Bad Gateway when trying to access docker service with Proxmox #145

Closed
opened 2025-11-13 11:51:19 -06:00 by GiteaMirror · 8 comments

Originally created by @tobiraak on GitHub (Mar 15, 2025).

I have a vps, setup everything as in the documentation stated and connected my NAS as a site successfully by installing newt on my proxmox debian vm. Now I have a service (deployed with docker compose) locally accessible on 192.168.178.104:9090 on that vm. Entering these values when creating a resource will result in the Gateway timeout error. Do I have to configure anything in proxmox? Any help would be appreciated. Do I have to configure newt in the same compose file as my service and put them in a network?

Originally posted by @tobiraak in #302

GiteaMirror added the reverse proxy label 2025-11-13 11:51:19 -06:00

@hhftechnology commented on GitHub (Mar 15, 2025):

I have a vps, setup everything as in the documentation stated and connected my NAS as a site successfully by installing newt on my proxmox debian vm. Now I have a service (deployed with docker compose) locally accessible on 192.168.178.104:9090 on that vm. Entering these values when creating a ressource will result in the Gateway timeout error. Do I have to configure anything in proxmox? Any help would be appreciated. Do I have to configure newt in the same compose file as my service and put them in a network?

Originally posted by @tobiraak in #302

Just an example.

This is a small snippet from my write up. this is how i handle newt.

Edit /etc/netplan/00-installer-config.yaml:

```yaml
network:
  version: 2
  ethernets:
    ens18:                      # NIC name as seen inside the VM
      addresses:
        - 192.168.20.10/24
      gateway4: 192.168.20.1
      nameservers:
        addresses: [1.1.1.1, 8.8.8.8]
```

Apply with:

```bash
sudo netplan apply
```

4. Setting Up Docker with Network Isolation

Install Docker and create isolated networks:

```bash
# Install Docker
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh

# Create a dedicated network for exposed applications
# (newt and every application it exposes will join this network)
docker network create --subnet=172.20.0.0/16 exposed-apps
```

Implementing Newt in a Confined Environment

Newt will run in a Docker container, isolating it from the host system and only allowing it to communicate with specific application containers.

1. Setting Up Newt Container

Create a dedicated directory for Newt:

```bash
mkdir -p /opt/newt
cd /opt/newt
```

Create a docker-compose.yml file:

```yaml
networks:
  exposed-apps:
    external: true            # created above with "docker network create"

services:
  newt:
    container_name: newt-client
    image: fosrl/newt:latest
    restart: unless-stopped
    environment:
      - PANGOLIN_ENDPOINT=https://pangolin.yourdomain.com
      - NEWT_ID=your_newt_id_from_pangolin
      - NEWT_SECRET=your_newt_secret_from_pangolin
    networks:
      exposed-apps:
        ipv4_address: 172.20.0.2   # fixed address inside exposed-apps
    cap_add:
      - NET_ADMIN
    volumes:
      - ./logs:/var/log/newt
```

2. Getting Configuration from Pangolin

To obtain the Newt ID and secret, you need to:

  1. Log into your Pangolin dashboard on the VPS
  2. Create a new organization if you don't have one
  3. Create a new site (select "Newt" as the connection method)
  4. Copy the generated ID and secret
  5. Update your docker-compose.yml with these values

3. Starting and Securing Newt

Start the Newt container:

```bash
docker compose up -d
```

Check that it's running and connecting correctly:

```bash
docker logs -f newt-client
```

You should see messages about establishing a connection to Pangolin and creating a WireGuard interface. If everything is working, the site status in Pangolin should change to "Online".

Connecting Exposed Applications

Now we'll set up the applications that should be exposed to the internet. We'll create a separate Docker Compose file for each application, ensuring they're isolated but accessible through Newt.

1. Example: Setting Up Nextcloud

Create directory:

```bash
mkdir -p /opt/nextcloud
cd /opt/nextcloud
```

Create docker-compose.yml:

```yaml
networks:
  exposed-apps:
    external: true            # shared with the newt container
  nextcloud-internal:
    internal: true            # no outbound route; only app and DB sit here

services:
  nextcloud-db:
    image: mariadb:10.6
    container_name: nextcloud-db
    restart: unless-stopped
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    networks:
      - nextcloud-internal    # the database never joins the exposed network
    volumes:
      - ./nextcloud-db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=secure_root_password
      - MYSQL_PASSWORD=secure_nextcloud_password
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud

  nextcloud-app:
    image: nextcloud:latest
    container_name: nextcloud-app
    restart: unless-stopped
    depends_on:
      - nextcloud-db
    networks:
      nextcloud-internal:
      exposed-apps:
        ipv4_address: 172.20.0.10   # reachable by newt at this address
    volumes:
      - ./nextcloud-data:/var/www/html
    environment:
      - MYSQL_HOST=nextcloud-db
      - MYSQL_PASSWORD=secure_nextcloud_password
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.yourdomain.com
      - OVERWRITEPROTOCOL=https
```

Start Nextcloud:

```bash
docker compose up -d
```

Rule of thumb: newt should be on the same network as the services it wants to expose to Pangolin on the VPS.


@tobiraak commented on GitHub (Mar 16, 2025):

I'm sorry but I can't seem to follow your guide. Where do you specify the port? I also do not have a netplan directory.
Which IP address do you specify as a resource in the pangolin dashboard? Thanks in advance!


@tobiraak commented on GitHub (Mar 17, 2025):

Update: This seems to be a problem with a proxmox VM. I am running a debian VM in proxmox and I can't seem to find out why it would fail. The IP of my vm is reachable in my network but seems to make problems since it is just a VM. Does anyone know if I need to configure the proxmox host in order to make it work?


@tobiraak commented on GitHub (Mar 17, 2025):

Another update: I have ufw enabled on my VM of course. Disabling it made it suddenly work. If I add the port of the service that I want to expose to the ufw rules, it is working. But this is not the intended behavior, since it is tunneling it anyway and I should not need to open any ports. So the question remains, do I need to update any proxmox network settings or enable any kind of port forwarding?
I have no clue why I need to open ports in the VM but if I use newt and pango with my raspberry, I don't have to open any ports at all.
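The thread closes without an explanation for the ufw behaviour. A plausible reading, offered here as the editor's assumption and not something the thread confirms: when newt runs in a container and the Pangolin resource targets the VM's LAN address (192.168.178.104:9090), the request leaves the newt container, enters the host on the Docker bridge interface and is delivered to the published port through the host's INPUT chain, which ufw filters with its default deny policy. A newt binary running directly on the Raspberry Pi reaches the same port over the loopback path, which ufw permits by default, so no rule is needed there. The Compose file below, an added example rather than code from the thread or the Pangolin project, sidesteps the host firewall entirely by following the "same network" rule from the earlier reply: newt and the service share one Docker network and the resource targets the container by name. The image name `myapp:latest`, the port 9090, the network name and the Pangolin placeholders are assumptions; nothing in this layout touches the Proxmox host's network configuration.

```yaml
# Added example (not from the thread or the Pangolin project): newt runs next to
# the service it exposes. The Pangolin resource targets the container by name, so
# the request never traverses the VM's host firewall (ufw).
# Assumptions: "myapp:latest" listens on 9090 inside the container; the network
# name "exposed-apps"; the PANGOLIN_* / NEWT_* values are placeholders.

networks:
  exposed-apps:
    external: true   # create once: docker network create --subnet=172.20.0.0/16 exposed-apps

services:
  newt:
    image: fosrl/newt:latest
    container_name: newt-client
    restart: unless-stopped
    environment:
      - PANGOLIN_ENDPOINT=https://pangolin.yourdomain.com
      - NEWT_ID=your_newt_id_from_pangolin
      - NEWT_SECRET=your_newt_secret_from_pangolin
    networks:
      - exposed-apps
    # No "ports:" entry: newt dials out to Pangolin; nothing is published on the VM.

  myapp:
    image: myapp:latest          # placeholder image; serves HTTP on 9090 in-container
    container_name: myapp
    restart: unless-stopped
    networks:
      - exposed-apps
    # No "ports:" entry either. Publishing 9090 on the VM is what creates the
    # host-firewall path; newt reaches the container over the bridge instead.
    #
    # Pangolin resource settings for this layout (assumed field names):
    #   Target address: myapp   (Compose service name, resolved by Docker DNS)
    #   Target port:    9090
    #   Protocol:       http
```

If the service already lives in a separate Compose project, add `exposed-apps` as an external network in that project's file (as the Nextcloud example in the earlier reply does) or attach the running container once with `docker network connect exposed-apps <container>`. To confirm the path before touching Pangolin, issue a request from a throwaway container on the same network, for example `docker run --rm --network exposed-apps curlimages/curl -s http://myapp:9090/`; if that succeeds while the Pangolin resource still times out, the VM firewall is not the problem. If you would rather keep targeting the VM address, scope the ufw rule to the bridge subnet rather than opening the port to the whole LAN, e.g. `ufw allow from 172.20.0.0/16 to any port 9090 proto tcp`.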


@timmish commented on GitHub (May 19, 2025):

@tobiraak
did you solve this?
I have the same issue. When using UFW, I have to allow the port I am forwarding and tunneling with Pangolin - this should not be the case, but I don't know what to do.


@tobiraak commented on GitHub (May 19, 2025):

No I've not solved it, I have UFW disabled completely and it sucks since this issue was closed without being solved or explained.


@timmish commented on GitHub (May 20, 2025):

Yes 🥲
Did you switch to iptables or another firewall? No firewall is no solution for me I guess.


@tobiraak commented on GitHub (May 20, 2025):

Try the Firewall option from proxmox, this might work? I ditched this solution tbh because of this. Maybe I should ask this question on reddit.com/r/selfhosted


Reference: github-starred/pangolin#145