Quickstart
- Agent CLI
- Agent Config
- SSH Reverse Tunnel
- Go
- Javascript
- Python
- Rust
- Kubernetes Controller
traffic-policy.yml
URLs
URLs are validated differently depending on their binding. Consult the following documentation for details on valid URLs for TLS endpoints: There is no standard scheme for TLS URLs so ngrok renders them astls://.
Bindings
TLS endpoints supportpublic and internal bindings. kubernetes binding is
not supported.
Traffic Policy
Attach Traffic Policy to endpoints to route, authenticate and transform the traffic through your TLS endpoints.Authentication
When you create public TLS endpoints, you often want to secure them with authentication. You can secure your TLS endpoints with the following Traffic Policy actions. There is a limited set of actions available to authenticate TLS traffic because the TLS protocol is low-level.TLS
Termination
TLS Endpoints provide you with the flexibility to define where TLS termination occurs. You may configure your endpoint to terminate TLS at the ngrok cloud service or you can achieve end-to-end encryption by terminating at the agent or your upstream service. When you use end-to-end encryption, the ngrok cloud service can not see payload that transit through your endpoints. Consult the documentation on TLS Termination Locations for additional details.Cloud service
- Agent CLI
- Agent Config
- SSH Reverse Tunnel
- Go
- Javascript
- Python
- Rust
- Kubernetes Controller
traffic-policy.yml
Terminate at Agent
See TLS Termination at the Agent for End-to-End Encryption for additional details.- Agent CLI
- Agent Config
- SSH Reverse Tunnel
- Go
- Javascript
- Python
- Rust
- Kubernetes Controller
Terminate at Upstream
- Agent CLI
- Agent Config
- SSH Reverse Tunnel
- Go
- Javascript
- Python
- Rust
- Kubernetes Controller
Certificates
It is very common to encounter certificate errors when working with TLS endpoints. When terminating TLS at ngrok’s cloud service, ngrok will automatically select, provision, and manage certs for you. When performing end-to-end encryption by terminating at the agent or upstream service, you become responsible for provisioning, managing, and distributing certificates. Consult the documentation on TLS Certificates for details about certificate selection, provisioning and management.Agent forwarding
Re-encrypt to upstream
If you terminate TLS at the ngrok cloud service or ngrok agent, you may want to re-encrypt the connection from the agent to your upstream service. The ngrok agent supports this behavior by using the non-standardtls:// scheme syntax.
- Agent CLI
- Agent Config
- SSH Reverse Tunnel
- Go
- Javascript
- Python
- Rust
- Kubernetes Controller
PROXY Protocol
Add a PROXY protocol header on connection to your upstream service. This sends connection information like the original client IP address to your upstream service.- Agent CLI
- Agent Config
- SSH Reverse Tunnel
- Go
- Javascript
- Python
- Rust
- Kubernetes Controller