r/PangolinReverseProxy

Keeping Vaultwarden as a Private Resource but still reachable on the home LAN without the client — sane idea or overkill?

Hey folks,

I've got Pangolin running on a VPS, with Newt on a Raspberry Pi at home connecting back to it. Currently I've got Vaultwarden exposed as a public resource with SSO + path rules for the Bitwarden API endpoints (/api/*, /identity/*, /notifications/*, /icons/*, /attachments/* allowed, /admin/* denied), which works fine with the browser extension and mobile apps.

I'm now toying with switching it to a private resource instead, mainly because I like the idea of it not having any public DNS footprint at all for something as sensitive as a password vault. My worry with private resources though is that they seem to depend on the Pangolin client being connected — and for a password manager I really don't want "is my VPN client currently alive" to be a precondition for logging in, especially on mobile where background VPN apps get killed/throttled all the time.

So here's the plan I came up with, and I'd love a sanity check:

Vaultwarden stays a private resource in Pangolin (Newt on the Pi, no public domain).

At home, I run AdGuard Home on the Pi and add a DNS rewrite so vault.mydomain.tld resolves straight to the Pi's LAN IP instead of going out to the internet at all.

Also on the Pi, a small Caddy container in front of Vaultwarden gets its own valid Let's Encrypt cert via DNS-01 (my registrar has an API, so no port-80 exposure needed), so the local connection is still proper HTTPS and not just plain HTTP.

Away from home, I connect with the official Pangolin client like normal, and it resolves the private resource through the tunnel as usual.

End result: at home, Vaultwarden is a completely normal HTTPS domain that works without any client running at all, and away from home it works exactly like any other private resource. Pangolin itself never has to expose it publicly at any point.

For context, I'm doing something similar with Jellyfin (kept as a public resource since TV apps/Chromecast/other household members can't run a client, but with the same AdGuard + local Caddy trick so streaming at home doesn't round-trip through the VPS and eat my upload bandwidth).

The other thing I want to avoid on principle: I don't want a single network-wide CIDR tunnel that gives blanket access to my whole 192.168.1.0/24 just to reach a couple of services... feels like it defeats the point of Pangolin being resource-scoped in the first place, and turns one compromised laptop into "attacker is now on my whole home network." So I'd rather keep every service as its own resource (public or private depending on what it is) and only reach for a wide tunnel as a rare fallback.

Does this hold up, or is there something about how private resources/Newt handle local DNS resolution that would trip this up? Is anyone actually running Vaultwarden this way, or is there a reason people don't bother and just do public+SSO like I did originally? Genuinely curious whether I'm overthinking this or if it's a reasonable setup. Thanks in advance!

reddit.com
u/DifferentKey4886 — 1 day ago

Docker compose health check for newt

I use one newt container for multiple docker containers. I would like each container to have a healthcheck that makes sure newt is up. I can’t find any documentation that indicates there’s a way to do a docker healthcheck on newt. Is this possible or am I going about this wrong? I didn’t really want to have one newt container for each docker stack that needs pangolin but I suppose I can do that if I have to.

reddit.com
u/dbsoundman — 3 days ago

Nextcloud behind Pangolin with authentication

I'm currently trying to make my Nextcloud instance (running in my homelab) available from the internet with Pangolin.

So far, everything is working, and I can reach Nextcloud from the internet. But when I try to use Pangolin's built-in authentication feature, it starts falling apart. For sure, accessing the web interface still works after authentication, but the Nextcloud apps on my smartphone and desktop clients, as well as the calendar sync, do not work anymore. So far, that result can be expected since the API endpoints cannot be reached anymore without authentication, and that's not possible.

I've read about the bypass rules (https://docs.pangolin.net/self-host/community-guides/rules), but if I add all the rules listed in that guide for Nextcloud, I basically bypass the authentication for almost every reasonable access, and therefore it seems to be useless to use it in the first place.

Now I'm asking myself if there is any way to use the pangolin authentification feature with nextcloud without breaking all the apps, clients and other sychronisation? Or do I have to live without the authentication in order to use nextcloud properly?

I already have safety measures in place. The nextcloud domain is region-blocked (currently only accessible from my home country), and I have crowdsec running with the nextcloud collection. Additionally, Nextcloud itself allows admin features only when accessing from my home network, and the accounts have 2FA. But the additional authentication would also be great if this could work.

reddit.com
u/Dr-Technik — 8 days ago

spent 2 hours troubleshooting my homelab to find that its because pangolin potentially paywalled a feature

For the love of god please tell me I'm crazy or wrong.

I spent my entire evening thinking my opencloud instance was broken only to find pangolin and my docker VM couldn't talk anymore.

I got further down the rabbit hole and logs and see pangolin legit paywalled the wireguard connection. I see this in the console.

Thought to myself maybe a it's a bug. i already had this setup. so I went and made a new site, new credentials no enterprise prompt sweet!

hit save, page still looks good. Go over to the credentials tab and i see the enterprise edition message again.

What in the actual f*%$! I hope im wrong and messed something up. please tell me im stupid and wrong.

https://preview.redd.it/f1juwhdwlq9h1.png?width=2091&format=png&auto=webp&s=9aa82f85685af88661ae37f4cf02656f75ad34bc

reddit.com
u/Ivan_Draga_ — 9 days ago

Health check on local site not possible ?

I created a newt site and a local site on my VPS, and then, when i create a resource which is linked to the local site, it shows health status is unknown, and i cannot attach a health check to it as well, like http or tcp.

Is it possible and im just missing something ? im on 1.19 version

Example screenshot, the first entry is my site of type local, second is a remote site, the health check seems to be not allowed on the local one

https://preview.redd.it/0edhsd3xxo9h1.png?width=2094&format=png&auto=webp&s=138c539872c307203759e5e7c009bd81365c45a8

reddit.com
u/jlmanohar — 9 days ago

A resource randomly failing

TLDR, a resource would randomly stop working and gives me Gateway timeout error. I saw this happenning to other resource which ate connected to another newt agent. All newt sites are up and healthy per dashboard. How to troubleshoot this?

I have a site deployed via docker and shares network with another docker service. It worked flawlessly for months. It takes awhile to load then it shows gateway timeout. I noticed this randomly working. Out of curiosity, I tested other resources and I faced the same. I thought may be crowdsec have blocked me, I tried in mobile network with similar result.

reddit.com
u/DigiDoc101 — 9 days ago

How to handle robots.txt

I currently have a match route on every domain on my selfhosted instances which serves a basic disallow / for robots.txt , but i want to always serve this file for all subdomains so that i can prevent crawlers on my selfhosted domains

Is there a way for a global robots.txt file or any other way to prevet bots and crawlers from scraping my domains

reddit.com
u/jlmanohar — 11 days ago

How do you handle "404 page not found" for non-existant subdomains?

So far, Pangolin manages everything as I expect, except for one small point: When I navigate to an invalid or non-existent subdomain, it displays a "404 page not found" message.

OK, that is absolutely the proper message for this scenario, but can I customize it or redirect it to another URL?

Gemini provides a solution that requires additional containers, Traefik configurations, and editing configuration files.

I'm surprised that there is no simple "customize 404 page" option in Pangolin.

How do you handle this?

reddit.com
u/jbarr107 — 14 days ago