Pangolin bypass rules raise a practical security question
A setup that protects may still need some paths to skip extra login checks. The app can require paths such as /api to stay reachable so it can talk to the server. That creates a clear concern: a bypass rule may become a weak spot because it lets traffic avoid ’s added .
In this setup, and are running on the same VPS. The core issue is how to keep app access working without turning bypassed paths into an easy attack route.
Key points
- is being used as an extra protection layer in front of .
- The app may need paths like /api to bypass .
- can be risky because they skip the front-door login check.
- For a , exception paths should be kept very limited.
- ’s own still matters even when is in front.