Summary
I'm running the PasarGuard node behind an nginx reverse proxy, which is in turn behind a managed HTTPS-terminating edge proxy (negotiates HTTP/2 with clients).
The node is reachable end-to-end and responds correctly with 401 missing x-api-key header when probed with curl. But the panel cannot connect and returns:
HTTP error: Expected HTTP/, RTSP/ or ICE/:
b''
The b'' looks like a Python bytes literal, suggesting the panel's HTTP client receives a response it can't parse.
Topology
Panel ──HTTPS (HTTP/2)──> edge proxy ──HTTP/1.1──> nginx ──HTTPS (self-signed)──> pasarguard-node :62050
Node configuration
SERVICE_PORT=62050
SERVICE_PROTOCOL=rest
SERVICE_ADDRESS=0.0.0.0
SSL_CERT_FILE=/var/lib/pg-node/certs/cert.pem
SSL_KEY_FILE=/var/lib/pg-node/certs/key.pem
API_KEY=<uuid>
nginx configuration
server {
listen 8080;
server_name _;
client_max_body_size 50M;
location / {
proxy_pass https://127.0.0.1:62050;
proxy_ssl_verify off;
proxy_ssl_server_name on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 300s;
proxy_send_timeout 300s;
}
}Evidence the node IS reachable through the full chain
curl from the internet through the full chain:
$ curl -v https://<public-host>/
...
* ALPN: server accepted h2
* using HTTP/2
...
< HTTP/2 401
< content-type: text/plain; charset=utf-8
< content-length: 25
missing x-api-key header
The chain works. The node correctly returns 401 missing x-api-key header.
Notably: ALPN: server accepted h2 — the edge negotiates HTTP/2.
Sending the API key also works as expected:
$ curl -H "x-api-key: <uuid>" https://<public-host>/info
0.4.3⏎
Panel "Add Node" form
| Field |
Value |
| Node Address |
<public-host> |
| Node Port |
443 |
| API Port |
443 |
| Connection Type |
Rest |
| API Key |
<uuid> (matches node) |
| Certificate |
leaf cert of <public-host>, fetched via openssl s_client |
Clicking "Add" / "Modify" produces:
HTTP error: Expected HTTP/, RTSP/ or ICE/:
b''
What I've tried
curl with the API key returns valid responses — node is healthy- Re-fetched the leaf cert and re-pasted into the Certificate field
- Confirmed the panel's TCP connection reaches the node (node sees the request)
- Is REST mode supported behind an HTTPS-terminating edge that negotiates HTTP/2 with the client?
- For deployments where only port 443 is publicly reachable and TLS terminates at a managed edge (no TCP passthrough), what is the recommended panel → node topology?
- Could the error message surface the actual HTTP status / response rather than a Python
b'' repr? It would make this much easier to diagnose.
Environment
- Panel version: 3.1.0
- Node image:
pasarguard/node:latest
- Reverse proxy:
nginx:latest Docker image
Summary
I'm running the PasarGuard node behind an nginx reverse proxy, which is in turn behind a managed HTTPS-terminating edge proxy (negotiates HTTP/2 with clients).
The node is reachable end-to-end and responds correctly with
401 missing x-api-key headerwhen probed withcurl. But the panel cannot connect and returns:The
b''looks like a Python bytes literal, suggesting the panel's HTTP client receives a response it can't parse.Topology
Node configuration
nginx configuration
Evidence the node IS reachable through the full chain
curlfrom the internet through the full chain:The chain works. The node correctly returns
401 missing x-api-key header.Notably:
ALPN: server accepted h2— the edge negotiates HTTP/2.Sending the API key also works as expected:
Panel "Add Node" form
<public-host>443443Rest<uuid>(matches node)<public-host>, fetched via openssl s_clientClicking "Add" / "Modify" produces:
What I've tried
curlwith the API key returns valid responses — node is healthyb''repr? It would make this much easier to diagnose.Environment
pasarguard/node:latestnginx:latestDocker image