Pangolin + Cloudflare Tunnels issues accessing certain sites

Hi folks,

Looking for a little bit of help here as I am stumped!

My current setup consists of:

- Pangolin
- CrowdSec
- HHF Cloudflare Tunnels (automatically create entries in Cloudflare for me)

I have a number of sites that are working perfectly; however, some do not appear to work when going via Pangolin/Traefik (they work fine on my standalone Traefik instance).

These sites, for example Bookstack, Vikunja and Wizarr, are set up and can be accessed locally, but when set up in Pangolin and accessed via the external URL I get:

Bad gateway **Error code 502**

Now, when I change where the application route in my tunnel points from:

https://traefik:443

to

http://traefik:80

these sites then load properly. The only issue is that it does not appear to show the Pangolin login screen before you get access to the app, so ultimately the app is fully exposed without the Pangolin authentication in between.

I thought perhaps adding the redirect-to-https middleware to the Web entry point might help but it made no difference.

Any help is appreciated

thank you!


Resolved the above issue. It turns out it was bad certificates, and deleting my acme.json and setting up wildcard certs fixed the issue.

1 Like

Use my pangolin cloudflared repo.

Use dev tag not latest.

1 Like

Thanks!

I’ve updated my compose file as I was using the latest tag for your Cloudflare tunnel.

However, I still appear to be having the same issue :(

```
[pangolin-cloudflare-tunnel]
time="2025-12-30T14:41:42Z" level=info msg="Loaded single zone configuration (legacy mode)"
[pangolin-cloudflare-tunnel]
time="2025-12-30T14:41:42Z" level=info msg="Configuration loaded" enable_cleanup=true entrypoints="[web websecure]" ignore_patterns=0 poll_interval=10s skip_tls=false zones=1
[pangolin-cloudflare-tunnel]
time="2025-12-30T14:41:42Z" level=info msg="Starting synchronization service"
[pangolin-cloudflare-tunnel]
time="2025-12-30T14:41:52Z" level=error msg="Failed to poll Traefik routers" error="json: cannot unmarshal object into Go struct field .tls.domains of type string"
[pangolin-cloudflare-tunnel]
time="2025-12-30T14:41:52Z" level=error msg="Error polling Traefik routers: json: cannot unmarshal object into Go struct field .tls.domains of type string"
```

Here is my current compose:

```yaml
  ##########################################################
  # CLOUDFLARED
  #
  ##########################################################

  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    restart: unless-stopped
    command:
      - tunnel
      - --no-autoupdate
      - run
      - --token=${CLOUDFLARED_TOKEN}
    depends_on:
      - traefik
  ##########################################################
  # CLOUDFLARED-Tunnel
  #
  ##########################################################
  traefik-cloudflare-tunnel:
    image: hhftechnology/pangolin-cloudflare-tunnel:dev
    container_name: pangolin-cloudflare-tunnel
    restart: unless-stopped
    environment:
      # Required Configuration
      - CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}
      - CLOUDFLARE_ACCOUNT_ID=${CLOUDFLARE_ACCOUNT_ID}
      - CLOUDFLARE_TUNNEL_ID=${CLOUDFLARE_TUNNEL_ID}
      - TRAEFIK_SERVICE_ENDPOINT=https://traefik:443
      - TRAEFIK_API_ENDPOINT=http://traefik:8080
      - TRAEFIK_ENTRYPOINTS=web,websecure

      # Zone Configuration - Use either single or multi-zone
      # Single Zone (Legacy)
      - CLOUDFLARE_ZONE_ID=${CLOUDFLARE_ZONE_ID:-}
      - DOMAIN_NAME=${DOMAIN_NAME:-}
      # Multi-Zone (NEW) - Uncomment if using multiple zones
      # - CLOUDFLARE_ZONE_IDS=${CLOUDFLARE_ZONE_IDS:-}
      # - DOMAIN_NAMES=${DOMAIN_NAMES:-}

      # Optional Configuration (NEW Features)
      # Resource Exclusion - Ignore Jellyfin and media services
      - IGNORE_PATTERNS=${IGNORE_PATTERNS:-}
      # DNS Cleanup - Auto-remove deleted resources
      - ENABLE_DNS_CLEANUP=${ENABLE_DNS_CLEANUP:-true}

      # Optional Configuration (Existing)
      - POLL_INTERVAL=${POLL_INTERVAL:-10s}
      - SKIP_TLS_ROUTES=${SKIP_TLS_ROUTES:-false}
      - LOG_LEVEL=${LOG_LEVEL:-debug}
    depends_on:
      - traefik
      - cloudflared
```

It only starts working when I remove the following settings from my dynamic_config.yml:

```yaml
        domains:
          - main: "domain.com"
            sans:
              - "*.domain.com"
```

Thanks!

1 Like
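
The log error above (`cannot unmarshal object into Go struct field .tls.domains of type string`) is what Go's `encoding/json` reports when a client models `tls.domains` as strings while the router entry carries `main`/`sans` objects. The following is an added example, not code from this thread or from the pangolin-cloudflare-tunnel project: the `router` and `Domain` types, `decode`, and the sample payload are assumptions constructed for illustration, and it goes a little beyond the thread by showing a type that accepts both shapes.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample: the first entry has the {main, sans} object shape from the
// dynamic_config.yml snippet; the second has the string shape a strict model expects.
const sampleRouters = `[
 {"name":"bookstack@file","tls":{"domains":[{"main":"domain.com","sans":["*.domain.com"]}]}},
 {"name":"plain@file","tls":{"domains":["wiki.domain.com"]}}]`

// router is a hypothetical poller model; D is the element type assumed for tls.domains.
type router[D any] struct {
	Name string `json:"name"`
	TLS  struct {
		Domains []D `json:"domains"`
	} `json:"tls"`
}

// Domain accepts either a bare string or a {main, sans} object.
type Domain struct {
	Main string   `json:"main"`
	SANs []string `json:"sans"`
}

func (d *Domain) UnmarshalJSON(b []byte) error {
	var s string
	if json.Unmarshal(b, &s) == nil {
		d.Main, d.SANs = s, nil
		return nil
	}
	type plain Domain // same fields, no methods, so this does not recurse
	return json.Unmarshal(b, (*plain)(d))
}

// decode parses a routers payload using the given domain element type.
func decode[D any](data string) ([]router[D], error) {
	var r []router[D]
	err := json.Unmarshal([]byte(data), &r)
	return r, err
}

func main() {
	_, err := decode[string](sampleRouters) // strict model: fails on the object shape
	fmt.Println("strict:", err)
	routers, err := decode[Domain](sampleRouters)
	fmt.Println("tolerant:", routers, err)
}
```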

When you remove it, it works as intended?

Yeah, that is correct. When I remove it, it works as intended.

1 Like

Perfect. It's not needed in the new versions of Pangolin. Check all the features also, like removal gets reflected in tunnels etc.

So you’re saying I can remove the above from my dynamic_config.yml? Would removing this cause any issues when it is time for the certs to renew? I followed this guide when setting up the wildcard certificates:

I’m sorry but I’m not following what you mean by "check all the features, like removal gets reflected in tunnels etc". Explain like I’m a newbie please, which I certainly am in this case, lol.

1 Like

Sorry, it just clicked. By features you meant when deleting an entry in Pangolin, make sure it also deletes it in the tunnels!

1 Like

Domains are renewed via tokens, and each domain is individual and auto-created in tunnels. You can try various permutations and combinations to create subdomains and see whether those are created in the tunnels.

Yes, I was referring to this. And a point to add: CF tunnels manage all the subdomains.

Can confirm that deleting and creating subdomains within Pangolin are being created within Cloudflare tunnel automatically.

```
[pangolin-cloudflare-tunnel]
time="2025-12-30T16:10:18Z" level=debug msg="Running DNS cleanup"
[pangolin-cloudflare-tunnel]
time="2025-12-30T16:10:18Z" level=info msg="Removing stale DNS record" domain=bookstack.domain.com zone=IDHERE
[pangolin-cloudflare-tunnel]
time="2025-12-30T16:12:23Z" level=info msg="Changes detected in Traefik routers"
[pangolin-cloudflare-tunnel]
time="2025-12-30T16:12:26Z" level=info msg="Tunnel configuration updated successfully"
[pangolin-cloudflare-tunnel]
time="2025-12-30T16:12:37Z" level=info msg="DNS record created successfully" domain=bookstack.domain.com
```

So I effectively need to leave this out of my dynamic_config.yml?

```yaml
        domains:
          - main: "domain.com"
            sans:
              - "*.domain.com"
```

And certs will remain OK come renewal time?

As per my understanding they should. It renews in my setup.

1 Like

OK, that is great. I wasn’t sure so just needed some reassurance! lol

Also, adding the following to the Pangolin config.yml

```yaml
domains:
    domain1:
        base_domain: "domain.com"
        prefer_wildcard_cert: true
```

breaks the pangolin-cloudflare-tunnel, whether you remove or keep the section mentioned earlier in the Traefik dynamic_config.yml.

Just thought I’d let you know in case it maybe helps in any way!

1 Like

Now you can directly add domains in the UI, maybe that’s the reason. Will see if that becomes an issue, but I am sure the Pangolin devs have moved to the UI for domains and they will never return to config and will phase it out.

Yeah, I added the above as per the Wildcard Domains doc on Pangolin, but removed it due to the issues reported here.

Thanks again hhf.technology, appreciate your help.

1 Like