
Does ngrok have an official Status page?

Yes. The official ngrok status page is status.ngrok.com.

Why am I required to add a payment method to use TCP endpoints on the free tier? Will I be charged?

In an effort to combat abuse on the platform, a valid payment method must be added to your account before you can use TCP endpoints on the free tier. This card will not be charged. If you remove this card from your account, you will lose access to TCP endpoints until you add another payment method. Valid payment methods include credit or debit cards. Prepaid cards may not be used to enable TCP endpoints.

Is ngrok a virus?

ngrok is beloved for its ease of use and powerful capability. Unfortunately, those same attributes also make it an attractive target for bad actors trying to phish credentials or create back doors into private networks. ngrok proactively monitors for and bans any accounts identified as being involved in these attacks, and also works with third parties that report malware and abuse via [email protected] and the abuse APIs. Because ngrok is sometimes used by bad actors for attacks, it is occasionally flagged by some antivirus companies as malware or a potentially unwanted application (PUA). ngrok actively monitors these classifications and reaches out to these companies to obtain the correct classification in their systems and to be added to their allow lists. If you receive a notice from your antivirus software when installing ngrok software, be sure to verify the following:
  • Official binaries can be downloaded from the ngrok Downloads page, and the binaries themselves are hosted at bin.equinox.io. If you installed ngrok from another source, you should be careful.
  • There are no open source versions of the ngrok Agent and the source code is not available. If you have downloaded anything claiming to be ngrok agent source code or built the agent from source, it is most likely malicious.
  • All binaries are signed using ngrok certificates. You can verify the integrity of the application by checking that the binary is signed by an ngrok LLC or ngrok, Inc. authority. See these instructions from Microsoft for verifying the digital signatures in Windows binaries.

Does ngrok own bin.equinox.io?

Equinox is 100% owned by ngrok (if you visit equinox.io you’ll see it redirect to https://ngrok.com/downloads). ngrok has exclusive access to its source code and its operational infrastructure. No other software is distributed via equinox.

How to verify the ngrok binary is signed

You can get a binary hash for every ngrok executable distributed (both current and historical) from https://dl.equinox.io/ngrok/ngrok-v3/stable/archive. All of those SHAs are correct.

How ngrok secures the distribution of binaries

When ngrok releases new versions of the ngrok agent via equinox, those releases are also signed in multiple ways:
  • Each macOS and Windows release is signed with code-signing certificates that the operating system verifies. You can verify that those certificates state that ngrok is the publisher.
  • The released executables are also signed with a private key that only the release pipeline has access to. These signatures are used by ngrok’s optional self-update mechanism: if you ask ngrok to update to a new version (via ngrok update), it cryptographically verifies that the new version was signed with a trusted CA that is packaged into its executable.
  • Uploading new releases to equinox is done in the same CI/CD pipeline that also has isolated access to the authentication keys which are used to upload those executables to the equinox service.
Here is an example verification flow for macOS using the 3.8.0 binary:
 codesign -d -vvv ~/Downloads/ngrok
Executable=/Users/username/Downloads/binaries/ngrok
Identifier=darwin_amd64
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=209752 flags=0x10000(runtime) hashes=6549+2 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=9babe84803ac6c05874966cf0934c116b00b6b97
CandidateCDHashFull sha256=9babe84803ac6c05874966cf0934c116b00b6b97b1daa6ceb6362b8f2e9c63a2
Hash choices=sha256
CMSDigest=9babe84803ac6c05874966cf0934c116b00b6b97b1daa6ceb6362b8f2e9c63a2
CMSDigestType=2
CDHash=9babe84803ac6c05874966cf0934c116b00b6b97
Signature size=8963
Authority=Developer ID Application: ngrok LLC (TEX8MHRDQ9)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Mar 14, 2024 at 3:18:31 PM
Info.plist=not bound
TeamIdentifier=TEX8MHRDQ9
Runtime Version=11.0.0
Sealed Resources=none
Internal requirements count=1 size=172
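
The output above can also be checked mechanically. The script below is an added example, not ngrok's own tooling: it validates the signature with codesign --verify (codesign -d only displays metadata) and then compares the Authority chain and TeamIdentifier with the values shown in the 3.8.0 output above. The function names and the two failing samples are constructed for illustration, and it assumes the publisher values of other releases match this one.

```shell
#!/usr/bin/env bash
# Added example (not ngrok tooling): check codesign output against the
# publisher values shown on this page. Function names are hypothetical.

EXPECTED_TEAM_ID='TEX8MHRDQ9'   # TeamIdentifier from the page's output
EXPECTED_LEAF="Developer ID Application: ngrok LLC ($EXPECTED_TEAM_ID)"

# Reads `codesign -d -vvv` text on stdin. Succeeds only if the signing
# certificate, team identifier and Apple root all match what is expected.
check_ngrok_signature() {
  local out leaf team
  out=$(cat)
  # The first Authority= line is the leaf (signing) certificate.
  leaf=$(printf '%s\n' "$out" | sed -n 's/^Authority=//p' | head -n 1)
  team=$(printf '%s\n' "$out" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
  [ "$leaf" = "$EXPECTED_LEAF" ] || { echo "unexpected signer: ${leaf:-none}" >&2; return 1; }
  [ "$team" = "$EXPECTED_TEAM_ID" ] || { echo "unexpected team id: ${team:-none}" >&2; return 1; }
  printf '%s\n' "$out" | grep -qx 'Authority=Apple Root CA' ||
    { echo "chain does not end at Apple Root CA" >&2; return 1; }
}

# macOS only: validate the signature first, then check who signed it.
verify_ngrok_binary() {
  # -d only prints signature metadata; --verify checks that it is valid.
  codesign --verify --strict "$1" || return 1
  codesign -d -vvv "$1" 2>&1 | check_ngrok_signature   # -d writes to stderr
}

# Authority/TeamIdentifier lines copied from the page's 3.8.0 output.
SAMPLE_NGROK='Authority=Developer ID Application: ngrok LLC (TEX8MHRDQ9)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEX8MHRDQ9'
# Constructed sample: validly signed, but by a different developer.
SAMPLE_OTHER='Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'
# Constructed sample: ad-hoc signature, no certificate chain at all.
SAMPLE_ADHOC='Signature=adhoc
TeamIdentifier=not set'

if [ "$#" -gt 0 ]; then
  verify_ngrok_binary "$1" && echo "OK: $1 is signed by ngrok LLC"
fi
```

Run it with the path to the downloaded binary as its only argument. A binary signed by another developer passes codesign --verify on its own, which is why the publisher comparison is the part that matters.
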
Most antivirus tools have an option to report false positive classifications for their software. You can usually find that link in the software itself or on their support site. VirusTotal has a large list of contacts for reporting false positives and reporting ngrok is greatly appreciated—this helps ensure ngrok has the correct classification.

Can I choose a different port to receive traffic on my ngrok domains?

No. ngrok accepts traffic on port 80 for HTTP endpoints, 443 for HTTPS endpoints and port 443 as well for TLS endpoints. This behavior is not configurable. TCP endpoints use the port of the TCP address that was assigned when you acquired the TCP address. This port is assigned and not configurable.

Will the ngrok Agent work if my network changes?

Yes. The ngrok agent is robust to all network changes. If you switch Wi-Fi networks or your modem restarts and you have a dynamic IP that changes, the ngrok agent will automatically detect this condition and re-establish connectivity with the ngrok cloud service. You don’t need to take any manual action to restart or reconfigure the agent.

What information is stored about my use of ngrok?

Please see the Terms of Service and Data Processing Agreement for more information.

Does ngrok support CORS?

Yes, applications exposed via ngrok’s HTTP endpoints will work with CORS. Your application must serve the appropriate CORS headers, or you may use ngrok’s response headers module to add the appropriate CORS headers. Setting the correct CORS headers is non-trivial, but for very simple examples you may try:
ngrok http 80 --response-header-add "Access-Control-Allow-Origin: *"
If you use any of ngrok’s authentication modules, CORS preflight OPTIONS requests are blocked by default. You may override this behavior using traffic policy expressions to skip auth enforcement if the request is a CORS preflight request. Basic Auth (--basic-auth) does not yet support configuring OPTIONS passthrough.

What’s the status of ngrok v1?

The original open source ngrok agent 1.x is available on GitHub but is no longer developed, supported or maintained. The latest ngrok agent is available on the ngrok downloads page.

How to pronounce ngrok

en-grok

How long has ngrok been around?

The first prototype for ngrok was committed on March 20th, 2013.

Why is my vendor asking me to install ngrok for ‘site-to-site connectivity’?

Your vendor wants to create a secure persistent connection between your network and theirs, which allows them to access and take action on your services and data. For details about what ngrok is, how to install the ngrok agent, and how to work with your vendor to implement adequate security practices, see the end customer installation guide.