diff --git a/komodo/mastodon/Pangolin.md b/komodo/mastodon/Pangolin.md
new file mode 100644
index 0000000..0b885cc
--- /dev/null
+++ b/komodo/mastodon/Pangolin.md
@@ -0,0 +1,12 @@
+# Pangolin reverse-proxy guidance (concise)
+ - Pangolin handles TLS and obtains certs for masto.pcenicni.social.
+ - Create two upstreams on Pangolin:
+     1) mastodon_web -> <Mastodon host IP>:3000
+     2) mastodon_stream -> <Mastodon host IP>:4000
+ - Site rules:
+     - Default proxy target: mastodon_web
+     - If header "Upgrade" equals "websocket" OR Connection contains "Upgrade", route to mastodon_stream.
+ - Ensure these headers are forwarded to the Mastodon host:
+     Host, X-Forwarded-For, X-Forwarded-Proto=https, X-Forwarded-Host
+ - Increase timeouts on the streaming upstream so long-lived websocket connections don't time out.
+ - If your Mastodon host is firewalled, allow inbound connections from the Pangolin VPS IP to ports 3000 and 4000 only.
\ No newline at end of file