pangolin_mirror/docs-v2
1
0
Fork 0
mirror of https://github.com/fosrl/docs-v2.git synced 2026-02-07 21:46:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

update intro pages

Browse Source
This commit is contained in:
miloschwartz
2025-12-10 16:40:03 -05:00
parent 00b0150fea
commit bb58307502
8 changed files with 140 additions and 264 deletions
Download Patch File Download Diff File Expand all files Collapse all files

95
about/how-pangolin-works.mdx
View File

@@ -1,66 +1,81 @@
---
title: "How Pangolin Works"
description: "Learn about Pangolin's architecture and how its components work together to provide secure application access"
icon: "brain"
description: "Learn about the fundamentals of Pangolin and how they work together to provide simple and secure remote access."
---
Pangolin provides secure, application-specific ingress to your applications through a network of nodes. Users connect to the closest node, which authenticates them and routes their requests through secure tunnels to your backend.
<Frame>
<img src="/images/diagram.svg" width="400" centered/>
</Frame>
## How It Works
## Basic Steps
<Steps>
<Step title="User enters through node">
DNS automatically routes users to the closest available regional node. A node is always available because the control plane fails over between nodes.
<Step title="Link remote network via sites">
Join remote networks together using site connectors. Pangolin's lightweight connectors use intelligent routing and NAT traversal to make any network anywhere available.
</Step>
<Step title="Authentication and authorization">
The node verifies the user's identity, checks access permissions, and applies context aware rules such as IP and path based filters, geoblocking, and rate limiting.
<Step title="Define resources">
Create resources that represent services or entire network ranges available for remote access. Resources can be public or fully private.
</Step>
<Step title="Secure tunnel routing">
Authenticated requests are routed and flow through encrypted WireGuard tunnels to your applications with optional load balancing and failover for your backend servers.
</Step>
<Step title="Application delivery">
Your applications receive the requests and respond through the same secure path.
<Step title="Users access resources">
Authenticated users can access resources anywhere using a web browser or when connected with a Pangolin client on their device.
</Step>
</Steps>
## Deployment Options
## Key Concepts
<CardGroup cols={2}>
<Card title="Pangolin Cloud" icon="cloud" href="https://app.pangolin.net/auth/signup">
Large network of nodes with automatic failover and routing to your backend services. We host the Pangolin server for you.
Pangolin relies on several components that work together to provide secure remote access. Each component has a specific role in ensuring that only authenticated users can access the resources they are authorized to use.
### Pangolin Server
The Pangolin server is the central coordination component for your network. It stores configuration changes, manages access policies, and coordinates connections between clients and sites. The server handles user authentication and generates access control lists that determine what resources each user can reach.
You can use Pangolin Cloud, which is fully managed, or you can self-host your own Pangolin server for complete control over your infrastructure and data.
<Card title="Read about how to self-host Pangolin" icon="server" href="/self-host/quick-install">
Learn how to deploy your own self-hosted Pangolin server or use Pangolin Cloud.
</Card>
<Card title="Self-host Pangolin" icon="server" href="/self-host/quick-install">
Fully self-hosted, self-contained Pangolin server acting as a single node.
### Sites
Sites connect remote networks to your Pangolin server. They use Newt connectors to create secure tunnels from remote networks back to Pangolin. Sites let you expose resources on those networks to authorized users.
Sites run behind firewalls on remote networks. They maintain outbound connections to the Pangolin server. By default, sites block all traffic until you define resources and grant access. This ensures that just deploying a site does not expose any network resources.
The Newt connector handles tunnel creation, NAT traversal, and routing. It makes remote networks available without requiring complex firewall rules or public IP addresses.
<Card title="Read more about sites" icon="plug" href="/manage/sites/understanding-sites">
Learn about sites, how they work, and how to install and configure them.
</Card>
<Card title="Remote Nodes" icon="circle-nodes" href="/manage/remote-node/ha">
Self-host your own Pangolin node with cloud coordination for high availability and automatic failover. Data always transits your servers.
</Card>
</CardGroup>
### Resources
## Key Benefits
Resources are the applications, hosts, or network ranges you make available to users. They exist on sites and represent what users can access. Users connect to resources, not to sites directly.
<CardGroup cols={2}>
<Card title="No Public IPs or Ports" icon="network-wired">
Your applications can run on private networks without exposing ports.
There are two types of resources. Public resources work through web browsers and act as reverse proxies to backend services. Private resources require a client connection and function like a zero-trust VPN.
You must define resources and assign access before users can reach them. By default, no resources are available on sites. This ensures that only explicitly defined resources can be accessed.
<Card title="Read more about resources" icon="link" href="/manage/resources/understanding-resources">
Learn about public and private resources and how to create them.
</Card>
<Card title="Ingress Mesh" icon="globe">
Users always connect to the closest available node.
### Clients
Clients are software components installed on user devices or machines. They let users and automated systems connect to your Pangolin network and access private resources through a secure tunnel.
Users authenticate through the client using their accounts. Machines connect with credentials. Once connected, users can reach all resources their account has access to. The client handles routing decisions and establishes encrypted tunnels to the appropriate sites.
Clients are available for Mac, Windows, and Linux. They work transparently with applications, so no application configuration is required.
<Card title="Read more about clients" icon="desktop" href="/manage/clients/add-client">
Learn about clients and where to download them for Mac, Windows, and Linux.
</Card>
<Card title="Zero-Trust Security" icon="shield">
Every request is authenticated and authorized before reaching your applications.
</Card>
### Remote Nodes
<Card title="High Availability" icon="check-double">
Multiple nodes, failover, and load balancing between tunnels ensures there is always a way for users to access your applications.
Remote nodes are self-hosted Pangolin servers that you control while using Pangolin Cloud for management and coordination. You maintain complete control over your infrastructure and data flow, while the cloud handles the control plane, DNS, certificate management, and backups.
You can deploy multiple remote nodes for high availability and automatic failover. If your nodes become unavailable, traffic can optionally fail over to cloud infrastructure until you restore service.
<Card title="Read more about remote nodes" icon="circle-nodes" href="/manage/remote-node/nodes">
Learn about remote nodes and how they provide high availability and simplified operations.
</Card>
</CardGroup>

55
about/pangolin-vs-reverse-proxy-vs-vpn.mdx Normal file
View File

@@ -0,0 +1,55 @@
---
title: "Pangolin vs. Reverse Proxy vs. VPN"
icon: "book"
description: "What are the similarities and differences between Pangolin and traditional reverse proxies and VPNs?"
---
Pangolin combines the capabilities of both a reverse proxy and a VPN into a single platform. It provides reverse proxy functionality through public resources and VPN functionality through private resources, all with zero-trust access control and distributed architecture.
## What Each Solution Provides
**Reverse Proxies** expose web applications to the internet. They handle SSL termination, load balancing, and basic authentication. Users access applications through web browsers using domain names.
**VPNs** create encrypted tunnels that give users access to entire private networks. Users install client software and connect to a VPN server. Once connected, they can access any resource on the network they have network-level access to.
**Pangolin** provides both capabilities. Public resources work like a reverse proxy, allowing browser-based access to specific applications. Private resources work like a zero-trust VPN, giving users access to specific hosts or network ranges when connected with a client.
## Reverse Proxy Capabilities
Pangolin's public resources function as reverse proxies. They expose web applications through domain names with automatic SSL certificates. Users access these resources through web browsers without installing any software.
Public resources support identity-aware access control. You can require authentication, enforce multi-factor authentication, and create rules based on user identity, roles, geographic location, IP addresses, and URL paths. This goes beyond what traditional reverse proxies offer.
Unlike traditional reverse proxies, Pangolin does not require public IP addresses or open ports on your network. Sites create outbound tunnels to Pangolin, so your applications remain behind firewalls.
## VPN Capabilities
Pangolin's private resources function like a zero-trust VPN. Users install a Pangolin client on their device and connect to your organization. Once connected, they can access the specific hosts or network ranges you have granted them access to.
Private resources provide granular access control. Users only get access to the specific resources you define, not entire networks. This reduces the risk of over-permission that comes with traditional VPNs.
Clients work transparently with applications. No application configuration is required. Users connect once and can access all their authorized resources. The client handles routing and establishes encrypted tunnels automatically.
## Why Pangolin Combines Both
Many organizations need both reverse proxy and VPN capabilities. You might want to expose web applications to users through browsers while also providing secure access to databases, SSH servers, or internal services that require a VPN-like connection.
With Pangolin, you use one platform for both use cases. Public resources handle web application access. Private resources handle VPN-like access. Both use the same authentication system, access control policies, and infrastructure.
This unified approach simplifies management. You configure users, roles, and access policies once. Those policies apply to both public and private resources. You do not need to maintain separate systems for reverse proxy and VPN access.
## Infrastructure and Availability
Traditional reverse proxies and VPNs typically run on a single server. If that server fails, all access is lost. They also require public IP addresses and open ports, which adds complexity and security concerns.
Pangolin uses a distributed architecture with multiple nodes. If one node fails, traffic automatically routes to another node. Sites create outbound tunnels, so your networks do not need public IP addresses or open ports.
You can deploy multiple remote nodes for high availability. If your nodes become unavailable, traffic can optionally fail over to cloud infrastructure until you restore service. This provides redundancy that single-server solutions cannot match.
## When to Use Each Solution
Use a traditional reverse proxy if you only need to expose web applications, you have a public IP address, and you do not need advanced access control or high availability.
Use a traditional VPN if you need full network access, you can accept the security risks of broad access, and you do not need application-specific access control.
Use Pangolin if you need both reverse proxy and VPN capabilities, you want granular access control, you need high availability, or you want to avoid public IP addresses and open ports.

114
about/pangolin-vs-traditional-reverse-proxy.mdx
View File

@@ -1,114 +0,0 @@
---
title: "Pangolin vs. Reverse Proxy"
description: "Learn how Pangolin's distributed architecture eliminates single points of failure and provides authenticated access to your applications"
---
Pangolin builds upon traditional reverse proxy principles but adds distributed architecture, tunneling, and identity-aware access control. While traditional reverse proxies are typically single-server solutions, Pangolin operates as a distributed network of nodes that provide highly-available access to your applications.
## Traditional Reverse Proxy Limitations
<CardGroup cols={2}>
<Card title="Single Point of Failure" icon="triangle-exclamation">
If the reverse proxy server goes down, all applications become inaccessible.
</Card>
<Card title="Geographic Limitations" icon="globe">
Users far from the server location experience higher latency.
</Card>
<Card title="Network Dependencies" icon="network-wired">
Requires public IP addresses and open ports on your network.
</Card>
<Card title="Basic Authentication" icon="shield">
Typically relies on network-based trust rather than user identity.
</Card>
</CardGroup>
## Pangolin's Dual-Layer High Availability
Pangolin provides high availability at two critical layers: ingress points and backend routing.
### How It Works
<Steps>
<Step title="Ingress Routing">
Request is routed to the closest available node. If one goes down, there is always another point available.
</Step>
<Step title="Authentication">
User identity is verified at the node before getting routed to your backend.
</Step>
<Step title="Tunnel Selection">
Pangolin selects the optimal tunnel route to your backend service.
</Step>
<Step title="Failover Handling">
If the primary tunnel fails, traffic automatically switches to an alternative route.
</Step>
<Step title="Response Delivery">
Response follows the same resilient path back to the user.
</Step>
</Steps>
<Info>
This dual-layer approach ensures your applications remain accessible even if individual nodes or tunnel connections fail.
</Info>
## Key Differences
### Tunneling vs. Direct Network Access
| Traditional Reverse Proxy | Pangolin |
|--------------------------|----------|
| **Public IP Required** | **No Public IP Needed** |
| **Open Ports (80, 443)** | **No Open Ports** |
| **Complex Network Setup** | **Automatic Discovery** |
| **Network-Based Security** | **Encrypted WireGuard Tunnels** |
<Tip>
This tunneling capability makes Pangolin ideal for environments behind restrictive firewalls, CGNAT, or corporate networks.
</Tip>
### Identity-Aware Proxy (IAP)
Traditional reverse proxies rely on network-based trust, while Pangolin implements zero-trust access control:
<CardGroup cols={2}>
<Card title="Multi-Factor Authentication" icon="key">
Support for 2FA, passkeys, and OTP.
</Card>
<Card title="Single Sign-On" icon="users">
Integration with Google, Okta, and other identity providers.
</Card>
<Card title="Granular Permissions" icon="shield-check">
Role-based access control and path-based rules.
</Card>
<Card title="Contextual Rules" icon="map-pin">
IP-based, path-based, and geographic access policies.
</Card>
</CardGroup>
<Warning>
Unlike traditional reverse proxies, Pangolin authenticates every single request, ensuring that only authorized users can access your applications.
</Warning>
## Benefits Summary
| Feature | Traditional Reverse Proxy | Pangolin |
|---------|--------------------------|----------|
| **Availability** | Single point of failure | Distributed, fault-tolerant |
| **Performance** | Limited by server location | Regionally, optimized routing |
| **Security** | Network-based trust | Zero-trust, identity-aware |
| **Network Requirements** | Public IP, open ports | No public IP needed |
| **Authentication** | Basic or none | Advanced, multi-factor |
| **Scalability** | Manual scaling | Automatic regional distribution |
<Card title="Try Pangolin Cloud" icon="rocket" href="https://app.pangolin.net/auth/signup">
Get distributed, authenticated access to your applications with Pangolin's regional network of nodes.
</Card>

92
about/pangolin-vs-vpn.mdx
View File

@@ -1,92 +0,0 @@
---
title: "Pangolin vs. VPN"
description: "Learn how Pangolin provides application-specific access with zero-trust security compared to traditional VPNs"
---
Pangolin and VPNs serve different purposes: Pangolin focuses on secure ingress and application routing, while VPNs provide remote access to internal networks. They offer different approaches to secure connectivity.
## Traditional VPN Limitations
<CardGroup cols={2}>
<Card title="Over-Permission" icon="key">
Users get access to entire networks, not just the applications they need.
</Card>
<Card title="Client Software Required" icon="download">
Users must install and configure VPN client software.
</Card>
<Card title="Network Complexity" icon="network-wired">
Requires public IP addresses, open ports, and complex network configuration.
</Card>
<Card title="Limited Access Control" icon="shield">
Basic network-level security with few granular controls or complicated ACLs.
</Card>
<Card title="Single Point of Failure" icon="heart-crack">
If the VPN server goes down, all access is lost.
</Card>
<Card title="Security Risk" icon="triangle-exclamation">
Broad network access can be risky if user devices are compromised.
</Card>
</CardGroup>
## Pangolin's Ingress-First Approach
Pangolin provides secure, application-specific ingress and routing without the limitations of traditional VPNs:
### Zero-Trust Access Control
<CardGroup cols={2}>
<Card title="Application-Specific" icon="window-maximize">
Users access only the applications they're authorized to use.
</Card>
<Card title="Browser-Based" icon="globe">
No client software installation required - works with any web browser.
</Card>
<Card title="Granular Permissions" icon="shield-check">
Role-based access control, path-based rules, and contextual policies.
</Card>
<Card title="Multi-Factor Authentication" icon="key">
Support for SSO, OIDC, 2FA, and passkeys.
</Card>
</CardGroup>
### Simplified Ingress Infrastructure
<CardGroup cols={2}>
<Card title="No Public IPs" icon="network-wired">
Edge networks don't need public IP addresses.
</Card>
<Card title="Highly Available Mesh" icon="circle-nodes" href="/manage/remote-node/ha">
Multiple nodes ensure high availability.
</Card>
</CardGroup>
## Key Differences
| Feature | Traditional VPN | Pangolin |
|---------|----------------|----------|
| **Access Scope** | Full network access | Application-specific access |
| **Client Software** | Required | Not needed (browser-based) |
| **Network Requirements** | Public IP, open ports | No public IP needed |
| **Access Control** | Network-level | Zero-trust, granular |
| **Authentication** | Basic credentials | Multi-factor, SSO, OIDC |
| **Infrastructure** | Single server | Distributed nodes |
| **Security Model** | Network-based trust | Identity-based trust |
<Card title="Try Pangolin Cloud" icon="rocket" href="https://app.pangolin.net/auth/signup">
Get application-specific access with zero-trust security and no client software required.
</Card>
# Pangolin vs. Mesh VPN (e.g., Tailscale, Netbird)
Pangolin and mesh VPNs like Tailscale or Netbird both provide secure remote access, but they differ in their approach and functionality. Mesh VPNs focus on creating peer-to-peer connections between devices for full network access, while Pangolin is designed to expose specific applications or services securely through nodes, with no need for client-side software on user devices.
Pangolin is a better choice for application-specific access with zero-trust security and no client-side software requirements. Mesh VPNs like Tailscale or Netbird are more suitable for full network access and peer-to-peer connectivity. For environments prioritizing granular access control and simplicity, Pangolin offers a more focused and secure solution.

4
changelog.mdx
View File

@@ -1,7 +1,3 @@
2025-12-10 Unknown <unknown@Milos-MacBook-Pro.local>
*
---
title: "Changelog"
description: "Updates and announcements"

16
docs.json
View File

@@ -17,8 +17,8 @@
{
"group": "About",
"pages": [
"about/pangolin-vs-traditional-reverse-proxy",
"about/pangolin-vs-vpn"
"about/how-pangolin-works",
"about/pangolin-vs-reverse-proxy-vs-vpn"
]
},
{
@@ -113,7 +113,7 @@
"manage/blueprints",
{
"group": "Remote Nodes",
"icon": "server",
"icon": "circle-nodes",
"pages": [
"manage/remote-node/ha",
"manage/remote-node/nodes",
@@ -130,6 +130,7 @@
"group": "Self-host Pangolin",
"pages": [
"self-host/quick-install",
"self-host/choosing-a-vps",
{
"group": "Manual Installation",
"pages": [
@@ -138,9 +139,6 @@
]
},
"self-host/dns-and-networking",
"self-host/choosing-a-vps",
"self-host/how-to-update",
"self-host/supporter-program",
{
"group": "Advanced Configuration",
"pages": [
@@ -152,9 +150,11 @@
"self-host/advanced/database-options",
"self-host/advanced/integration-api",
"self-host/advanced/enable-geoblocking",
"self-host/advanced/metrics"
"self-host/advanced/metrics",
"self-host/telemetry"
]
},
"self-host/how-to-update",
{
"group": "Community Guides",
"pages": [
@@ -167,7 +167,7 @@
"self-host/community-guides/geolite2automation"
]
},
"self-host/telemetry",
"self-host/supporter-program",
"self-host/enterprise-edition"
]
},

24
index.mdx
View File

@@ -2,24 +2,40 @@
title: "Introduction to Pangolin"
---
Pangolin is an open-source and identity-aware tunneled reverse proxy server. Pangolin's distributed architecture with nodes provide highly available ingress to ensure applications always remain accessible.
Pangolin is an open-source, identity-based remote access platform built on WireGuard that enables secure, seamless connectivity to private and public resources.
<Frame caption="Screenshot of resources page from the Pangolin Dashboard.">
<img src="/images/fossorial-dashboard.png" alt="Pangolin Dashboard"/>
</Frame>
Pangolin establishes secure connections from edge networks to nodes, bypassing the need for public inbound ports and complex firewall configurations. Pangolin is incredibly useful for exposing local services, IoT devices, or internal applications to the internet without direct exposure, enhancing security by reducing attack surface and simplifying network management. Additionally, Pangolin acts as an identity-aware proxy by authenticating every request against admin-defined access controls and rules.
Pangolin combines reverse proxy and VPN capabilities into one platform. It provides browser-based access to web applications and client-based access to private resources like databases and SSH servers, all with zero-trust security and granular access control.
Pangolin connects remote networks using lightweight software connectors called sites. Sites create secure tunnels without requiring public IP addresses or open ports. Admins define specific resources that users can access, not entire networks. This gives users only the access they need while keeping everything else secure.
Users access public resources through any web browser with authentication. Users access private resources by connecting with a Pangolin client on their device. Both methods use the same identity-based access control, so you manage users and permissions in one place.
## Keep Reading
<Card title="How Pangolin Works" icon="brain" href="/about/how-pangolin-works">
Learn about the fundamentals of Pangolin and how they work together to provide simple and secure remote access.
</Card>
<Card title="Pangolin vs. Reverse Proxy vs. VPN" icon="brain" href="/about/how-pangolin-works">
What are the similarities and differences between Pangolin and traditional reverse proxies and VPNs?
</Card>
## Deployment Options
<Columns cols={2}>
<Card title="Pangolin Cloud" icon="cloud" href="https://app.pangolin.net/auth/signup">
Use Cloud for a highly available and access-controlled ingress service with nodes all over the world. Optionally self-host a node to keep your traffic private.
Use Cloud for low-maintenance, highly available remote access. Optionally self-host a node to keep your traffic private.
</Card>
<Card title="Self-host Pangolin" icon="server" href="self-host/quick-install">
Self-host a fully isolated Pangolin server. Install the Community Edition or Enterprise Edition easily using the quick installer.
</Card>
</Columns>
## What is a fossorial animal?
## What is a Fossorial Animal?
The Pangolin system is made up of many components, all with unique animal names. These animals are called fossorial animals.

4
self-host/quick-install.mdx
View File

@@ -143,8 +143,8 @@ https://pangolin.example.com/auth/initial-setup
<Step title="Create your first organization">
After logging in:
1. Click "Create Organization"
2. Enter organization name and description
1. Enter organization name and description
2. Click "Create Organization"
<Check>
You're now ready to start adding applications and configuring your reverse proxy!