Managing TLS Termination for Secure Connections

When using Ingress and Gateway API resources with the ngrok Kubernetes operator, HTTPS endpoints are created by default, and ngrok automatically terminates TLS for secure traffic handling.

By customizing TLS termination settings, you can:

🔐 Use your own TLS certificates instead of ngrok-managed certificates.
⚡ Enforce specific TLS versions for enhanced security.
🔄 Configure mutual TLS (mTLS) for bidirectional authentication between clients and your services.

🔍 What are the Benefits of Customizing TLS Termination?

TLS termination is essential for securing data in transit. Customizing TLS settings allows you to:

  • Control certificate management, choosing between automatically provisioned or manually managed TLS certificates.
  • Enforce strong encryption standards by restricting which TLS versions are accepted.
  • Enable mutual TLS (mTLS) for client authentication, adding an extra layer of security.

Key Benefits:

  • Enhance Security: Enforce TLS policies that comply with industry best practices.
  • Use Custom Certificates: Deploy your own TLS certificates to meet security or compliance requirements.
  • Improve Client Authentication: Implement mutual TLS (mTLS) to verify both server and client identities.
  • Ensure Compatibility: Control TLS versions for secure connections.
  • Meet Compliance Standards: Enforce safety and security policies for HIPAA, PCI DSS, SOC 2, and other security frameworks.
  • Multi-tenant Environments: Serve different certificates per domain in multi-tenant environments.

TLS Termination Examples

The following examples showcase how you can create an endpoint that:

  • Terminates TLS using a custom certificate
  • Enforces mutual TLS with the clients
  • Allows a max TLS version of 1.3
  • Requires a minimum TLS version of 1.3

1. Generate Certificates

These commands will generate the following files:

  • CA Files:
    • ca.key: CA private key
    • ca.crt: CA certificate
  • Server Files:
    • server.key: Server private key
    • server.csr: Server certificate signing request
    • server.crt: Server certificate
  • Client Files:
    • client.key: Client private key
    • client.csr: Client certificate signing request
    • client.crt: Client certificate (with proper clientAuth extension for mTLS)
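The page's own generation commands are not reproduced here; the script below is an added example (not ngrok's code) that produces the same three file sets and then checks that each certificate chains to the CA and carries the right extended key usage, since a client certificate without clientAuth is the usual reason an mTLS handshake is rejected. It assumes openssl is on PATH; the domain name, subject names and output directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the ngrok docs): build a throwaway CA, a server cert
# and a client cert with the extensions mTLS needs, then verify the results.
# Assumes openssl is on PATH; the domain and output directory are placeholders.
set -eu

gen_mtls_certs() {
  dir=$1      # output directory
  domain=$2   # hostname placed in the server cert's SAN (placeholder value)
  mkdir -p "$dir"

  # 1. CA: key + CSR, self-signed with CA:TRUE so verifiers accept it as a root
  openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$dir/ca.key" \
    -out "$dir/ca.csr" -subj "/CN=Example mTLS CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

  # 2. Server: serverAuth EKU and a SAN matching the endpoint hostname
  openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$dir/server.key" \
    -out "$dir/server.csr" -subj "/CN=$domain" 2>/dev/null
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$domain" > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

  # 3. Client: clientAuth EKU, the extension the doc calls out for mTLS
  openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$dir/client.key" \
    -out "$dir/client.csr" -subj "/CN=example-client" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
}

# Succeeds only if the cert chains to ca.crt AND its text dump contains the
# expected EKU string (e.g. "TLS Web Client Authentication"). A serverAuth-only
# cert presented as a client cert fails here, before any handshake is attempted.
check_cert() {
  dir=$1; cert=$2; eku=$3
  openssl verify -CAfile "$dir/ca.crt" "$dir/$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/$cert" -noout -text 2>/dev/null | grep -q "$eku"
}

# Usage: generate into a temp dir, then confirm each cert's role
# d=$(mktemp -d); gen_mtls_certs "$d" app.example.com
# check_cert "$d" client.crt "TLS Web Client Authentication" && echo "client cert OK"
```

For the request step later on the page, a client such as curl would present the pair with `--cert client.crt --key client.key` and trust the endpoint with `--cacert ca.crt`.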

2. Create an Endpoint with Custom TLS Termination

Check out the terminate TLS traffic policy action page for more details about how it functions and the parameters it accepts.

Use the Client Certificates While Making Requests

Now that mutual TLS is enforced, you will need to include the client certificate when making requests.