docs: [#234] Evaluate Pingoo as TLS proxy replacement for nginx+certbot #269

Merged: josecelano merged 6 commits into main from 234-evaluate-pingoo-for-https-termination on Jan 13, 2026

Conversation

@josecelano josecelano commented Jan 12, 2026

Member

Summary

Research evaluation of Pingoo as a simpler alternative to nginx+certbot for automatic HTTPS/TLS termination in Torrust Tracker deployments.

Closes #234

Final Decision

❌ NOT ADOPTING Pingoo - WebSocket limitation makes it unsuitable for our full stack (Grafana Live requires WebSocket support).

Why Not Adopt?

  1. WebSocket Not Supported: Pingoo strips the Upgrade header, breaking WebSocket connections required for Grafana Live dashboards
  2. Hybrid Architecture Overkill: Using two proxies (Pingoo for Tracker + another for Grafana) adds unnecessary complexity
  3. Better Alternative Available: Caddy offers similar simplicity with full WebSocket support

We filed pingooio/pingoo#23 to confirm WebSocket support status.

Experiment Results

| Experiment | Status | Result |
| --- | --- | --- |
| 1. Hello World | ✅ Complete | SUCCESS - Certificate auto-generated |
| 2. Tracker API | ✅ Complete | SUCCESS - API working via HTTPS |
| 3. HTTP Tracker | ✅ Complete | SUCCESS - BitTorrent protocol via HTTPS |
| 4. Grafana (WebSocket) | ⚠️ Complete | PARTIAL - HTTP works, WebSocket FAILS |

Root Cause Analysis (Experiment 4)

Pingoo's http_proxy_service.rs explicitly filters out the Upgrade header:

```rust
// From pingoo source code
let dominated_headers = &[
    "host",
    "upgrade",  // ← WebSocket upgrade stripped!
    "connection",
    ...
];
```

This architectural decision means WebSocket connections cannot be established through Pingoo.

Key Findings

Experiments 1-3: All Tracker Services Work ✅

  • ✅ Automatic Let's Encrypt certificate generation (~7 seconds)
  • ✅ TLS 1.3 with post-quantum key exchange (X25519MLKEM768)
  • ✅ Minimal configuration: ~10 lines YAML vs ~50+ for nginx+certbot
  • ✅ Tracker API endpoints work correctly
  • ✅ HTTP Tracker announce/scrape work with binary payloads

Experiment 4: WebSocket Failure ❌

  • ✅ Grafana HTTP interface works
  • ✅ Prometheus metrics collection works
  • ❌ Grafana Live WebSocket connections fail
  • ❌ Live dashboard updates don't work
  • Root cause: Pingoo strips Upgrade header by design

Comparison: Pingoo vs Caddy

| Aspect | Pingoo | Caddy |
| --- | --- | --- |
| WebSocket Support | ❌ Not supported | ✅ Full support |
| ACME/Let's Encrypt | ✅ Automatic | ✅ Automatic |
| TLS Versions | TLS 1.3 only | TLS 1.2+ (configurable) |
| Maturity | New project (2024) | Mature (since 2015) |
| Post-Quantum Crypto | ✅ X25519MLKEM768 | ❌ Not yet |
| Configuration | Simple YAML | Simple Caddyfile |

Recommendation

Evaluate Caddy as an alternative - it offers:

  • Similar automatic HTTPS/certificate management
  • Full WebSocket support for Grafana Live
  • More mature and stable codebase
  • Single proxy for all services

Test Environment

  • Domain: torrust-tracker.com (with subdomains: test, api, http1, grafana)
  • Server: Hetzner ccx23, Ubuntu 24.04
  • IP: 46.224.206.37

Documentation Added

  • docs/research/pingoo-tls-proxy-evaluation/README.md
  • docs/research/pingoo-tls-proxy-evaluation/phase-1-environment-preparation.md
  • docs/research/pingoo-tls-proxy-evaluation/experiment-1-hello-world.md
  • docs/research/pingoo-tls-proxy-evaluation/experiment-2-tracker-api.md
  • docs/research/pingoo-tls-proxy-evaluation/experiment-3-http-tracker.md
  • docs/research/pingoo-tls-proxy-evaluation/experiment-4-grafana.md
  • docs/research/pingoo-tls-proxy-evaluation/conclusion.md

Next Steps

  • Create new issue to evaluate Caddy as TLS proxy
  • Run similar experiments with Caddy
  • Make final decision on nginx+certbot replacement
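As an added illustration (not code from this PR, from Pingoo or from Torrust): the hop-by-hop header rule the root-cause analysis above refers to, next to the narrow exception a reverse proxy needs for a WebSocket handshake to reach the origin. Under RFC 7230 section 6.1, `Connection` and `Upgrade` are hop-by-hop headers, so a proxy that removes them is following the letter of the spec; a WebSocket-capable proxy recognises `Connection: upgrade` plus `Upgrade: websocket` on the client request and re-emits those two headers towards the origin, while the end-to-end `Sec-WebSocket-*` headers pass through under either policy. The `UpgradePolicy` names, the hop-by-hop list and the sample Grafana handshake are assumptions constructed for this example.

```rust
// Added example, not Pingoo's or Torrust's code: how a reverse proxy should treat
// hop-by-hop headers so that a WebSocket handshake still works (std only).
use std::collections::HashSet;

/// Hop-by-hop headers from RFC 7230 section 6.1 / RFC 2616 section 13.5.1.
/// A proxy must not forward these to the origin as-is.
const HOP_BY_HOP: &[&str] = &[
    "connection",
    "keep-alive",
    "proxy-authenticate",
    "proxy-authorization",
    "te",
    "trailer",
    "transfer-encoding",
    "upgrade",
];

/// Proxy policy for the `Upgrade` mechanism (names are this example's own).
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum UpgradePolicy {
    /// Always drop `Upgrade` and `Connection`, as the PR reports Pingoo does.
    /// Plain HTTP keeps working, but a WebSocket handshake never reaches the origin.
    StripAlways,
    /// Drop hop-by-hop headers, but re-emit `Connection: upgrade` and
    /// `Upgrade: websocket` when the client asked for a WebSocket handshake.
    PassWebSocket,
}

/// Does this request carry a WebSocket opening handshake (RFC 6455 section 4.1)?
pub fn is_websocket_upgrade(headers: &[(&str, &str)]) -> bool {
    let wants_upgrade = headers.iter().any(|(name, value)| {
        name.eq_ignore_ascii_case("connection")
            && value.split(',').any(|t| t.trim().eq_ignore_ascii_case("upgrade"))
    });
    let is_websocket = headers.iter().any(|(name, value)| {
        name.eq_ignore_ascii_case("upgrade") && value.trim().eq_ignore_ascii_case("websocket")
    });
    wants_upgrade && is_websocket
}

/// Compute the header list a reverse proxy forwards to the origin.
/// Names are lower-cased; values are forwarded unchanged.
pub fn forward_headers(headers: &[(&str, &str)], policy: UpgradePolicy) -> Vec<(String, String)> {
    // RFC 7230 section 6.1: every token named in `Connection` is also hop-by-hop.
    let mut dropped: HashSet<String> = HOP_BY_HOP.iter().map(|h| h.to_string()).collect();
    for (name, value) in headers {
        if name.eq_ignore_ascii_case("connection") {
            for token in value.split(',') {
                dropped.insert(token.trim().to_ascii_lowercase());
            }
        }
    }

    let mut out: Vec<(String, String)> = headers
        .iter()
        .filter(|(name, _)| !dropped.contains(&name.to_ascii_lowercase()))
        .map(|(name, value)| (name.to_ascii_lowercase(), value.to_string()))
        .collect();

    // The WebSocket exception: the proxy itself asks the origin to upgrade this hop.
    if policy == UpgradePolicy::PassWebSocket && is_websocket_upgrade(headers) {
        out.push(("connection".to_string(), "upgrade".to_string()));
        out.push(("upgrade".to_string(), "websocket".to_string()));
    }
    out
}

fn main() {
    // Constructed sample: the handshake a Grafana Live browser client sends.
    let handshake = [
        ("Host", "grafana.example.test"),
        ("Connection", "Upgrade"),
        ("Upgrade", "websocket"),
        ("Sec-WebSocket-Key", "dGhlIHNhbXBsZSBub25jZQ=="),
        ("Sec-WebSocket-Version", "13"),
    ];
    for policy in [UpgradePolicy::StripAlways, UpgradePolicy::PassWebSocket] {
        println!("{:?}: {:?}", policy, forward_headers(&handshake, policy));
    }
}
```

Running it prints the forwarded header list under each policy: with `StripAlways` the origin receives `Sec-WebSocket-Key` but no `Upgrade`, so it answers with a normal HTTP response instead of `101 Switching Protocols`, which is the failure mode Experiment 4 describes; with `PassWebSocket` the handshake headers are restored on the proxy-to-origin hop.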

- Add research directory structure for Pingoo evaluation
- Document DNS configuration and propagation verification
- Create Experiment 1 (Hello World) documentation template
- Add cdmon to project dictionary
Results:
- Pingoo successfully auto-generated Let's Encrypt certificate
- TLS 1.3 with post-quantum key exchange (X25519MLKEM768)
- Minimal configuration: ~10 lines YAML vs ~50+ for nginx+certbot
- No email required (unlike certbot)

Preliminary decision: Switch to Pingoo as primary TLS proxy
Pending: WebSocket verification for Grafana (Experiment 4)

Added to dictionary: MLKEM, noout, certonly
@josecelano josecelano requested a review from da2ce7 January 12, 2026 16:46
@josecelano josecelano self-assigned this Jan 12, 2026
- Deployed Tracker API with Pingoo TLS proxy on api.torrust-tracker.com
- Certificate auto-generated in ~7 seconds
- TLS 1.3 with X25519MLKEM768 post-quantum key exchange
- Health check endpoint working via HTTPS
- Configuration mirrors production setup for easy migration
- Deployed HTTP Tracker with Pingoo TLS proxy on http1.torrust-tracker.com
- Certificate auto-generated in ~7 seconds
- BitTorrent announce/scrape endpoints work correctly via HTTPS
- Binary bencoded responses proxied without corruption
Experiment 4 tested Pingoo with Grafana to verify WebSocket support for
Grafana Live real-time streaming feature.

Results:
- HTTP requests work correctly (dashboard loads, login works)
- WebSocket connections FAIL (Grafana Live does not work)

Root cause: Pingoo's http_proxy_service.rs explicitly removes the 'Upgrade'
header as a hop-by-hop header, which breaks the WebSocket upgrade handshake.

Filed issue pingooio/pingoo#23 to confirm this limitation and discuss
potential solutions.

Final architecture decision: Use hybrid approach - Pingoo for Tracker
services (API + HTTP Tracker), nginx for Grafana (WebSocket support).
@josecelano josecelano marked this pull request as ready for review January 12, 2026 18:30
…limitation

- Updated README.md with CLOSED - Not Adopting status
- Added rationale: WebSocket limitation makes it unsuitable for Grafana Live
- Two proxies (Pingoo + alternative) is overkill for simple setup
- Recommend Caddy evaluation as single solution with WebSocket support
- Updated conclusion.md with full decision rationale and Caddy comparison
- All experiments (1-4) remain documented for future reference
Member Author

ACK c93ce45

@josecelano josecelano merged commit 986f691 into main Jan 13, 2026
34 checks passed
@josecelano josecelano deleted the 234-evaluate-pingoo-for-https-termination branch April 15, 2026 16:38
Successfully merging this pull request may close these issues.

Consider pingoo instead of nginx+cerbot for the TLS proxy
