About
Pangolin vs. Reverse Proxy
Learn how Pangolin’s distributed architecture eliminates single points of failure and provides authenticated access to your applications
Pangolin builds upon traditional reverse proxy principles but adds distributed architecture, tunneling, and identity-aware access control. While traditional reverse proxies are typically single-server solutions, Pangolin operates as a distributed network of points of presence that provide highly-available access to your applications.
Traditional Reverse Proxy Limitations
Single Point of Failure
If the reverse proxy server goes down, all applications become inaccessible.
Geographic Limitations
Users far from the server location experience higher latency.
Network Dependencies
Requires public IP addresses and open ports on your network.
Basic Authentication
Typically relies on network-based trust rather than user identity.
Pangolin’s Dual-Layer High Availability
Pangolin provides high availability at two critical layers: ingress points and backend routing.How It Works
1
Ingress Routing
Request is routed to the closest available point of presence. If one goes down, there is always another point available.
2
Authentication
User identity is verified at the point of presence before getting routed to your backend.
3
Tunnel Selection
Pangolin selects the optimal tunnel route to your backend service.
4
Failover Handling
If the primary tunnel fails, traffic automatically switches to an alternative route.
5
Response Delivery
Response follows the same resilient path back to the user.
This dual-layer approach ensures your applications remain accessible even if individual points of presence or tunnel connections fail.
Key Differences
Tunneling vs. Direct Network Access
| Traditional Reverse Proxy | Pangolin |
|---|---|
| Public IP Required | No Public IP Needed |
| Open Ports (80, 443) | No Open Ports |
| Complex Network Setup | Automatic Discovery |
| Network-Based Security | Encrypted WireGuard Tunnels |
This tunneling capability makes Pangolin ideal for environments behind restrictive firewalls, CGNAT, or corporate networks.
Identity-Aware Proxy (IAP)
Traditional reverse proxies rely on network-based trust, while Pangolin implements zero-trust access control:Multi-Factor Authentication
Support for 2FA, passkeys, and OTP.
Single Sign-On
Integration with Google, Okta, and other identity providers.
Granular Permissions
Role-based access control and path-based rules.
Contextual Rules
IP-based, path-based, and geographic access policies.
Unlike traditional reverse proxies, Pangolin authenticates every single request, ensuring that only authorized users can access your applications.
Benefits Summary
| Feature | Traditional Reverse Proxy | Pangolin |
|---|---|---|
| Availability | Single point of failure | Distributed, fault-tolerant |
| Performance | Limited by server location | Regionally, optimized routing |
| Security | Network-based trust | Zero-trust, identity-aware |
| Network Requirements | Public IP, open ports | No public IP needed |
| Authentication | Basic or none | Advanced, multi-factor |
| Scalability | Manual scaling | Automatic regional distribution |
Try Pangolin Cloud
Get distributed, authenticated access to your applications with Pangolin’s regional network of points of presence.