Pangolin is an open source self-hosted tunneled reverse proxy management server with identity and access control, designed to securely expose private resources through encrypted WireGuard tunnels running in user space.
We made Pangolin so you retain full control over your infrastructure while providing a user-friendly and feature-rich solution for managing proxies, authentication, and access, all with a clean and simple dashboard web UI.
GitHub: https://github.com/fosrl/pangolin
Deployment takes about 5 minutes on a VPS: https://docs.fossorial.io/Getting%20Started/quick-install
Demo by Lawrence Systems (YouTube): https://youtu.be/g5qOpxhhS7M?si=M1XTWLGLUZW0WzTv&t=723
Some use cases:
- Grant users access to your apps from anywhere using just a web-browser
- Proxy behind CGNAT
- One application load balancer across multiple clouds and on-premises
- Easily expose services on IoT and edge devices for field monitoring
- Bring localhost online for easy access
- No port forwarding and hide your public IP for self-hosting
- Create proxies to multiple different private networks
- OAuth2/OIDC identity providers
- Role-based access control
- Raw TCP and UDP support
- Resource-specific pin codes, passwords, email OTP
- Self-destructing shareable links
- API for automation
- WAF with CrowdSec and Geoblocking
https://aazar.me/posts/reincarnating-a-raspberry-pi
so, kind of an uneducated question (from someone who isn't heavily involved in actual infrastructure)... I haven't used CF tunnels, and the extent of my proxying private services has pretty much been either reverse proxy tunnels over SSH, or Tailscale. Where pretty much any service I want to test privately is located on some particular device, like, a single EC2 instance, or my laptop that's at home while I'm out on my phone. Could you explain in layman's terms what this solves that e.g. tailscale doesn't?
I think what you are using (SSH, Tailscale) is great for your use case! We see this as more of a static and permanent tunnel to a service - less ephemeral than a ssh tunnel - and more to get public users into your application. Meaning if you had a internal app for your business or some homelab application like Immich or Grafana at home/work that you want to expose to your family in their browser this could be a good tool to use. Does that make sense?
I get there's a tunnel provided by this sort of software, I just don't understand how so many people actually need one.
Cloudflare tunnels help expose a service to the internet with a bit more protection.
I have seen folks use both tailscale to access the backend and the public side is only Cloudflare tunnels.
It’s not unreasonable to point Cloudflare tunnels to a central and internal nginx proxy manager.
Tailscale can route the public internet into your services too can do this too but the protections in Cloudflare are likely a little more robust.
Panagolin looks interesting enough to try out, it could sit run behind Cloudflare tunnels while testing and then moved out.
The TL;DR is this - there are certain apps I host that I want to be public and don't want to onboard a Tailscale node (for example my sister uses my Plex server). So, instead of setting up a reverse proxy, I simply create a subdomain in DNS (via CF) and then route that subdomain to the CF tunnel.
It's like 3 form entries to do all of this for one site/service and automatically creates an SSL cert for me. I love it.
Deleted Comment
Pangolin uses Traefik under the hood to do the actual HTTP proxying. A plugin, Badger, provides a way to authenticate every request with Pangolin. A second service, Gerbil, provides a WireGuard management server that Pangolin can use to create peers for connectivity. And finally, there is Newt, a CLI tool and Docker container that connects back to Gerbil with WireGuard fully in user space and proxies your local resources. This means that you do not need to run a privileged process or container in order to expose your services!
My experience went very smooth and stable. The one issue I thought I had turned out to be not related to Pangolin at all.
https://github.com/orgs/fosrl/discussions/950
Traefik is awesome, and one of the biggest reasons is it's extensibility and robustness.
It absolutely does not get enough attention!
The one thing I haven’t been able to figure out how to do with it is do compression (gzip/br/zstd) there, so I’m handling it in the application layer, which feels suboptimal.
Any tips? Seems like a table stakes sort of feature in the space that shouldn’t be too hard to implement.
https://github.com/traefik/traefik/releases/expanded_assets/...
That being said, I believe Pangolin is one of the better and polished ones.
In other words: Let's say I have a VPS with eg. Keycloak running on it. I want to be able to access it for management purposes but don't want it exposed to other people on the internet. Would Pangolin be a way for me to do this?
I use authentik and as far as I know the management is on the same web port so I have to allow some paths to be accessible to the world.
The thing is, I don't have any prior experience with hosting at all. So I am wondering if I can reduce attack surface by making "management" services (Keycloak admin console, the headless CMS admin interface etc.) accessible only to me...
But pangolin seems to be similar to that setup with a good UI, and more control. Definitely trying it out.
Quick question: Can it handle multiple domain names? I point multiple domain to the vps hosting my npm it proxy's them from there. Does Pangolin, also support multiple domains pointing to it?
While CF tunnels were nice and solved my ISP imposed issue with exposing ports via their crappy fiber gateway for couple of years. But I wanted more control. Specifically control over what I can expose without worrying about violating cloudflare’s TOS and ambiguity around media streaming. (Jellyfin/Emby).