Skip to main content

TLS Edge


A TLS edge terminate all TLS (SSL) traffic at the ngrok.com servers using ngrok.com certificates. For production-grade services, you'll want your tunneled traffic to be encrypted with your own TLS key and certificate.

Compatible Clients

TLS tunnels work by inspecting the data present in the Server Name Information (SNI) extension on incoming TLS connections. Not all clients that initiate TLS connections support setting the SNI extension data. These clients will not work properly with ngrok's TLS tunnels. Fortunately, nearly all modern browsers use SNI. Some modern software libraries do not though. The following list of clients do not support SNI and will not work with TLS tunnels:

A more complete list can be found on the Server Name Indication page on Wikipedia

TLS Edge Modules

ModuleDescription
Mutual TLSAlso known as "TLS client authentication", connections must complete a mutual TLS handshake in which the client presents a valid certificate signed by any of the root certificate authorities that you upload.
TLSAllows you to configure whether ngrok terminates TLS traffic at its edge or forwards the TLS traffic through unterminated.
IP RestrictionsIP Restrictions allow you to attach one or more IP policies to the edge.