Hello Eveyone, this is the other maintainer here. Just wanted to add some more detail about the other components of this system:
Pangolin uses Traefik under the hood to do the actual HTTP proxying. A plugin, Badger, provides a way to authenticate every request with Pangolin. A second service, Gerbil, provides a WireGuard management server that Pangolin can use to create peers for connectivity. And finally, there is Newt, a CLI tool and Docker container that connects back to Gerbil with WireGuard fully in user space and proxies your local resources. This means that you do not need to run a privileged process or container in order to expose your services!
Newt ( https://github.com/fosrl/newt ) is a custom userspace Wireguard client that you run on the 'edge server' side (typically behind your home firewall) that is part of the Pangolin system. It reaches out to your Pangolin server (typically hosted on a small VPS with a static IP) and will take care of negotiating the Wireguard tunnel and managing dispatch to the different services you exposed and mapped on your LAN. Easiest way to understand the full stack is to have a look at https://docs.fossorial.io/Getting%20Started/overview wich includes a nice System Overview Diagram.
BTW check the tutorial for Incus it's great! Don't know if you can do something similar with Pangolin but this would be amazing to get a sense of what's possible to do!
I’m using it as my ingress controller on my K3S homelab and it has definitely been a nice DX so far.
The one thing I haven’t been able to figure out how to do with it is do compression (gzip/br/zstd) there, so I’m handling it in the application layer, which feels suboptimal.
Any tips? Seems like a table stakes sort of feature in the space that shouldn’t be too hard to implement.
Are you trying to compress the request that has already come in to your cluster? I'm not sure there's a ton of value to be extracted there, since the requests have already made their way across the internet uncompressed to your ingress point.
If there's a "long way" to go after hitting your ingress controller then maybe there's something to be gained...
I compile static-pie HAproxy binaries using different TLS libraries. Size varies a little based on the versions and compile-time options for those libraries
For example, max sizes for the largest and smallest TLS libraries I have tried
OpenSSL 9.0MB
WolfSSL 4.6MB
OpenSSL bloat is unfortunate
Does Traefik allow any TLS libraries other than OpenSSL
Pangolin uses Traefik under the hood to do the actual HTTP proxying. A plugin, Badger, provides a way to authenticate every request with Pangolin. A second service, Gerbil, provides a WireGuard management server that Pangolin can use to create peers for connectivity. And finally, there is Newt, a CLI tool and Docker container that connects back to Gerbil with WireGuard fully in user space and proxies your local resources. This means that you do not need to run a privileged process or container in order to expose your services!