# Pangolin reverse-proxy guidance (concise)
 - Pangolin handles TLS and obtains certs for masto.pcenicni.social.
 - Create two upstreams on Pangolin:
     1) mastodon_web -> <Mastodon host IP>:3000
     2) mastodon_stream -> <Mastodon host IP>:4000
 - Site rules:
     - Default proxy target: mastodon_web
     - If header "Upgrade" equals "websocket" OR Connection contains "Upgrade", route to mastodon_stream.
 - Ensure these headers are forwarded to the Mastodon host:
     Host, X-Forwarded-For, X-Forwarded-Proto=https, X-Forwarded-Host
 - Increase timeouts on the streaming upstream so long-lived websocket connections don't time out.
 - If your Mastodon host is firewalled, allow inbound connections from the Pangolin VPS IP to ports 3000 and 4000 only.