Pangolin resources are overridden when the full-domain is set as the base domain via blueprint #790

Closed
opened 2026-04-05 17:43:30 +02:00 by MrUnknownDE · 0 comments

Originally created by @wzsanders on 10/9/2025

Describe the Bug

When setting full-domain as a registered base domain (see below) via pangolin docker blueprints, the addresses for other docker blueprints that were applied are changed to have their address modified to the base domain, even if it was previously listed as subdomain.base.domain.
If the full-domain below is a subdomain, this works fine and the entry is created as expected.

    labels:
      - pangolin.proxy-resources.basedomain.name=basedomain
      - pangolin.proxy-resources.basedomain.full-domain=base.domain
      - pangolin.proxy-resources.basedomain.protocol=http
      - pangolin.proxy-resources.basedomain.targets[0].method=https
      - pangolin.proxy-resources.basedomain.targets[0].hostname=host.docker.internal
      - pangolin.proxy-resources.basedomain.targets[0].port=3001

Adding the resource via the Pangolin Web UI and leaving the subdomain blank results in this configuration working with no issues. It's just the addition of the new resource when coming from blueprints.

When adding via blueprint.
The tcp proxy is never started.

    pangolin  | 2025-10-08T21:41:04.086Z [error]: Failed to update database from config: Error: Resource already exists: sylver.lab.redacted in org redacted

When adding via the Web UI.

    newt      | INFO: 2025/10/08 21:45:07 Blueprint applied successfully!
    newt      | INFO: 2025/10/08 21:45:22 Started tcp proxy to host.docker.internal:3001

Environment

  • OS Type & Version: Synology DSM 7.3
  • Pangolin Version: 1.10.1
  • Gerbil Version: 1.2.1
  • Traefik Version: 3.4.0
  • Newt Version: 1.5.1

To Reproduce

  1. Deploy a self-hosted node as follows: https://docs.digpangolin.com/self-host/manual/docker-compose
    Follow the guide and add the relevant configuration for your DNS resolver implementation, etc. Ensure that you add the blueprint labels.
    services:
      pangolin:
        image: fosrl/pangolin:latest # https://github.com/fosrl/pangolin/releases
        container_name: pangolin
        restart: always
        volumes:
          - /volume1/encrypted_share/docker/pangolin/config:/app/config
          - pangolin-data:/var/certificates
          - pangolin-data:/var/dynamic
        healthcheck:
          test: ["CMD", "curl", "-f", "http://localhost:3001/api/v1/"]
          interval: "3s"
          timeout: "3s"
          retries: 30
        labels:
          # Proxy Resource Configuration
          - pangolin.proxy-resources.x.name=x
          - pangolin.proxy-resources.x.full-domain=base.domain
          - pangolin.proxy-resources.x.protocol=http
          # Target Configuration - the port and hostname will be auto-detected
          - pangolin.proxy-resources.x.targets[0].method=https
          - pangolin.proxy-resources.x.targets[0].hostname=host.docker.internal
          - pangolin.proxy-resources.x.targets[0].port=3001

      gerbil:
        image: fosrl/gerbil:latest # https://github.com/fosrl/gerbil/releases
        container_name: gerbil
        restart: always
        depends_on:
          pangolin:
            condition: service_healthy
        command:
          - --reachableAt=http://gerbil:3003
          - --generateAndSaveKeyTo=/var/config/key
          - --remoteConfig=http://pangolin:3001/api/v1/
        volumes:
          - ./config/:/var/config
        cap_add:
          - NET_ADMIN
          - SYS_MODULE
        ports:
          - 51820:51820/udp
          - 21820:21820/udp
          - 443:443 # Port for traefik because of the network_mode
          - 80:80 # Port for traefik because of the network_mode

      traefik:
        image: traefik:v3.4.0
        container_name: traefik
        restart: always
        network_mode: service:gerbil # Ports appear on the gerbil service
        depends_on:
          pangolin:
            condition: service_healthy
        command:
          - --configFile=/etc/traefik/traefik_config.yml
        environment:
          CLOUDFLARE_DNS_API_TOKEN: "" # REPLACE WITH YOUR CLOUDFLARE API TOKEN If you’re using Cloudflare, make sure your API token has the permissions Zone/Zone/Read and Zone/DNS/Edit and make sure it applies to all zones.
        volumes:
          - ./config/traefik:/etc/traefik:ro # Volume to store the Traefik configuration
          - ./config/traefik/logs:/var/log/traefik # Volume to store the Traefik logs
          - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
          # Shared volume for certificates and dynamic config in file mode
          - pangolin-data:/var/certificates:ro
          - pangolin-data:/var/dynamic:ro

      newt:
        image: fosrl/newt
        container_name: newt
        restart: unless-stopped
        extra_hosts:
          - "host.docker.internal:host-gateway" # Allow access to host services from containers
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
        environment:
          - PANGOLIN_ENDPOINT=https://pangolin.domain
          - NEWT_ID=
          - NEWT_SECRET=
          - DOCKER_SOCKET=/var/run/docker.sock

    networks:
      default:
        driver: bridge
        name: pangolin
        ipam:
          config:
            - subnet: 172.18.0.0/26

    volumes:
      pangolin-data:
  2. Ensure that the host is listening / accepting connections for the port 3001 specified in the resource configuration (this is a web server in my case).
  3. Bring the compose file up.

Expected Behavior

Pangolin should add the resource with the base domain and empty subdomain and not change all other blueprint addresses to the base domain.

i.e., a new resource appears with the base domain as the address to access from, and other resources have the subdomain in front of it.
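
A pre-deploy check for the label combination reported above, added here as an example and not part of the original issue or of Pangolin's code: it groups `pangolin.proxy-resources.<key>.<field>` labels by resource and flags any `full-domain` that is claimed twice or that is the parent of another resource's `full-domain`. The `app` and `dup` resources and their hostnames are constructed sample data; only the `basedomain` labels come from the report.

```python
import re
from collections import defaultdict

# Label shape as shown in the issue: pangolin.proxy-resources.<key>.<field>=<value>
LABEL_RE = re.compile(r"^pangolin\.proxy-resources\.([^.]+)\.([^=]+)=(.*)$")

# Constructed sample: labels collected from several containers' blueprints.
SAMPLE_LABELS = [
    "- pangolin.proxy-resources.basedomain.name=basedomain",
    "- pangolin.proxy-resources.basedomain.full-domain=base.domain",
    "- pangolin.proxy-resources.basedomain.targets[0].port=3001",
    "- pangolin.proxy-resources.app.full-domain=app.base.domain",  # constructed
    "- pangolin.proxy-resources.dup.full-domain=App.Base.Domain.",  # constructed
    "- traefik.enable=true",  # unrelated label, ignored
]


def parse_resources(labels):
    """Group blueprint labels into {resource_key: {field: value}}."""
    resources = defaultdict(dict)
    for raw in labels:
        match = LABEL_RE.match(raw.strip().lstrip("-").strip())
        if match:
            key, field, value = match.groups()
            resources[key][field] = value.strip()
    return dict(resources)


def audit_full_domains(resources):
    """Return (duplicates, overlaps) for the resources' full-domain values.

    duplicates: {fqdn: [keys]} where several resources claim one hostname.
    overlaps:   [(parent, child)] where one resource's full-domain is a parent
                domain of another's, the situation described in this issue.
    """
    by_domain = defaultdict(list)
    for key, fields in resources.items():
        # Hostnames are case-insensitive and may carry a trailing root dot.
        fqdn = fields.get("full-domain", "").lower().rstrip(".")
        if fqdn:
            by_domain[fqdn].append(key)
    duplicates = {d: sorted(k) for d, k in by_domain.items() if len(k) > 1}
    overlaps = sorted(
        (parent, child)
        for parent in by_domain
        for child in by_domain
        if child != parent and child.endswith("." + parent)
    )
    return duplicates, overlaps
```

After a blueprint is applied, the addresses shown for the resources listed in `overlaps` are the ones to compare against their labels.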


Reference: github/pangolin#790