Bad gateway errors after adding resources in Pangolin #494

@oschwartz10612 commented on GitHub (Jul 16, 2025):

Bad gateway is typically Newt not being able to reach the target service. What target do you have programmed into the resource and are you sure newt can see it on your network?

@oschwartz10612 commented on GitHub (Jul 16, 2025): Bad gateway is typically Newt not being able to reach the target service. What target do you have programmed into the resource and are you sure newt can see it on your network?

GiteaMirror commented

@SprMario commented on GitHub (Jul 16, 2025):

Bad gateway is typically Newt not being able to reach the target service. What target do you have programmed into the resource and are you sure newt can see it on your network?

To give you a bit more context. Pangolin on VPS with a resource made to target a dashboard on the home server. In this case I use portainer as an example. The target is a docker image(portainer) running on the home server. So newt and the target are in the same VM:

Newt itself doesn't show any meaningful logs:

@SprMario commented on GitHub (Jul 16, 2025): > Bad gateway is typically Newt not being able to reach the target service. What target do you have programmed into the resource and are you sure newt can see it on your network? To give you a bit more context. Pangolin on VPS with a resource made to target a dashboard on the home server. In this case I use portainer as an example. The target is a docker image(portainer) running on the home server. So newt and the target are in the same VM: <img width="336" height="141" alt="Image" src="https://github.com/user-attachments/assets/d5ef48c5-a708-46e5-a9f8-8d180dd5df9e" /> Newt itself doesn't show any meaningful logs: <img width="354" height="38" alt="Image" src="https://github.com/user-attachments/assets/eb3107f4-1261-4afd-b48f-36363da344ed" />

GiteaMirror commented

@MorganKryze commented on GitHub (Jul 22, 2025):

Hi @SprMario

I did a working setup (not sure that this would be the right way to do it but still), between a VPS and a home server. On the server side I set up a Newt container as such:

services:
  newt:
    image: fosrl/newt
    container_name: newt
    restart: unless-stopped
    environment:
      - PANGOLIN_ENDPOINT=https://pangolin.example.xyz
      - NEWT_ID=a_super_id
      - NEWT_SECRET=a_super_secret
      - DOCKER_SOCKET=/var/run/docker.sock
    # Adding this volume will also let Newt access your docker socket and resolve your warning hopefully
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    # The container is added to the network "pangolin"
    networks:
      - pangolin

# This section creates a network called "pangolin"
networks:
  pangolin:
    name: pangolin
    driver: bridge

And here is my config for a service (e.g. Filebrowser, but could be Portainer if you like):

services:
  filebrowser:
    image: filebrowser/filebrowser:s6
    container_name: filebrowser
    restart: unless-stopped
    # Here we choose to use "expose" instead of "ports" so we just tell that the container will expose a service on its port 80 on our network
    expose:
      - 80
    volumes:
      - /some/data/folder:/srv
      - ./database:/database
      - ./config:/config
    environment:
      - PUID=1000
      - PGID=1000
    # Here this service is also added to the "pangolin" network
    networks:
      - pangolin

# We add a reference to the panolin network created earlier after having up the newt container
networks:
  pangolin:
    name: pangolin
    external: true

To sum up:

we set up a newt container that will create a network called pangolin (feel free to change the name if desired)
we added newt to this network
we created a container (filebrowser service) and added it to the network pangolin
we chose expose instead of ports to map the ports (expose is purely indicative and does not change the behavior of the container, but add clarity to your config)
we referenced the external network pangolin

Now that this is running, on the pangolin dashboard, when creating a new resource, we can use docker name resolving capabilities and target our filebrowser service as http://filebrowser:80 and this will target the filebrowser container on port 80 without any issue as they are on the same network.

Here is the view on the dashboard:

Care to save your changes!

I am no maintainer or expert, but feel free to ask if I may help in this case or if you need more detail on this

@MorganKryze commented on GitHub (Jul 22, 2025): Hi @SprMario I did a working setup (not sure that this would be the right way to do it but still), between a VPS and a home server. On the server side I set up a Newt container as such: ```yaml services: newt: image: fosrl/newt container_name: newt restart: unless-stopped environment: - PANGOLIN_ENDPOINT=https://pangolin.example.xyz - NEWT_ID=a_super_id - NEWT_SECRET=a_super_secret - DOCKER_SOCKET=/var/run/docker.sock # Adding this volume will also let Newt access your docker socket and resolve your warning hopefully volumes: - /var/run/docker.sock:/var/run/docker.sock:ro # The container is added to the network "pangolin" networks: - pangolin # This section creates a network called "pangolin" networks: pangolin: name: pangolin driver: bridge ``` And here is my config for a service (e.g. Filebrowser, but could be Portainer if you like): ```yaml services: filebrowser: image: filebrowser/filebrowser:s6 container_name: filebrowser restart: unless-stopped # Here we choose to use "expose" instead of "ports" so we just tell that the container will expose a service on its port 80 on our network expose: - 80 volumes: - /some/data/folder:/srv - ./database:/database - ./config:/config environment: - PUID=1000 - PGID=1000 # Here this service is also added to the "pangolin" network networks: - pangolin # We add a reference to the panolin network created earlier after having up the newt container networks: pangolin: name: pangolin external: true ``` To sum up: - we set up a newt container that will create a network called `pangolin` (feel free to change the name if desired) - we added newt to this network - we created a container (filebrowser service) and added it to the network `pangolin` - we chose `expose` instead of `ports` to map the ports (`expose` is purely indicative and does not change the behavior of the container, but add clarity to your config) - we referenced the external network `pangolin` Now that this is running, on the pangolin dashboard, when creating a new resource, we can use docker name resolving capabilities and target our `filebrowser` service as `http://filebrowser:80` and this will target the `filebrowser` container on port `80` without any issue as they are on the same network. Here is the view on the dashboard: <img width="1588" height="429" alt="Image" src="https://github.com/user-attachments/assets/2a90eca8-efcf-4340-b7b7-a1313b339a12" /> Care to save your changes! I am no maintainer or expert, but feel free to ask if I may help in this case or if you need more detail on this

GiteaMirror commented

@SprMario commented on GitHub (Jul 24, 2025):

Hi @SprMario

I did a working setup (not sure that this would be the right way to do it but still), between a VPS and a home server. On the server side I set up a Newt container as such:

services:
newt:
image: fosrl/newt
container_name: newt
restart: unless-stopped
environment:
- PANGOLIN_ENDPOINT=https://pangolin.example.xyz
- NEWT_ID=a_super_id
- NEWT_SECRET=a_super_secret
- DOCKER_SOCKET=/var/run/docker.sock
# Adding this volume will also let Newt access your docker socket and resolve your warning hopefully
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
# The container is added to the network "pangolin"
networks:
- pangolin

This section creates a network called "pangolin"

networks:
pangolin:
name: pangolin
driver: bridge

And here is my config for a service (e.g. Filebrowser, but could be Portainer if you like):

services:
filebrowser:
image: filebrowser/filebrowser:s6
container_name: filebrowser
restart: unless-stopped
# Here we choose to use "expose" instead of "ports" so we just tell that the container will expose a service on its port 80 on our network
expose:
- 80
volumes:
- /some/data/folder:/srv
- ./database:/database
- ./config:/config
environment:
- PUID=1000
- PGID=1000
# Here this service is also added to the "pangolin" network
networks:
- pangolin

We add a reference to the panolin network created earlier after having up the newt container

networks:
pangolin:
name: pangolin
external: true

To sum up:
* we set up a newt container that will create a network called `pangolin` (feel free to change the name if desired)

* we added newt to this network

* we created a container (filebrowser service) and added it to the network `pangolin`

* we chose `expose` instead of `ports` to map the ports (`expose` is purely indicative and does not change the behavior of the container, but add clarity to your config)

* we referenced the external network `pangolin`
Now that this is running, on the pangolin dashboard, when creating a new resource, we can use docker name resolving capabilities and target our filebrowser service as http://filebrowser:80 and this will target the filebrowser container on port 80 without any issue as they are on the same network.

Here is the view on the dashboard:

Care to save your changes!

I am no maintainer or expert, but feel free to ask if I may help in this case or if you need more detail on this

Thanks for the guide. I set this up using the install script. I will retry during the weekend to see where the issue is.

@SprMario commented on GitHub (Jul 24, 2025): > Hi [@SprMario](https://github.com/SprMario) > > I did a working setup (not sure that this would be the right way to do it but still), between a VPS and a home server. On the server side I set up a Newt container as such: > > services: > newt: > image: fosrl/newt > container_name: newt > restart: unless-stopped > environment: > - PANGOLIN_ENDPOINT=https://pangolin.example.xyz > - NEWT_ID=a_super_id > - NEWT_SECRET=a_super_secret > - DOCKER_SOCKET=/var/run/docker.sock > # Adding this volume will also let Newt access your docker socket and resolve your warning hopefully > volumes: > - /var/run/docker.sock:/var/run/docker.sock:ro > # The container is added to the network "pangolin" > networks: > - pangolin > > # This section creates a network called "pangolin" > networks: > pangolin: > name: pangolin > driver: bridge > > And here is my config for a service (e.g. Filebrowser, but could be Portainer if you like): > > services: > filebrowser: > image: filebrowser/filebrowser:s6 > container_name: filebrowser > restart: unless-stopped > # Here we choose to use "expose" instead of "ports" so we just tell that the container will expose a service on its port 80 on our network > expose: > - 80 > volumes: > - /some/data/folder:/srv > - ./database:/database > - ./config:/config > environment: > - PUID=1000 > - PGID=1000 > # Here this service is also added to the "pangolin" network > networks: > - pangolin > > # We add a reference to the panolin network created earlier after having up the newt container > networks: > pangolin: > name: pangolin > external: true > > To sum up: > > * we set up a newt container that will create a network called `pangolin` (feel free to change the name if desired) > > * we added newt to this network > > * we created a container (filebrowser service) and added it to the network `pangolin` > > * we chose `expose` instead of `ports` to map the ports (`expose` is purely indicative and does not change the behavior of the container, but add clarity to your config) > > * we referenced the external network `pangolin` > > > Now that this is running, on the pangolin dashboard, when creating a new resource, we can use docker name resolving capabilities and target our `filebrowser` service as `http://filebrowser:80` and this will target the `filebrowser` container on port `80` without any issue as they are on the same network. > > Here is the view on the dashboard: > <img alt="Image" width="1588" height="429" src="https://private-user-images.githubusercontent.com/103436411/469487530-2a90eca8-efcf-4340-b7b7-a1313b339a12.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NTMzNzc1MTIsIm5iZiI6MTc1MzM3NzIxMiwicGF0aCI6Ii8xMDM0MzY0MTEvNDY5NDg3NTMwLTJhOTBlY2E4LWVmY2YtNDM0MC1iN2I3LWExMzEzYjMzOWExMi5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwNzI0JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDcyNFQxNzEzMzJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1iM2QwOTk1ZjBhOGI4N2I3ODYzNDQ5Y2Y5NmIxMDJkMWI0ZTc4MmU3MmU5OWFkMzZlZmZmMGI0ZGViNjEwMTRmJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.THPjC7w1wcHY-1fLUIdoufwiGdesxXefs-5HYl5Nxxw"> > > Care to save your changes! > > I am no maintainer or expert, but feel free to ask if I may help in this case or if you need more detail on this Thanks for the guide. I set this up using the install script. I will retry during the weekend to see where the issue is.

GiteaMirror commented

@MorganKryze commented on GitHub (Jul 24, 2025):

Would you share the content of your newt and portainer containers? The issue may be in their configs. A screenshot of your proxy tab from pangolin would also help us find the root of the issue.

@MorganKryze commented on GitHub (Jul 24, 2025): Would you share the content of your `newt` and `portainer` containers? The issue may be in their configs. A screenshot of your proxy tab from pangolin would also help us find the root of the issue.

GiteaMirror commented

@SprMario commented on GitHub (Jul 27, 2025):

Hi Morgan,

The pangolin screenshot of the proxy page is:

Not sure how you want me to share the content of the containers. They are made using docker, not compose.

@SprMario commented on GitHub (Jul 27, 2025): Hi Morgan, The pangolin screenshot of the proxy page is: <img width="1554" height="506" alt="Image" src="https://github.com/user-attachments/assets/2d306d48-384d-4387-b2a1-e45a948f9585" /> Not sure how you want me to share the content of the containers. They are made using docker, not compose.

GiteaMirror commented

@MorganKryze commented on GitHub (Jul 27, 2025):

Hi @SprMario,
Thanks, can you send me the docker run commands used to start the portainer and newtcontainer (care to obfuscate the credentials if there is some). Or config page inside Portainer if so, I do not particularly know portainer and its network management.

My intent here is to see what is the network configuration of your containers. My suggestion would be to create a pangolin or newt (whatever you may want to call it) network and put your containers onto it so that they can communicate between each other flawlessly. Plus that brings a feature letting us call service by internal DNS addresses like : http://filebrowser:80 or http://portainer:9000.

Note: if you intend to expose your Portainer service, please make sure to limit access to the domain with the Authentication tab.

@MorganKryze commented on GitHub (Jul 27, 2025): Hi @SprMario, Thanks, can you send me the `docker run` commands used to start the `portainer` and `newt`container (care to obfuscate the credentials if there is some). Or config page inside Portainer if so, I do not particularly know portainer and its network management. My intent here is to see what is the network configuration of your containers. My suggestion would be to create a `pangolin` or `newt` (whatever you may want to call it) network and put your containers onto it so that they can communicate between each other flawlessly. Plus that brings a feature letting us call service by internal DNS addresses like : `http://filebrowser:80` or `http://portainer:9000`. Note: if you intend to expose your Portainer service, please make sure to limit access to the domain with the `Authentication` tab.

GiteaMirror commented

@SprMario commented on GitHub (Jul 27, 2025):

Hi @SprMario, Thanks, can you send me the docker run commands used to start the portainer and newtcontainer (care to obfuscate the credentials if there is some). Or config page inside Portainer if so, I do not particularly know portainer and its network management.

My intent here is to see what is the network configuration of your containers. My suggestion would be to create a pangolin or newt (whatever you may want to call it) network and put your containers onto it so that they can communicate between each other flawlessly. Plus that brings a feature letting us call service by internal DNS addresses like : http://filebrowser:80 or http://portainer:9000.

Note: if you intend to expose your Portainer service, please make sure to limit access to the domain with the Authentication tab.

Hi @MorganKryze ,

Here is Portainer:
docker run -d -p 9000:9000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:lts

For newt I used the automatic install script of pangolin, I dont really know how that was executed. I can inspect the image if you want?

@SprMario commented on GitHub (Jul 27, 2025): > Hi [@SprMario](https://github.com/SprMario), Thanks, can you send me the `docker run` commands used to start the `portainer` and `newt`container (care to obfuscate the credentials if there is some). Or config page inside Portainer if so, I do not particularly know portainer and its network management. > > My intent here is to see what is the network configuration of your containers. My suggestion would be to create a `pangolin` or `newt` (whatever you may want to call it) network and put your containers onto it so that they can communicate between each other flawlessly. Plus that brings a feature letting us call service by internal DNS addresses like : `http://filebrowser:80` or `http://portainer:9000`. > > Note: if you intend to expose your Portainer service, please make sure to limit access to the domain with the `Authentication` tab. Hi @MorganKryze , Here is Portainer: `docker run -d -p 9000:9000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:lts` For newt I used the automatic install script of pangolin, I dont really know how that was executed. I can inspect the image if you want?

GiteaMirror commented

@MorganKryze commented on GitHub (Jul 27, 2025):

First, my guess would be to uninstall newt from your machine as you used the script as it will not be convenient to update its configuration over the time.

If you want to stay with docker run commands, here would be the updated commands to run:

docker network create --driver bridge pangolin: create the pangolin network
docker run -d -p 9000:9000 -p 9443:9443 --name portainer --restart unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data --network pangolin portainer/portainer-ce:lts: run portainer in the new network (note that you may remove the -p 9443:9443 if you intend to only use pangolin as a reverse proxy targeting port 9000)

Finally, for newt, care to replace the variables to your own:

docker run -d \
  --name newt \
  --restart unless-stopped \
  -e PANGOLIN_ENDPOINT=https://pangolin.example.xyz \
  -e NEWT_ID=a_super_id \
  -e NEWT_SECRET=a_super_secret \
  -e DOCKER_SOCKET=/var/run/docker.sock \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  --network pangolin \
  fosrl/newt

Later, once you see that your site is online on the site tab, go to the resources tab and replace the ip address 192.168.178.110 of your machine by portainer as I have shown in my first pangolin capture.

Hopefully, that should resolve your issue

@MorganKryze commented on GitHub (Jul 27, 2025): First, my guess would be to uninstall newt from your machine as you used the script as it will not be convenient to update its configuration over the time. If you want to stay with `docker run` commands, here would be the updated commands to run: - `docker network create --driver bridge pangolin`: create the pangolin network - `docker run -d -p 9000:9000 -p 9443:9443 --name portainer --restart unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data --network pangolin portainer/portainer-ce:lts`: run portainer in the new network (note that you may remove the `-p 9443:9443` if you intend to only use pangolin as a reverse proxy targeting port 9000) Finally, for newt, care to replace the variables to your own: ```bash docker run -d \ --name newt \ --restart unless-stopped \ -e PANGOLIN_ENDPOINT=https://pangolin.example.xyz \ -e NEWT_ID=a_super_id \ -e NEWT_SECRET=a_super_secret \ -e DOCKER_SOCKET=/var/run/docker.sock \ -v /var/run/docker.sock:/var/run/docker.sock:ro \ --network pangolin \ fosrl/newt ``` Later, once you see that your site is online on the site tab, go to the resources tab and replace the ip address `192.168.178.110` of your machine by `portainer` as I have shown in my first pangolin capture. Hopefully, that should resolve your issue

GiteaMirror commented

@MorganKryze commented on GitHub (Aug 3, 2025):

Hey @SprMario,

Could you get your service to work?

@MorganKryze commented on GitHub (Aug 3, 2025): Hey @SprMario, Could you get your service to work?

GiteaMirror commented

@SprMario commented on GitHub (Aug 4, 2025):

No I didn't. I am going to abandon getting this to work.

@SprMario commented on GitHub (Aug 4, 2025): No I didn't. I am going to abandon getting this to work.

GiteaMirror commented

@MorganKryze commented on GitHub (Aug 6, 2025):

Sorry to hear that, would you describe the issue you are facing, provide some logs, context?

@MorganKryze commented on GitHub (Aug 6, 2025): Sorry to hear that, would you describe the issue you are facing, provide some logs, context?

GiteaMirror commented

@SprMario commented on GitHub (Aug 6, 2025):

The issue is in the first post. I get bad gateway errors. I did not rebuild everything as you suggested in your response, I re-ran the install script from Pangolin and restarted all the services. Didnt work > uninstall.

@SprMario commented on GitHub (Aug 6, 2025): The issue is in the first post. I get bad gateway errors. I did not rebuild everything as you suggested in your response, I re-ran the install script from Pangolin and restarted all the services. Didnt work > uninstall.

GiteaMirror commented

@Lokowitz commented on GitHub (Aug 6, 2025):

Hi @SprMario

Portainer UI is listening on https and port 9443.
So if you want to access the Portainer Ui you have to change it in your pangolin target, currently i see http and port 9000 in your post.
Portainer documentation

@Lokowitz commented on GitHub (Aug 6, 2025): Hi @SprMario Portainer UI is listening on https and port 9443. So if you want to access the Portainer Ui you have to change it in your pangolin target, currently i see http and port 9000 in your [post](https://github.com/fosrl/pangolin/issues/1070#issuecomment-3124287677). [Portainer documentation](https://docs.portainer.io/start/install-ce/server/docker/linux#logging-in)

GiteaMirror commented

@SprMario commented on GitHub (Aug 6, 2025):

Hi @SprMario

Portainer UI is listening on https and port 9443. So if you want to access the Portainer Ui you have to change it in your pangolin target, currently i see http and port 9000 in your post. Portainer documentation

You're right. I tried both ports as portainer listens to 9000 for http and adjusted to 9443 for https, bad gateway when I tried.

@SprMario commented on GitHub (Aug 6, 2025): > Hi [@SprMario](https://github.com/SprMario) > > Portainer UI is listening on https and port 9443. So if you want to access the Portainer Ui you have to change it in your pangolin target, currently i see http and port 9000 in your [post](https://github.com/fosrl/pangolin/issues/1070#issuecomment-3124287677). [Portainer documentation](https://docs.portainer.io/start/install-ce/server/docker/linux#logging-in) You're right. I tried both ports as portainer listens to 9000 for http and adjusted to 9443 for https, bad gateway when I tried.

GiteaMirror commented

@Lokowitz commented on GitHub (Aug 6, 2025):

Just tried it with my server and it is working.

So could you please double check:

Port 80 and 443 is open on vps firewall (server with pangolin installation)
192.168.178.110 is the ip of your local machine running portainer (use ip a to check)
you have a wildcard A record for your domain pointing to your vps (*.your.domain -> vps ip) -> just had this issue that i used the domain which is pointing to my home and not to the vps)

Did you tried to reach other sites or services or is portainer the only one?

@Lokowitz commented on GitHub (Aug 6, 2025): Just tried it with my server and it is working. So could you please double check: - Port 80 and 443 is open on vps firewall (server with pangolin installation) - 192.168.178.110 is the ip of your local machine running portainer (use `ip a` to check) - you have a wildcard A record for your domain pointing to your vps (*.your.domain -> vps ip) -> just had this issue that i used the domain which is pointing to my home and not to the vps) Did you tried to reach other sites or services or is portainer the only one?

GiteaMirror commented

@oschwartz10612 commented on GitHub (Aug 6, 2025):

^^^ this is all good to check. I do suspect usually bad gateway comes
means you are at least getting to pangolin and through traefik.

Double check the IP info and that its reachable from where newt is
installed. You could do a curl command to test!

Also this has tripped me up a couple of times and its super stupid haha:
Make sure you have the resource on the right site!

You can see the newt logs and if it cant make it to portainer you should
see some errors.

@oschwartz10612 commented on GitHub (Aug 6, 2025): ^^^ this is all good to check. I do suspect usually bad gateway comes means you are at least getting to pangolin and through traefik. Double check the IP info and that its reachable from where newt is installed. You could do a curl command to test! Also this has tripped me up a couple of times and its super stupid haha: Make sure you have the resource on the right site! You can see the newt logs and if it cant make it to portainer you should see some errors.

GiteaMirror commented

@mvkotowski commented on GitHub (Aug 6, 2025):

Hi @SprMario

I did a working setup (not sure that this would be the right way to do it but still), between a VPS and a home server. On the server side I set up a Newt container as such:

services:
newt:
image: fosrl/newt
container_name: newt
restart: unless-stopped
environment:
- PANGOLIN_ENDPOINT=https://pangolin.example.xyz
- NEWT_ID=a_super_id
- NEWT_SECRET=a_super_secret
- DOCKER_SOCKET=/var/run/docker.sock
# Adding this volume will also let Newt access your docker socket and resolve your warning hopefully
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
# The container is added to the network "pangolin"
networks:
- pangolin

This section creates a network called "pangolin"

networks:
pangolin:
name: pangolin
driver: bridge

And here is my config for a service (e.g. Filebrowser, but could be Portainer if you like):

services:
filebrowser:
image: filebrowser/filebrowser:s6
container_name: filebrowser
restart: unless-stopped
# Here we choose to use "expose" instead of "ports" so we just tell that the container will expose a service on its port 80 on our network
expose:
- 80
volumes:
- /some/data/folder:/srv
- ./database:/database
- ./config:/config
environment:
- PUID=1000
- PGID=1000
# Here this service is also added to the "pangolin" network
networks:
- pangolin

We add a reference to the panolin network created earlier after having up the newt container

networks:
pangolin:
name: pangolin
external: true

To sum up:
* we set up a newt container that will create a network called `pangolin` (feel free to change the name if desired)

* we added newt to this network

* we created a container (filebrowser service) and added it to the network `pangolin`

* we chose `expose` instead of `ports` to map the ports (`expose` is purely indicative and does not change the behavior of the container, but add clarity to your config)

* we referenced the external network `pangolin`
Now that this is running, on the pangolin dashboard, when creating a new resource, we can use docker name resolving capabilities and target our filebrowser service as http://filebrowser:80 and this will target the filebrowser container on port 80 without any issue as they are on the same network.

Here is the view on the dashboard:

Care to save your changes!

I am no maintainer or expert, but feel free to ask if I may help in this case or if you need more detail on this

I am experiencing sporadic Bad Gateway error messages whenever I try to add a new stack to portainer, but can access it through legacy 9000 port. I will report back on what my logs are saying and implementing your guide for network. Guacamole is also kicking me out. I initially thought it was Home Assistant getting paired with Pangolin, but after I removed it, the errors persisted. It was not this bad at initial install.

Edit 3: ports are opened:

Edit 4: Tinyfiles gives the same bad gateway error, but refreshing page gets me back in.
Edit 5: Still experiencing the gateway issues even after using your format

Edit 6: The only container doing anything interesting is the newt container and the gerbil container. It reconnects every minute after the following error from newt. Gerbil is simply adding and removing the same peer successfully.

Edit 7: Got it Fixed!!

@mvkotowski commented on GitHub (Aug 6, 2025): > Hi [@SprMario](https://github.com/SprMario) > > I did a working setup (not sure that this would be the right way to do it but still), between a VPS and a home server. On the server side I set up a Newt container as such: > > services: > newt: > image: fosrl/newt > container_name: newt > restart: unless-stopped > environment: > - PANGOLIN_ENDPOINT=https://pangolin.example.xyz > - NEWT_ID=a_super_id > - NEWT_SECRET=a_super_secret > - DOCKER_SOCKET=/var/run/docker.sock > # Adding this volume will also let Newt access your docker socket and resolve your warning hopefully > volumes: > - /var/run/docker.sock:/var/run/docker.sock:ro > # The container is added to the network "pangolin" > networks: > - pangolin > > # This section creates a network called "pangolin" > networks: > pangolin: > name: pangolin > driver: bridge > > And here is my config for a service (e.g. Filebrowser, but could be Portainer if you like): > > services: > filebrowser: > image: filebrowser/filebrowser:s6 > container_name: filebrowser > restart: unless-stopped > # Here we choose to use "expose" instead of "ports" so we just tell that the container will expose a service on its port 80 on our network > expose: > - 80 > volumes: > - /some/data/folder:/srv > - ./database:/database > - ./config:/config > environment: > - PUID=1000 > - PGID=1000 > # Here this service is also added to the "pangolin" network > networks: > - pangolin > > # We add a reference to the panolin network created earlier after having up the newt container > networks: > pangolin: > name: pangolin > external: true > > To sum up: > > * we set up a newt container that will create a network called `pangolin` (feel free to change the name if desired) > > * we added newt to this network > > * we created a container (filebrowser service) and added it to the network `pangolin` > > * we chose `expose` instead of `ports` to map the ports (`expose` is purely indicative and does not change the behavior of the container, but add clarity to your config) > > * we referenced the external network `pangolin` > > > Now that this is running, on the pangolin dashboard, when creating a new resource, we can use docker name resolving capabilities and target our `filebrowser` service as `http://filebrowser:80` and this will target the `filebrowser` container on port `80` without any issue as they are on the same network. > > Here is the view on the dashboard: > <img alt="Image" width="1588" height="429" src="https://private-user-images.githubusercontent.com/103436411/469487530-2a90eca8-efcf-4340-b7b7-a1313b339a12.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NTQ1MjM5MjgsIm5iZiI6MTc1NDUyMzYyOCwicGF0aCI6Ii8xMDM0MzY0MTEvNDY5NDg3NTMwLTJhOTBlY2E4LWVmY2YtNDM0MC1iN2I3LWExMzEzYjMzOWExMi5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwODA2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDgwNlQyMzQwMjhaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT03MmNjZmRmMDQ3MWFjNTBhYjM5OTcyMmQ2NDNhOGVjMGE2MTRjNjk1NWQ2NmFiNzczZjdkODliZTAxMzhhNDQ5JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.Ckhw4fDDBQR89nROR9mVkaCHS0VKZoVMO34LaO9UGgg"> > > Care to save your changes! > > I am no maintainer or expert, but feel free to ask if I may help in this case or if you need more detail on this I am experiencing sporadic Bad Gateway error messages whenever I try to add a new stack to portainer, but can access it through legacy 9000 port. I will report back on what my logs are saying and implementing your guide for network. Guacamole is also kicking me out. I initially thought it was Home Assistant getting paired with Pangolin, but after I removed it, the errors persisted. It was not this bad at initial install. Edit 3: ports are opened: <img width="902" height="131" alt="Image" src="https://github.com/user-attachments/assets/d04033b1-bf8b-4070-ae17-e310c2f09759" /> Edit 4: Tinyfiles gives the same bad gateway error, but refreshing page gets me back in. Edit 5: Still experiencing the gateway issues even after using your format <img width="1502" height="581" alt="Image" src="https://github.com/user-attachments/assets/27892175-e97c-43c2-9172-e0134e2772c1" /> Edit 6: The only container doing anything interesting is the newt container and the gerbil container. It reconnects every minute after the following error from newt. Gerbil is simply adding and removing the same peer successfully. <img width="1117" height="79" alt="Image" src="https://github.com/user-attachments/assets/b4cde460-e6db-4ab9-ba66-f77ff6468f7e" /> Edit 7: Got it Fixed!! ![Image](https://github.com/user-attachments/assets/63fefcdd-651e-485c-8932-cc0b18bd4d5f)

GiteaMirror commented

@SprMario commented on GitHub (Aug 8, 2025):

Just tried it with my server and it is working.

So could you please double check:
* Port 80 and 443 is open on vps firewall (server with pangolin installation)

* 192.168.178.110 is the ip of your local machine running portainer (use `ip a` to check)

* you have a wildcard A record for your domain pointing to your vps (*.your.domain -> vps ip) -> just had this issue that i used the domain which is pointing to my home and not to the vps)
Did you tried to reach other sites or services or is portainer the only one?

Firewall rules:

Portainer IP:

Domain wildcard:

Currently I only had portainer installed as a test, I will try bitwarden as an example next.

@SprMario commented on GitHub (Aug 8, 2025): > Just tried it with my server and it is working. > > So could you please double check: > > * Port 80 and 443 is open on vps firewall (server with pangolin installation) > > * 192.168.178.110 is the ip of your local machine running portainer (use `ip a` to check) > > * you have a wildcard A record for your domain pointing to your vps (*.your.domain -> vps ip) -> just had this issue that i used the domain which is pointing to my home and not to the vps) > > > Did you tried to reach other sites or services or is portainer the only one? - Firewall rules: <img width="924" height="371" alt="Image" src="https://github.com/user-attachments/assets/fa5ef5e3-7bfe-4beb-a088-da06476ee894" /> - Portainer IP: <img width="465" height="416" alt="Image" src="https://github.com/user-attachments/assets/586ba03d-b2c4-41b1-9ea3-e8a7471e97f9" /> - Domain wildcard: <img width="814" height="89" alt="Image" src="https://github.com/user-attachments/assets/4eecaf40-87f3-4341-be8c-37acb3541da1" /> Currently I only had portainer installed as a test, I will try bitwarden as an example next.

GiteaMirror commented

@SprMario commented on GitHub (Aug 8, 2025):

^^^ this is all good to check. I do suspect usually bad gateway comes
means you are at least getting to pangolin and through traefik.

Double check the IP info and that its reachable from where newt is
installed. You could do a curl command to test!

Also this has tripped me up a couple of times and its super stupid haha:
Make sure you have the resource on the right site!

You can see the newt logs and if it cant make it to portainer you should
see some errors.

I remade the configuration and these suggestions are checked.

I am going to use Vaultwarden as example with the newt configuration from @MorganKryze

@SprMario commented on GitHub (Aug 8, 2025): > ^^^ this is all good to check. I do suspect usually bad gateway comes > means you are at least getting to pangolin and through traefik. > > Double check the IP info and that its reachable from where newt is > installed. You could do a curl command to test! > > Also this has tripped me up a couple of times and its super stupid haha: > Make sure you have the resource on the right site! > > You can see the newt logs and if it cant make it to portainer you should > see some errors. I remade the configuration and these suggestions are checked. I am going to use Vaultwarden as example with the newt configuration from @MorganKryze

GiteaMirror commented

https://docs.digpangolin.com/self-host/quick-install

@SprMario commented on GitHub (Aug 8, 2025):

Hi all,

Today I REMADE the Pangolin installation using this install script:

Everything went well on the VPS:

Seems good 💃

Install newt on edge server and check logs:

Seems good 💃

Try to reach Pangolin site.
This includes reaching Pangolin from external network(connecing from work):

Seems good 💃

Install Vaultwarden on port 8080:

Seems good 💃

Docker compose for BW using port 8080, expose didn't do anything:
Seems good 💃

Resources added in Pangolin:

Seems good 💃

Let's check the result:

Oh no, the same thing happened as before 👎

I decided to do this again so that it might help someone else in the future but I deployed Tailscale within an hour. Troubleshoot this has been a hell.

@mvkotowski here is the link you made a screenshot of:
https://github.com/fosrl/pangolin/issues/1070#issuecomment-3105131178

@SprMario commented on GitHub (Aug 8, 2025): Hi all, Today I REMADE the Pangolin installation using this install script: https://docs.digpangolin.com/self-host/quick-install Everything went well on the VPS: <img width="230" height="200" alt="Image" src="https://github.com/user-attachments/assets/9a43957d-863a-4c61-9cc3-d7e3aa9d1804" /> Seems good 💃 Install newt on edge server and check logs: <img width="430" height="432" alt="Image" src="https://github.com/user-attachments/assets/156d0b32-92cc-4d93-a766-c72f7e2d61b0" /> <img width="552" height="58" alt="Image" src="https://github.com/user-attachments/assets/0d5f3100-ad34-4573-877a-8a6331471bac" /> Seems good 💃 Try to reach Pangolin site. This includes reaching Pangolin from external network(connecing from work): <img width="258" height="102" alt="Image" src="https://github.com/user-attachments/assets/0ae4aa41-e7d3-479f-9804-1f2114a99d81" /> Seems good 💃 Install Vaultwarden on port 8080: <img width="437" height="123" alt="Image" src="https://github.com/user-attachments/assets/97032958-82d6-4020-b517-bc71b485ee31" /> Seems good 💃 Docker compose for BW using port 8080, expose didn't do anything: <img width="389" height="333" alt="Image" src="https://github.com/user-attachments/assets/e7ce1e4a-50c6-41f2-9c96-cf640883aef1" /> Seems good 💃 Resources added in Pangolin: <img width="561" height="477" alt="Image" src="https://github.com/user-attachments/assets/b66d673a-bc70-497b-b849-9159ba05b3a6" /> Seems good 💃 Let's check the result: <img width="219" height="120" alt="Image" src="https://github.com/user-attachments/assets/2521d8e9-44bc-45e5-9114-809c176bd99b" /> Oh no, the same thing happened as before 👎 I decided to do this again so that it might help someone else in the future but I deployed Tailscale within an hour. Troubleshoot this has been a hell. @mvkotowski here is the link you made a screenshot of: https://github.com/fosrl/pangolin/issues/1070#issuecomment-3105131178

GiteaMirror commented

2025-11-13 12:02:15 -06:00

@MorganKryze commented on GitHub (Aug 8, 2025):

Thanks for all the efforts @SprMario !!

But before closing this issue, I described using docker DNS: as you newt and your vaultwarden are on the same subnetwork pangolin, you will need to use the address: vaultwarden 80 on the Pangolin dashboard !

You used:

ports:
  - 8080:80

Instead of:

expose:
  - 80

ports will route the port outside the subnetwork to the docker host. That is why you can access is using http://your-ip:8080 which you should not be able to. expose will tell docker on which port the container runs, but will not get anything out of it, we want the container to be accessed by newt, not on your local network, so an SSL cert can be applied to your connection for instance.

So:

just change the ports block to expose as shown earlier;
and on the pangolin dashboard route the proxy to vaultwarden (the container_name) and port 80 (where vaultwarden is exposing inside its container).

That should solve your issue!
Let me know if that helped, but we are clooose

@MorganKryze commented on GitHub (Aug 8, 2025): Thanks for all the efforts @SprMario !! But before closing this issue, I described using docker DNS: as you newt and your vaultwarden are on the same subnetwork `pangolin`, you will need to use the address: `vaultwarden` `80` on the Pangolin dashboard ! You used: ```yaml ports: - 8080:80 ``` Instead of: ```yaml expose: - 80 ``` `ports` will route the port outside the subnetwork to the docker host. That is why you can access is using `http://your-ip:8080` which you should not be able to. `expose` will tell docker on which port the container runs, but will not get anything out of it, we want the container to be accessed by newt, not on your local network, so an SSL cert can be applied to your connection for instance. So: - just change the `ports` block to `expose` as shown earlier; - and on the pangolin dashboard route the proxy to `vaultwarden` (the container_name) and port `80` (where vaultwarden is exposing inside its container). That should solve your issue! Let me know if that helped, but we are clooose

GiteaMirror commented

@mvkotowski commented on GitHub (Aug 8, 2025):

@SprMario Sorry for being lazy. You're right and thank you for linking the screenshot link. I had hoped that changing the nomenclature to use the container names to link to proxy would have solved the bad gateway issue. So far only compose down and up seem to calm down the issue for a little while.

@miloschwartz I can confirm that the issue persists and have done the Cloudflare DNS check and port check, and am willing to help continue to troubleshoot this. I reflashed the vps yesterday and updated traefik to 3.5 and the issue seems less prevalent but still there. Maybe it's something to do with my setup at the site level? There are some things that I am not well versed enough in yet. What else can I provide to help?

@mvkotowski commented on GitHub (Aug 8, 2025): @SprMario Sorry for being lazy. You're right and thank you for linking the screenshot link. I had hoped that changing the nomenclature to use the container names to link to proxy would have solved the bad gateway issue. So far only compose down and up seem to calm down the issue for a little while. @miloschwartz I can confirm that the issue persists and have done the Cloudflare DNS check and port check, and am willing to help continue to troubleshoot this. I reflashed the vps yesterday and updated traefik to 3.5 and the issue seems less prevalent but still there. Maybe it's something to do with my setup at the site level? There are some things that I am not well versed enough in yet. What else can I provide to help?

GiteaMirror commented

2025-11-13 12:02:15 -06:00

@MorganKryze commented on GitHub (Aug 8, 2025):

@mvkotowski Would you share sample of the stacks you are trying to deploy?

My guess is that you are also bridging the ports outside the docker subnetwork, thus making them available on your local network which cannot be routed through newt. My setup isolates the services to be routed only by newt to avoid local http connections and substitute ip addresses as target to container names which is more friendly on ip change (even if you change network configuration on the pangolin subnetwork).

If you want your services to be accessible on your local network using http, you may need to change my configuration though.

Will be happy to help with the necessary data to debug

@MorganKryze commented on GitHub (Aug 8, 2025): @mvkotowski Would you share sample of the stacks you are trying to deploy? My guess is that you are also bridging the ports outside the docker subnetwork, thus making them available on your local network which cannot be routed through newt. My setup isolates the services to be routed only by newt to avoid local http connections and substitute ip addresses as target to container names which is more friendly on ip change (even if you change network configuration on the `pangolin` subnetwork). If you want your services to be accessible on your local network using http, you may need to change my configuration though. Will be happy to help with the necessary data to debug

GiteaMirror commented

2025-11-13 12:02:15 -06:00

@mvkotowski commented on GitHub (Aug 8, 2025):

@MorganKryze

services:
  portainer-ce:
    expose:
      - 9443
    container_name: portainer
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /some-directory:/data
    image: portainer/portainer-ce:lts
    networks:
      - pangolin
networks:
  pangolin:
    name: pangolin
    external: true

One thing that I had a question about.. I didn't change the defaults for the subnet or the IP Address of the site. Does that need to be changed and to what? I'm not entirely sure which IP address it's asking for. Is it asking for the IP address of the device on my local network?

@mvkotowski commented on GitHub (Aug 8, 2025): @MorganKryze ``` services: portainer-ce: expose: - 9443 container_name: portainer restart: always volumes: - /var/run/docker.sock:/var/run/docker.sock - /some-directory:/data image: portainer/portainer-ce:lts networks: - pangolin networks: pangolin: name: pangolin external: true ``` One thing that I had a question about.. I didn't change the defaults for the subnet or the IP Address of the site. Does that need to be changed and to what? I'm not entirely sure which IP address it's asking for. Is it asking for the IP address of the device on my local network? <img width="1575" height="185" alt="Image" src="https://github.com/user-attachments/assets/268bd7bc-dab2-49cf-b929-db9ce177d130" />

GiteaMirror commented

@MorganKryze commented on GitHub (Aug 8, 2025):

@MorganKryze
services:
  portainer-ce:
    expose:
      - 9443
    container_name: portainer
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /some-directory:/data
    image: portainer/portainer-ce:lts
    networks:
      - pangolin
networks:
  pangolin:
    name: pangolin
    external: true
One thing that I had a question about.. I didn't change the defaults for the subnet or the IP Address of the site. Does that need to be changed and to what? I'm not entirely sure which IP address it's asking for. Is it asking for the IP address of the device on my local network?

So, with this configuration and a target proxy on the pangolin dashboard set to: https portainer 9443 you are having a bad gateway? Are your certs valid?

I would not recommend changing the address ip of the site. It is a generated ip address for your site itself to route traffic correctly. On this topic I am no expert though. I am having a correct setup with multiple working sites, and did not change these addresses once.

@MorganKryze commented on GitHub (Aug 8, 2025): > [@MorganKryze](https://github.com/MorganKryze) > > ``` > services: > portainer-ce: > expose: > - 9443 > container_name: portainer > restart: always > volumes: > - /var/run/docker.sock:/var/run/docker.sock > - /some-directory:/data > image: portainer/portainer-ce:lts > networks: > - pangolin > networks: > pangolin: > name: pangolin > external: true > ``` > > One thing that I had a question about.. I didn't change the defaults for the subnet or the IP Address of the site. Does that need to be changed and to what? I'm not entirely sure which IP address it's asking for. Is it asking for the IP address of the device on my local network? > <img alt="Image" width="1575" height="185" src="https://private-user-images.githubusercontent.com/187559125/476109499-268bd7bc-dab2-49cf-b929-db9ce177d130.png?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NTQ2NzI4MTYsIm5iZiI6MTc1NDY3MjUxNiwicGF0aCI6Ii8xODc1NTkxMjUvNDc2MTA5NDk5LTI2OGJkN2JjLWRhYjItNDljZi1iOTI5LWRiOWNlMTc3ZDEzMC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwODA4JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDgwOFQxNzAxNTZaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1mYzMxYzM1MWNiYjRjOGUyZGI4OTgxMzljZTg4YzQ1NGRhNWFlNjJiZGUwMDgxNTc5MTQyYzg4NDliM2EwYzBjJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.fJcyr02qiiwUMF7_OhGzfn2qFzI5vY5KfMeaj_Hrces"> So, with this configuration and a target proxy on the pangolin dashboard set to: `https` `portainer` `9443` you are having a bad gateway? Are your certs valid? I would not recommend changing the address ip of the site. It is a generated ip address for your site itself to route traffic correctly. On this topic I am no expert though. I am having a correct setup with multiple working sites, and did not change these addresses once.

GiteaMirror commented

@SprMario commented on GitHub (Aug 8, 2025):

Thanks for all the efforts @SprMario !!

But before closing this issue, I described using docker DNS: as you newt and your vaultwarden are on the same subnetwork pangolin, you will need to use the address: vaultwarden 80 on the Pangolin dashboard !

You used:

ports:

8080:80

Instead of:

expose:

80

ports will route the port outside the subnetwork to the docker host. That is why you can access is using http://your-ip:8080 which you should not be able to. expose will tell docker on which port the container runs, but will not get anything out of it, we want the container to be accessed by newt, not on your local network, so an SSL cert can be applied to your connection for instance.

So:
* just change the `ports` block to `expose` as shown earlier;

* and on the pangolin dashboard route the proxy to `vaultwarden` (the container_name) and port `80` (where vaultwarden is exposing inside its container).
That should solve your issue! Let me know if that helped, but we are clooose

@MorganKryze I am sending a virtual beer to your location. This works however I cant make sense why because of my bad routing skills. To me approaching something within the network from the same network should not be unapproachable. I am going to dive into docker networking a little more.

I would like to understand if my thought process was off, is there anything I should be thinking differently about?

End result:


services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    volumes:
      - /home/mario/docker-compose/bw/:/data/
    expose:
      - 80
    networks:
      - pangolin
      
networks:
  pangolin:
    name: pangolin
    external: true

And the resources:

@SprMario commented on GitHub (Aug 8, 2025): > Thanks for all the efforts [@SprMario](https://github.com/SprMario) !! > > But before closing this issue, I described using docker DNS: as you newt and your vaultwarden are on the same subnetwork `pangolin`, you will need to use the address: `vaultwarden` `80` on the Pangolin dashboard ! > > You used: > > ports: > - 8080:80 > > Instead of: > > expose: > - 80 > > `ports` will route the port outside the subnetwork to the docker host. That is why you can access is using `http://your-ip:8080` which you should not be able to. `expose` will tell docker on which port the container runs, but will not get anything out of it, we want the container to be accessed by newt, not on your local network, so an SSL cert can be applied to your connection for instance. > > So: > > * just change the `ports` block to `expose` as shown earlier; > > * and on the pangolin dashboard route the proxy to `vaultwarden` (the container_name) and port `80` (where vaultwarden is exposing inside its container). > > > That should solve your issue! Let me know if that helped, but we are clooose @MorganKryze I am sending a virtual beer to your location. This works however I cant make sense why because of my bad routing skills. To me approaching something within the network from the same network should not be unapproachable. I am going to dive into docker networking a little more. I would like to understand if my thought process was off, is there anything I should be thinking differently about? End result: ``` services: vaultwarden: image: vaultwarden/server:latest container_name: vaultwarden restart: unless-stopped volumes: - /home/mario/docker-compose/bw/:/data/ expose: - 80 networks: - pangolin networks: pangolin: name: pangolin external: true ``` And the resources: <img width="1259" height="106" alt="Image" src="https://github.com/user-attachments/assets/d7e3583d-1cbc-414d-8303-6026736acf2c" />

GiteaMirror commented

@mvkotowski commented on GitHub (Aug 8, 2025):

So, with this configuration and a target proxy on the pangolin dashboard set to: https portainer 9443 you are having a bad gateway? Are your certs valid?

I would not recommend changing the address ip of the site. It is a generated ip address for your site itself to route traffic correctly. On this topic I am no expert though. I am having a correct setup with multiple working sites, and did not change these addresses once.

No wonder it was upset. I had routed portainer to http portainer 9000 because of the http error it gives when you leave it default.
Sorry for the question, but how do I check my certs?

Thank you so much for your help again! I am also running close to 70 services as well and it works, the bad gateway messages are sporadic and only on certain requests.

@mvkotowski commented on GitHub (Aug 8, 2025): > So, with this configuration and a target proxy on the pangolin dashboard set to: `https` `portainer` `9443` you are having a bad gateway? Are your certs valid? > > I would not recommend changing the address ip of the site. It is a generated ip address for your site itself to route traffic correctly. On this topic I am no expert though. I am having a correct setup with multiple working sites, and did not change these addresses once. No wonder it was upset. I had routed portainer to `http` `portainer` `9000` because of the http error it gives when you leave it default. Sorry for the question, but how do I check my certs? Thank you so much for your help again! I am also running close to 70 services as well and it works, the bad gateway messages are sporadic and only on certain requests.

GiteaMirror commented