Mullgate
Guides

Troubleshooting

Practical checks for configuration drift, hostname issues, and runtime validation.

This page summarizes the most important troubleshooting patterns described or implied by the Mullgate usage material.

Start with the CLI

The primary diagnostic surfaces are:

  • mullgate proxy status
  • mullgate proxy doctor
  • mullgate proxy access
  • mullgate proxy validate --refresh

Common problems

Hostname does not select the expected route

Check for:

  • the hostname resolving to the wrong bind IP
  • two hostnames resolving to the same bind IP
  • a missing local hosts block
  • published DNS records that do not match the configured exposure state

What to do:

  1. run mullgate proxy access
  2. confirm the route-to-bind-IP mapping
  3. if you are intentionally using hostname entrypoints, verify local hosts or DNS resolution
  4. run mullgate proxy doctor

In loopback mode without a base domain, direct bind-IP entrypoints are the canonical local path. Missing host-file mappings only matter when you want hostname shortcuts on that same machine.

Remote clients cannot prove hostname-based routing

Check for:

  • the wrong host IP being shared with clients, especially 0.0.0.0 instead of the real Tailscale or LAN IP
  • missing or incorrect DNS records
  • exposure changes that have not been refreshed into runtime state

What to do:

  1. use the real private-network host IP, such as the Mullgate host's Tailscale 100.x address
  2. regenerate or review exposure output
  3. publish matching DNS A records
  4. run mullgate proxy validate --refresh or mullgate proxy start

Inline selector URLs do not select the expected route

Check for:

  • the client URL using scheme://selector@host:port and dropping the empty password
  • a selector that does not match any saved route or relay filter
  • public exposure with an empty password but no explicit unsafe override

What to do:

  1. switch to the guaranteed scheme://selector:@host:port form
  2. inspect selector examples with mullgate proxy access
  3. if the listener is public and the password is empty, add --unsafe-public-empty-password or set a real password

For the supported selector families and the "must resolve to one target" rule, see Inline Selector Reference.

Saved configuration changed but runtime does not match

Likely cause:

  • exposure edits left runtime state marked unvalidated

What to do:

mullgate proxy validate --refresh
# or
mullgate proxy start

Installed command says the config version is unsupported

Likely cause:

  • the local machine still has a stale pre-v2 config/runtime bundle

What to do:

  1. back up or remove the config file and runtime directory named in the error
  2. rerun mullgate setup
  3. rerun mullgate proxy start

Do not expect the current CLI to operate on the old runtime bundle in place.

macOS or Windows behaves differently from Linux

This is expected for the shipped multi-route Docker runtime because Docker Desktop host networking is not equivalent to Linux host networking.

What to do:

  • treat config and diagnostic surfaces as supported
  • use a Linux host or Linux VM for full runtime proof

start fails before launch

Look for:

  • missing Docker Compose support
  • invalid exposure edits
  • validation failures
  • missing HTTPS material when HTTPS is enabled

Use mullgate proxy status and mullgate proxy doctor to identify which layer failed.

Troubleshooting workflow

A reliable sequence is:

  1. inspect configuration with mullgate proxy access
  2. inspect hostname guidance or selector examples with mullgate proxy access
  3. refresh derived runtime state with mullgate proxy validate --refresh
  4. check runtime truth with mullgate proxy status
  5. investigate routing or hostname drift with mullgate proxy doctor
  6. verify with a real probe such as curl through the intended proxy entrypoint

Escalation questions

If the issue remains unclear, answer these questions explicitly:

  • what exposure mode is configured?
  • what access mode is configured?
  • if this is public + published-routes, does every route have a distinct bind IP?
  • if this is private-network, are clients using the Mullgate host's real private-network IP?
  • what does the hostname resolve to from the failing client?
  • was the runtime refreshed after the last config edit?
  • are you testing on Linux, macOS, or Windows?
  • is HTTPS enabled, and if so are both the cert and key present?

See also

Inline Selector Reference

Supported selector forms, URL syntax, and practical caveats for inline-selector access.

Architecture Overview

High-level design goals, traffic flow, and trust boundaries for Mullgate.

On this page

Start with the CLICommon problemsHostname does not select the expected routeRemote clients cannot prove hostname-based routingInline selector URLs do not select the expected routeSaved configuration changed but runtime does not matchInstalled command says the config version is unsupportedmacOS or Windows behaves differently from Linuxstart fails before launchTroubleshooting workflowEscalation questionsSee also