Setting up Pangolin on a VPS
A couple of people expressed concerns about Oracle snooping on their unencrypted traffic between SSL termination on Pangolin and the Gerbil tunnel to their home server. In this post I will explore the pros and cons of using a Raw TCP tunnel to pass encrypted traffic through the tunnel without decrypting it.
The setup
To accomplish this, we cannot use the HTTPS Resource in Pangolin; we must use the Raw TCP/UDP Resource. With an HTTPS Resource, Pangolin will always terminate the http/https connection, even if it is tunneling via https to your own instance of Nginx. If you disable https on the Pangolin resource, you will connect to your resource with just http, while Nginx will still see that Pangolin is connecting to it with https.
To set this up, we can follow the Raw TCP/UDP Resource guide here (https://docs.digpangolin.com/manage/resources/tcp-udp-resources). What I've done is use port 4433 to connect to Immich.
- In docker-compose.yml, add 4433:4433 to the port mappings.
- In traefik_config.yml, add the following
Make sure to open the 4433 port on the VPS as well.
Now in Pangolin, you can create a Raw TCP/UDP resource using the TCP protocol and set the port number to 4433. Then in the targets, use your server's local IP address and the https port, 443.
You can now connect to Immich using https://immich.thomaswildetech.com:4433.
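To make the two configuration steps above concrete, here is an added example of what the compose port mapping and the Traefik entrypoint look like. It is not the post's own config: the service name (gerbil) and the entrypoint name (tcp-4433) are assumptions based on Pangolin's default layout and the naming used in its TCP/UDP docs, so check them against your own files.

```yaml
# docker-compose.yml (excerpt, assumed layout). Publish 4433 on the
# container that holds Traefik's port mappings. In Pangolin's default
# compose that is the gerbil service, because traefik runs with
# network_mode: service:gerbil; adjust if your layout differs.
services:
  gerbil:
    ports:
      - 51820:51820/udp   # WireGuard tunnel, already present
      - 443:443           # HTTPS, already present
      - 80:80             # HTTP, already present
      - 4433:4433         # raw TCP passthrough for Immich (new)
---
# traefik_config.yml (excerpt, assumed). A dedicated TCP-only entrypoint
# on 4433. Pangolin attaches the TCP router for the Raw TCP/UDP resource
# to this entrypoint, and Traefik forwards the bytes to the target
# without terminating TLS, which is the whole point of the setup.
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
  tcp-4433:
    address: ":4433/tcp"
```

The VPS firewall still needs 4433/tcp opened, as the post notes; the entrypoint alone does not expose anything.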
Downsides
There are a couple of downsides to this.
- Logging
You cannot get the real IP of connections in your home server's reverse proxy. You will only see your Gerbil's Docker IP address. If Pangolin supports the PROXY protocol in the future, this might be accomplished, but for now I do not see a solution.
In the Traefik logs in Pangolin, you will see an initial connection from the real IP, but that's it. You won't see access logs for each request.
- Traefik Middleware
You no longer get the benefits of the Traefik middleware like Crowdsec or GeoIP blocking.
In summary, these downsides really outweigh any benefit of not terminating https in Pangolin. If we could in fact see real IP connections, we could likely do a Crowdsec workaround where our local Crowdsec communicates with a bouncer on the VPS, so we would still get bouncing at the VPS layer.