How Do I Handle TLS Traffic?
Overview
TLS endpoints enable you to deliver any network service that runs over a TLS-based protocol. TLS endpoints make no assumptions about the wrapped protocol being transported.
TLS endpoints inspect the Server Name Indication (SNI) data on incoming TLS connections to route connections to the appropriate endpoint.
Because the TLS protocol describes no application-level semantics, ngrok can only offer a limited set of traffic policy actions to handle TLS traffic.
If you are delivering an HTTPS application, prefer to create an HTTP Endpoint.
Quickstart
TLS termination at the edge is not supported for:
- SSH
- Rust
Learn more
- URL Validation — URLs are validated differently depending on their binding. To learn more about valid URLs for TLS endpoints, see the Endpoint URLs documentation.
- Domains — Public TLS endpoints must match a domain on your account. See the domains documentation for more information.
- Authentication — You can secure your TLS endpoints with the IP Restriction and Mutual TLS Traffic Policy actions. There is a limited set of actions available to authenticate TLS traffic because the protocol is low-level.
- Bring your own domain — To use your own domain with TLS endpoints, see the guide on the subject.
- Wildcard Endpoints — You can create TLS endpoints that receive traffic from all of the subdomains matching a given wildcard domain. See the wildcard domain docs for more information.
- Traffic Policy — Attach Traffic Policy to endpoints to route, authenticate and transform the traffic through the endpoint.
- Agent Forwarding — The ngrok agent and Agent SDKs forward traffic that your endpoints receive to upstream services. See the agent forwarding documentation for more information.
- Traffic Observability — Traffic Inspector gives you a real-time view in the ngrok dashboard of the traffic flowing through your TLS endpoints. You can even export traffic logs with the Traffic Events system.
- TLS Certificates — Learn how ngrok automatically handles TLS and TLS termination for TLS endpoints for you.
TLS termination
TLS Endpoints enable you to define where TLS termination occurs. You can configure your endpoint to terminate TLS at the ngrok cloud service. You can also achieve end-to-end encryption by terminating at the agent or your upstream service.
When you use end-to-end encryption, the ngrok cloud service cannot see payloads that transit through your endpoints.
See the TLS Termination documentation for more information.
Errors
Learn how ngrok handles errors for TLS endpoints in the Errors documentation.
API
TLS Endpoints can be created programmatically. Consult the documentation on Endpoint APIs.
Limits & pricing
TLS endpoints are available on Pay-as-you-go, Pro, and Enterprise plans. Consult the pricing documentation for general billing details.
For TLS limits, see the endpoint Limits documentation.