Managing TLS Termination for Secure Connections
When using Ingress and Gateway API resources with the ngrok Kubernetes operator, HTTPS endpoints are created by default, and ngrok automatically terminates TLS for secure traffic handling.
By customizing TLS termination settings, you can:
🔐 Use your own TLS certificates instead of ngrok-managed certificates.
⚡ Enforce specific TLS versions for enhanced security.
🔄 Configure mutual TLS (mTLS) for bidirectional authentication between clients and your services.
🔍 What are the Benefits of Customizing TLS Termination?
TLS termination is essential for securing data in transit. Customizing TLS settings allows you to:
- Control certificate management, choosing between automatically provisioned or manually managed TLS certificates.
- Enforce strong encryption standards by restricting which TLS versions are accepted.
- Enable mutual TLS (mTLS) for client authentication, adding an extra layer of security.
Key Benefits:
- Enhance Security: Enforce TLS policies that comply with industry best practices.
- Use Custom Certificates: Deploy your own TLS certificates to meet security or compliance requirements.
- Improve Client Authentication: Implement mutual TLS (mTLS) to verify both server and client identities.
- Ensure Compatibility: Control TLS versions for secure connections.
- Meet Compliance Standards: Enforce safety and security policies for HIPAA, PCI DSS, SOC 2, and other security frameworks.
- Multi-tenant Environments: Serve different certificates per domain in multi-tenant environments.
TLS Termination Examples
The following examples showcase how you can create an endpoint that:
- Terminates TLS using a custom certificate
- Enforces mutual TLS with the clients
- Allows a max TLS version of 1.3
- Requires a minimum TLS version of 1.3
1. Generate Certificates
Loading…
These commands will generate the following files:
- CA Files:
ca.key
: CA private keyca.crt
: CA certificate
- Server Files:
server.key
: Server private keyserver.csr
: Server certificate signing requestserver.crt
: Server certificate
- Client Files:
client.key
: Client private keyclient.csr
: Client certificate signing requestclient.crt
: Client certificate (with proper clientAuth extension for mTLS)
2. Create an Endpoint with Custom TLS Termination
- AgentEndpoint
- CloudEndpoint
- Ingress
- Gateway API
Check out the terminate TLS traffic policy action page for more details about how it functions and the parameters it accepts.
Loading…
Check out the terminate TLS traffic policy action page for more details about how it functions and the parameters it accepts.
Loading…
💡 Ingress
resources do not natively support advanced TLS termination options, but they can be extended using a traffic policy.
Check out the terminate TLS traffic policy action page for more details about how it functions and the parameters it accepts.
3. Create an NgrokTrafficPolicy
Loading…
4. Use the NgrokTrafficPolicy
on an Ingress
Loading…
✅ Gateway API natively supports TLS termination, and this feature is fully supported by the ngrok Kubernetes operator.
3. Create a Secret
to Terminate TLS
Create a Kubernetes Secret
to configure TLS termination.
Loading…
4. Create a ConfigMap
to Validate Client Certificates
Create a Kubernetes ConfigMap
containing the CA so that client certificates can be validated.
Loading…
5. Create a Gateway
that Terminates TLS using the Generated Certificates
Loading…
6. Generate an HTTPRoute
to route to the upstream
Loading…
Use the Client Certificates While Making Requests
Now that mutual TLS is enforced, you will need to include the client certificate when making requests
Loading…