Pangolin bypass rules raise a practical security question

A setup that protects may still need some paths to skip extra login checks. The app can require paths such as /api to stay reachable so it can talk to the server. That creates a clear concern: a bypass rule may become a weak spot because it lets traffic avoid ’s added .

In this setup, and are running on the same VPS. The core issue is how to keep app access working without turning bypassed paths into an easy attack route.

Key points

  • is being used as an extra protection layer in front of .
  • The app may need paths like /api to bypass .
  • can be risky because they skip the front-door login check.
  • For a , exception paths should be kept very limited.
  • ’s own still matters even when is in front.
Read original