Pangolin Proxy Protocol¶
This post shows you how to set up a Pangolin proxy that stays end-to-end encrypted, so the traffic is never decrypted on the VPS. There are some pros and cons, so choose wisely!
Nginx Configuration¶
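# Immich
# Two kinds of listeners: plain TLS on 443 for clients that reach this host
# directly, and TLS + PROXY protocol on 4443 for connections relayed by
# Pangolin, where the PROXY header carries the original client address.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    listen 4443 ssl proxy_protocol;
    listen [::]:4443 ssl proxy_protocol;
    server_name immich.thomaswildetech.com;
    include /config/nginx/ssl.conf;
    include /config/nginx/proxy.conf;
    include /config/nginx/country-lan-whitelist.conf;

    # 1. Only peers in these ranges may rewrite $remote_addr through the PROXY
    #    header; a PROXY header from any other peer is parsed but not trusted.
    #    Every host inside a trusted range can claim an arbitrary client address,
    #    which likely also affects country-lan-whitelist.conf if it checks
    #    $remote_addr, so prefer a single /32 for the host that actually relays
    #    (e.g. set_real_ip_from <PANGOLIN_RELAY_IP>/32;) over whole private ranges.
    set_real_ip_from 172.16.0.0/12; # A common range for Docker/private networks. Narrow as needed.
    set_real_ip_from 10.0.0.0/8;

    # 2. Take the real client address from the PROXY protocol header.
    real_ip_header proxy_protocol;

    # 3. Forward $remote_addr to the backend. After step 2 it is already the
    #    address from the PROXY header for trusted relays, and the TCP peer for
    #    everyone else (including the plain 443 listeners). Do NOT copy
    #    $proxy_protocol_addr here unconditionally: that variable is filled from
    #    the header even when the peer is outside set_real_ip_from, so any client
    #    that can reach 4443 could forge X-Forwarded-For / X-Real-IP toward Immich.
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Real-IP $remote_addr;

    location / {
        proxy_pass http://127.0.0.1:2283;
    }
}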