Timeout/freeze issue with Cloudflare Orange cloud and Traefik

[yann117]

I have an issue that I think is not caused by Pangolin but Traefik and Cloudflare, but I hope maybe someone knowledgeable from the community could help me.

When I access my services behind Pangolin and make many requests (like browsing pictures in Immich), the requests get stuck/idle for approximately one minute. Images are not displayed, the current UI session is "frozen". After that one minute, it respond again.

My setup is as follows:

1. I'm running a server at home with Pangolin and other services in Docker
2. My ISP provides only a public IPv6 address, the IPv4 is shared (CG-NAT) and not public, so not usable for DNS
3. I have my own domain, with AAAA only DNS managed in Cloudflare, pointing to the homelab IPv6 address
4. Cloudflare orange cloud is enabled, ensuring the automatic bridging to IPv4 end-users

Removing Cloudflare orange proxy and pointing directly to the homelab IPv6 fixes the issue, but then IPv4 users cannot access the server anymore.

I cannot understand exactly the underlying issue, but doing some search, I found that this is possibly caused by some kind of lack of affinity with Cloudflare servers, making the user original IPs not transferred from Cloudflare to the target. I could second that by looking at Cloudflare dashboard and noticed the number of "Unique Visitor" growing, while I was the only one accessing my server.

The solution would be to follow the instructions from this article:
https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/

Unfortunately, this article doesn’t cover the use-case, when the target service is using Traefik. There was a plugin cloudflarewarp from BetterCorp, but which is not maintained anymore.

I also found many multiple variants of it in the Traefik plugin database, but that just make it more unclear which one to choose. The description of each of them is the same, so it is not clear who offer those plugins, how officially this is supported, what difference there are between them, if they even work/are still maintained, ...

I also raised this here, as I think that is might be related to some topics I found here:

• How to set real ip header to CF-Connecting-IP for cloudflare proxy. #341
• [Bug] Default Pangolin setup with Badger not properly forwarding real IP's via Cloudflare/IP based rules not working with Cloudflare #619
• Client IP not forwarded to services #788

They are all open, and it is not clear if they will be fixed/implemented.

I'm also wondering if some of you experienced the same issue (of freezing with Cloudflare orange cloud) and could fix it ?

And even more globally, if some of you have found a better approach to address the issue of an IPv6-only server and have it reachable by IPv4-only clients. All solutions I'm reading about either have very low bandwidth limitations or require an additional fee (VPS proxy server).

I need to check the free plan from Oracle Cloud, but at this point Cloudflare orange cloud bridge was completely free and without limitation (once the initial connection is done, traffic is direct), but as described here experiencing this freeze issue.

[oschwartz10612]

Hi thanks for posting!

I think this sounds to me like it could be Cloudflare related if it goes away when you turn it off. I think you are talking about using their proxy service for your domain. Could you check out the pangolin logs when this occurs? I am wondering if Pangolin is rate limiting because CF is proxing from one source address. You should see some messages about rate limits being applied. You can try to add a rate limits section to the pangolin config and increase the values and see if it helps!

https://docs.fossorial.io/Pangolin/Configuration/config#rate_limits

You mentioned VPS - that would be a good alternative but that does cost some money obviously. Pangolin is built for that though. So instead of hosting Pangolin on your local network you would put it on the cloud and then use its tunneling and Newt to connect back to your local network.

[yann117]

Thank you for the hint! I checked my logs while the issue occurred; I don't see rate limiter warnings. I found some at another time, but they don't correspond to Immich accesses. The other messages around that time mentioning the resource, it was while I was using another service: Jellyfin, so I'll still look at it later:

2025-07-07T14:44:34.931Z [warn]: Rate limit exceeded for IP ::1 on path /api/v1/user
2025-07-07T14:44:35.104Z [info]: Resource access not allowed. Resource ID: 11. IP: 2400:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx.
2025-07-07T14:44:35.208Z [warn]: Rate limit exceeded for IP ::1 on path /api/v1/user
2025-07-07T14:44:35.214Z [warn]: Rate limit exceeded for IP ::1 on path /api/v1/user

I have the default rate limit:

rate_limits:
  global:
    window_minutes: 1
    max_requests: 500

500 requests per minute seems quite high already, I need to investigate how I could exceed this during several minutes with Jellyfin user API.

So for the main issue, as said, I definitely don't think it is related to Pangolin and rather Traefik in conjunction with Cloudflare, but knowing that many skilled network users are there, I'm hoping someone might have the knowledge or the same use-case and could suggest me some track.

The annoying thing is that Cloudflare's free plan doesn't have any logging, so it is investigating with a black box and making assumptions.