Scripts · April 19, 2026 · 1 min read

Pangolin — Identity-Aware Reverse Proxy with Built-In Tunneling

Pangolin is a self-hosted reverse proxy and tunnel server that adds identity-aware access control to any service you expose, using WireGuard under the hood.

Script Depot · Community
Quick Start

Try it first, then decide whether to dig deeper.

This section should let both users and agents know, as the first step, what to copy, what to install, and where it ends up.

git clone https://github.com/fosrl/pangolin.git
cd pangolin
docker compose up -d

Introduction

Pangolin combines a tunneled reverse proxy with identity-aware access control so you can expose internal services without opening firewall ports. It handles authentication, authorization, and encrypted transport in a single self-hosted binary.

What Pangolin Does

  • Tunnels traffic from your private network to the public internet over WireGuard
  • Enforces per-service access policies based on user identity and groups
  • Provides OIDC and SSO integration for centralized login
  • Generates TLS certificates automatically via ACME
  • Offers a web dashboard for managing sites, users, and tunnel configurations

Architecture Overview

Pangolin runs as a control server that orchestrates WireGuard tunnels between edge nodes (called Newt agents) and the central proxy. Incoming requests hit the proxy, which checks the identity session against configured policies before forwarding traffic through the encrypted tunnel to the origin service.
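To make that request path concrete, here is an added example (not Pangolin's own code, which lives in its server and Newt agent) of the identity-session check that sits in front of the proxy: look up the resource by public hostname, resolve the session cookie to an identity, match the identity against the resource's per-user and per-group policy, and only then hand the request to a reverse proxy pointed at the origin. The hostnames, session cookie values, groups and origin addresses are constructed for the demo; the plain HTTP origin URL stands in for Pangolin's WireGuard-tunneled target, and the `X-Forwarded-User` header name is an assumption, not something the page or the project specifies.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Identity is what a validated session resolves to.
type Identity struct {
	User   string
	Groups []string
}

// Policy is the per-resource rule: who may reach one public hostname,
// and where the request goes once the check passes.
type Policy struct {
	AllowUsers  []string
	AllowGroups []string
	Origin      string // in Pangolin this would be the service behind the tunnel
}

// Decision is the outcome of evaluating one request.
type Decision struct {
	Code   int    // HTTP status the gate returns: 200 allow, 401, 403 or 404
	Origin string // set only when the request is allowed
}

// Gate holds the session store and the per-resource policies.
type Gate struct {
	Sessions  map[string]Identity // session cookie value -> identity
	Resources map[string]Policy   // public hostname -> policy
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// Evaluate applies the policy: unknown resource -> 404, missing or invalid
// session -> 401, identity not covered by the policy -> 403, otherwise 200.
func (g *Gate) Evaluate(host, session string) Decision {
	pol, ok := g.Resources[strings.ToLower(host)]
	if !ok {
		return Decision{Code: http.StatusNotFound}
	}
	id, ok := g.Sessions[session]
	if session == "" || !ok {
		return Decision{Code: http.StatusUnauthorized}
	}
	if contains(pol.AllowUsers, id.User) {
		return Decision{Code: http.StatusOK, Origin: pol.Origin}
	}
	for _, grp := range id.Groups {
		if contains(pol.AllowGroups, grp) {
			return Decision{Code: http.StatusOK, Origin: pol.Origin}
		}
	}
	return Decision{Code: http.StatusForbidden}
}

// ServeHTTP runs the check before any byte reaches the origin.
func (g *Gate) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	session := ""
	if c, err := r.Cookie("session"); err == nil {
		session = c.Value
	}
	host := r.Host
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // strip an explicit port before the policy lookup
	}
	d := g.Evaluate(host, session)
	if d.Code != http.StatusOK {
		http.Error(w, http.StatusText(d.Code), d.Code)
		return
	}
	target, err := url.Parse(d.Origin)
	if err != nil {
		http.Error(w, "bad origin", http.StatusBadGateway)
		return
	}
	// Overwrite, never append: the client must not be able to supply this header.
	r.Header.Set("X-Forwarded-User", g.Sessions[session].User) // assumed header name
	httputil.NewSingleHostReverseProxy(target).ServeHTTP(w, r)
}

// NewDemoGate builds constructed sample data: two sessions, two resources.
func NewDemoGate() *Gate {
	return &Gate{
		Sessions: map[string]Identity{
			"sess-alice": {User: "alice", Groups: []string{"admins", "engineering"}},
			"sess-bob":   {User: "bob", Groups: []string{"engineering"}},
		},
		Resources: map[string]Policy{
			"grafana.apps.example.com": {AllowGroups: []string{"admins"}, Origin: "http://10.0.0.5:3000"},
			"wiki.apps.example.com":    {AllowGroups: []string{"engineering"}, Origin: "http://10.0.0.6:8080"},
		},
	}
}

func main() {
	g := NewDemoGate()
	fmt.Println(g.Evaluate("grafana.apps.example.com", "sess-alice")) // {200 http://10.0.0.5:3000}
	fmt.Println(g.Evaluate("grafana.apps.example.com", "sess-bob"))   // {403 }
	fmt.Println(g.Evaluate("wiki.apps.example.com", ""))              // {401 }
}
```

Pass the `Gate` to `http.ListenAndServe` to put it in front of real traffic. The point of the ordering is that the policy decision is made on the server side from the session store and the identity's groups, so the origin never has to trust anything the client sent.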

Self-Hosting & Configuration

  • Deploy with Docker Compose using the provided template
  • Configure OIDC provider settings for SSO in the environment file
  • Set WireGuard keys and endpoint addresses for tunnel nodes
  • Define access policies per site through the web dashboard
  • Supports custom domains with automatic TLS provisioning

Key Features

  • Zero-trust access model with per-resource identity checks
  • No need to open inbound ports on your private network
  • Built on WireGuard for high-performance encrypted tunnels
  • Web UI for managing sites, users, and access rules
  • Single binary deployment with minimal dependencies

Comparison with Similar Tools

  • Cloudflare Tunnel — managed service with vendor lock-in; Pangolin is fully self-hosted
  • Tailscale Funnel — simpler but lacks per-resource identity policies
  • Nginx Proxy Manager — no built-in tunneling or identity-aware access control
  • Authentik + Traefik — similar outcome but requires assembling multiple components
  • Rathole — fast tunneling but no identity layer or web management UI

FAQ

Q: Does Pangolin replace my existing reverse proxy? A: Yes, it acts as both the reverse proxy and the tunnel endpoint, so you do not need a separate Nginx or Traefik instance.

Q: Can I use Pangolin without the tunneling feature? A: Yes, you can run it as a standard identity-aware reverse proxy for services already reachable on the same network.

Q: What authentication providers does it support? A: Any OIDC-compliant provider including Keycloak, Authentik, Google Workspace, and Azure AD.

Q: Is WireGuard required on client devices? A: No, WireGuard runs between the Pangolin server and the Newt agent on your private network. End users access services through a normal browser.
