Rules allow you to either “allow” and bypass the Pangolin auth system (no pin, login, password), or “deny” and fully reject the request. After you create a resource you can select the “Rules” tab on the sidebar and enable rules.

Allow Rules

Bypass authentication completely for matching requests. Users can access resources without any login or PIN.

Deny Rules

Completely reject requests that match the rule. Useful for blocking admin paths or sensitive endpoints.

Types of Rules

Rules are processed from top to bottom in order of their priority. This means you can have multiple rules to bypass auth and to just flat deny users at the end. Right now you can match on the following items:

Path

Path match rules allow URL patterns defined with plain text and wildcards (*) that match any characters. Patterns and URLs are split into segments (using /), and each segment is matched individually.

Examples:

  • blog/posts
    Matches the exact path /blog/posts.
  • blog/*
    Matches any path under /blog (e.g., /blog/travel).
  • */2023/*
    Matches paths with /2023/ as a middle segment (e.g., /news/2023/summary).
  • article*
    Matches segments starting with “article” (e.g., /article-123).
  • *admin*
    Matches segments containing “admin” (e.g., /my-admin-panel).
  • personal-*/*
    Matches paths where the first segment starts with personal- and is followed by any segment (e.g., /personal-blog/post).

Segment-by-Segment Matching

  • Normalization:
    Both patterns and URLs are split into segments. For example, /blog/journal/entry becomes ["blog", "journal", "entry"], while /blog* becomes ["blog*"].
  • Validation:
    Each pattern segment must correspond to a URL segment, and wildcards match zero or more characters within that segment. A pattern like /blog* only matches the first segment, so URLs with extra segments require additional placeholders (e.g., /blog*/*).

CIDR

CIDR (Classless Inter-Domain Routing) notation specifies IP address ranges using an IP address and a network prefix length. The format is [IP address]/[prefix length]. Examples:
  • 144.234.11.22/24 - Matches all 256 IPs from 144.234.11.0 to 144.234.11.255 (the host bits of the address you type are ignored)
  • 10.0.0.0/8 - Matches any IP starting with 10 (16.7 million addresses)
  • 2001:db8::/32 - Matches a range of IPv6 addresses
  • 0.0.0.0/0 - Matches all IPv4 addresses
The prefix length (0-32 for IPv4, 0-128 for IPv6) determines how many bits from the left are fixed. Smaller prefix numbers match larger ranges; /0 fixes no bits at all, which is why 0.0.0.0/0 matches every IPv4 address.

IP

Pretty simple: you can match on a single IP address, such as your home IP, to bypass auth. This is the same as entering that address as a /32 CIDR (or /128 for IPv6). Examples:
  • 23.234.134.32
  • 34.45.245.64
  • 192.168.1.1
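An added example (not Pangolin's own code) of the CIDR and IP checks from the two sections above: `cidrContains` treats a bare address as the /32 or /128 case, compares only the leading prefix bits (so host bits in the rule's own address, as in 144.234.11.22/24, are ignored), and never matches across address families. The function and its error handling are this example's assumptions.

```typescript
// Dotted quad -> four bytes, rejecting anything outside 0..255.
function ipv4Bytes(ip: string): number[] {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return parts.map(Number);
}

// Expand "::" into the missing zero groups, then emit sixteen bytes.
function ipv6Bytes(ip: string): number[] {
  const halves = ip.split("::");
  if (halves.length > 2) throw new Error(`bad IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  const groups = [...head, ...new Array<string>(Math.max(fill, 0)).fill("0"), ...tail];
  if (fill < 0 || groups.length !== 8) throw new Error(`bad IPv6 address: ${ip}`);
  const bytes: number[] = [];
  for (const g of groups) {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) throw new Error(`bad IPv6 group: ${g}`);
    const v = parseInt(g, 16);
    bytes.push(v >> 8, v & 0xff);
  }
  return bytes;
}

// True when `ip` lies inside `cidr`. A bare address (an IP rule) is the /32 or /128 case.
export function cidrContains(cidr: string, ip: string): boolean {
  const parts = cidr.split("/");
  const net = parts[0];
  const v6 = net.includes(":");
  if (v6 !== ip.includes(":")) return false; // an IPv4 rule never matches an IPv6 client
  const bits = v6 ? 128 : 32;
  const prefix = parts.length === 1 ? bits
    : parts.length === 2 && /^\d+$/.test(parts[1]) ? Number(parts[1]) : -1;
  if (prefix < 0 || prefix > bits) throw new Error(`bad prefix length: ${cidr}`);
  const a = v6 ? ipv6Bytes(net) : ipv4Bytes(net);
  const b = v6 ? ipv6Bytes(ip) : ipv4Bytes(ip);
  // Only the leading `prefix` bits count: whole bytes first, then the partial byte.
  const full = prefix >> 3;
  const rem = prefix & 7;
  for (let i = 0; i < full; i++) if (a[i] !== b[i]) return false;
  if (rem === 0) return true;
  const mask = (0xff << (8 - rem)) & 0xff;
  return (a[full] & mask) === (b[full] & mask);
}
```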

Rules for Specific Apps

This table compiles paths that need to be allowed for various apps to work with Pangolin authentication.
Each app is listed with its required bypass (allow) rules; lines marked "Always Deny" are deny rules to add alongside them.

Media Management
  • Radarr
    /api/*
  • Sonarr
    /api/*
  • Lidarr
    /api/*

Media Servers
  • Jellyfin (iOS)
    /system/info/public
  • Jellyfin (Roku)
    /System/Info/Public
    /Users/AuthenticateByName
    /Users/Public
    /QuickConnect/Initiate
    /QuickConnect/Connect
    /Users/AuthenticateWithQuickConnect
  • Audiobookshelf (Android)
    /api/*
    /login*
    /s/*
    /ping*
    /feed/*
    /socket*
    /status

Management & Monitoring
  • Tautulli
    /api/*
  • Harbour
    /api/*
  • Hoarder App
    /api/*
  • Uptime Kuma Manager
    /api/*
    /socket.io/*
  • MeshCentral
    /api/*
    /meshrelay.ashx
    /agent.ashx

Security & Privacy
  • AdGuard Home
    /api/*
  • Ente Auth
    *api*
  • Vaultwarden/Bitwarden
    /api/*
    /identity/*
    /wl/*
    Always Deny - Path - /admin/*

Cloud & Sync
  • Nextcloud
    / (Main interface)
    /index.php (Core handler)
    /remote.php (Remote access)
    /status.php (Status checks)
    /ocs (Collaboration Services API)
    /apps (Applications)
    /remote.php/webdav (WebDAV endpoint)
    /remote.php/dav (CalDAV/CardDAV)
    /remote.php/caldav (Calendar sync)
    /remote.php/carddav (Contacts sync)
    /ocs/v1.php (API endpoints)
    /ocs/v2.php (API v2 endpoints)
    /login (Authentication)
    /.well-known/* (Service discovery)
    /.well-known/webfinger (WebFinger protocol)
    /s/* (Shared files/folders)
  • Onlyoffice
    /cache/*
    */CommandService.ashx
    */converter/*
    */doc/*
    */downloadas/*
    /downloadfile/*
    */fonts/*
    /healthcheck
    /methodology/*
    */plugins.json
    */sdkjs/*
    */sdkjs-plugins/*
    */themes.json
    */web-apps/*

Photo Management
  • Ente Photos
    *api*
  • Immich
    /api/*
    /.well-known/immich

File Management
  • Filebrowser
    /static/*
    /share/*
    /api/public/dl/*
    /api/public/share/*

Notes & Knowledge Management
  • Joplin Notes Server
    /api/*
    /shares/*
    /css/*
    /images/*
    Always Deny - Path - /login/* (optional)
  • Erugo
    /api/*
    /shares/*
    /build/*
    /get-logo
  • Memos
    /api/*
    /assets/*
    /explore*
    /memos.api.v1.*
    /auth/callback*
    /auth
    /site.webmanifest
    /logo.webp
    /full-logo.webp
    /android-chrome-192x192.png
  • Linkding
    /api/*
    /bookmarks/*
    Always Deny - Path - /admin/*

Communication
  • Matrix/Synapse (Clients)
    /_matrix/*
    /_synapse/client/*
  • Matrix/Synapse (Federation)
    /_matrix/*

Notifications
  • Gotify
    /version
    /message
    /application
    /client
    /stream
    /plugin
    /health

Home Automation
  • Home Assistant
    /api/*
    /auth/*
    /frontend_latest/*
    /lovelace*
    /static/*
    /hacsfile/*
    /local/*
  • n8n
    /webhook-test/*/webhook
    /webhook/*/webhook

Project Management
  • Jetbrains Youtrack
    /api/*
    /hub/api/*

These rules are examples and may need to be adjusted based on your specific app configuration and version.