Even if your admin dashboards and internal tools already have built-in authentication, you can make them even secure using ngrok and Traffic Policy to restrict specific types of traffic from even hitting your endpoint. You can restrict access to specific IP addresses, block traffic from problematic sources, restrict requests to only your geographical area, or all the above. In this example, we’re assuming that your admin tool is part of your public-facing service, available on a path like /admin.

1. Start an endpoint for your service

Start an internal Agent Endpoint, replacing $PORT based on where your service listens. You can also use one of our SDKs or the Kubernetes Operator. 
ngrok http $PORT --url https://service.internal

2. Reserve a domain

Navigate to the Domains section of the ngrok dashboard and click New + to reserve a free static domain like https://your-service.ngrok.app or a custom domain you already own. We’ll refer to this domain as $NGROK_DOMAIN from here on out.

3. Create a Cloud Endpoint

Navigate to the Endpoints section of the ngrok dashboard, then click New + and Cloud Endpoint. In the URL field, enter the domain you just reserved to finish creating your Cloud Endpoint.

4. Restrict access to your admin path with Traffic Policy

While still viewing your new cloud endpoint in the dashboard, copy and paste the policy below into the Traffic Policy editor. You may need to change:
  • /admin: Replace with the path of your admin tools.
  • 1.2.3.4/5.6.7.8: Replace with public IPs of your admins.
  • US: Replace with the country code where your admins would log in to.
on_http_request:
  - expressions:
      - "req.url.path.includes('/admin')"
      - "conn.client_ip.geo.location.country_code != 'US' || req.user_agent.is_bot || 'proxy.anonymous.tor, blocklist.co.greensnow' in conn.client_ip.categories"
    actions:
      - type: deny
  - expressions:
      - "req.url.path.includes('/admin')"
    actions:
      - type: restrict-ips
        config:
          allow:
            - 1.2.3.4/32
            - 5.6.7.8/32
  - actions:
      - type: forward-internal
        config:
          url: https://service.internal
What’s happening here? Your policy checks every HTTP request and filters out only those to the /admin path, first denying all requests from non-US traffic, bot traffic, Tor networks, and all IPs on the GreenSnow blocklist. For all requests not immediately denied, ngrok then also restricts access to only specific and trusted IP addresses before forwarding to your upstream service. ngrok forwards all requests to paths other than /admin without these filters or actions.

5. Try out your restricted admin tools

Visit the domain you reserved either in the browser or in the terminal using a tool like curl. You should see the app or service at the port connected to your internal Agent Endpoint.

What’s next?