This guide will walk you through recommendations for ensuring you are using ngrok securely.
For our HTTP tunnel type, use scheme https to configure the ngrok agent to open only an HTTPS endpoint and not an HTTP endpoint. If you are running the latest ngrok agent, this is the default.
If your local service is not running on the same machine as the ngrok agent, we recommend that you set up TLS encryption for the ngrok agent to upstream service leg of the tunnel using our local HTTPS feature.
For custom domains, use ngrok's Automated TLS certificates to have ngrok automatically provision a TLS certificate for your endpoint from Let's Encrypt.
Assign a unique Authtoken to each ngrok agent deployment to isolate issues if a specific Authtoken is compromised.
Set up a minimum ACL per Authtoken to limit the endpoints each agent is able to start.
Do not run ngrok as root, as it should not be necessary.
Do not open any additional incoming ports in your firewall. ngrok only makes an outbound connection upon start.
Consider restricting the IPs that are able to start ngrok agent sessions.
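The following audit script is an added example, not ngrok's own tooling, and ties together the agent-side points above: an HTTPS-only endpoint (scheme https), TLS on the agent-to-upstream leg when the upstream is on another machine, one Authtoken per deployment, and not running as root. It assumes the ngrok agent config v2 layout (top-level version, authtoken and tunnels; per-tunnel proto, addr and schemes). The sample configs are constructed for the demonstration and are loaded from JSON here so the script needs no extra packages; since YAML is a superset of JSON, the same dictionaries are what PyYAML would give you from a real ngrok.yml.

```python
"""Audit an ngrok agent configuration against the agent hardening points.

Added example, not ngrok's own code. Assumes the agent config v2 layout:
top-level "version", "authtoken", "tunnels"; per-tunnel "proto", "addr",
"schemes". Sample configs below are constructed for the demonstration.
"""
import json
import os
from urllib.parse import urlsplit

# Upstreams on these hosts stay on the same machine as the agent.
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}


def upstream_is_protected(addr):
    """True when the agent-to-upstream leg is local or already uses TLS."""
    addr = str(addr)
    if addr.isdigit():                 # bare port means localhost
        return True
    if "://" not in addr:              # host:port without a scheme
        addr = "http://" + addr
    parts = urlsplit(addr)
    if parts.scheme == "https":        # ngrok's local HTTPS feature in use
        return True
    return (parts.hostname or "") in LOCAL_HOSTS


def audit_agent_config(config):
    """Return a list of human-readable findings; an empty list is a pass."""
    findings = []
    if not config.get("authtoken"):
        findings.append("no authtoken in config; assign a unique authtoken per deployment")
    for name, tunnel in config.get("tunnels", {}).items():
        if tunnel.get("proto", "http") != "http":
            continue                   # only HTTP tunnels have an HTTP/HTTPS choice
        schemes = tunnel.get("schemes")
        if schemes is None:
            findings.append(f"{name}: schemes not set; older agents also open HTTP, set schemes: [https]")
        elif "http" in schemes:
            findings.append(f"{name}: plaintext HTTP endpoint enabled via schemes")
        if not upstream_is_protected(tunnel.get("addr", "")):
            findings.append(f"{name}: remote upstream {tunnel.get('addr')} reached over plaintext; use an https:// addr")
    return findings


def running_as_root():
    """The agent does not need root; geteuid is POSIX-only, so Windows reports False."""
    return hasattr(os, "geteuid") and os.geteuid() == 0


# Constructed sample: both endpoint schemes open, plaintext hop to a remote upstream, no authtoken.
WEAK_CONFIG = json.loads("""
{"version": "2",
 "tunnels": {"web": {"proto": "http", "addr": "10.0.0.5:8080",
                     "schemes": ["http", "https"]}}}
""")

# Constructed sample with the recommendations applied (authtoken is a placeholder).
HARDENED_CONFIG = json.loads("""
{"version": "2", "authtoken": "<authtoken-placeholder>",
 "tunnels": {"web": {"proto": "http", "addr": "https://10.0.0.5:8443",
                     "schemes": ["https"]}}}
""")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_agent_config(cfg) or 'no findings'}")
    print("running as root:", running_as_root())
```

To audit a real file, replace the embedded JSON with `yaml.safe_load(open("ngrok.yml"))` from PyYAML; the checks operate on the same dictionary shape.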
For authenticating access to the dashboard, ngrok has features for role-based access control (RBAC), IP Policy, and SSO.
With RBAC, you can configure permissions for groups of users within your team (for example admins and developers).
Consider restricting the IPs permitted to access the dashboard.
You need an API key to authenticate with the ngrok REST API. API keys are Base64 encoded strings and are available from the ngrok dashboard and also from an API endpoint, which makes it easy to rotate your API keys.
Consider restricting the IPs permitted to access the API. You can do so in the ngrok Dashboard under the Security section.
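Rotating an API key through the API endpoint mentioned above is safest when the replacement key is proven to work before the old one is revoked, so a failed rotation never locks you out. The routine below is an added example, not ngrok's own client. It assumes the ngrok REST API v2 conventions as the author understands them: base URL https://api.ngrok.com, an Authorization: Bearer header, a Ngrok-Version: 2 header, POST /api_keys to mint a key (whose secret is returned once, in the token field, with 201 Created) and DELETE /api_keys/{id} to revoke one (204). The transport is injectable, and the in-memory FakeNgrokApi stand-in with its constructed key values lets the rotation run offline.

```python
"""Rotate an ngrok API key: mint, verify, then revoke the old key.

Added example, not ngrok's own client. Assumed API v2 conventions:
Bearer auth, Ngrok-Version: 2, POST /api_keys (201, secret in "token"),
GET /api_keys (200), DELETE /api_keys/{id} (204).
"""
import json
import urllib.error
import urllib.request

API_BASE = "https://api.ngrok.com"


def http_send(method, path, bearer, body=None):
    """Real transport: one authenticated request, returns (status, parsed JSON)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API_BASE + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {bearer}")
    req.add_header("Ngrok-Version", "2")
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        return err.code, {}


def rotate_api_key(old_key, old_key_id, send=http_send):
    """Return (new_key_id, new_key_secret); on failure keep the old key valid."""
    status, created = send("POST", "/api_keys", old_key,
                           {"description": "rotated by rotate_api_key"})
    if status not in (200, 201) or "token" not in created:
        raise RuntimeError(f"could not create replacement key (HTTP {status})")
    new_id, new_key = created["id"], created["token"]

    # Prove the new key is accepted before touching the old one.
    status, _ = send("GET", "/api_keys", new_key)
    if status != 200:
        send("DELETE", f"/api_keys/{new_id}", old_key)       # roll back the half-minted key
        raise RuntimeError(f"replacement key rejected (HTTP {status}); old key kept")

    # Revoke the old key using the new one, which is now the only credential needed.
    status, _ = send("DELETE", f"/api_keys/{old_key_id}", new_key)
    if status != 204:
        raise RuntimeError(f"old key {old_key_id} not revoked (HTTP {status}); revoke it manually")
    return new_id, new_key


class FakeNgrokApi:
    """In-memory stand-in for the API so the rotation can be exercised offline."""

    def __init__(self):
        self.keys = {"ak_old": "old-secret"}   # id -> secret, constructed values
        self.counter = 0

    def send(self, method, path, bearer, body=None):
        if bearer not in self.keys.values():
            return 401, {}
        if method == "POST" and path == "/api_keys":
            self.counter += 1
            kid, secret = f"ak_new{self.counter}", f"secret-{self.counter}"
            self.keys[kid] = secret
            return 201, {"id": kid, "token": secret}
        if method == "GET" and path == "/api_keys":
            return 200, {"keys": [{"id": k} for k in self.keys]}
        if method == "DELETE" and path.startswith("/api_keys/"):
            removed = self.keys.pop(path.rsplit("/", 1)[1], None)
            return (204, {}) if removed else (404, {})
        return 404, {}


if __name__ == "__main__":
    api = FakeNgrokApi()
    print("rotated to", rotate_api_key("old-secret", "ak_old", send=api.send))
    print("keys now present:", sorted(api.keys))
```

Against the live API, call `rotate_api_key(current_secret, current_key_id)` with the default transport and store the returned secret immediately; it is the only time the API returns it.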
TLS Encryption is terminated at different locations depending on the ngrok Tunnel / Edge type and configuration. See the documentation on Terminating TLS Connections for more details.
For HTTPS endpoints, ngrok will take care of TLS certificates automatically. For endpoints that are ngrok subdomains, ngrok uses a wildcard *.ngrok.io certificate. We also provision certificates for your custom domains through Let's Encrypt and handle keeping them up to date for you.
It is possible to specify the minimum TLS version that clients are required to use to talk to the ngrok edge for your tunnel.
ngrok provides functionality for consuming logs for events in the system. For more information, check out our ngrok Event Subscriptions documentation.