test deploy

This commit is contained in:
miloschwartz
2025-07-31 21:44:10 -07:00
parent b918f105b5
commit 647080c1d5
33 changed files with 2045 additions and 107 deletions


@@ -1,56 +1,117 @@
---
title: "Pangolin vs. Reverse Proxy"
description: "Learn how Pangolin's distributed architecture eliminates single points of failure and provides global, authenticated access to your applications"
---
Pangolin shares many similarities with traditional reverse proxies, as it builds upon the same foundational principles. In fact, Pangolin leverages Traefik, one of the most popular reverse proxies, as its core component.
Like a traditional reverse proxy, Pangolin acts as an intermediary between clients and backend servers. Requests are routed through Pangolin, which determines the appropriate backend server to handle the request. This ensures that clients never directly communicate with backend servers. Pangolin also handles key reverse proxy functionalities, including:
Pangolin builds upon traditional reverse proxy principles but adds distributed architecture, tunneling, and identity-aware access control. While traditional reverse proxies are typically single-server solutions, Pangolin operates as a distributed network of points of presence that provide global, highly-available access to your applications.
- **Routing**: Directing traffic to the appropriate backend service.
- **SSL Termination**: Managing HTTPS encryption and decryption.
- **Logging**: Capturing and storing request/response data.
- **Middleware Management**: Supporting plugins and middleware for additional functionality.
## Traditional Reverse Proxy Limitations
Traditional reverse proxies operate as single-server solutions with inherent limitations:
- **Single Point of Failure**: If the reverse proxy server goes down, all applications become inaccessible
- **Geographic Limitations**: Users far from the server location experience higher latency
- **Network Dependencies**: Requires public IP addresses and open ports on your network
- **Basic Authentication**: Typically relies on network-based trust rather than user identity
## Pangolin's Dual-Layer High Availability
Pangolin provides high availability at two critical layers: ingress points and backend routing.
### Global Points of Presence (Ingress Layer)
Pangolin operates a distributed network of points of presence worldwide that serve as entry points for user traffic:
- **Automatic Failover**: If one point of presence becomes unavailable, traffic automatically routes to the next closest location
- **Geographic Optimization**: Users always connect to the nearest available point of presence for minimal latency
- **Load Distribution**: Traffic is automatically balanced across multiple locations to prevent overload
### Intelligent Backend Routing (Tunnel Layer)
Once traffic reaches a point of presence, Pangolin provides additional high availability for routing to your backend services:
- **Multiple Tunnel Connections**: Each edge network can maintain connections to multiple points of presence simultaneously
- **Automatic Tunnel Failover**: If a tunnel connection fails, traffic automatically switches to an alternative route
- **Load Balanced Tunnels**: Multiple tunnel connections can be used simultaneously to distribute load and improve performance
- **Health Monitoring**: Pangolin continuously monitors tunnel health and automatically routes around failed connections
<Info>
This dual-layer approach ensures your applications remain accessible even if individual points of presence or tunnel connections fail.
</Info>
### How Dual-Layer High Availability Works
When a user requests access to your application:
1. **Ingress Routing**: Request is routed to the closest available point of presence
2. **Authentication**: User identity is verified at the point of presence
3. **Tunnel Selection**: Pangolin selects the optimal tunnel route to your backend service
4. **Failover Handling**: If the primary tunnel fails, traffic automatically switches to an alternative route
5. **Response Delivery**: Response follows the same resilient path back to the user
<Check>
Both ingress points and tunnel connections are automatically managed, providing seamless failover without any manual intervention.
</Check>
## Key Differences
### Tunneling
### Tunneling vs. Direct Network Access
Traditional reverse proxies typically operate on the same network as the backend servers they connect to. This setup requires:
Traditional reverse proxies require direct network connectivity:
- A public IP address for the network.
- Open ports (e.g., TCP 443 and 80) to allow external traffic.
- **Public IP Required**: Your network needs a public IP address
- **Open Ports**: Must expose ports (80, 443) to the internet
- **Network Configuration**: Complex firewall and routing setup required
Pangolin eliminates these requirements by introducing tunneling, which allows it to operate on a completely separate server and network from the backend services. Key benefits of Pangolin's tunneling include:
Pangolin uses secure tunneling:
- **Centralized Management**: Multiple isolated edge networks can connect to a single Pangolin instance, meaning you only need to manage one reverse proxy server.
- **Encrypted Traffic**: All traffic between the edge network and the central Pangolin server is fully encrypted.
- **No Public IP or Open Ports**: Edge networks do not require a public IP address or open ports, reducing the attack surface and simplifying network configurations.
- **No Public IP Needed**: Your applications can run on private networks
- **No Open Ports**: Edge networks don't need to expose any ports
- **Automatic Discovery**: Newt clients automatically find and connect to the optimal point of presence
- **Encrypted Traffic**: All communication is encrypted using WireGuard
This tunneling capability makes Pangolin particularly useful for environments with restrictive network policies, such as those behind Carrier-Grade NAT (CGNAT) or firewalls.
<Tip>
This tunneling capability makes Pangolin ideal for environments behind restrictive firewalls, CGNAT, or corporate networks.
</Tip>
### Identity-Aware Proxy (IAP)
Pangolin incorporates Identity-Aware Proxy (IAP) functionality, enabling zero-trust access to backend services. Unlike traditional reverse proxies, which often rely on network-based trust, Pangolin evaluates every access request based on user identity, device, location, and other contextual factors.
Traditional reverse proxies typically rely on network-based trust, while Pangolin implements zero-trust access control:
#### How IAP Works
#### How Pangolin's IAP Works
1. **User Request**: A user attempts to access a protected internal web app, API, or resource.
2. **Request Interception**: The request is intercepted by Pangolin's IAP instead of being routed directly to the backend.
3. **Authentication & Authorization**: Pangolin verifies the users identity using OAuth2/OpenID (e.g., Google, Azure AD, Okta).
4. **Context-Aware Checks**: Additional conditions, such as IP address, group membership, or geographic location, are evaluated.
5. **Access Decision**: If all checks are passed, the request is forwarded to the backend service; otherwise, access is denied.
1. **Request Interception**: Every request is intercepted by the nearest point of presence
2. **Identity Verification**: User identity is verified using OAuth2/OpenID Connect
3. **Context Evaluation**: Additional factors like location, device, and time are assessed
4. **Access Decision**: Access is granted or denied based on identity and context
5. **Secure Delivery**: Authenticated requests are tunneled to your application
#### Access Control Features
#### Advanced Access Control Features
Pangolin provides a robust suite of access control mechanisms, including but not limited to:
Pangolin provides comprehensive access control:
- **User and Role-Based Access Control (RBAC)**: Define granular permissions for users and roles.
- **Resource-Specific Security**:
- PIN codes and passwords for individual resources.
- Shareable links with expiration dates.
- **Authentication Options**:
- Email-based One-Time Passwords (OTP).
- Single Sign-On (SSO) with external identity providers via OIDC.
- Two-Factor Authentication (2FA) and passkeys.
- **Contextual Rules**:
- IP, CIDR, and path-based access rules.
- **Multi-Factor Authentication**: Support for 2FA, passkeys, and OTP
- **Single Sign-On**: Integration with Google, Azure AD, Okta, and other identity providers
- **Granular Permissions**: User and role-based access control (RBAC)
- **Resource-Specific Security**: PIN codes, passwords, and expiring share links
- **Contextual Rules**: IP-based, geographic, and time-based access policies
<Warning>
Unlike traditional reverse proxies, Pangolin authenticates every single request, ensuring that only authorized users can access your applications.
</Warning>
## Benefits Summary
| Feature | Traditional Reverse Proxy | Pangolin |
|---------|--------------------------|----------|
| **Availability** | Single point of failure | Distributed, fault-tolerant |
| **Performance** | Limited by server location | Global, optimized routing |
| **Security** | Network-based trust | Zero-trust, identity-aware |
| **Network Requirements** | Public IP, open ports | No public IP needed |
| **Authentication** | Basic or none | Advanced, multi-factor |
| **Scalability** | Manual scaling | Automatic global distribution |
<Card title="Try Pangolin Cloud" icon="rocket" href="https://pangolin.fossorial.io/auth/signup">
Experience distributed, authenticated access to your applications with Pangolin's global network of points of presence.
</Card>
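Review bot: the `<Warning>` callout closing the access control section ("Pangolin authenticates every single request, ensuring that only authorized users can access your applications") is a feature claim rather than a warning, so it should use `<Info>` like the other informational callouts in this file, and the claim needs qualifying: the same section lists PIN codes, passwords and expiring share links under **Resource-Specific Security**, which grant access to a resource without verifying a user identity, so "every single request" is stronger than the page's own feature list supports. Relatedly, the Benefits Summary row `| **Authentication** | Basic or none | Advanced, multi-factor |` sits awkwardly beside the opening paragraph, which says Pangolin uses Traefik as its core component; a wording such as "no built-in per-request identity checks" would describe the difference without contradicting that sentence. Minor: the commit message "test deploy" says nothing about the rewrite of this page; a message naming the doc change would help anyone reading the history.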