Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.pangolin.net/llms.txt

Use this file to discover all available pages before exploring further.

Try free on Pangolin Cloud

Fastest way to get started with Pangolin using the hosted control plane. No credit card required.
Only available in Pangolin Cloud and Enterprise Edition.
With a wildcard public resource, one resource owns an entire subdomain level: every hostname under that level is proxied through the same Pangolin resource and tunnel so downstream systems can route further (for example another reverse proxy or Kubernetes ingress). Access rules and authentication you set on that resource apply to all hostnames matched by the wildcard. If you enable a PIN code, every hostname under the wildcard requires that PIN.

Creating a Wildcard Resource

In the resource’s domain settings, set the subdomain field to * to match any label at that level. You can combine this with a parent subdomain, such as *.apps, so only hostnames under apps are covered, as long as TLS and DNS cover that same scope. The downstream target still receives the original Host header, so virtual hosts and path rules on your side keep working.

Requirements for Wildcard Resources

Wildcard hostnames need TLS certificates that cover *.your-level, not just a single FQDN, and DNS must send all of those names to Pangolin. How you satisfy that depends on how you host Pangolin.

Self-hosted Pangolin

You must issue a wildcard certificate using DNS validation (DNS-01). HTTP-01 challenges prove one exact hostname at a time; they cannot obtain a certificate for *.example.com. DNS-01 proves control of the DNS zone, which is what certificate authorities require for wildcard coverage, otherwise Pangolin could not terminate HTTPS for arbitrary subdomains at that label. Configure Traefik / Let’s Encrypt for DNS-01 and wildcard certs as described in Wildcard domains. You also need DNS records so every name at that level resolves to your Pangolin server, for example an A record for *.subdomain. See Domains for typical wildcard DNS patterns.

Pangolin Cloud

Use a domain delegation (NS record) domain so Pangolin controls DNS at the delegated zone. That delegation lets Pangolin issue and renew wildcard certificates for that level and ensures queries for *.your-delegated-zone route to Pangolin. Pangolin Cloud manages the certificates for you once delegation is in place.