github-starred/pangolin
2
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-05-08 21:59:09 -05:00
Code Issues 564 Packages Projects Releases 72 Wiki Activity

Redirect loop on additional domains #243

New Issue
Closed
opened 2025-11-13 11:54:06 -06:00 by GiteaMirror · 10 comments
GiteaMirror commented 2025-11-13 11:54:06 -06:00
Owner
Copy Link

Originally created by @bhagen55 on GitHub (Apr 17, 2025).

Originally assigned to: @miloschwartz on GitHub.

Hello!
I have been using Pangolin and it has been flawless with a single domain.
I tried adding two additional domains and have not been able to get them working.

I have set up a simple resource that points to a static HTML site hosted by a NGINX docker container.
If I point the resource at my first domain in "General Settings", the page loads fine. If I point it at one of my secondary domains, it gets into a redirect loop.

(redacted my domain and IP addresses)

--2025-04-16 17:46:46--  https://test.mydomain.com/
Resolving test.mydomain.com (test.mydomain.com)... 1.2.3.4, 1.2.3.4, 1:2:3:4, ...
Connecting to test.mydomain.com (test.mydomain.com)|1.2.3.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://test.mydomain.com/ [following]
--2025-04-16 17:46:46--  https://test.mydomain.com/
Reusing existing connection to test.mydomain.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://test.mydomain.com/ [following]
--2025-04-16 17:46:46--  https://test.mydomain.com/
Reusing existing connection to test.mydomain.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://test.mydomain.com/ [following]
...
continues until maximum of 20 redirects is hit

I do have Crowdsec enabled, but I don't see anything related in it's logs when I try to load the page.

I am running Pangolin v1.2.0 in a docker compose stack.
Here is the domains section of my config:

domains:
  domain1:
    base_domain: domain1.com
    cert_resolver: letsencrypt
  domain2:
    base_domain: mydomain.com
    cert_resolver: letsencrypt
  domain3:
    base_domain: mydomain2.com
    cert_resolver: letsencrypt
Originally created by @bhagen55 on GitHub (Apr 17, 2025). Originally assigned to: @miloschwartz on GitHub. Hello! I have been using Pangolin and it has been flawless with a single domain. I tried adding two additional domains and have not been able to get them working. I have set up a simple resource that points to a static HTML site hosted by a NGINX docker container. If I point the resource at my first domain in "General Settings", the page loads fine. If I point it at one of my secondary domains, it gets into a redirect loop. (redacted my domain and IP addresses) ``` --2025-04-16 17:46:46-- https://test.mydomain.com/ Resolving test.mydomain.com (test.mydomain.com)... 1.2.3.4, 1.2.3.4, 1:2:3:4, ... Connecting to test.mydomain.com (test.mydomain.com)|1.2.3.4|:443... connected. HTTP request sent, awaiting response... 302 Found Location: https://test.mydomain.com/ [following] --2025-04-16 17:46:46-- https://test.mydomain.com/ Reusing existing connection to test.mydomain.com:443. HTTP request sent, awaiting response... 302 Found Location: https://test.mydomain.com/ [following] --2025-04-16 17:46:46-- https://test.mydomain.com/ Reusing existing connection to test.mydomain.com:443. HTTP request sent, awaiting response... 302 Found Location: https://test.mydomain.com/ [following] ... continues until maximum of 20 redirects is hit ``` I do have Crowdsec enabled, but I don't see anything related in it's logs when I try to load the page. I am running Pangolin v1.2.0 in a docker compose stack. Here is the domains section of my config: ``` domains: domain1: base_domain: domain1.com cert_resolver: letsencrypt domain2: base_domain: mydomain.com cert_resolver: letsencrypt domain3: base_domain: mydomain2.com cert_resolver: letsencrypt ```
GiteaMirror added the needs investigating label 2025-11-13 11:54:06 -06:00
GiteaMirror commented 2025-11-13 11:54:08 -06:00
Author
Owner
Copy Link

@oschwartz10612 commented on GitHub (Apr 20, 2025):

If you attempt to visit the 2nd domain with an incognito window or private window does it work?

@oschwartz10612 commented on GitHub (Apr 20, 2025): If you attempt to visit the 2nd domain with an incognito window or private window does it work?
GiteaMirror commented 2025-11-13 11:54:08 -06:00
Author
Owner
Copy Link

@bhagen55 commented on GitHub (Apr 21, 2025):

It does not work in incognito or with a fresh cache.

@bhagen55 commented on GitHub (Apr 21, 2025): It does not work in incognito or with a fresh cache.
GiteaMirror commented 2025-11-13 11:54:08 -06:00
Author
Owner
Copy Link

@miloschwartz commented on GitHub (Apr 22, 2025):

A few more question to try to pin point the problem:

Are Pangolin and Badger both fully up to date?

When you start Traefik do you see any errors related to requesting and confirming a certificate? Make sure DNS is set up for those extra domains and they can gain a valid cert all through the same cert resolver (letsencrypt).

During the redirect loop, do you see any errors or anything printed in the Pangolin server logs? If you enable debug log level for Pangolin, do you see it continuously requesting session cookies during the redirect loop?

@miloschwartz commented on GitHub (Apr 22, 2025): A few more question to try to pin point the problem: Are Pangolin and Badger both fully up to date? When you start Traefik do you see any errors related to requesting and confirming a certificate? Make sure DNS is set up for those extra domains and they can gain a valid cert all through the same cert resolver (`letsencrypt`). During the redirect loop, do you see any errors or anything printed in the Pangolin server logs? If you enable `debug` log level for Pangolin, do you see it continuously requesting session cookies during the redirect loop?
GiteaMirror commented 2025-11-13 11:54:08 -06:00
Author
Owner
Copy Link

@bhagen55 commented on GitHub (Apr 23, 2025):

I am using image: fosrl/pangolin:1.2.0 and badger:

experimental:
  plugins:
    badger:
      moduleName: github.com/fosrl/badger
      version: v1.1.0

I believe those are up to date.

Good call on the SSL side of things, I turned off SSL on one of the problem domains and it loads fine via normal HTTP. I will poke around the Traefik logs to see if I can figure out what is wrong with cert requests.

@bhagen55 commented on GitHub (Apr 23, 2025): I am using `image: fosrl/pangolin:1.2.0` and badger: ``` experimental: plugins: badger: moduleName: github.com/fosrl/badger version: v1.1.0 ``` I believe those are up to date. Good call on the SSL side of things, I turned off SSL on one of the problem domains and it loads fine via normal HTTP. I will poke around the Traefik logs to see if I can figure out what is wrong with cert requests.
GiteaMirror commented 2025-11-13 11:54:08 -06:00
Author
Owner
Copy Link

@bhagen55 commented on GitHub (Apr 23, 2025):

Forgot to add that I did try setting the Pangolin log level to debug but did not see any debug output when trying to access the problem domain and getting stuck in a redirect. I did see the usual Verify Session: and Resource allowed because no auth after turning off SSL.

@bhagen55 commented on GitHub (Apr 23, 2025): Forgot to add that I did try setting the Pangolin log level to `debug` but did not see any debug output when trying to access the problem domain and getting stuck in a redirect. I did see the usual `Verify Session:` and `Resource allowed because no auth` after turning off SSL.
GiteaMirror commented 2025-11-13 11:54:08 -06:00
Author
Owner
Copy Link

@bhagen55 commented on GitHub (Apr 23, 2025):

SSL certificate fetching doesn't seem to be the issue. I looked at my acme.json and it all looks correct, including for the problem domains.
I tried deleting it, and traefik was able to re-request them all just fine.

@bhagen55 commented on GitHub (Apr 23, 2025): SSL certificate fetching doesn't seem to be the issue. I looked at my `acme.json` and it all looks correct, including for the problem domains. I tried deleting it, and traefik was able to re-request them all just fine.
GiteaMirror commented 2025-11-13 11:54:09 -06:00
Author
Owner
Copy Link

@github-actions[bot] commented on GitHub (May 8, 2025):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.

@github-actions[bot] commented on GitHub (May 8, 2025): This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.
GiteaMirror commented 2025-11-13 11:54:09 -06:00
Author
Owner
Copy Link

@bhagen55 commented on GitHub (May 20, 2025):

I haven't had any luck debugging this further. I have updated to Pangolin 1.4.0 and Traefik 3.4.0, and tried removing and re-adding the extra domains.
Any thoughts on additional debugging/troubleshooting steps I can take?

@bhagen55 commented on GitHub (May 20, 2025): I haven't had any luck debugging this further. I have updated to Pangolin 1.4.0 and Traefik 3.4.0, and tried removing and re-adding the extra domains. Any thoughts on additional debugging/troubleshooting steps I can take?
GiteaMirror commented 2025-11-13 11:54:10 -06:00
Author
Owner
Copy Link

@alexandrescieux commented on GitHub (Jun 1, 2025):

I encounter the same redirect loop for every resource when 'Enable SSL' is turned on.
I deployed Pangolin in a k3s cluster with Traefik as the Ingress Controller.

It works flawlessly over HTTPS with 'Enable SSL' disabled, as long as I let the Traefik Ingress Controller handle the SSL termination alone (using plain HTTP after the Ingress).

@alexandrescieux commented on GitHub (Jun 1, 2025): I encounter the same redirect loop for every resource when 'Enable SSL' is turned on. I deployed Pangolin in a k3s cluster with Traefik as the Ingress Controller. It works flawlessly over HTTPS with 'Enable SSL' disabled, as long as I let the Traefik Ingress Controller handle the SSL termination alone (using plain HTTP after the Ingress).
GiteaMirror commented 2025-11-13 11:54:10 -06:00
Author
Owner
Copy Link

@bhagen55 commented on GitHub (Oct 16, 2025):

I am pretty sure this was a Cloudflare configuration issue, I should have investigated that first 🙃
Some combination of turning off TLS termination at Cloudflare (that I didn't even realize was enabled) and turning off Cloudflare proxying causes the redirect error to go away.

@bhagen55 commented on GitHub (Oct 16, 2025): I am pretty sure this was a Cloudflare configuration issue, I should have investigated that first 🙃 Some combination of turning off TLS termination at Cloudflare (that I didn't even realize was enabled) and turning off Cloudflare proxying causes the redirect error to go away.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
api
authentication
bug
config
dependencies
docker
documentation
enhancement
good first issue
help wanted
Improvement
Look Into
needs investigating
networking
new feature
non-critical bug
potential bug
pull-request
Mirrored from GitHub Pull Request
 question
reverse proxy
Security
stale
ui
wontfix
No Label needs investigating
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/pangolin#243
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?