If your upstream service requires encrypted TLS connections, you need to ensure that requests forwarded from the API Gateway are properly secured using TLS. Additionally, if your upstream service requires mutual TLS (mTLS), you can configure client certificates to authenticate both the API Gateway and the upstream service. By configuring Upstream TLS and mTLS, you can: 🔐 Ensure end-to-end encryption between ngrok and your backend services.
⚡ Authenticate API Gateway requests using client certificates.
🚀 Enforce stricter security policies for upstream service communication.

🔍 What are the Benefits of Upstream TLS & mTLS?

Securing upstream connections is essential for protecting sensitive data in transit, ensuring that API requests remain confidential and tamper-proof as they move between services. Key Benefits:
  • End-to-End Encryption: Protect sensitive data from client to backend using strong encryption.
  • Client Certificate Authentication: Ensure only trusted API gateways can connect to your backend.
  • Prevent Unauthorized Access: Block unauthorized requests by requiring valid client certificates.
  • Ensure Regulatory Compliance: Meet security standards like HIPAA, PCI DSS, and SOC 2.
  • Enhance Service-to-Service Security: Secure Kubernetes microservices using mTLS authentication.

Upstream TLS Examples

The following examples showcase how you can configure client certificates to be used by the ngrok Kubernetes operator when it connects to upstream services.

1. Generate Certificates

# 1. Generate CA private key (ca.key)
openssl genpkey -algorithm RSA -out ca.key -pkeyopt rsa_keygen_bits:2048

# 2. Generate CA certificate (ca.crt)
openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crt -subj "/CN=ExampleCA"

# 3. Generate server private key (server.key)
openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048

# 4. Generate server certificate signing request (CSR) (server.csr)
openssl req -new -key server.key -out server.csr -subj "/CN=terminate-tls-example.ngrok.app"

# 5. Generate server certificate (server.crt)
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256

# 6. Generate client private key (client.key)
openssl genpkey -algorithm RSA -out client.key -pkeyopt rsa_keygen_bits:2048

# 7. Generate client certificate signing request (CSR) (client.csr)
openssl req -new -key client.key -out client.csr -subj "/CN=ExampleClient"

# 8. Generate client certificate (client.crt) with Client Authentication
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256 -extfile <(printf "extendedKeyUsage = clientAuth")
These commands will generate the following files:
  • CA Files:
    • ca.key: CA private key
    • ca.crt: CA certificate
  • Server Files:
    • server.key: Server private key
    • server.csr: Server certificate signing request
    • server.crt: Server certificate
  • Client Files:
  • client.key: Client private key
  • client.csr: Client certificate signing request
  • client.crt: Client certificate (with proper clientAuth extension for mTLS)

2. Configure your Upstream

If you’re testing this with an upstream service that you have. It will need to make use of the following files that were generated.
  • server.crt: Used to terminate TLS
  • server.key: Used to terminate TLS
  • ca.crt: Used to validate client certificates

3. Create a Kubernetes Secret for the Client Certificate

kubectl create secret tls client-cert-secret \
	--cert=client.crt \
	--key=client.key
The following examples showcase using the client certificate when connecting to the upstream.

4. Create an AgentEndpoint that uses the Client Certificate

apiVersion: ngrok.k8s.ngrok.com/v1alpha1
kind: AgentEndpoint
metadata:
name: example-agent-endpoint
spec:
url: https://example-hostname.ngrok.io
upstream:
  url: https://my-service.my-namespace:8443
clientCertificateRefs:
- name: client-cert-secret
  namespace: default