mirror of
https://github.com/fosrl/pangolin.git
synced 2026-07-16 14:47:04 -05:00
[GH-ISSUE #2952] Private HTTP proxy appears to not follow redirects #13085
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @Vyerni on GitHub (May 1, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2952
Describe the Bug
I'm currently trying to set up a private http proxy to be able to access my servers IDRAC console, something I definitely do not want exposed in any way.
I have it set up with the site, HTTP, using HTTPS scheme, to the IP (172.23.17.14) and port 443. I also have Enable SSL ticked.
When I browse to the domain without a client connection. I get a placeholder page. - Perfect
When I browse to the domain with one "https://idrac.domain", my browser url becomes "172.23.17.14/start.html" and it errors with "This site can't be reached. ERR_CONNECTION_REFUSED"
When I browse to "https://idrac.domain/login.html" I'm able to access the web page as required.
I'm currently on the latest Pangolin EE and Newt. I believe this was working on 1.18-rc.0 and newt 1.12-rc
Environment
To Reproduce
.
Expected Behavior
.
@AstralDestiny commented on GitHub (May 3, 2026):
Responded in discord.
@Vyerni commented on GitHub (May 5, 2026):
Ironically appears to be a problem with the only 2 services I originally tried to setup with private resources, IDRAC and my TrueNAS GUI
Will work out an alternative for these 2.
Thanks for the help.
@oschwartz10612 commented on GitHub (May 5, 2026):
What was worked out? Do we need to handle redirects in the newt proxy? I
can make sure that occurs if its needed to make these services work!
@Vyerni commented on GitHub (May 5, 2026):
I truthfully don't fully understand. Hopefually @AstralDestiny can explain it a little better.
But in the case of the IDRAC, it has a hardcoded href on the page, apparently causing problems.
Apologies I can't help explain it on a technical level.
@Vyerni commented on GitHub (May 8, 2026):
I've attempted to try and get it working to my TrueNAS GUI, and it's a similar thing.
server.vpn.domainis what I'm trying to do via VPN. And it redirects to 172.23.17.5:4430/ui with ERR_CONNECTION_REFUSED. (My GUI is served on 4430, so that's correct)But then if I do
server.vpn.domain/ui/dashboardit worksEdit:
Newt 1.12.3
Pangolin 1.18.3-EE
Gerbil 1.4.0
@LaurenceJJones commented on GitHub (May 8, 2026):
But if you curl that resource from where Newt is situated you get a redirect?
curl http://172.23.17.5:4430/uias Newt is simply proxying what the resource is responding@Vyerni commented on GitHub (May 8, 2026):
Pretty hard to do as I'm testing the private connection via my phone.
Not sure if it's a valid test, but locally on my PC that is on the same LAN as the TrueNAS and newt, I get this:
@LaurenceJJones commented on GitHub (May 8, 2026):
Apologies its https try that also that redirect is just promoting to https
You can pass
-Lto curl to follow the redirect chain@Vyerni commented on GitHub (May 8, 2026):
Updated earlier post with both commands.
If I browse in an incognito window to
https://172.23.17.5:4430it redirects me tohttps://172.23.17.5:4430/ui/signinEdit:
I didn't see your edit when running the previous commands. Passing
-Lgives me a much larger output, which, I'm going to assuming is the correct result@LaurenceJJones commented on GitHub (May 8, 2026):
Im going to see if I can replicate it, but my theory is since we dont pass a Host header (we pass
X-Forwarded-Host) the location being sent down over the private path is the IP address instead of the location being written as the private alias, so your connection refused might be because the redirect is converting to the ip address.as by this
Question do you know if truenas or the other application has a way to set trusted proxies as typically when this is configured the application should prefer
X-Forwarded-Hostinstead ofHost.@Vyerni commented on GitHub (May 8, 2026):
I don't believe there's an option for it in either TrueNAS or, Dell IDRAC. At least, I've not seen anything like "trusted proxies", etc.
@LaurenceJJones commented on GitHub (May 8, 2026):
Okay I got enough context to replicate and report back to @oschwartz10612 plus got a "fix" but need some more coffee before I am confident it doesnt introduce regressions.
@LaurenceJJones commented on GitHub (May 8, 2026):
Okay I see the regression from
1.12.2onwards for @oschwartz10612Before our proxy used to use
but now we do
as stated in the go docs
SetURL rewrites the outbound Host header to match the target's host. To preserve the inbound request's Host header (the default behavior of NewSingleHostReverseProxy)in short the host header is being rewritten from
example.vpn.domainto172....(in your example) then downstream applications that use full redirect logic are returning that.the simple fix would be to follow the go docs
I havent had time to test if it fixes it, but in theory that should be it. I am surprised there isnt more people hitting this issue in fact unless public resource through traefik are getting some sort of traefik magic 🤷🏻
@Vyerni commented on GitHub (May 8, 2026):
TrueNAS is now accessible with newt 1.12.5, but the IDRAC is still not.
Browsing to
idrac.vpn.domainleads me to172.23.17.14/start.htmland browser saying ERR_CONNECTION_REFUSED, but if I browse toidrac.vpn.domain/start.htmloridrac.vpn.domain/login.htmlit loads the IDRAC page.@LaurenceJJones commented on GitHub (May 8, 2026):
It says connection refused or 404 page not found, your curl output doesn't match what you wrote?
If it's not the right output we really need you to show or download the windows client to test as rather hard to not see debuggable info
@Vyerni commented on GitHub (May 8, 2026):
Curl.txt
pangolin-log-2026-05-09T070856_debug.txt
See the logs attached. These are run from my laptop with WIndows client.
First tried to browse to
idrac.vpn.domainon the laptop, then attempted to run the curl commands attached, first toidrac.vpn.domainthen the next toidrac.vpn.domain/start.html@LaurenceJJones commented on GitHub (May 8, 2026):
And when you previously without the VPN ran
drac.domainis that the hostname on the LAN?Reading up on idrac it seems it has lots of problems behind a reverse proxy, even dell recommend you only connect via the IP address only.
@Vyerni commented on GitHub (May 8, 2026):
Yes.
idrac.domainis resolved from pfsense to 172.23.17.14 locally.@LaurenceJJones commented on GitHub (May 8, 2026):
Yeah it seems idrac is not designed to be behind a reverse proxy, searching it seems to show a lot of people have issues. It seems idrac only knows how to return redirects for its own hostname on LAN or defaults to IP address.
So unless you can dig into their docs, there isn't much more we can do.
@Vyerni commented on GitHub (May 8, 2026):
That's fine, and makes sense given what @AstralDestiny found that there is a href hardcoded in.
Just wanted to provide all the info to make sure it was covered. Appreciate the looking into it.
@LaurenceJJones commented on GitHub (May 8, 2026):
To resolve the redirect loop or refusal, you must tell the iDRAC to allow the specific FQDN or disable the check entirely.Option 1: Disable Host Header Check (Easiest)If your environment allows it, you can disable this security check using SSH and RACADM:bashracadm set idrac.webserver.HostHeaderCheck 0
Use code with caution.Option 2: Add the FQDN to the Allow-listIf you prefer to keep the security feature active, add the specific hostname the user is typing into the ManualDNSEntry field:
racadm set idrac.webserver.ManualDNSEntry https://domain.com
Just what I found if it helps
@Vyerni commented on GitHub (May 8, 2026):
Set those, thanks.
But I have just gotten a small work around having noticed (again) that it changes to the LAN IP of 172.23.17.14.
I've since added an additional private resource of host at that IP address as well. So the proxy starts it, and then redirects me to the IP address, where the second resource then allows it. Seems to be working so far.