Full-Stack Developer specializing in performance optimization, team leadership, and end-to-end product ownership. Experienced with modern tech stacks, global remote collaboration, and delivering high-impact solutions.
You can find my social media or resume below.
1 What Pangolin Does Pangolin is a lightweight edge gateway built to work with Tailscale Funnel: Exposes internal services over HTTPS on port 443 Automatically issues Let’s Encrypt certificates Adds optional OAuth 2 / OIDC log-in screens Routes by hostname or path from a clean web dashboard Minimal example: 1 2 pangolin service add grafana http://localhost:3000 tailscale funnel enable grafana You can then visit: https://grafana.apps.example.com 2 The Wildcard Collision We already had Coolify managing our apps at *.example.com with its own wildcard TLS certificate. ...
TL;DR If every Real-Debrid call suddenly bombs with\ TLS connect error: packet length too long (or invalid SSL record) and you’re on a Turkish ISP, the state DPI filter is intercepting api.real-debrid.com ( 94.140.0.0/16 ). Point your client at https://app.real-debrid.com instead—or route that /16 through a VPN—and everything works again. What Happened? Early 2025: Turkey’s national content-filtering infrastructure quietly added the entire 94.140.0.0/16 range (Real-Debrid’s API/download servers) to its block list. The filter works even on port 443. When your client starts a TLS handshake, the DPI box injects a plain-text HTTP page (“Access denied”) instead of letting the SSL packets through. OpenSSL/mbedTLS instantly bails out, surfacing cryptic errors like packet length too long or invalid SSL record. The public front-end real-debrid.com lives on Cloudflare (different IPs) and still loads fine, so Real-Debrid’s own /vpn checker says “Your IP isn’t blocked,” adding to the confusion. How We Diagnosed It Test Result Interpretation curl -I https://api.real-debrid.com/rest/1.0/user TLS connect error… Remote side sent non-TLS bytes. curl -I https://app.real-debrid.com/rest/1.0/user HTTP/1.1 200 OK Alternate host works; block is IP-based. Packet capture (tcpdump -A host 94.140.4.10) Immediately shows HTTP/1.1 403 in plain text Proof the block page is injected before TLS finishes. Mobile data (no Wi-Fi) API accessible Confirms the fixed-line IP range is affected, not user accounts. 2 Ways to Solve It 1 — Switch Hostnames (fastest) Real-Debrid mirrors every API endpoint on app.real-debrid.com. Change your client’s base URL or hijack DNS (/etc/hosts, Pi-hole, OpenWrt dnsmasq). Takes under two minutes, survives router reboots, and needs no VPN. ...