Traffic Policy
Manage traffic with our simple, flexible, and idiomatic traffic policy engine. Use Common Expression Language (CEL) with JSON or YAML to define rules that match incoming or outgoing traffic based on attributes like URL path, headers, and other request or response properties. Apply pre-built actions such as URL rewrite, JWT validation, rate limiting, and more.
Validate that each request contains an unexpired, encrypted JWT signed by a trusted source and destined for your upstream service.
Provide a URL to your JSON Web Key Set (JWKS), and ngrok will use it to validate requests before they ever hit your upstream service.
This example validates JWTs found in requests to https://example.ngrok.com against the specified Auth0 JWKS before forwarding them to your upstream service.
Set limits to restrict traffic to your endpoints to ensure fairness across all clients and maintain multi-tenant resiliency.
This example specifies that only 30 requests per minute are allowed.
Allow or deny traffic based on the source IP of the connection that was initiated to your ngrok endpoints.
This example shows a configuration that only allows requests from the IP 1.1.1.1, while requests from the IP e680:5791:be4c:5739:d959:7b94:6d54:d4b4 are denied.
Protect your services by requiring clients to authenticate using OAuth.
ngrok supports a wide range of OAuth providers such as Google, Microsoft, GitHub and others that you can define in Traffic Policy. Once authenticated by the IdP, ngrok adds headers to the HTTP request with details about the authenticated OAuth user, providing additional context for your upstream service.
Redirect incoming requests to new URLs by modifying the original URLs with regular expressions.
Use this action to prevent 404 errors or ensure backwards compatibility of your applications and APIs by redirecting traffic to updated URLs. Redirection is performed using the Location header.
This example shows a configuration that will redirect any request from /products to /store/products with the default 302 Found status code.
More Traffic Policy capabilities
Return a hard-coded custom response, such as a maintenance page, to the client. Supports CEL interpolation that allows you to access traffic policy variables and embed CEL expressions in your custom response.
Protect your services by blocking HTTP or TLS requests or terminating a TCP connection. For example, deny requests from specific regions or restrict access to particular paths, such as an admin upstream service.
Transform SEO-friendly, customer-facing URLs at runtime to the actual URL of the service without exposing internal routing to end users.
This action enables you to forward traffic to an internal endpoint within the same ngrok account. This is useful for safely and securely routing traffic from your public-facing endpoints to other services, giving you the ability to orchestrate and customize traffic flow based on headers, paths, domains or other parameters.
Add headers to an HTTP request before it is sent upstream or an HTTP response before it is sent back to the client. For instance, you can use it to add geographical data about clients that are connecting to your services. Supports CEL interpolation that allows you to access traffic policy variables and embed CEL expressions into header values.
Remove headers from an HTTP request before it is sent upstream or from an HTTP response before it is sent back to the client. This is useful for stripping sensitive internal headers from responses sent to clients, or removing unnecessary headers from requests to reduce overhead and prevent bloat.
Enhance traffic observability by adding metadata to log events for HTTP, TCP, TLS, giving you additional context. For example, you can include the endpoint identifier for every request. Supports CEL interpolation, allowing you to access traffic policy variables and embed CEL expressions in this action.
Improve the performance of your applications by compressing HTTP response bodies returned by your upstream service. Supported algorithms include br, compress, gzip, and deflate.
Gain live visibility into active OAuth, OIDC, and SAML user sessions in your tunnels. Instantly view session context—such as user, device, identity provider, and network details—and terminate sessions through the dashboard or via REST API.
Terminate TLS and secure your connections with mutual TLS (mTLS) authentication for your HTTP and TLS endpoints. Specify which TLS versions your endpoint supports for added security and compatibility. For HTTPS endpoints, TLS is terminated automatically at ngrok's global network, while for TLS endpoints, you can choose to terminate TLS at the global network, the agent, or your upstream service.
Secure your services by restricting access to only users authorized by an OpenID Connect IdP.
Enforce HTTP Basic Auth by securing your services with usernames and passwords.
Protect your upstream service by automatically blocking traffic if it becomes overloaded, giving it time to recover. Once the service stabilizes, traffic flow is restored.
Ensure that only authenticated requests from your webhook provider reach your upstream service, blocking malicious payloads and preventing security vulnerabilities. ngrok verifies the webhook signature before forwarding it to your service. Here’s the full list of webhook providers that ngrok supports.