
How Does ngrok TLS Termination Work?

ngrok's TLS termination behavior is determined by an endpoint's protocol and traffic policy. You may customize each endpoint to choose where TLS is terminated, how it is terminated and even whether it is terminated at all. When ngrok's cloud service terminates TLS, it:

  • Uses the latest and most secure version of TLS
  • Uses the TLS Certificate attached to the Domain which matches the Endpoint URL's hostname
  • Accelerates your traffic by using the global load balancer to terminate at its closest point of presence

ngrok supports end-to-end encryption, which enables you to encrypt traffic between visitors and your upstream services so the ngrok cloud service can't access it. See the docs on how TLS termination works to learn more.

Acceleration

The ngrok cloud service improves the performance of your endpoints by accelerating TLS termination using ngrok's global points of presence.

TLS connection set-up requires multiple network round-trips. When round-trip times (RTTs) are long, TLS connection establishment slows down. ngrok shortens these round trips between the client and your endpoint by terminating connections at the closest point of presence via its global load balancer.

FIPS Compliance

ngrok does not use a FIPS-compliant TLS implementation by default, but one can be enabled for your endpoints.

Contact us if you require a FIPS-compliant TLS implementation.

End-to-end encryption

You may choose to terminate TLS at your upstream service or at the ngrok agent to achieve end-to-end encryption (E2EE), often referred to as Zero-knowledge TLS. When your endpoints operate in this mode, the ngrok cloud service cannot see the payloads that pass through your endpoints.

Creating an endpoint with end-to-end encryption is simple:

  • Create a TLS or TCP endpoint
  • Do not add a terminate-tls action to its traffic policy.

That's it! Read the Agent TLS Termination Guide for a step-by-step approach to setting it up.
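One way to check an endpoint definition against the two conditions above before it is deployed. This is an added example, not ngrok's own code: the function name, hostnames and sample policies are constructed, and it assumes the traffic policy is available as JSON in which each phase name maps to a list of rules whose `actions` entries carry a `type` field.

```python
import json
from urllib.parse import urlsplit

E2EE_SCHEMES = {"tls", "tcp"}         # endpoint protocols the page names for E2EE
TERMINATING_ACTION = "terminate-tls"  # action name taken from the page

# Constructed sample policies (illustrative, not taken from the page).
PASSTHROUGH_POLICY = json.dumps({
    "on_tcp_connect": [
        {"actions": [{"type": "restrict-ips",
                      "config": {"allow": ["203.0.113.0/24"]}}]}
    ]
})
TERMINATING_POLICY = json.dumps({
    "on_tcp_connect": [{"actions": [{"type": "terminate-tls"}]}]
})


def e2ee_findings(endpoint_url, policy_json):
    """Return the reasons this endpoint would NOT be end-to-end encrypted.

    An empty list means both conditions hold: the endpoint is TLS or TCP,
    and no rule in any phase of its traffic policy terminates TLS.
    """
    findings = []
    scheme = urlsplit(endpoint_url).scheme.lower()
    if scheme not in E2EE_SCHEMES:
        findings.append(f"endpoint scheme {scheme!r} is not tls or tcp")

    policy = json.loads(policy_json) if policy_json.strip() else {}
    # Assumed layout: {phase: [{"actions": [{"type": ...}, ...]}, ...]}
    for phase, rules in policy.items():
        if not isinstance(rules, list):
            continue
        for index, rule in enumerate(rules):
            if not isinstance(rule, dict):
                continue
            for action in rule.get("actions", []):
                kind = action.get("type", "") if isinstance(action, dict) else ""
                if str(kind).lower() == TERMINATING_ACTION:
                    findings.append(
                        f"{phase}[{index}] contains a {TERMINATING_ACTION} action")
    return findings


if __name__ == "__main__":
    for url, pol in [("tls://app.example.test:443", PASSTHROUGH_POLICY),
                     ("tls://app.example.test:443", TERMINATING_POLICY)]:
        print(url, e2ee_findings(url, pol) or "E2EE conditions met")
```

Running a check like this in CI on endpoint definitions catches a `terminate-tls` action added later to a policy that was meant to stay pass-through.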

To set up the agent to terminate TLS for you, consult the following table because the configuration depends on which kind of agent you are using.

Agent                 Documentation
Agent Config File     agent_tls_termination
Go SDK                WithTLSTerminationKeyPair
Other SDKs            not supported
Kubernetes Operator   not supported