github-starred/pangolin
2
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-05-07 05:09:18 -05:00
Code Issues 564 Packages Projects Releases 72 Wiki Activity

Pangolin website no longer accessible after switching to wildcard certificates #206

New Issue
Closed
opened 2025-11-13 11:52:59 -06:00 by GiteaMirror · 12 comments
GiteaMirror commented 2025-11-13 11:52:59 -06:00
Owner
Copy Link

Originally created by @riwich on GitHub (Apr 1, 2025).

After I made the switch to "Wildcard Certificates" according to the instructions on the website (https://docs.fossorial.io/Pangolin/Configuration/wildcard-certs), my Pangolin website is no longer accessible.

Only "Cannot GET /" appears in the browser.

The logs of Pangolin and Traefik show no errors and according to acme.json the “Wildcard Certificate” was created.
I have installed Pangolin several times and initially, without "Wildcart Certificates configuration", the Pangolin website is accessible.

I have carried out the changeover to "Wildcard Certificates" several times exactly according to the online instructions and I always get the same result.

My DNS provider is Infomaniak and the whole installation is running on an Infomaniak VPS with Debian 12. And no Crowdsec installed, as it seems to be the souce of many problems...

Is there a misunderstanding with my sets, am I doing something wrong, is the documentation perhaps no longer correct, or is this even a bug?

Many thanks for your help!
Thomas

Originally created by @riwich on GitHub (Apr 1, 2025). After I made the switch to "Wildcard Certificates" according to the instructions on the website ([https://docs.fossorial.io/Pangolin/Configuration/wildcard-certs](https://docs.fossorial.io/Pangolin/Configuration/wildcard-certs)), my Pangolin website is no longer accessible. Only **"Cannot GET /"** appears in the browser. The logs of Pangolin and Traefik show no errors and according to **acme.json** the “Wildcard Certificate” was created. I have installed Pangolin several times and initially, without "Wildcart Certificates configuration", the Pangolin website is accessible. I have carried out the changeover to "Wildcard Certificates" several times exactly according to the online instructions and I always get the same result. My DNS provider is **Infomaniak** and the whole installation is running on an Infomaniak VPS with **Debian 12**. And no Crowdsec installed, as it seems to be the souce of many problems... Is there a misunderstanding with my sets, am I doing something wrong, is the documentation perhaps no longer correct, or is this even a bug? Many thanks for your help! Thomas
GiteaMirror added the stale label 2025-11-13 11:52:59 -06:00
GiteaMirror commented 2025-11-13 11:53:00 -06:00
Author
Owner
Copy Link

@oschwartz10612 commented on GitHub (Apr 2, 2025):

Cannot GET / means that it is sending the web requests to the express server instead of the nextjs server I think. Traefik might be routing the wrong things to the wrong place.

Could you post your traefik config files to view? You can remove anything important in them you dont want posted publicly.

@oschwartz10612 commented on GitHub (Apr 2, 2025): `Cannot GET /` means that it is sending the web requests to the express server instead of the nextjs server I think. Traefik might be routing the wrong things to the wrong place. Could you post your traefik config files to view? You can remove anything important in them you dont want posted publicly.
GiteaMirror commented 2025-11-13 11:53:00 -06:00
Author
Owner
Copy Link

@riwich commented on GitHub (Apr 2, 2025):

Hello Owen,
Many thanks for the quick reply! I would be happy to send you the configuration files you mentioned.
I have anonymized my personal Infomaniak token, email address and real domain in the files. These are actually all the files that I changed when I switched to “wildcard certificates”.

So here are the files:

docker-compose.yml:

.
.
 traefik:
    image: traefik:v3.3.3
    container_name: traefik
    restart: unless-stopped

    network_mode: service:gerbil # Ports appear on the gerbil service

    depends_on:
      pangolin:
        condition: service_healthy
    command:
      - --configFile=/etc/traefik/traefik_config.yml
    # Add the environment variables for your DNS provider.
    environment:
      INFOMANIAK_ACCESS_TOKEN: "-my-tested-and-working-Infomaniak-token"
    volumes:
      - ./config/traefik:/etc/traefik:ro # Volume to store the Traefik configuration
      - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
      - ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs
.
.

./config/traefik/traefik_config.yml:

api:
  insecure: true
  dashboard: true

providers:
  http:
    endpoint: "http://pangolin:3001/api/v1/traefik-config"
    pollInterval: "5s"
  file:
    filename: "/etc/traefik/dynamic_config.yml"

experimental:
  plugins:
    badger:
      moduleName: "github.com/fosrl/badger"
      version: "v1.0.0"

log:
  level: "INFO"
  format: "common"

certificatesResolvers:
  letsencrypt:
    acme:
      dnsChallenge:
        provider: "infomaniak" # your DNS provider
        # see https://doc.traefik.io/traefik/https/acme/#providers
      email: "my-personal-email@somemail.com"
      storage: "/letsencrypt/acme.json"
      caServer: "https://acme-v02.api.letsencrypt.org/directory"

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
    transport:
      respondingTimeouts:
        readTimeout: "30m"
    http:
      tls:
        certResolver: "letsencrypt"

serversTransport:
  insecureSkipVerify: true

./config/traefik/dynamic_config.yml:

http:
  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https

  routers:
    # HTTP to HTTPS redirect router
    main-app-router-redirect:
      rule: "Host(`pangolin.mydomain.com`)"
      service: next-service
      entryPoints:
        - web
      middlewares:
        - redirect-to-https

    # Next.js router (handles everything except API and WebSocket paths)
    next-router:
      rule: "Host(`mydomain.com`) && !PathPrefix(`/api/v1`)"
      service: next-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
        domains:
          - main: "mydomain.com"
            sans:
              - "*.mydomain.com"

    # API router (handles /api/v1 paths)
    api-router:
      rule: "Host(`pangolin.mydomain.com`) && PathPrefix(`/api/v1`)"
      service: api-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt

    # WebSocket router
    ws-router:
      rule: "Host(`pangolin.mydomain.com`)"
      service: api-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt

  services:
    next-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3002"  # Next.js server

    api-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3000"  # API/WebSocket server
@riwich commented on GitHub (Apr 2, 2025): Hello Owen, Many thanks for the quick reply! I would be happy to send you the configuration files you mentioned. I have anonymized my personal Infomaniak token, email address and real domain in the files. These are actually all the files that I changed when I switched to “wildcard certificates”. So here are the files: **docker-compose.yml:** ``` . . traefik: image: traefik:v3.3.3 container_name: traefik restart: unless-stopped network_mode: service:gerbil # Ports appear on the gerbil service depends_on: pangolin: condition: service_healthy command: - --configFile=/etc/traefik/traefik_config.yml # Add the environment variables for your DNS provider. environment: INFOMANIAK_ACCESS_TOKEN: "-my-tested-and-working-Infomaniak-token" volumes: - ./config/traefik:/etc/traefik:ro # Volume to store the Traefik configuration - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates - ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs . . ``` **./config/traefik/traefik_config.yml:** ``` api: insecure: true dashboard: true providers: http: endpoint: "http://pangolin:3001/api/v1/traefik-config" pollInterval: "5s" file: filename: "/etc/traefik/dynamic_config.yml" experimental: plugins: badger: moduleName: "github.com/fosrl/badger" version: "v1.0.0" log: level: "INFO" format: "common" certificatesResolvers: letsencrypt: acme: dnsChallenge: provider: "infomaniak" # your DNS provider # see https://doc.traefik.io/traefik/https/acme/#providers email: "my-personal-email@somemail.com" storage: "/letsencrypt/acme.json" caServer: "https://acme-v02.api.letsencrypt.org/directory" entryPoints: web: address: ":80" websecure: address: ":443" transport: respondingTimeouts: readTimeout: "30m" http: tls: certResolver: "letsencrypt" serversTransport: insecureSkipVerify: true ``` **./config/traefik/dynamic_config.yml:** ``` http: middlewares: redirect-to-https: redirectScheme: scheme: https routers: # HTTP to HTTPS redirect router main-app-router-redirect: rule: "Host(`pangolin.mydomain.com`)" service: next-service entryPoints: - web middlewares: - redirect-to-https # Next.js router (handles everything except API and WebSocket paths) next-router: rule: "Host(`mydomain.com`) && !PathPrefix(`/api/v1`)" service: next-service entryPoints: - websecure tls: certResolver: letsencrypt domains: - main: "mydomain.com" sans: - "*.mydomain.com" # API router (handles /api/v1 paths) api-router: rule: "Host(`pangolin.mydomain.com`) && PathPrefix(`/api/v1`)" service: api-service entryPoints: - websecure tls: certResolver: letsencrypt # WebSocket router ws-router: rule: "Host(`pangolin.mydomain.com`)" service: api-service entryPoints: - websecure tls: certResolver: letsencrypt services: next-service: loadBalancer: servers: - url: "http://pangolin:3002" # Next.js server api-service: loadBalancer: servers: - url: "http://pangolin:3000" # API/WebSocket server ```
GiteaMirror commented 2025-11-13 11:53:00 -06:00
Author
Owner
Copy Link

@TheSilverSadist commented on GitHub (Apr 2, 2025):

This is what I changed to my Dynamic to fix it

http:
  middlewares:
    crowdsec:
      plugin:
        crowdsec:
          clientTrustedIPs:
            - 10.0.0.0/8
            - 172.16.0.0/12
            - 192.168.0.0/16
            - 100.89.137.0/20
          crowdsecAppsecEnabled: true
          crowdsecAppsecFailureBlock: true
          crowdsecAppsecHost: crowdsec:7422
          crowdsecAppsecUnreachableBlock: true
          crowdsecLapiHost: crowdsec:8080
          crowdsecLapiKey: # YOUR KEY 
          crowdsecLapiScheme: http
          crowdsecMode: live
          defaultDecisionSeconds: 15
          enabled: true
          forwardedHeadersTrustedIPs:
            - 0.0.0.0/0
          httpTimeoutSeconds: 10
          logLevel: INFO
          updateIntervalSeconds: 15
          updateMaxFailure: 0
    default-whitelist:
      ipWhiteList:
        sourceRange:
          - 10.0.0.0/8
          - 192.168.0.0/16
          - 172.16.0.0/12
    redirect-to-https:
      redirectScheme:
        scheme: https
    security-headers:
      headers:
        contentTypeNosniff: true
        customFrameOptionsValue: SAMEORIGIN
        customResponseHeaders:
          Server: ""
          X-Forwarded-Proto: https
          X-Powered-By: ""
        forceSTSHeader: true
        hostsProxyHeaders:
          - X-Forwarded-Host
        referrerPolicy: strict-origin-when-cross-origin
        sslProxyHeaders:
          X-Forwarded-Proto: https
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 63072000
  routers:
    # HTTP to HTTPS redirect router
    main-app-router-redirect:
      rule: "Host(`pangolin.YOURDOMAIN.com`)" # REPLACE THIS WITH YOUR DOMAIN
      service: next-service
      entryPoints:
        - web
      middlewares:
        - redirect-to-https

    # Next.js router (handles everything except API and WebSocket paths)
    next-router:
      rule: "Host(`pangolin.YOURDOMAIN.com`) && !PathPrefix(`/api/v1`)" # REPLACE THIS WITH YOUR DOMAIN
      service: next-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt

    # API router (handles /api/v1 paths)
    api-router:
      rule: "Host(`pangolin.YOURDOMAIN.com`) && PathPrefix(`/api/v1`)" # REPLACE THIS WITH YOUR DOMAIN
      service: api-service
      entryPoints:
        - websecure
      middlewares:
       - security-headers
      tls:
        certResolver: letsencrypt

    # WebSocket router
    ws-router:
      rule: "Host(`pangolin.YOURDOMAIN.com`)" # REPLACE THIS WITH YOUR DOMAIN
      service: api-service
      entryPoints:
        - websecure
      middlewares:
       - security-headers        
      tls:
        certResolver: letsencrypt
  services:
    next-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3002" # Next.js server

    api-service:
      loadBalancer:
        servers:
          - url: "http://pangolin:3000" # API/WebSocket server

Hope that helps!

@TheSilverSadist commented on GitHub (Apr 2, 2025): This is what I changed to my Dynamic to fix it ``` http: middlewares: crowdsec: plugin: crowdsec: clientTrustedIPs: - 10.0.0.0/8 - 172.16.0.0/12 - 192.168.0.0/16 - 100.89.137.0/20 crowdsecAppsecEnabled: true crowdsecAppsecFailureBlock: true crowdsecAppsecHost: crowdsec:7422 crowdsecAppsecUnreachableBlock: true crowdsecLapiHost: crowdsec:8080 crowdsecLapiKey: # YOUR KEY crowdsecLapiScheme: http crowdsecMode: live defaultDecisionSeconds: 15 enabled: true forwardedHeadersTrustedIPs: - 0.0.0.0/0 httpTimeoutSeconds: 10 logLevel: INFO updateIntervalSeconds: 15 updateMaxFailure: 0 default-whitelist: ipWhiteList: sourceRange: - 10.0.0.0/8 - 192.168.0.0/16 - 172.16.0.0/12 redirect-to-https: redirectScheme: scheme: https security-headers: headers: contentTypeNosniff: true customFrameOptionsValue: SAMEORIGIN customResponseHeaders: Server: "" X-Forwarded-Proto: https X-Powered-By: "" forceSTSHeader: true hostsProxyHeaders: - X-Forwarded-Host referrerPolicy: strict-origin-when-cross-origin sslProxyHeaders: X-Forwarded-Proto: https stsIncludeSubdomains: true stsPreload: true stsSeconds: 63072000 routers: # HTTP to HTTPS redirect router main-app-router-redirect: rule: "Host(`pangolin.YOURDOMAIN.com`)" # REPLACE THIS WITH YOUR DOMAIN service: next-service entryPoints: - web middlewares: - redirect-to-https # Next.js router (handles everything except API and WebSocket paths) next-router: rule: "Host(`pangolin.YOURDOMAIN.com`) && !PathPrefix(`/api/v1`)" # REPLACE THIS WITH YOUR DOMAIN service: next-service entryPoints: - websecure tls: certResolver: letsencrypt # API router (handles /api/v1 paths) api-router: rule: "Host(`pangolin.YOURDOMAIN.com`) && PathPrefix(`/api/v1`)" # REPLACE THIS WITH YOUR DOMAIN service: api-service entryPoints: - websecure middlewares: - security-headers tls: certResolver: letsencrypt # WebSocket router ws-router: rule: "Host(`pangolin.YOURDOMAIN.com`)" # REPLACE THIS WITH YOUR DOMAIN service: api-service entryPoints: - websecure middlewares: - security-headers tls: certResolver: letsencrypt services: next-service: loadBalancer: servers: - url: "http://pangolin:3002" # Next.js server api-service: loadBalancer: servers: - url: "http://pangolin:3000" # API/WebSocket server ``` Hope that helps!
GiteaMirror commented 2025-11-13 11:53:00 -06:00
Author
Owner
Copy Link

@riwich commented on GitHub (Apr 3, 2025):

Hello TheSilverSadist
Thanks for the tip!

However, I don't understand what exactly you changed to get Pangolin running again.

What strikes me is that you have not defined the “*.domain” at the “next-router:” section, which seems a bit strange to me.

Would it be possible for you to tell me the exact adjustments? Which lines did you change? I'm not overlooking the whole thing completely, in my configuration I haven't included “Crowdsec” either, which makes the two configuration files a little more difficult to distinguish.

Regards,
Thomas

@riwich commented on GitHub (Apr 3, 2025): Hello TheSilverSadist Thanks for the tip! However, I don't understand what exactly you changed to get Pangolin running again. What strikes me is that you have not defined the _“*.domain”_ at the _“next-router:”_ section, which seems a bit strange to me. Would it be possible for you to tell me the exact adjustments? Which lines did you change? I'm not overlooking the whole thing completely, in my configuration I haven't included _“Crowdsec”_ either, which makes the two configuration files a little more difficult to distinguish. Regards, Thomas
GiteaMirror commented 2025-11-13 11:53:01 -06:00
Author
Owner
Copy Link

@TheSilverSadist commented on GitHub (Apr 3, 2025):

I don't know why or how but removing it after I ran it once made the site work then I was able to re-add it like this

  tls:
    certResolver: letsencrypt
    domains:
      - main: "mydomain.com"
      - sans: "*.mydomain.com"

The only other thing I did was go through and remove any hidden spaces between all of the entries

@TheSilverSadist commented on GitHub (Apr 3, 2025): I don't know why or how but removing it after I ran it once made the site work then I was able to re-add it like this tls: certResolver: letsencrypt domains: - main: "mydomain.com" - sans: "*.mydomain.com" The only other thing I did was go through and remove any hidden spaces between all of the entries
GiteaMirror commented 2025-11-13 11:53:01 -06:00
Author
Owner
Copy Link

@oschwartz10612 commented on GitHub (Apr 3, 2025):

Yeah I think your next-router was wrong. All of them should be similar:

 next-router:
      rule: "Host(`{{.DashboardDomain}}`) && !PathPrefix(`/api/v1`)"
      service: next-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt

    # API router (handles /api/v1 paths)
    api-router:
      rule: "Host(`{{.DashboardDomain}}`) && PathPrefix(`/api/v1`)"
      service: api-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt

    # WebSocket router
    ws-router:
      rule: "Host(`{{.DashboardDomain}}`)"
      service: api-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
@oschwartz10612 commented on GitHub (Apr 3, 2025): Yeah I think your next-router was wrong. All of them should be similar: ``` next-router: rule: "Host(`{{.DashboardDomain}}`) && !PathPrefix(`/api/v1`)" service: next-service entryPoints: - websecure tls: certResolver: letsencrypt # API router (handles /api/v1 paths) api-router: rule: "Host(`{{.DashboardDomain}}`) && PathPrefix(`/api/v1`)" service: api-service entryPoints: - websecure tls: certResolver: letsencrypt # WebSocket router ws-router: rule: "Host(`{{.DashboardDomain}}`)" service: api-service entryPoints: - websecure tls: certResolver: letsencrypt ```
GiteaMirror commented 2025-11-13 11:53:01 -06:00
Author
Owner
Copy Link

@riwich commented on GitHub (Apr 3, 2025):

That solved it, thanks Owen and TheSilverSadist!

I changed "dynamic_config.yml" from:

    # Next.js router (handles everything except API and WebSocket paths)
    next-router:
      rule: "Host(`mydomain.com`) && !PathPrefix(`/api/v1`)"
      service: next-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
        domains:
          - main: "mydomain.com"
            sans:
              - "*.mydomain.com"

to:

    # Next.js router (handles everything except API and WebSocket paths)
    next-router:
      rule: "Host(`pangolin.mydomain.com`) && !PathPrefix(`/api/v1`)"
      service: next-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt

I also had to change the addition of "pangolin." to the "rule: Host...." section.

And now Pangolin is working again!

However, in my conversion to “wildcard-certs” I followed the instructions on the website (https://docs.fossorial.io/Pangolin/Configuration/wildcard-certs) exactly and it explicitly states that the additional configuration “domains:” should be made.

Image

Have I simply misunderstood this (my native language is not English) or should the instructions be corrected?

In any case, my Pangolin works as it should and I am thrilled with this great product!

@riwich commented on GitHub (Apr 3, 2025): That solved it, thanks Owen and TheSilverSadist! I changed "dynamic_config.yml" from: ``` # Next.js router (handles everything except API and WebSocket paths) next-router: rule: "Host(`mydomain.com`) && !PathPrefix(`/api/v1`)" service: next-service entryPoints: - websecure tls: certResolver: letsencrypt domains: - main: "mydomain.com" sans: - "*.mydomain.com" ``` to: ``` # Next.js router (handles everything except API and WebSocket paths) next-router: rule: "Host(`pangolin.mydomain.com`) && !PathPrefix(`/api/v1`)" service: next-service entryPoints: - websecure tls: certResolver: letsencrypt ``` I also had to change the addition of _"pangolin."_ to the _"rule: Host...."_ section. And now Pangolin is working again! However, in my conversion to “wildcard-certs” I followed the instructions on the website (https://docs.fossorial.io/Pangolin/Configuration/wildcard-certs) exactly and it explicitly states that the additional configuration _“domains:”_ should be made. ![Image](https://github.com/user-attachments/assets/db1f51fa-2e77-419f-b9ef-7326e73e1f1b) Have I simply misunderstood this (my native language is not English) or should the instructions be corrected? In any case, my Pangolin works as it should and I am thrilled with this great product!
GiteaMirror commented 2025-11-13 11:53:02 -06:00
Author
Owner
Copy Link

@Tanhueco commented on GitHub (Apr 5, 2025):

@riwich, when you say it works, does that mean only a single certificate is generated for your several subdomains? In my case, without the following code, it does not work:

tls: certResolver: letsencrypt domains: - main: "mydomain.com" sans: - "*.mydomain.com"

It works, however, by adding it in. Odd.

@Tanhueco commented on GitHub (Apr 5, 2025): @riwich, when you say it works, does that mean only a single certificate is generated for your several subdomains? In my case, without the following code, it does not work: ` tls: certResolver: letsencrypt domains: - main: "mydomain.com" sans: - "*.mydomain.com"` It works, however, by adding it in. Odd.
GiteaMirror commented 2025-11-13 11:53:02 -06:00
Author
Owner
Copy Link

@riwich commented on GitHub (Apr 5, 2025):

@Tanhueco
Yes, as you say, the whole thing is behaving oddly and I can't figure it out at all.

When I look at my “acme.json”, I see a certificate from the initial installation for the subdomain “pangolin.mydomain.com”, and a wildcart certificate for “*.mydomain.com”.

To be honest, I have since deleted my Pangolin instance. I'm testing different approaches and I'm currently running a variant “NGINX Proxy Manager / Twingate”. This is also a promising option.

However, I like the simplicity, the independence from a third party and the structured setup of Pangolin (OK, apart from our very special problem ;-) ) and I can very well imagine that, after I have played through all my variants, Pangolin will be my final setup.

@riwich commented on GitHub (Apr 5, 2025): @Tanhueco Yes, as you say, the whole thing is behaving oddly and I can't figure it out at all. When I look at my _“acme.json”_, I see a certificate from the initial installation for the subdomain _“pangolin.mydomain.com”_, and a wildcart certificate for _“*.mydomain.com”_. To be honest, I have since deleted my Pangolin instance. I'm testing different approaches and I'm currently running a variant _“NGINX Proxy Manager / Twingate”_. This is also a promising option. However, I like the simplicity, the independence from a third party and the structured setup of Pangolin (OK, apart from our very special problem ;-) ) and I can very well imagine that, after I have played through all my variants, Pangolin will be my final setup.
GiteaMirror commented 2025-11-13 11:53:02 -06:00
Author
Owner
Copy Link

@github-actions[bot] commented on GitHub (Apr 20, 2025):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.

@github-actions[bot] commented on GitHub (Apr 20, 2025): This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.
GiteaMirror commented 2025-11-13 11:53:02 -06:00
Author
Owner
Copy Link

@github-actions[bot] commented on GitHub (May 4, 2025):

This issue has been automatically closed due to inactivity. If you believe this is still relevant, please open a new issue with up-to-date information.

@github-actions[bot] commented on GitHub (May 4, 2025): This issue has been automatically closed due to inactivity. If you believe this is still relevant, please open a new issue with up-to-date information.
GiteaMirror commented 2025-11-13 11:53:03 -06:00
Author
Owner
Copy Link

@shucking commented on GitHub (May 28, 2025):

for anyone else who comes to this issue: following the docs as is could lead to the same problem that @riwich had if you are using a subdomain. make sure to edit your rule and host line to the subdomain, and not the base domain.

To clarify, the docs use this line without specifying which domain should be used:

next-router:
  rule: "Host(`example.com`) && !PathPrefix(`/api/v1`)"

Here's the whole block that works:

# Next.js router (handles everything except API and WebSocket paths)
    next-router:
      rule: "Host(`proxy.example.com`) && !PathPrefix(`/api/v1`)" # REPLACE THIS WITH YOUR SUB-DOMAIN
      service: next-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
        domains:
          - main: "example.com" # USE YOUR BASE DOMAIN
            sans:
              - "*.example.com"

Accordingly, I think the docs should be a bit more clear to distinguish what to do

@shucking commented on GitHub (May 28, 2025): for anyone else who comes to this issue: following the docs as is could lead to the same problem that @riwich had if you are using a subdomain. make sure to edit your rule and host line to the subdomain, and not the base domain. To clarify, the docs use this line without specifying which domain should be used: ``` next-router: rule: "Host(`example.com`) && !PathPrefix(`/api/v1`)" ``` Here's the whole block that works: ``` # Next.js router (handles everything except API and WebSocket paths) next-router: rule: "Host(`proxy.example.com`) && !PathPrefix(`/api/v1`)" # REPLACE THIS WITH YOUR SUB-DOMAIN service: next-service entryPoints: - websecure tls: certResolver: letsencrypt domains: - main: "example.com" # USE YOUR BASE DOMAIN sans: - "*.example.com" ``` Accordingly, I think the docs should be a bit more clear to distinguish what to do
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
api
authentication
bug
config
dependencies
docker
documentation
enhancement
good first issue
help wanted
Improvement
Look Into
needs investigating
networking
new feature
non-critical bug
potential bug
pull-request
Mirrored from GitHub Pull Request
 question
reverse proxy
Security
stale
ui
wontfix
No Label stale
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/pangolin#206
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?