesPort on the target system1-65535
methodstringHTTP onlyProtocol method (http, https, or h2c)Required for HTTP protocol targets
enabledbooleanNoWhether the target is enabledDefaults to true
internal-portnumberNoInternal port mapping1-65535
pathstringHTTP onlyPath prefix, exact path, or regex pattern-
path-matchstringHTTP onlyPath matching type (prefix, exact, or regex)-
rewrite-pathstringNoPath to rewrite the request to-
rewrite-matchstringNoRewrite matching type (exact, prefix, regex, or stripPrefix)-
prioritynumberNoTarget priority for load balancing1-1000, defaults to 100
healthcheckobjectNoHealth check configuration for the targetSee Health Check Configuration below

Health Check Configuration

Health checks can be configured for individual targets to monitor their availability. Add a healthcheck object to any target: 
public-resources:
  monitored-service:
    name: Monitored Service
    protocol: http
    full-domain: service.example.com
    targets:
    - site: my-site
      hostname: backend-server
      method: https
      port: 8443
      healthcheck:
        hostname: backend-server
        port: 8443
        enabled: true
        path: /health
        interval: 30
        timeout: 5
        method: GET
        status: 200
        headers:
          - name: X-Health-Check
            value: true
PropertyTypeRequiredDescriptionConstraints
hostnamestringYesHostname for health check-
portnumberYesPort for health check1-65535
enabledbooleanNoWhether health check is enabledDefaults to true
pathstringNoPath to check-
schemestringNoProtocol scheme for the health check-
modestringNoHealth check modeDefaults to http
intervalnumberNoSeconds between health checksDefaults to 30
unhealthy-intervalnumberNoSeconds between checks when unhealthyDefaults to 30
timeoutnumberNoTimeout in secondsDefaults to 5
headersarrayNoHeaders to send with health checkArray of objects with name and value
follow-redirectsbooleanNoWhether to follow redirectsDefaults to true
methodstringNoHTTP method for health checkDefaults to GET
statusnumberNoExpected HTTP status code-

Authentication Configuration

Not allowed on TCP/UDP resources.
PropertyTypeRequiredDescriptionConstraints
pincodenumberNo6-digit PIN for accessMust be exactly 6 digits
passwordstringNoPassword for access-
basic-authobjectNoBasic authentication configurationRequires user and password fields
sso-enabledbooleanNoEnable SSO authenticationDefaults to false
sso-rolesarrayNoAllowed SSO rolesCannot include “Admin” role
sso-usersarrayNoAllowed SSO usernamesMust be valid usernames
whitelist-usersarrayNoWhitelisted user emailsMust be valid email addresses
auto-login-idpnumberNoAutomatic login identity provider IDMust be a positive integer

Maintenance Configuration (EE)

This is an Enterprise Edition (EE) feature only. It allows you to display a maintenance page for a public resource.
The maintenance object can be added to any public resource to display a maintenance page to users: 
public-resources:
  my-service:
    name: My Service
    protocol: http
    full-domain: service.example.com
    maintenance:
      enabled: true
      type: automatic
      title: Scheduled Maintenance
      message: We are performing scheduled maintenance. Service will resume shortly.
      estimated-time: 2 hours
    targets:
    - site: my-site
      hostname: backend-server
      method: https
      port: 8443
PropertyTypeRequiredDescriptionConstraints
enabledbooleanNoWhether the maintenance page is enabledDefaults to false
typestringNoMaintenance type (forced or automatic)forced always shows maintenance page; automatic shows only when all targets are unhealthy or sites offline
titlestringNoTitle text for the maintenance pageMaximum 255 characters, can be null
messagestringNoMessage text explaining the maintenanceMaximum 2000 characters, can be null
estimated-timestringNoEstimated time for maintenance completionMaximum 100 characters, can be null
Maintenance Types:
  • forced: Always displays the maintenance page regardless of target health status
  • automatic: Displays the maintenance page only when all targets are unhealthy

Rules Configuration

PropertyTypeRequiredDescriptionConstraints
actionstringYesRule action (allow, deny, or pass)-
matchstringYesMatch type (cidr, path, ip, or country)-
valuestringYesValue to match againstFormat depends on match type. For country match, use ALL to match all countries

Private Resources

These are resources used with Pangolin clients (e.g., SSH, RDP).
PropertyTypeRequiredDescriptionConstraints
namestringYesHuman-readable name for the resource1-255 characters
modestringYesResource mode (host or cidr)-
destinationstringYesTarget IP address, hostname, or CIDR blockFor host mode: IP address or domain. For cidr mode: valid CIDR notation
sitestringYesSite identifier where the resource is located-
aliasstringNoFully qualified domain name aliasMust be a valid FQDN (e.g., example.com). Required when destination is a domain in host mode
rolesarrayNoAllowed SSO rolesCannot include “Admin” role
usersarrayNoAllowed user emailsMust be valid email addresses
machinesarrayNoAllowed machine identifiersArray of strings

Validation Rules and Constraints

Resource-Level Validations

  1. Targets-Only Resources: A resource can contain only the targets field, in which case name and protocol are not required.
  2. Protocol-Specific Requirements:
    • HTTP Protocol: Must have full-domain and all targets must have method field
    • TCP/UDP Protocol: Must have proxy-port and targets must NOT have method field
    • TCP/UDP Protocol: Cannot have auth configuration
  3. Alias Uniqueness: alias values must be unique across all private resources within the same blueprint and in the org
  4. Domain Uniqueness: full-domain values must be unique across all public resources
  5. Proxy Port Uniqueness: proxy-port values must be unique per protocol within public resources (e.g., TCP port 3000 and UDP port 3000 can coexist)
  6. Target Method Requirements: When protocol is http, all non-null targets must specify a method

Common Validation Errors

When working with blueprints, you may encounter these validation errors:

“Admin role cannot be included in sso-roles”

The Admin role is reserved and cannot be included in the sso-roles array for authentication configuration.

”Duplicate ‘full-domain’ values found”

Each full-domain must be unique across all public resources. If you need multiple resources for the same domain, use different subdomains or paths.

”Duplicate ‘proxy-port’ values found in public-resources”

Port numbers in proxy-port must be unique per protocol within public-resources (e.g., you can’t have two TCP resources using port 3000, but TCP port 3000 and UDP port 3000 can coexist).

”When protocol is ‘http’, all targets must have a ‘method’ field”

All targets in HTTP proxy resources must specify whether they use http, https, or h2c.

”When protocol is ‘tcp’ or ‘udp’, targets must not have a ‘method’ field”

TCP and UDP targets should not include the method field as it’s only applicable to HTTP resources.

”When protocol is ‘tcp’ or ‘udp’, ‘auth’ must not be provided”

Authentication is only supported for HTTP resources, not TCP or UDP.

”Resource must either be targets-only or have both ‘name’ and ‘protocol’ fields”

Resources must either contain only the targets field (targets-only) or include both name and protocol for complete resource definitions.

”Duplicate ‘alias’ values found in private-resources”

Alias values in private resources must be unique within the blueprint.

”Destination must be a valid IP address or valid domain AND alias is required”

For private resources in host mode, the destination must be a valid IP address or domain. When using a domain, an alias field is required.

”Destination must be a valid CIDR notation for cidr mode”

For private resources in cidr mode, the destination must be a valid CIDR notation (e.g., 10.0.0.0/24).

”Admin role cannot be included in roles”

The Admin role is reserved and cannot be included in the roles array for private resource configuration.