惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
Check Point Blog
S
Schneier on Security
P
Privacy & Cybersecurity Law Blog
S
Security @ Cisco Blogs
W
WeLiveSecurity
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Microsoft Azure Blog
Microsoft Azure Blog
NISL@THU
NISL@THU
T
Troy Hunt's Blog
L
LangChain Blog
L
LINUX DO - 最新话题
T
The Exploit Database - CXSecurity.com
Engineering at Meta
Engineering at Meta
N
News and Events Feed by Topic
A
About on SuperTechFans
N
Netflix TechBlog - Medium
P
Proofpoint News Feed
MyScale Blog
MyScale Blog
Martin Fowler
Martin Fowler
Y
Y Combinator Blog
H
Heimdal Security Blog
aimingoo的专栏
aimingoo的专栏
T
Threat Research - Cisco Blogs
SecWiki News
SecWiki News
Microsoft Security Blog
Microsoft Security Blog
T
Tenable Blog
P
Proofpoint News Feed
H
Hacker News: Front Page
G
GRAHAM CLULEY
I
Intezer
V
V2EX
S
Secure Thoughts
Stack Overflow Blog
Stack Overflow Blog
H
Help Net Security
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
人人都是产品经理
人人都是产品经理
博客园 - 聂微东
Latest news
Latest news
Recent Announcements
Recent Announcements
Hugging Face - Blog
Hugging Face - Blog
腾讯CDC
博客园_首页
Webroot Blog
Webroot Blog
博客园 - 三生石上(FineUI控件)
AI
AI
N
News | PayPal Newsroom
Google DeepMind News
Google DeepMind News
Security Archives - TechRepublic
Security Archives - TechRepublic
B
Blog RSS Feed
美团技术团队

Dizzy zone

About Redis is fast - I'll cache in Postgres n8n and large files Malicious Node install script on Google search Wrapping Go errors with caller info BLAKE2b performance on Apple Silicon State of my Homelab 2025 My homelabs power consumption On Umami ML for related posts on Hugo Probabilistic Early Expiration in Go SQLC & dynamic queries Enums in Go Streaming Netdata metrics from TrueNAS SCALE SQL string constant gotcha Moving from Jenkins to Drone My new server: MSI Cubi 3 Silent My thoughts on Ansible® Profiling gin with pprof How I host this blog, CI and tooling Refactoring Go switch statements OAuth with Gin and Goth I made my own commenting server. Here's why. Why I hate OpenApi(swagger) IDE for GO Jenkins on raspberry pi 3 How I started my professional career Kestrel vs Gin vs Iris vs Express vs Fasthttp on EC2 nano Go's defer statement Self-hosted disqus alternative for 5$ a month Why I like go Speeding hexo (or any page) for PageSpeed insights Starting a blog with hexo and AWS S3
Pangolin Private Resources With Domain Https
Vik · 2026-02-11 · via Dizzy zone

I’ve been moving slowly away from Cloudflare tunnels and into a self hosted solution. For this, I use a self hosted instance of Pangolin. Pangolin allows to expose services from my homelab for the whole world to see, should I wish to do so. However, not all services are created equal and there are some that I’d like to only be accessible via VPN.

Thankfully, Pangolin allows for this via its private resources. You can define a resource that is only accessible when you’re connected to the network via the pangolin client. It also allows setting a DNS alias for the resource in question, so you can point a subdomain like frigate.example.com to the internal resource. When connected via the client, the DNS will be resolved by a private DNS server running in the client and pointed in the right direction. This poses a small issue though - while Pangolin will happily pass ACME domain challenges for public resources, there’s no such mechanism at the moment for private resources. What this means is that you can’t easily obtain TLS certificates for such domains.

I’ve worked around this limitation by doing the following. I’ve got a reverse proxy - in my case caddy - spun up in my homelab. It’s not exposed and is not reachable on the public internet, so it uses DNS-01 challenges by manipulating TXT records on the domain in question.

To do this, I’ve used the Caddy Cloudflare module. I build an image with it, here’s the Dockerfile:

FROM caddy:2.10.2-builder AS builder

RUN xcaddy build \
    --with github.com/caddy-dns/cloudflare

FROM caddy:2.10.2

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

With it, my Caddyfile looks like so:

    frigate.example.com {
      reverse_proxy frigate.default.svc.cluster.local:3030
      tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
        resolvers 1.1.1.1
      }
    }

In my Pangolin configuration I can point the private resource to the reverse proxy and specify the alias of frigate.example.com. Now, when connected via the Pangolin client to the network, I can type frigate.example.com in my browser and get to view my frigate dashboard over HTTPS.

Hope you find this useful!

EDIT: with the release of Pangolin 1.18, this is largely made reduntant. See release notes.