Where Is TLS Terminated?

TLS connections to your ngrok endpoints can be terminated at ngrok's cloud service, at your ngrok agent, or at your upstream service.

info

TLS endpoints are not supported by the ngrok Kubernetes Operator

At ngrok's cloud service

You can terminate TLS at the edge with ngrok's cloud service.

This is the easiest and most common. All HTTPS endpoints terminate TLS at ngrok's cloud service. When connections are terminated by ngrok's cloud service, they are re-encrypted before they are transmitted over a Secure Tunnel to an agent.

You can get started with the following example.

Loading…

info

TLS Termination at the edge is not supported for:

SSH
Rust
Kubernetes

At your ngrok agent

You can terminate TLS at your ngrok agent. Doing so prevents TLS from being terminated at ngrok's cloud service, ensuring end-to-end encryption between visitors and your upstream service.

You can get started with the following example.

Loading…

info

Termination at the agent is not supported for:

SSH
Rust
Go
Javascript
Python
Kubernetes

At your upstream service

You can handle TLS termination at your upstream services. This is a form of end-to-end encryption where neither the cloud service nor an agent terminates TLS connections. Instead, your upstream application service is responsible for TLS termination.

You can get started with the following example.

Loading…

At ngrok's cloud service​

At your ngrok agent​

At your upstream service​

At ngrok's cloud service

At your ngrok agent

At your upstream service