Solution for Private HTTP Proxy Redirect Issues with iDRAC in Pangolin (Newt)

Solution for Private HTTP Proxy Redirect Issues with iDRAC in Pangolin (Newt)

This is a known behavior. iDRAC’s web interface does aggressive redirects (HTTP → HTTPS, / → /start.html → /login.html) and is picky about Host headers, TLS, and self-signed certs. The private HTTP proxy in Pangolin/Newt doesn’t always follow chained redirects perfectly in all cases, or the backend sees the proxied request differently (e.g., IP vs. hostname).

Quick Workarounds (Recommended First)

1. Direct to the final URL (what you’re already doing)

   • Use https://idrac.vpn.domain/login.html directly.
   • This bypasses the broken redirect chain. Many iDRAC users do this.

2. Change the Private Resource Target to Port 80 (HTTP)

   • Keep Scheme: https on the Pangolin side (for the nice domain + valid cert).
   • Set Destination: 172.23.17.14, Port: 80.
   • iDRAC often redirects HTTP → HTTPS internally. This can avoid double-SSL weirdness or strict HTTPS handling on the backend.

3. Force Host Header / Use FQDN on Backend

   • In your current config you’re pointing to the IP. Try changing the private resource destination to the FQDN idrac.domain (if Newt can resolve it via your internal DNS).
     • This ensures the Host header matches what iDRAC expects.
   • iDRAC firmware (especially newer versions) enforces Host header checks. If it mismatches, you get weird redirect or “unable to connect” behavior.

Better Long-Term Fixes

Option A: Use a Raw TCP/UDP Private Resource (Full Tunnel)

• Instead of Private HTTP proxy, create a Raw private resource for the iDRAC IP:443.
• Users connect via Newt client (VPN-like) and access https://idrac.domain or the IP directly.
• This gives the cleanest experience (no proxy rewrite issues) and is recommended for management interfaces you don’t want public anyway.
• Pros: Full protocol fidelity, no redirect/proxy quirks.
• Cons: Requires client connection.

Option B: Add Custom Headers / Advanced Config

• Check if your Pangolin version supports custom headers or preserve-host options on private HTTP resources (newer builds improved this).
• On the iDRAC side (via RACADM if accessible):

  racadm set idrac.webserver.HostHeaderCheck 0
  

  This disables strict Host header enforcement (security tradeoff — only do if needed).

Option C: Internal Reverse Proxy Helper

• Put a lightweight reverse proxy (Nginx/Traefik/Caddy) in front of the iDRAC on your LAN.
• Configure it to:
  • Handle the redirects properly.
  • Rewrite URLs or inject correct Host headers.
  • Terminate/re-encrypt TLS if needed.
• Then point the Pangolin private HTTP resource at that internal proxy.

Debugging Steps

• Enable detailed logs on Newt and Pangolin server.
• Test with curl -v -L (follow redirects) from a machine using Newt.
• Compare headers between working local access and proxied access (Host, X-Forwarded-*, etc.).
• Check Newt version compatibility (you’re on 1.12.3 — ensure it’s current).

Config Recommendation (Try This)

Private Resource Settings:

• Type: Private HTTP (or switch to Raw)
• Scheme: https
• Destination: idrac.domain (preferred) or 172.23.17.14
• Port: 443 (or test 80)
• Subdomain: idrac
• Enable SSL: Yes

If it still fails on redirects, go Raw TCP or direct /login.html.

**Here’s is an iDRAC setup.

1. Sample Newt Config Flags / systemd Service

Newt is the client that runs on your TrueNAS / internal network and connects back to Pangolin.

Recommended systemd service (/etc/systemd/system/newt.service):

[Unit]
Description=Pangolin Newt Tunnel Client
After=network.target

[Service]
Type=simple
User=root
ExecStart=/usr/local/bin/newt \
  --id YOUR_NEWT_ID_HERE \
  --secret YOUR_NEWT_SECRET_HERE \
  --endpoint https://pangolin.yourdomain.com \
  --log-level info

# Optional useful flags:
# --accept-clients          # (default in recent versions) allow client connections (Olm)
# --disable-clients         # if you don't want client VPN access
# --mtu 1280                # lower if you have MTU/fragmentation issues
# --log-level debug         # for troubleshooting

Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

After creating the file:

sudo systemctl daemon-reload
sudo systemctl enable --now newt
sudo journalctl -u newt -f

You can also run it with Docker if preferred — let me know.

2. Full Nginx Helper Config for iDRAC (Recommended)

Deploy this Nginx container on the same network as your iDRAC (TrueNAS, Proxmox, or a small VM/LXC). It will clean up redirects, Host headers, and SSL weirdness.

nginx.conf or site config (/etc/nginx/conf.d/idrac.conf):

server {
    listen 80;
    server_name idrac.internal your-internal-domain.local;

    # Redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name idrac.internal;

    # Use a trusted internal cert or self-signed (you can use the same cert as iDRAC or Let’s Encrypt if you have DNS)
    ssl_certificate /etc/nginx/certs/idrac.crt;
    ssl_certificate_key /etc/nginx/certs/idrac.key;

    # Important for iDRAC
    proxy_http_version 1.1;
    proxy_set_header Host $host;                    # Critical - iDRAC checks Host header
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Increase buffers for iDRAC console/Java
    proxy_buffering off;
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    proxy_read_timeout 300;
    proxy_send_timeout 300;

    # Disable strict transport if causing issues
    # add_header Strict-Transport-Security "max-age=0" always;

    location / {
        proxy_pass https://172.23.17.14;   # Your iDRAC IP

        # Rewrite redirects to stay within the proxy domain
        proxy_redirect https://172.23.17.14/ https://$host/;
        proxy_redirect https://idrac.domain/ https://$host/;
    }

    # Optional: Specific location for virtual console if needed
    location ~* \.(jnlp|jar|html)$ {
        proxy_pass https://172.23.17.14;
    }
}

Deployment tips:

• Use a Docker Nginx with mounted certs.
• Point your Pangolin Private HTTP Resource at this Nginx (e.g. http://nginx-ip:80 or https://nginx-ip:443).
• This usually solves the /start.html → /login.html redirect chain completely.

3. Raw Private Resource Setup (Best for iDRAC)

For management interfaces like iDRAC, Raw Private Resource (VPN-style) is often cleaner than HTTP proxy.

Steps in Pangolin Dashboard:

1. Go to Resources → Add Resource.

2. Choose Private Resource (must be on a Newt site).

3. Set:

   • Name: iDRAC-Raw
   • Site: Your Newt site
   • Type: Raw TCP/UDP
   • Protocol: TCP
   • Port: 443 (or add multiple if needed)
   • Target: 172.23.17.14:443 (or use hostname idrac.domain:443 if resolvable inside the site)
   • Optional: Add internal DNS alias (e.g. idrac.internal)

4. Save and assign access to your user/role.

How to access:

• Connect with Pangolin Client (Olm or official client) → you get full VPN-like access.
• Then open browser to https://idrac.internal or https://172.23.17.14 (depending on DNS).
• Or use the exact domain/hostname that works locally.

Advantages over HTTP proxy:

• No redirect/Host header/proxy rewrite issues.
• Full Java/iDRAC virtual console works better.
• More reliable for WebSockets / long-lived connections.

Quick Recommendation Order

1. Try the Nginx helper first (most likely to fix your current HTTP proxy setup).
2. If you still have issues → switch to Raw Private Resource.
3. As a temporary workaround, keep using /login.html directly.

Simple Example

1. Docker-Compose for the Nginx Helper (iDRAC Reverse Proxy)

Create a directory (e.g. idrac-nginx) and this docker-compose.yml:

services:
  idrac-nginx:
    image: nginx:alpine
    container_name: idrac-nginx
    restart: unless-stopped
    ports:
      - "8080:80"    # Optional: for local testing
      - "8443:443"   # Optional: for local testing
    volumes:
      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
      - ./certs:/etc/nginx/certs:ro
    networks:
      - idrac-net   # Use the same network as your iDRAC if possible

networks:
  idrac-net:
    driver: bridge

nginx.conf (place in the same folder):

server {
    listen 80;
    server_name idrac-proxy.local;

    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name idrac-proxy.local;

    ssl_certificate     /etc/nginx/certs/idrac.crt;
    ssl_certificate_key /etc/nginx/certs/idrac.key;

    # iDRAC-specific settings
    proxy_http_version 1.1;
    proxy_set_header Host $host;                    # Very important for iDRAC
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    proxy_buffering off;
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    proxy_read_timeout 360;
    proxy_send_timeout 360;

    location / {
        proxy_pass https://172.23.17.14;   # ← Your real iDRAC IP

        proxy_redirect https://172.23.17.14/ https://$host/;
        proxy_redirect https://idrac.domain/ https://$host/;
    }

    # Extra locations for virtual console / Java
    location ~* \.(jnlp|jar|html|js|css)$ {
        proxy_pass https://172.23.17.14;
    }
}

Usage:

• Generate or copy certs into ./certs/ (self-signed is fine internally).
• Point your Pangolin Private HTTP Resource to http://idrac-nginx:80 (or HTTPS).
• This usually fixes redirect chains completely.

---

2. Exact Pangolin Client (Olm) Setup

Olm is the client you run on your laptop/desktop to get full VPN-style access (recommended for iDRAC virtual console).

Linux Quick Install + Run

curl -fsSL https://static.pangolin.net/get-olm.sh | bash

Run with your credentials (copy from Pangolin → Clients):

olm \
  --id YOUR_OLM_ID_HERE \
  --secret YOUR_OLM_SECRET_HERE \
  --endpoint https://pangolin.yourdomain.com

Systemd Service (/etc/systemd/system/olm.service)

[Unit]
Description=Pangolin Olm Client
After=network.target

[Service]
Type=simple
User=root
ExecStart=/usr/local/bin/olm \
  --id YOUR_OLM_ID \
  --secret YOUR_OLM_SECRET \
  --endpoint https://pangolin.yourdomain.com \
  --log-level info

Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

sudo systemctl daemon-reload
sudo systemctl enable --now olm
sudo journalctl -u olm -f

Docker version (if preferred):

services:
  olm:
    image: fosrl/olm:latest
    container_name: olm
    restart: unless-stopped
    network_mode: host
    cap_add:
      - NET_ADMIN
    environment:
      - OLM_ID=your_id
      - OLM_SECRET=your_secret
      - PANGOLIN_ENDPOINT=https://pangolin.yourdomain.com

Once connected, access iDRAC via the hostname/IP that works locally (https://idrac.domain or https://idrac.internal).

---

3. Debug Commands for Newt Logs

View Newt logs:

# If running as systemd
sudo journalctl -u newt -f --no-pager

# Last 200 lines
sudo journalctl -u newt -n 200 --no-pager

# With debug level
sudo journalctl -u newt -f -o cat | grep -E "DEBUG|ERROR|WARN"

If running in Docker:

docker logs -f newt
docker logs --tail 300 newt
docker compose logs -f newt

Increase verbosity (restart Newt with):

--log-level debug

Or via environment variable in Docker:

environment:
  - LOG_LEVEL=debug

Other useful debug commands:

# Check Newt status / connection
curl -I http://localhost:NEWTPORT/health   # if exposed

# Check tunnels / routes (on the Newt host)
ip route show | grep 100.   # Pangolin tunnel range

# Test connectivity from Newt host to iDRAC
curl -vk https://172.23.17.14/
curl -vk https://idrac.domain/

---

Recommended Next Step
Deploy the Nginx helper first and point your existing Private HTTP resource at it. If you still have redirect issues, switch the resource to Raw TCP on port 443.