Skip to content

Tunnel (Pangolin)

Pangolin provides secure tunneling to expose your self-hosted services to the internet without port forwarding or a static IP.

Tunnel Management

Setup

From /app/pangolin:

  • Automated setup — one-command deployment that creates the Pangolin site, updates .env with credentials, and restarts the Newt tunnel container
  • Manual setup — step-by-step instructions for connecting to an existing Pangolin instance

Resource Management

The platform defines 18 service resources in configs/pangolin/resources.yml:

  • Each resource maps a subdomain (e.g., api.DOMAIN, app.DOMAIN) to an internal service
  • Hourly sync — nginx cron job pushes resource definitions to Pangolin automatically
  • Status dashboard — view tunnel connection status and resource health

Newt Container

The Newt container runs alongside nginx and tunnels traffic to your services:

  • Configured via PANGOLIN_NEWT_ID and PANGOLIN_NEWT_SECRET environment variables
  • Depends on nginx (all resources route through nginx:80)
  • Auto-restarts on failure

Security

The Pangolin server runs CrowdSec for intrusion detection with a web management UI protected by Tinyauth forward-auth. See CrowdSec & Security for details on:

  • CrowdSec Manager dashboard (crowdsec.bnkserve.org)
  • Tinyauth authentication (auth.bnkserve.org)
  • Canadian ISP whitelisting and crawl detection tuning
  • Cloudflare Turnstile captcha integration

Admin Routes

  • /app/pangolin — tunnel status, setup wizard, and resource management