github/pangolin
1
1
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-04-06 01:11:57 +02:00
Code Issues 85 Packages Projects Releases Wiki Activity

HTTP Resources return 418 - TCP proxy not listening on internal ports via WireGuard #277

New Issue
Closed
opened 2026-04-05 17:04:27 +02:00 by MrUnknownDE · 0 comments
MrUnknownDE commented 2026-04-05 17:04:27 +02:00
Owner
Copy Link

Originally created by @remibardalen on 2/5/2026

Environment

  • Pangolin Server: 1.15.1
  • Newt: 1.9.0
  • Traefik: 3.6.7
  • Newt running with --network host

Description

HTTP Resources configured with sso=0 (public access) return HTTP 418 instead of reaching the backend. The TCP proxy starts according to Newt logs, but connections to the internal ports via WireGuard are refused.

Steps to Reproduce

  1. Create HTTPS Resource in Pangolin Dashboard
  2. Set target to internal server (e.g., 192.168.1.100:80)
  3. Disable "Use Platform SSO" (sso=0 in database)
  4. Access resource externally via browser or curl
  5. Result: HTTP 418 with empty body

Expected Behavior

Request should pass through WireGuard tunnel to backend and return content from the target server.

Actual Behavior

  • Badger middleware validates successfully (Traefik debug log: Badger: Valid session)
  • Traefik load balancer selects backend: http://100.89.128.4:<internalPort>
  • TCP connection to WireGuard IP on internal port is refused
  • HTTP 418 returned to client (empty body)

Debugging Done

1. WireGuard tunnel connectivity

# From Gerbil container - WORKS
ping 100.89.128.4
# 64 bytes from 100.89.128.4: seq=0 ttl=64 time=12ms

2. Pangolin API verify-session

curl -X POST 'http://localhost:3001/api/v1/badger/verify-session' \
  -H 'Content-Type: application/json' \
  -d '{"scheme":"https","host":"app.example.com","path":"/","method":"GET"}'
# Returns: {"valid":true,"message":"Access allowed"}

3. Newt logs show TCP proxy starting

INFO: Started tcp proxy to 192.168.1.100:80
INFO: Started tcp proxy to 192.168.1.100:80

4. But connection to internal port fails

# From Gerbil container - FAILS
wget http://100.89.128.4:<internalPort>
# wget: can't connect to remote host: Connection refused

5. Database configuration verified correct

SELECT name, sso, blockAccess, enabled FROM resources;
-- myapp|0|0|1

SELECT name, ip, port, internalPort FROM targets JOIN resources...;
-- myapp|192.168.1.100|80|57803

Attempted Fixes (none worked)

  • Restarted all containers (Pangolin, Gerbil, Traefik, Newt)
  • Recreated Newt container from scratch
  • Deleted and recreated HTTP resources in Dashboard
  • Toggled targets enabled=0 then enabled=1 to force resync
  • Verified Newt is latest version (1.9.0)

Additional Notes

  • Site Resources work correctly - VPN-style Layer 3 access functions as expected
  • Only HTTP Resources exhibit this behavior
  • The TCP proxy appears to start but doesn't bind to the WireGuard userspace netstack properly
  • Internal access (bypassing Pangolin, going directly to backend) works perfectly
*Originally created by @remibardalen on 2/5/2026* ## Environment - Pangolin Server: 1.15.1 - Newt: 1.9.0 - Traefik: 3.6.7 - Newt running with `--network host` ## Description HTTP Resources configured with `sso=0` (public access) return HTTP 418 instead of reaching the backend. The TCP proxy starts according to Newt logs, but connections to the internal ports via WireGuard are refused. ## Steps to Reproduce 1. Create HTTPS Resource in Pangolin Dashboard 2. Set target to internal server (e.g., 192.168.1.100:80) 3. Disable "Use Platform SSO" (sso=0 in database) 4. Access resource externally via browser or curl 5. Result: HTTP 418 with empty body ## Expected Behavior Request should pass through WireGuard tunnel to backend and return content from the target server. ## Actual Behavior - Badger middleware validates successfully (Traefik debug log: `Badger: Valid session`) - Traefik load balancer selects backend: `http://100.89.128.4:<internalPort>` - TCP connection to WireGuard IP on internal port is refused - HTTP 418 returned to client (empty body) ## Debugging Done ### 1. WireGuard tunnel connectivity ```bash # From Gerbil container - WORKS ping 100.89.128.4 # 64 bytes from 100.89.128.4: seq=0 ttl=64 time=12ms ``` ### 2. Pangolin API verify-session ```bash curl -X POST 'http://localhost:3001/api/v1/badger/verify-session' \ -H 'Content-Type: application/json' \ -d '{"scheme":"https","host":"app.example.com","path":"/","method":"GET"}' # Returns: {"valid":true,"message":"Access allowed"} ``` ### 3. Newt logs show TCP proxy starting ``` INFO: Started tcp proxy to 192.168.1.100:80 INFO: Started tcp proxy to 192.168.1.100:80 ``` ### 4. But connection to internal port fails ```bash # From Gerbil container - FAILS wget http://100.89.128.4:<internalPort> # wget: can't connect to remote host: Connection refused ``` ### 5. Database configuration verified correct ```sql SELECT name, sso, blockAccess, enabled FROM resources; -- myapp|0|0|1 SELECT name, ip, port, internalPort FROM targets JOIN resources...; -- myapp|192.168.1.100|80|57803 ``` ## Attempted Fixes (none worked) - Restarted all containers (Pangolin, Gerbil, Traefik, Newt) - Recreated Newt container from scratch - Deleted and recreated HTTP resources in Dashboard - Toggled targets enabled=0 then enabled=1 to force resync - Verified Newt is latest version (1.9.0) ## Additional Notes - **Site Resources work correctly** - VPN-style Layer 3 access functions as expected - Only HTTP Resources exhibit this behavior - The TCP proxy appears to start but doesn't bind to the WireGuard userspace netstack properly - Internal access (bypassing Pangolin, going directly to backend) works perfectly
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Improvement
Improvement
Improvement
Improvement
Look Into
Security
Security
api
api
authentication
authentication
authentication
authentication
authentication
authentication
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
config
config
config
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
docker
docker
docker
docker
docker
documentation
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
enhancement
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
github_actions
go
go
go
go
go
go
go
go
go
go
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
good first issue
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
help wanted
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
javascript
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
needs investigating
networking
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
new feature
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
non-critical bug
potential bug
potential bug
potential bug
potential bug
potential bug
potential bug
potential bug
potential bug
potential bug
potential bug
potential bug
potential bug
question
reverse proxy
reverse proxy
reverse proxy
reverse proxy
reverse proxy
reverse proxy
reverse proxy
reverse proxy
reverse proxy
reverse proxy
reverse proxy
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
stale
ui
ui
ui
ui
ui
ui
wontfix
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
MrUnknownDE
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github/pangolin#277
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?