r/PangolinReverseProxy

Conduit (iOS OpenWebUI client) behind SSO-protected resource: CORS preflight gets redirected to auth page and breaks

Hi all - looking for guidance on how a non-browser native client should authenticate against a Pangolin SSO protected resource. This setup worked for well over a month and stopped at some point after May 11.

(note: I used AI to clean up my notes and make them more coherent)

Setup

- Pangolin 1.18.4 (also reproduced on 1.17.0), Gerbil 1.4.0, Traefik v3.6, single Newt site

- Resource: OpenWebUI at app.example.com with sso = true, no other auth methods (password / pincode / whitelist / header / access token are unset)

- Client: Conduit (official iOS client for OpenWebUI), a Flutter app - Dart HTTP client for API calls + WKWebView for the SSO step

Timeline

- February → May 11: Conduit worked. Traefik access logs show its Dart HTTP client successfully reaching the OpenWebUI backend service across that whole window - hundreds of 200s on /api/v1/... endpoints, no cookies visible in the logs.

- Gap of ~9 days where I didn't use Conduit because I was on vacation.

- May 20 onward: completely broken. Same Dart client, same iOS device, but every request now stops at Pangolin's auth page - zero traffic reaches the OpenWebUI backend service.

- Closest discrete event in the gap: the Pangolin container restarted on May 14. No image version change, no config file edits, no DB migrations. I cannot definitively identify what changed.

Current behavior

- Conduit opens a WKWebView to perform login. The user successfully signs in on proxy.example.com - I can see a valid user session in the session table and dozens of short-lived resourceSessions entries (isRequestToken=1, sessionLength 30000) being issued for the resource.

- The webview then loops on /auth/resource/<guid>?redirect=https://app.example.com/api/..., never reaching the OpenWebUI backend.

- Conduit surfaces: "SSO authentication failed - Invalid token or insufficient permissions"

What the traefik access log shows

The webview makes a CORS preflight OPTIONS https://app.example.com/api/config. Pangolin's middleware responds with a 302 to https://proxy.example.com/auth/resource/<guid>?redirect=.... The webview follows the 302 preserving the OPTIONS method. The Next.js dashboard at that path returns 400 with no Access-Control-Allow-Origin, which breaks the preflight, and the browser never makes the real request. This loops forever.

What I tried

- Recreating the resource from scratch - same behavior

- Upgrading the whole stack (Pangolin 1.17 → 1.18.4, Gerbil 1.3.1 → 1.4.0) - same behavior

- Downgrading OpenWebUI to the older version that was running when this last worked - same behavior, confirming the block is upstream of OpenWebUI

- Adding https://app.example.com to server.cors.origins in config.yml and restarting Pangolin - no effect, because that setting governs the API server, not the Next.js auth page that's actually returning the 400

Question

Is there a supported way for Conduit (or any native client whose SSO step is a WKWebView) to get through a resource gated by Pangolin SSO? Specifically:

1. Should the SSO middleware respond directly to OPTIONS preflights with CORS headers instead of redirecting them? If so, is there a config to enable that, or is it a feature request?

2. Are Resource Access Tokens or Resource Header Auth the intended path here? If so, how do you configure a client that only sends Authorization: Bearer <OpenWebUI-token> to also include a Pangolin token/header - Conduit doesn't expose a custom-headers field as far as I can tell.

3. Did anything change in Pangolin's SSO middleware behavior between an early-April 1.17.0 build and now that would explain a working setup quietly breaking on a container restart?

Happy to share more log excerpts or DB output if useful. Thanks!

u/GonnaBeAGoodDayTater — 22 hours ago
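To make the preflight problem in the post concrete, here is an added example (not code from the post, from Conduit, or from Pangolin) that models an auth middleware in front of a resource two ways: the behaviour the access log shows (every unauthenticated request, OPTIONS included, is bounced to the auth page) and the behaviour question 1 asks for (the middleware answers the preflight itself and only gates the real request). Requests and responses are plain objects so it runs offline; the origin allowlist, the cookie name p_session, the preflight's Origin of https://proxy.example.com and the <guid> placeholder are all assumptions made for the example.

```javascript
// Added example, not Pangolin code: how a forward-auth layer should treat a CORS
// preflight. Requests/responses are plain objects so this runs offline.

const AUTH_BASE = "https://proxy.example.com/auth/resource/<guid>"; // placeholder, as in the post
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://proxy.example.com"]); // assumed allowlist

// Stand-in for the resource-session check; a real middleware looks the cookie up in its store.
function hasValidSession(req) {
  return (req.cookies || {}).p_session === "valid"; // cookie name is an assumption
}

// A preflight is OPTIONS + Origin + Access-Control-Request-Method; nothing else counts.
function isPreflight(req) {
  return req.method === "OPTIONS" &&
    typeof req.headers["origin"] === "string" &&
    typeof req.headers["access-control-request-method"] === "string";
}

function redirectToAuth(req) {
  const redirect = encodeURIComponent(`https://${req.host}${req.path}`);
  return { status: 302, headers: { location: `${AUTH_BASE}?redirect=${redirect}` } };
}

// Behaviour seen in the post's access log: the preflight is redirected like any other
// unauthenticated request. The webview follows the 302 with OPTIONS, the auth page
// answers 400 without CORS headers, and the preflight (and so the real request) fails.
function middlewareRedirectsPreflight(req) {
  if (hasValidSession(req)) return { status: 200, headers: {}, upstream: true };
  return redirectToAuth(req);
}

// Corrected behaviour: answer the preflight at the edge. A preflight never carries
// cookies or an Authorization header, so answering it grants nothing by itself; the
// actual request that follows is still subject to the session check below.
function middlewareAnswersPreflight(req) {
  if (isPreflight(req)) {
    const origin = req.headers["origin"];
    if (!ALLOWED_ORIGINS.has(origin)) {
      return { status: 403, headers: {} }; // unknown origin: no CORS grant at all
    }
    return {
      status: 204,
      headers: {
        "access-control-allow-origin": origin, // echo an allowlisted origin only; never "*" with credentials
        "access-control-allow-credentials": "true",
        "access-control-allow-methods": "GET, POST, PUT, DELETE, OPTIONS",
        "access-control-allow-headers": req.headers["access-control-request-headers"] || "authorization, content-type",
        "vary": "Origin",
      },
    };
  }
  if (hasValidSession(req)) return { status: 200, headers: {}, upstream: true };
  return redirectToAuth(req);
}

// Constructed requests mirroring the log entries described in the post.
const preflight = {
  method: "OPTIONS", host: "app.example.com", path: "/api/config",
  headers: { origin: "https://proxy.example.com", "access-control-request-method": "GET",
             "access-control-request-headers": "authorization" },
};
const realRequestNoSession = {
  method: "GET", host: "app.example.com", path: "/api/config",
  headers: { origin: "https://proxy.example.com", authorization: "Bearer <openwebui-token>" },
};
const realRequestWithSession = { ...realRequestNoSession, cookies: { p_session: "valid" } };

console.log("broken:", middlewareRedirectsPreflight(preflight).status);   // 302
console.log("fixed: ", middlewareAnswersPreflight(preflight).status);     // 204
console.log("real, no session:", middlewareAnswersPreflight(realRequestNoSession).status); // 302
```

The point worth keeping in mind is that the preflight response is a capability grant to the browser, not an authentication decision: it must reflect only allowlisted origins (with Vary: Origin so caches don't leak one origin's grant to another), and the real request still has to present a valid session, which is why the second middleware redirects the GET without a cookie exactly as the first one does.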

Pangolin Noobie here - HTTPS error - PR_CONNECT_RESET_ERROR

Hello, I'm currently remote, looking up what the errors on my Pangolin site could mean. I am watching a YouTube video and following the "Quick Install Guide" on their official website. I finished the Pangolin install and then tried to navigate to the initial setup on my server - https://pangolin.example.com/auth/initial-setup

When I connect via HTTPS I am met with the error PR_CONNECT_RESET_ERROR. However, when I navigate to the site using HTTP, the site opens up just fine. I also tried HTTPS with a different browser, but same result.

So is this an SSL error? I noticed on the guide "Provide an email for SSL certificates and admin login", which I did, but I'm really not sure where to go from here.

EDIT: I should also mention I opened my firewall ports for 80, 443, 21820, and 51820

u/_-Julian- — 2 days ago

Allowing mobile app access to Navidrome, Wallabag as public resources

Got Pangolin set up yesterday and I'm thrilled with the development. Excited to hammer out the details and have it working smoothly.

On my home server, I'm running (among other things) Navidrome and Wallabag, both of which I connect to using mobile apps on my Android phone: Symfonium for Navidrome, and Wallabag for, well, Wallabag.

Right now, both resources are public but protected by Pangolin SSO. This is an intermediate step; my ultimate goal is to use Pocket-ID as an identity provider for SSO—but the point is that I don't want to make these private resources, nor do I want to remove the SSO and rely only on the resources' native authentication processes.

But the mobile apps, of course, need to bypass the Pangolin authentication layer altogether.

For Wallabag, I've tried adding HTTP basic auth and making a rule to bypass auth on the /api/* path, but the app still throws errors, saying "API access test failed" and showing that it was served a Pangolin redirection page.

I haven't yet tried to hammer out Navidrome/Symfonium—I don't quite know where to start.

Has anyone successfully configured these resources and apps as public services behind SSO? I'd love to learn from you how you did it. I have a hunch that forward auth might be involved, but I don't fully understand forward auth yet or know how to set it up properly.

Thanks in advance!

u/SpencerDub — 3 days ago
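As an added example (not from the post and not Pangolin's own rule engine), the snippet below evaluates a path bypass rule like the "/api/*" one mentioned above against the paths a mobile client actually requests, to show which requests would still land on the SSO redirect page. The glob semantics ("*" matches any characters, so "/api/*" matches "/api/" but not "/api"), the action name PASS for "skip auth", and the assumption that a Wallabag client also needs /oauth/v2/token for its OAuth2 token exchange are all mine; check the project's documentation for the exact rule syntax it supports.

```javascript
// Added example, not Pangolin code: which client requests a path bypass rule covers.

// Minimal glob: "*" matches any run of characters, everything else is literal.
// This is an assumption about rule syntax, not a statement of what Pangolin does.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp(`^${escaped.replace(/\*/g, ".*")}$`);
}

// The single rule from the post. PASS = skip the auth layer (assumed action name).
const RULES = [
  { pattern: "/api/*", action: "PASS" },
];

// First matching rule wins; with no match the SSO middleware handles the request,
// which for an API client means an HTML login page instead of JSON.
function evaluate(path, rules = RULES) {
  for (const r of rules) {
    if (globToRegExp(r.pattern).test(path)) return r.action;
  }
  return "AUTH";
}

// Constructed paths a Wallabag-style API client might touch. The token endpoint is an
// assumption about the client; the point is that it sits outside the bypassed prefix.
const SAMPLE_PATHS = [
  "/api/entries",     // covered by /api/*
  "/api/version",     // covered by /api/*
  "/api",             // not covered: the glob requires the trailing slash
  "/oauth/v2/token",  // OAuth2 token exchange (assumed path): not covered
  "/",                // connectivity probe to the root: not covered
];

// Everything that still hits the auth layer. A non-empty list is the
// "served a Pangolin redirection page" symptom described in the post.
function uncoveredPaths(paths, rules = RULES) {
  return paths.filter((p) => evaluate(p, rules) === "AUTH");
}

console.log("still redirected:", uncoveredPaths(SAMPLE_PATHS));
console.log("with /oauth/* bypassed too:",
  uncoveredPaths(SAMPLE_PATHS, [...RULES, { pattern: "/oauth/*", action: "PASS" }]));
```

The security trade-off is the obvious one: every path a PASS rule covers is guarded only by the application's own authentication (Wallabag's tokens, Navidrome's credentials), so the bypass should be as narrow as the client needs and the application's own auth must be enabled on those paths.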

Possible to change assigned VPN subnet?

I'm not talking about Host/CIDR for private resources, I'm talking about the IP assigned to clients on the VPN.

For example, when I connect using the Pangolin client, it assigns an IP address (e.g. 192.168.1.3, pic), but my LAN network is also 192.168.1.x. I'm curious if it's possible to have Pangolin use a different subnet, so as not to create confusion between the two networks.

u/BostonDrivingIsWorse — 4 days ago

Attach pangolin hosted nodes to cloud

I have two domains, one I use internally and another I use externally. I have two instances of Pangolin, on premise and on a VPS; each manages one domain. I stumbled across the idea of Pangolin nodes. Is it possible to join these now as nodes? In case I change my mind, how easy is it to detach my nodes from the cloud plane?

u/DigiDoc101 — 4 days ago

Client mTls certificate

After some recent security concerns, I've been looking at ways to harden the external access to my publicly available services like Home Assistant and Immich.

I've got mTLS client certificates working with Cloudflare now, as what I hope is a temporary measure, but I'm trying to do the same thing with Pangolin and can't find any documentation on this.

Is it possible to generate and upload client certificates to my mobile device that then I can use over the public internet? I don't want to have to use the Pangolin client on my phone, as I find it too restrictive.

Immich does at least support header authentication, but Home Assistant app doesn't.

Any ideas would be appreciated.

u/Artistic_Dig_5622 — 5 days ago

Hosting LAN Party over Pangolin

My friends and I like to play old games, some of which only work over LAN.

I tried to set my friend up with a Pangolin client to access my private LAN resources (CIDR 192.168.1.0/24, TCP/UDP all ports allowed). He could ping my computer IP, but for some reason when one of us would create a game, the other person couldn't see it.

We've also tried this on an actual LAN without issue, so I'm curious what else we might try to make a VPN connection act more like a LAN connection. A couple other points:

  • I made sure access controls were correct, my friend in the "friends" role, and allowing "friends" to access the private resource.

  • Windows Defender Firewall allowing access to the game app. Even tried turning it off completely to test.

Any thoughts as to what might be blocking two computers, one on the LAN and one connected via the Pangolin client, from talking to each other?

u/BostonDrivingIsWorse — 5 days ago

Those who host Pangolin on a VPS, do you host something else on the same VPS alongside it?

Hey,

I was wondering if those of you who run Pangolin on a VPS host some other services on that VPS as well.

If you do then what is it? And is it possible to expose the other services through Pangolin just like the ones on your home network?

Thanks!

u/Red_Con_ — 7 days ago
▲ 19 r/PangolinReverseProxy+1 crossposts

Cloudflare Tunnel powerusers who switched to Pangolin. What do you miss most from CF? What made you switch?

Title says it all. Looking for reasons to make the switch besides privacy.

u/thedthatsme — 7 days ago

Wildcard Resources: WireGuard Tunnel to Route HTTPS Traffic for Multiple Subdomains

Wrapping up the week with one last Pangolin video, this time on Wildcard Resources.

If you’re routing lots of subdomains, this feature helps you avoid creating a separate resource for every service and lets you send matching traffic through a single tunnel.

Now we need to get 1.19 out so we have more new things to cover 👀

Anything you’d like to see us cover next?

u/HugoDos — 6 days ago

"No server available" Error 503

I started getting this error one day. Fixed it by disabling the health check.

My setup

Pangolin on VPS

Newt tunnel to self hosted

Resources with health checks to the container at long intervals.

Background

At some point (either containers were restarted or down for some reason) the health check failed, and I was no longer able to access the resources because Pangolin simply does not route to it anymore after the health check fails. The containers were still running locally, just not routed to by Pangolin anymore.

Solution

In my case it was due to setting up Pangolin health checks to my resources (and probably the interval times were too long to reset once the containers were back up). Turned these off after making sure all my containers were working and everything went back to normal.

credit to this post for finding solution

https://help.nextcloud.com/t/since-two-days-no-available-server-in-aio-admin-webui-port-8080-works/244329

u/Aggressive_Award2048 — 7 days ago

concerning activity in http logs

I made the mistake of looking at my logs and was rather shocked at the number of denied requests coming in from all around the world.

Most of my public resources are behind Google OAuth, apart from Home Assistant where I use a shared link and token.

I thought I would be clever and also change the name of the resource to an 18-digit random combination.

However, as soon as I did this, guess what, loads of new access requests are showing up from all around the world. Any idea if this is Pangolin health-check related?

Any idea where these could be coming from and why? Should I be worried or not?

I seem to get a lot of requests from web crawlers looking for robots.txt too. How do they even know about my sites unless they are scraping data from my browser?

Many thanks

https://preview.redd.it/u1grf6m1c41h1.png?width=2305&format=png&auto=webp&s=09a5db7b492b595d204f700b9d6efe7f5bb6a607

u/Artistic_Dig_5622 — 8 days ago
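On the "how do they even know" question: a publicly trusted certificate for a new hostname is published to Certificate Transparency logs at issuance, and scanners watch those logs, so a renamed resource that gets a fresh Let's Encrypt certificate is discovered within minutes regardless of how random the name is. What matters for the worry question is whether anything got past the auth layer. The added example below (not from the post or from Pangolin) is a small triage pass over Traefik JSON access-log lines: the five lines are constructed with documentation IPs and a placeholder host but use Traefik's real field names, and treating 302 (bounce to the login page), 401 and 403 as "denied" is my assumption for an SSO-gated resource.

```javascript
// Added example, not Pangolin or Traefik code: triage of Traefik JSON access-log lines.

// Statuses an unauthenticated hit on an SSO-gated resource ends with (assumption).
const DENIED_STATUSES = new Set([302, 401, 403]);
// Paths mass scanners walk on every new hostname they see.
const PROBE_PATHS = ["/robots.txt", "/.env", "/.git/config", "/wp-login.php", "/admin", "/.well-known/security.txt"];

// Constructed sample: one scanner walking probe paths, one single root hit, one real
// authenticated request that reached the backend (200).
const RAW_LOG = `
{"ClientHost":"203.0.113.7","RequestHost":"random-name.example.com","RequestMethod":"GET","RequestPath":"/robots.txt","DownstreamStatus":302,"StartUTC":"2025-05-20T10:00:01Z"}
{"ClientHost":"203.0.113.7","RequestHost":"random-name.example.com","RequestMethod":"GET","RequestPath":"/.env","DownstreamStatus":302,"StartUTC":"2025-05-20T10:00:02Z"}
{"ClientHost":"203.0.113.7","RequestHost":"random-name.example.com","RequestMethod":"GET","RequestPath":"/wp-login.php","DownstreamStatus":302,"StartUTC":"2025-05-20T10:00:03Z"}
{"ClientHost":"198.51.100.42","RequestHost":"random-name.example.com","RequestMethod":"GET","RequestPath":"/","DownstreamStatus":302,"StartUTC":"2025-05-20T10:05:00Z"}
{"ClientHost":"192.0.2.10","RequestHost":"random-name.example.com","RequestMethod":"GET","RequestPath":"/api/states","DownstreamStatus":200,"StartUTC":"2025-05-20T10:06:00Z"}
`.trim();

function parseLog(raw) {
  return raw.split("\n").filter(Boolean).map((line) => JSON.parse(line));
}

// Per-client counts plus totals. Each client keeps the set of paths it touched so a
// human can eyeball what a flagged address was after.
function triage(entries) {
  const byClient = new Map();
  let denied = 0, probes = 0;
  for (const e of entries) {
    const isDenied = DENIED_STATUSES.has(e.DownstreamStatus);
    const isProbe = PROBE_PATHS.includes(e.RequestPath);
    if (isDenied) denied++;
    if (isProbe) probes++;
    const c = byClient.get(e.ClientHost) || { requests: 0, denied: 0, probes: 0, paths: new Set() };
    c.requests++;
    c.denied += isDenied ? 1 : 0;
    c.probes += isProbe ? 1 : 0;
    c.paths.add(e.RequestPath);
    byClient.set(e.ClientHost, c);
  }
  return { total: entries.length, denied, probes, byClient };
}

// A client that only ever gets denied and walks known probe paths is a scanner, not a
// user; those addresses are candidates for a deny rule or a fail2ban-style ban at the edge.
function scannerClients(summary, minProbes = 2) {
  return [...summary.byClient]
    .filter(([, c]) => c.probes >= minProbes && c.denied === c.requests)
    .map(([ip]) => ip);
}

// Share of requests that never got past the auth layer. A high ratio with the backend
// only ever seeing authenticated 200s means the gate is doing its job.
function deniedRatio(summary) {
  return summary.denied / summary.total;
}

const summary = triage(parseLog(RAW_LOG));
console.log(`denied ${summary.denied}/${summary.total}, probes ${summary.probes}`);
console.log("scanner clients:", scannerClients(summary));
```

Run it against real lines by replacing RAW_LOG with the file contents; the only thing to watch is that ClientHost is the address Traefik saw, which behind a tunnel or another proxy may be the tunnel endpoint rather than the real client unless forwarded headers are trusted and configured.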

Get Alerts When Devices and Network Resources Go Down

We put together a short video covering the new alerting feature introduced in Pangolin 1.18.

It lets you send alerts when things like sites, resources, or standalone health checks change status, so you can get notified when something goes offline instead of finding out from a user later.

We’re also curious what integrations people would find useful next.

Would you rather see Discord, Slack, or something else?

u/HugoDos — 8 days ago

Anyone using pangolin AND tailscale?

I am busy moving from a fully manual setup including traefik + TS to pangolin.

Is pangolin ready to fully replace TS?
I tried changing the default networks pangolin uses for gerbil and newt to a different range so it won't interfere with TS but am still hitting a few problems.

It looks like I can replace most of TS's functionality with pangolin but am not sure on a few key points. i.e. currently I use an adguardhome instance as my DNS for all clients and machines across TS. I basically enforce the DNS so not quite sure if this can be fully replicated with pangolin?

Any pointers are welcome.

P.S. The basic issue I have while running both is that with the TS enforced DNS, I can't seem to manage to connect to any private HTTPS resources as TS's DNS resolves to the external IP. I only get to see the "Private Placeholder Screen" even though pangolin on my client device is connected to the network but.

u/ovizii — 9 days ago

Run 2 Pangolin instances on a single server

I want to run 2 Pangolin instances on a server. Is the following plan feasible?

  • get 2 IPs
  • get 2 domains (foo, bar)
  • run the setup in folder "foo" with domain "foo"
  • adjust the docker-compose
    • add "-foo" to all container names
    • add "-foo" to the network name
    • add "-foo" to the compose-project name
    • add the first IP for each port binding
  • run the setup in folder "bar" with domain "bar"
  • adjust the docker-compose
    • add "-bar" to all container names
    • add "-bar" to the network name
    • add "-bar" to the compose-project name
    • add the second IP for each port binding
u/AcanthocephalaOk2271 — 9 days ago

Trying to install Pelican but can't get to panel install

Installed up to here: https://pelican.dev/docs/panel/panel-setup

Created public resource in pangolin, but /installer url shows "no available server"

Already used Claude Code to edit the Caddyfile but it still doesn't work. Here's the Caddyfile:

:80 {
    root * /var/www/pelican/public

    file_server

    php_fastcgi unix//run/php/php8.5-fpm.sock {
        root /var/www/pelican/public
        index index.php

        env PHP_VALUE "upload_max_filesize = 100M
        post_max_size = 100M"
        env HTTP_PROXY ""
        env HTTPS "on"

        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto "https"

        read_timeout 300s
        dial_timeout 300s
        write_timeout 300s
    }

    header X-Content-Type-Options "nosniff"
    header X-XSS-Protection "1; mode=block;"
    header X-Robots-Tag "none"
    header Content-Security-Policy "frame-ancestors 'self'"
    header X-Frame-Options "DENY"
    header Referrer-Policy "same-origin"

    request_body {
        max_size 100m
    }

    respond /.ht* 403

    log {
        output file /var/log/caddy/pelican.log {
            roll_size 100MiB
            roll_keep_for 7d
        }
        level INFO
    }
}
u/master_overthinker — 7 days ago

High Availability for WireGuard VPN at the Edge

Next up in our continued coverage of Pangolin 1.18 features: private HA resources!

We cover how to set it up, what it looks like, and what an actual failover looks like!

u/HugoDos — 9 days ago

Support for self hosted CA certificates

Hi all,

I’m running Pangolin as part of a self-hosted setup and would really like to use certificates issued by my own Smallstep CA for boundary services. I have a ... .home.arpa setup I cannot use Let's Encrypt for and would really like to certify my subdomains.

The goal is to keep services private, avoid exposing them publicly just for ACME/Let’s Encrypt flows, and still have clean HTTPS with certificates trusted by my own devices.

--

Use case:

Internal homelab services behind Pangolin

Private/internal DNS names

Smallstep CA issuing certificates

Pangolin using those certs for reverse proxy TLS

u/luckyvb — 9 days ago