Skip to main content

How Do I Forward Traffic To My Upstream Services?

The ngrok agent and Agent SDKs forward traffic that your endpoints receive to upstream services. You specify a URL or port number to instruct the ngrok agent where and how to forward traffic.

note

This page covers forwarding traffic to upstream resources. If you specifically want to forward traffic from one endpoint to another, use Traffic Policy.

HTTPS forwarding

The scheme in your upstream URL is used to determine whether to forward HTTP or HTTPS traffic to the upstream service. If you do not specify a scheme, the default http scheme is chosen unless you forward to port 443, in which case ngrok will use https. Consult the following table of examples.

Upstream URLNormalized Value
http://localhost:1234http://localhost:1234
https://localhost:1234https://localhost:1234
localhost:1234http://localhost:1234
1234http://localhost:1234
localhost:443https://localhost:443
443https://localhost:443

ngrok assumes that the network you run the agent on is private and it does not verify the TLS certificate presented by the upstream service. You may change this behavior with the flags --upstream-tls-verify and upstream-tls-verify-cas.

info

Forwarding to an upstream HTTPS service is not supported via SSH.

Loading…

HTTP/2 forwarding

When agents forward to upstream http/2 services, connections use HTTP/1.1 by default.

You can configure the agent, SDKs and Kubernetes Operator to instead use HTTP/2 when forwarding to your upstream service.

ForwarderOptionDocs
Agent--upstream-protocolAgent CLI flags
Agent SDKslanguage-dependentAgent SDKs
Kubernetes OperatorappProtocol on the Tunnel CRDKubernetes Operator

When http2 forwarding is enabled, all requests to your upstream service will be transmitted over HTTP/2 Cleartext since TLS was already terminated at the ngrok cloud service. We cannot use TLS-ALPN at this time. We rely on HTTP/2 with Prior Knowledge currently.

How do I encrypt traffic forwarded to upstream services?

If you terminate TLS at the ngrok cloud service or ngrok agent, you may want to re-encrypt the connection from the agent to your upstream service. The ngrok agent supports this behavior by using the non-standard tls:// scheme syntax.

Loading…
info

Re-encrypting the connection to your upstream service with TLS is not supported for:

  • SSH
  • Go
  • Rust