Pangolin Private Resources With Domain HTTPS

I’ve been moving slowly away from Cloudflare tunnels and into a self-hosted solution. For this, I use a self-hosted instance of Pangolin. Pangolin lets me expose services from my homelab for the whole world to see, should I wish to do so. However, not all services are created equal, and there are some that I’d like to be accessible only via VPN.

Thankfully, Pangolin allows for this via its private resources. You can define a resource that is only accessible when you’re connected to the network via the Pangolin client. It also allows setting a DNS alias for the resource in question, so you can point a subdomain like frigate.example.com to the internal resource. When connected via the client, the name is resolved by a private DNS server running inside the client and pointed in the right direction. This poses a small issue though - while Pangolin will happily pass ACME domain challenges for public resources, there’s no such mechanism at the moment for private resources. What this means is that you can’t easily obtain TLS certificates for such domains.

I’ve worked around this limitation by doing the following. I’ve got a reverse proxy - in my case Caddy - spun up in my homelab. It’s not exposed and is not reachable on the public internet, so an HTTP-01 challenge could never be answered; instead it uses DNS-01 challenges, proving control of the domain by creating TXT records on the domain in question.

To do this, I’ve used the Caddy Cloudflare module. I build an image with it; here’s the Dockerfile:

    FROM caddy:2.10.2-builder AS builder

    RUN xcaddy build \
        --with github.com/caddy-dns/cloudflare

    FROM caddy:2.10.2

    COPY --from=builder /usr/bin/caddy /usr/bin/caddy

With it, my Caddyfile looks like so:

    frigate.example.com {
      reverse_proxy frigate.default.svc.cluster.local:3030
      tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
        resolvers 1.1.1.1
      }
    }
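To make clear what the `tls { dns cloudflare ... }` block is doing on Caddy's behalf, here is an added example that is not part of the original post and not Caddy's or the Cloudflare module's own code. It walks through the DNS-01 computation from RFC 8555 section 8.4: the ACME account key's thumbprint (RFC 7638), the key authorization built from the CA's challenge token, and the `_acme-challenge` TXT record name and value that the DNS plugin publishes. The JWK, the token and the hostname are constructed sample values, not real keys or a real challenge.

```python
"""DNS-01 challenge record derivation (RFC 8555 §8.4 with RFC 7638 thumbprints).

Added worked example; the account key and token below are constructed samples.
"""
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as used everywhere in ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members.

    Only the members that define the key are hashed, in lexicographic order and
    with no whitespace; extra members such as "kid" or "alg" are ignored.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """The value an ACME client must prove it controls: token '.' thumbprint."""
    return f"{token}.{thumbprint}"


def dns01_record(hostname: str, token: str, thumbprint: str) -> tuple[str, str]:
    """Return (TXT record name, TXT record value) for a DNS-01 challenge.

    The value is the base64url SHA-256 digest of the key authorization, so the
    published record reveals neither the token nor the account key directly.
    """
    name = f"_acme-challenge.{hostname}"
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return name, b64url(digest)


def txt_records_satisfy(observed: list[str], expected_value: str) -> bool:
    """Propagation check of the kind a client performs before telling the CA to
    validate (this is what the Caddyfile's `resolvers` setting is used for)."""
    return expected_value in observed


# Constructed sample ACME account key (P-256 JWK with placeholder coordinates)
# and a constructed challenge token; neither comes from a real CA exchange.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "https://acme.example/acct/1",  # ignored by the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_HOST = "frigate.example.com"

_B64URL = re.compile(r"^[A-Za-z0-9_-]{43}$")


def demo() -> dict:
    """Run the whole derivation for the sample values and return the pieces."""
    thumb = jwk_thumbprint(SAMPLE_JWK)
    name, value = dns01_record(SAMPLE_HOST, SAMPLE_TOKEN, thumb)
    # A 32-byte digest is always 43 base64url characters once padding is dropped.
    assert _B64URL.match(thumb) and _B64URL.match(value)
    return {"thumbprint": thumb, "record_name": name, "record_value": value}


if __name__ == "__main__":
    result = demo()
    print(f"{result['record_name']} IN TXT \"{result['record_value']}\"")
```

Two practical notes follow from this. First, the record value is only meaningful for one token, so the plugin creates and then removes a fresh TXT record on every issuance and renewal, which is why the Cloudflare token needs DNS edit rights on the zone; scope it to that zone rather than using an account-wide key. Second, the certificate that results is logged to Certificate Transparency like any other publicly trusted certificate, so the hostname of a private resource (though not its address) becomes publicly visible.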

In my Pangolin configuration I point the private resource at the reverse proxy and set its alias to frigate.example.com. Now, when connected to the network via the Pangolin client, I can type frigate.example.com in my browser and view my Frigate dashboard over HTTPS.

Hope you find this useful!
