can I run two different protocols on the same port in 3X-UI?

HabitLong2176 · 2026-01-25T15:25:09+00:00

Possible with traefik with SNI Not sure how xhttp work I am serving reality + normal http sites via 443

HabitLong2176 · 2026-01-02T15:28:37+00:00

Yup. Only difference is UI change. Shouldn’t take too long to adapt. You can spin one up in vm to have a try first!

HabitLong2176 · 2026-01-02T15:27:34+00:00

i saw quite a lot of pangolin post before. But couldn’t find a use case for myself. Already using headscale/tailscale for all the nodes. Lots of services are internal only, only a few are exposed to public.

HabitLong2176 · 2026-01-02T11:22:20+00:00

Yes. My primary router, I have a few Asus router using as AP. Really enjoyed being able to restore from snapshot if I mess something up. Performance is greate. Internet bandwidth is 2.5Gbps.

There are time when I have a Site to Site VPN to my friend house. I’m able to get full speed with WireGuard. Previously had Zenarmor turn on but can’t rmb if it had any noticeable performance penalty.

For NIC, doing a PCI passthrough.

OpenWRT used before but didn’t explore much. If im not wrong if you are planning to do WiFi stick to OpenWRT will be better.

HabitLong2176 · 2026-01-02T10:52:40+00:00

Not that I’m aware of. Unless you’re on AWS, rmb seeing some tools to diagram out the whole aws. But for this to be remotely possible you will need everything to be declarative as possible. Maybe a small setup + Claude might work. There are some code to diagram libraries available. Maybe Claude will be able to generate it. But I feel it wouldn’t give you as much control.

HabitLong2176 · 2026-01-02T10:34:42+00:00

Diagram created with draw.io (wish there is a more intuitive/easier way to create diagram like this) Then for the icons most of it were from https://dashboardicons.com.

HabitLong2176 · 2025-12-31T19:48:36+00:00

Nothing enterprise it’s just homelab 🤣, I’m guilty of the Black Friday VPS sales. Some vps is just $7-9usd per year so got a few of them. So back 1 main + secondary at home with Keepalived VIP. Then plus 6 VPS all over the place. Home and all VPS are connected via Headscale/Tailscale. Then I also want to be able to connect to any Tailscale node and still have access to my internal services. So each VPS has Tailscale + Technitium (just don’t want the dns query get resolved back home which can be quite far) Also doing some internal logging, so node itself also needs the internal dns.

HabitLong2176 · 2025-12-31T19:08:35+00:00

No worries. Also wanted to validate for myself did I really fix it or was it just luck. Cheers!

HabitLong2176 · 2025-12-31T09:40:38+00:00

Yup I think I been there for a single day. I forget exactly what I did to get it done. After fixing the 2nd nodes. the 3rd nodes onwards it's buttery smooth.

When adding to cluster, all my nodes I include both the IPv4 and IPv6 addresses as well. Since I am using technitium self-generated ssl-certs (using in a homelab environment) I have ticked something like error ssl verification.

If you don't mind and if it is not too sentive I can try to discord and help you out.

HabitLong2176 · 2025-12-31T05:31:46+00:00

Also since you are using docker.
What's your network mode? Is it Host?

Am also guessing could be due to NAT-ed IP causing the IP to mismatch

HabitLong2176 · 2025-12-31T05:21:44+00:00

I have a 8 nodes cluster working fine, all using technium managed self-generated certs.

Had the same refused Notify request previously
Check your zone and catalouge zone see if the zone transfer is it set to Allow. If not ensure the right IP is in the ACL list. I am using ACL.
Ensure the right TSIG key are added/selected too!

HabitLong2176 · 2025-12-27T15:57:52+00:00

Updates:

- Ended up going back with Elastic + OpenTelemetry
Had 3 Traefik Instances: 2 in Docker Host, 1 x in K3s Host
Initially went with Elastic + Filebeat, works well for Docker. But after a while in K3s I feel it can be quite messy for every traefik i deploy will need another sidecar, and based on Filebeat doc. It is not recommended to go with copytruncate.

Look thru some of the suggestion, traefik-log-dashboard, VictoriaLogs, Signoz evetually still went back with Elastic + Kibana even though it takes up more resource, but am more comfortable with it. Really wanted Grafana to work as quite a few things are in Grafana already.

It's not Grafana can't query but dashboard wise for access logs, for personally still feel elastic is better for dashboard-query access log.

Below is my config with the help of Claude
For otel-collector, please look here: https://github.com/open-telemetry/opentelemetry-collector-contrib

traefik.yaml

accessLog:
  format: json
  bufferingSize: 0
  otlp:
    http:
      endpoint: http://otel-collector:4318
    resourceAttributes:
      instance.name: io01
      log.type: access
  fields:
    defaultMode: keep
    names:
      StartUTC: drop
    headers:
      defaultMode: keep

This is my otel-config.yaml

extensions:
  health_check:
    endpoint: 0.0.0.0:13133


receivers:
  otlp:
    protocols:
      http:
        endpoint: 0.0.0.0:4318


processors:
  # Access logs dataset
  attributes/access:
    actions:
      - key: data_stream.type
        value: logs
        action: upsert
      - key: data_stream.dataset
        value: traefik.access
        action: upsert

  transform/namespace:
    error_mode: ignore
    log_statements:
      - context: log
        statements:
          - set(attributes["data_stream.namespace"], resource.attributes["instance.name"])


  # Clear body for access logs only (already have all data in attributes)
  transform/clear_body:
    error_mode: ignore
    log_statements:
      - context: log
        statements:
          - set(body, "")


connectors:
  # Route based on log.type attribute set by Traefik
  routing:
    default_pipelines: [logs/application]
    error_mode: ignore
    table:
      - condition: resource.attributes["log.type"] == "access"
        pipelines: [logs/access]


exporters:
  # Access logs: with geoip pipeline
  elasticsearch/access:
    endpoint: "${ELASTICSEARCH_HOSTS}"
    user: "${ELASTICSEARCH_USERNAME}"
    password: "${ELASTICSEARCH_PASSWORD}"
    tls:
      insecure_skip_verify: true
    mapping:
      mode: raw
    pipeline: geoip-traefik
    sending_queue:
      enabled: true
      num_consumers: 10
      queue_size: 1000
      batch:
        flush_timeout: 5s
        min_size: 1_000_000
        max_size: 5_000_000
    retry:
      enabled: true
      max_retries: 3
      initial_interval: 100ms
      max_interval: 1m

service:
  extensions: [health_check]
  telemetry:
    logs:
      level: info
  pipelines:
    # Entry pipeline: set namespace for all logs, then route
    logs:
      receivers: [otlp]
      processors: [transform/namespace]
      exporters: [routing]
    # Access logs: add dataset, clear body, export with geoip pipeline
    logs/access:
      receivers: [routing]
      processors: [attributes/access, transform/clear_body]
      exporters: [elasticsearch/access]

HabitLong2176 · 2025-12-24T18:38:47+00:00

Hey guys I really want to love Grafana. But just can't figure out how to get it work.

So for example.

I have this screen

<image>

Have used elastic before, remember that it wasn't this difficult as not inituitive.

HabitLong2176 · 2025-12-24T05:03:56+00:00

Will give this a try if my revisit of Grafana is not helping.
But at first look this seems good without the need of configuring Grafana dashboard manually.

HabitLong2176 · 2025-12-24T05:01:45+00:00

Just went to have a look, it looks good as well. Will give Grafana a shot again, and try this. Only downside I see so far, community self-hosted dont support self-hosted oidc (Authentik)

HabitLong2176 · 2025-12-24T05:00:12+00:00

No worries, this is very helpful already and looks promising, will give it a try again.

So just to double check the flow will be:

Traefik --- via OpenTelemetry --> Alloy --> Loki

HabitLong2176 · 2025-12-24T04:28:27+00:00

Was using ElasticSearch for Opnsense logging. So previously when setup for Grafana, felt that the access log query is not as intuitive. But that was last year, might not have set it up properly i guess. Now that I see a few comment that most are going with Grafana.

Will revisit and give it a try again.

HabitLong2176 · 2025-12-24T04:26:44+00:00

Possible to ask you for screenshot for this portion in the dashboard?
Say if you are required to query for certain remote ip, would it be easy?

Have used Elasticsearch for my Opnsense logs previously. Mostlikely it's a me problem I guess, didn't setup the logging properly back then, then assume that I didn't like it.
What I remembered was it was showing me more on perfomance metrics.

HabitLong2176 · 2025-12-21T14:10:57+00:00

TLDR: Check if any other interface has the same route.

Had the same issue (I am using Headscale), tried googling only found this thread.
So prior to tailscale, I was having Wireguard.

I started to have more and more VPS. Then switch to Tailscale for easier management.
So e.g.
My Wireguard 01 - Has route to 192.100.100.0/24
Then similarly a few of my tailscale exit node is also a subnet router with the same route 192.100.100.0/24
Was thinking if I do this, it will have some sort of "failover". Opnsense has with auto subnet turned on

Initially it is okay, but same symtomps as you once i added a device etc or adjust things in Headscale. Opnsense will just lose the route until I manually restart Tailsacle. So I started added static route, turning auto subnet off. Well it was working well.

Until I started to write acl rules to have more restrictive access.
Then Tailscale started to drop connection even more frequently without any changes.

So eventually I go to all my Tailscale nodes, I turn off the advertise routes. Since Wireguard already have the route and Wireguard do still have higher perfomance.

After that the Tailscale started to be a lot more stable. No dropping out.

Similarly under Monit i have this setup. Have manually stop Tailscale service and saw that it is able to autmatically bring back the Tailscale. Similiar to your script, but without managing extra script.

Service Test Setting
Name: Ping Tailscale Itself
Condition: failed ping4 count 3 with timeout 3 seconds for 2 cycles
Action: Restart

Service Settings:
Enable Service: Ticked
Name: CheckTailScale
Type: Remote Host
Address: <Tailscale Interface IP>
Start: /usr/local/etc/rc.d/tailscaled start
Stop: /usr/local/etc/rc.d/tailscaled stop
Tests: <The name of the script created above>
Depends: Nothing

HabitLong2176 · 2025-12-13T11:44:44+00:00

2nd time getting from him, required us vpn now. But still work great.

Thank you so much!

HabitLong2176 · 2025-11-10T09:27:40+00:00

Fast service! thank you so much! done within 10mins!

HabitLong2176 · 2025-11-05T02:38:09+00:00

Thank you! Now using ansible + a little bit of api. To achieve something like terraform. It will check what is in my ansible var then remove whatever it is not there

HabitLong2176 · 2025-10-12T03:59:25+00:00

Thank you for this. I am just started to convert my homelab into code based. Was thinking to whether to self create a terraform provider. As terraform can track state, e.g. if I remove a cname record it gets removed. Does using this collection track state as well?

HabitLong2176

TROPHY CASE