Connection Variables
The following variables are available under theconn namespace:
conn.bytes_in
The number of bytes entering the endpoint from the client.
conn.bytes_out
The number of bytes leaving an endpoint to the client.
conn.client_ip
Source IP of the connection to the ngrok endpoint.
conn.client_port
Source port of the connection to the ngrok endpoint.
conn.server_ip
The IP that this connection was established on.
conn.server_port
The port that this connection was established on.
conn.server_region
The ngrok PoP (Point of Presence) that this connection was established on and serviced through.
conn.ts.start
Timestamp when the connection to ngrok was started.
Connection Geo Variables
The following variables are available under theconn.geo namespace:
conn.geo.city
The name of the city, in EN, where the conn.client_ip is likely to originate.
conn.geo.country
The name of the country, in EN, where the conn.client_ip is likely to originate.
conn.geo.country_code
The two-letter ISO country code where the conn.client_ip is likely to originate.
conn.geo.latitude
The approximate latitude where the conn.client_ip is likely to originate.
conn.geo.longitude
The approximate longitude where the conn.client_ip is likely to originate.
conn.geo.radius
The radius in kilometers around the latitude and longitude where the conn.client_ip is likely to originate.
conn.geo.subdivision
The name of the subdivision, in EN, where the conn.client_ip is likely to originate.
Connection TLS Variables
The following variables are available under theconn.tls namespace:
conn.tls.cipher_suite
The cipher suite selected during the TLS handshake.
conn.tls.ja4_fingerprint
The JA4 fingerprint of the TLS handshake.
conn.tls.negotiated_alpn
The TLS Application-Layer Protocol Negotiation (ALPN) Protocol ID of the protocol agreed upon in the TLS handshake. Defaults to "" if no ALPN was successfully negotiated.
conn.tls.session_resumed
True if the TLS session was resumed. Currently always false as we do not yet support TLS session resumption.
conn.tls.sni
The hostname included in the ClientHello message via the SNI extension.
conn.tls.version
The version of the TLS protocol used between the client and the ngrok edge.
Connection TLS Client Variables
The following variables are available under theconn.tls.client namespace:
conn.tls.client.extensions
Additional information added to the certificate.
conn.tls.client.extensions[i].id
The identifier (OID) that specifies the type of extension.
conn.tls.client.extensions[i].critical
True if the extension is critical.
conn.tls.client.extensions[i].value
The data for the extension.
conn.tls.client.issuer
The issuing authority of the certificate as a string roughly following the RFC 2253 Distinguished Names syntax.
conn.tls.client.issuer.common_name
Common name of the issuing authority, usually the domain name.
conn.tls.client.issuer.country
Country names where the issuing authority is located.
conn.tls.client.issuer.locality
Locality or city of the issuing authority.
conn.tls.client.issuer.organization
Name of the organization that issued the certificate.
conn.tls.client.issuer.organizational_unit
Division of the organization responsible for the certificate.
conn.tls.client.issuer.postal_code
Postal code of the issuing authority.
conn.tls.client.issuer.province
Province or state of the issuing authority.
conn.tls.client.issuer.street_address
Street address of the issuing authority.
conn.tls.client.pem
Full PEM-encoded client certificate of the TLS connection, with \n used for newlines.
conn.tls.client.san
Subject alternative names of the client certificate.
conn.tls.client.san.dns_names
DNS names in the subject alternative names.
conn.tls.client.san.email_addresses
Email addresses in the subject alternative names.
conn.tls.client.san.ip_addresses
IP addresses in the subject alternative names.
conn.tls.client.san.uris
URIs in the subject alternative names.
conn.tls.client.serial_number
Unique identifier for the certificate.
conn.tls.client.signature_algorithm
Algorithm used to sign the certificate.
conn.tls.client.subject
The entity to whom the certificate is issued as a string roughly following the RFC 2253 Distinguished Names syntax.
conn.tls.client.subject.common_name
Common name of the subject, usually the domain name.
conn.tls.client.subject.country
Country names where the subject of the certificate is located.
conn.tls.client.subject.locality
Locality or city where the subject is located.
conn.tls.client.subject.organization
Name of the organization to which the subject belongs.
conn.tls.client.subject.organizational_unit
Division of the organization to which the subject belongs.
conn.tls.client.subject.postal_code
Postal code where the subject is located.
conn.tls.client.subject.province
Province or state where the subject is located.
conn.tls.client.subject.street_address
Street address where the subject is located.
conn.tls.client.validity.not_after
Expiration date and time when the certificate is no longer valid.
conn.tls.client.validity.not_before
Start date and time when the certificate becomes valid.
Connection TLS Server Variables
The following variables are available under theconn.tls.server namespace:
conn.tls.server.extensions
Additional information added to the certificate.
conn.tls.server.extensions[i].id
The identifier that specifies the type of extension.
conn.tls.server.extensions[i].critical
True if the extension is critical.
conn.tls.server.extensions[i].value
The data for the extension.
conn.tls.server.issuer
The issuing authority of the certificate as a string roughly following the RFC 2253 Distinguished Names syntax.
conn.tls.server.issuer.common_name
Common name of the issuing authority, usually the domain name.
conn.tls.server.issuer.country
Country names where the issuing authority is located.
conn.tls.server.issuer.locality
Locality or city of the issuing authority.
conn.tls.server.issuer.organization
Name of the organization that issued the certificate.
conn.tls.server.issuer.organizational_unit
Division of the organization responsible for the certificate.
conn.tls.server.issuer.postal_code
Postal code of the issuing authority.
conn.tls.server.issuer.province
Province or state of the issuing authority.
conn.tls.server.issuer.street_address
Street address of the issuing authority.
conn.tls.server.san
Subject alternative names of the server certificate of the ngrok server’s leaf TLS certificate.
conn.tls.server.san.dns_names
DNS names in the subject alternative names of the ngrok server’s leaf TLS certificate.
conn.tls.server.san.email_addresses
Email addresses in the subject alternative names of the ngrok server’s leaf TLS certificate.
conn.tls.server.san.ip_addresses
IP addresses in the subject alternative names of the ngrok server’s leaf TLS certificate.
conn.tls.server.san.uris
URIs in the subject alternative names of the ngrok server’s leaf TLS certificate.
conn.tls.server.serial_number
Unique identifier for the certificate.
conn.tls.server.signature_algorithm
Algorithm used to sign the certificate.
conn.tls.server.subject
The entity to whom the certificate is issued as a string roughly following the RFC 2253 Distinguished Names syntax.
conn.tls.server.subject.common_name
Common name of the subject, usually the domain name.
conn.tls.server.subject.country
Country names where the subject of the certificate is located.
conn.tls.server.subject.locality
Locality or city where the subject is located.
conn.tls.server.subject.organization
Name of the organization to which the subject belongs.
conn.tls.server.subject.organizational_unit
Division of the organization to which the subject belongs.
conn.tls.server.subject.postal_code
Postal code where the subject is located.
conn.tls.server.subject.province
Province or state where the subject is located.
conn.tls.server.subject.street_address
Street address where the subject is located.
conn.tls.server.validity.not_after
Expiration date and time when the certificate is no longer valid.
conn.tls.server.validity.not_before
Start date and time when the certificate becomes valid.
Connection Kubernetes Pod Variables
The following variables are available under theconn.k8s.pod namespace. They are populated on connections to endpoints with a kubernetes binding. They are not available on public or internal endpoints.
If pod identity cannot be resolved, the metadata variables will not be set and conn.k8s.pod.metadata.error_code will be populated instead. See conn.k8s.pod.metadata.error_code for details.
conn.k8s.pod.id
The unique identifier (UID) of the originating pod. Maximum size: 36 bytes.
conn.k8s.pod.metadata.name
The name of the originating pod. Maximum size: 255 bytes.
conn.k8s.pod.metadata.namespace
The namespace the originating pod belongs to. Maximum size: 63 bytes.
conn.k8s.pod.metadata.annotations
A map of pod annotations prefixed with k8s.ngrok.com/. Only annotations with the k8s.ngrok.com/ prefix are included. The combined size of all included annotations must not exceed 1024 bytes. If the limit is exceeded, conn.k8s.pod.metadata.error_code will be set to ERR_NGROK_28000 and a truncated annotation map being returned.
conn.k8s.pod.metadata.error_code
An error code set when pod identity could not be resolved. When this variable is set, the conn.k8s.pod metadata variables will not be populated.
It is recommended to check this variable at the start of any policy that relies on pod identity. See Restricting Access by Kubernetes Pod Identity for guidance on handling missing identity.
conn.k8s.pod.metadata.error_message
A human-readable error message providing additional detail when conn.k8s.pod.metadata.error_code is set. Intended for troubleshooting and diagnostic purposes.