ngrok and OAuth for private tunnels
Protect private services in Release with ngrok
Last updated
Was this helpful?
Protect private services in Release with ngrok
Last updated
Was this helpful?
You may need a simple way to keep the applications you deploy to Release ephemeral environments private. Perhaps you're deploying a basic disposable admin tool, for example, or you would like to share a link with a potential client or vendor outside your organization. In such cases, you don't want to set up expensive access controls that need time-consuming configuration.
The solution is to create a proxy layer for your Release application environment.
We have a guide available for an .
Alternatively, take a look at this you can investigate.
We chose ngrok for this guide because it offers a simple, lightweight, and cost-effective way to securely expose an application without too much additional configuration or infrastructure maintenance.
Here's what you'll need to follow along:
An ngrok account. A free account may work for once-off environments. A business license is better for multiple accounts in a wildcard setup. Visit for more details.
An ngrok token. Preferably a token generated specifically for this use case so it can be revoked or changed without impacting a regularly used token somewhere else.
A Release application running in your Release account.
A service that you would like to expose via the proxy tunnel.
An OAuth, SAML, or OIDC service provider, such as Google Workspaces – this is optional, as it may incur vendor charges.
A custom domain name for your private pages, this is also optional, as it may incur vendor charges.
Say you want to expose the following service via the proxy tunnel:
The docsbuild
service is not for public consumption, but we would like to view it along with our code deployments in pre-production settings. The main application is configured with authentication and access controls, but the documentation is a set of web pages and would be difficult to protect. If you added a regular node_port:
and hostnames:
section to your application, the documentation would be exposed to the internet.
Let's create a private tunnel for an additional layer of protection instead.
Next, add the following to your application's environment variables template:
Add both services to your setup
workflow, but don't add the tunnel service to your patch flow, since it doesn't need to be restarted during deploys:
Exposing the tunnel service logs will reveal the one-time URL in ngrok.io similar to the following:
Point your browser to the Forwarding
URL to view your documentation pages.
Here are our tips for securing private tunnels.
You may want to use a well-known custom domain name for your application tunnel endpoint, but this could incur additional costs and require an upgrade to your ngrok account.
You could instead add a subdomain directive to your environment variable template:
Which yields something like this output:
You can also use Environment variable mappingsto create a link to the tunnel port like this
You will also need to add Hostnames and rules section like the following to your application template so that you can easily click the link in the UI or pull request comments.
For an even better domain name option, use a fully customised hostname. Please note this probably requires an upgrade to a paid ngrok account and features.
A quick diversion here is required since the custom domain names will not be managed by Release (we have no way of knowing what the ngrok tunnel addresses will be). You will need to setup CNAME record(s) in your cloud DNS provider, and a custom domain and a TLS certificate in the ngrok dashboard.
Which yields something like this output:
You can also follow the same instructions as above for a mapping and hostnames section. This will avoid having to hardcode the values in your configuration file. These two sections should help guide you.
Add a basic authentication password:
We can expose the application via ngrok using a . Instantiate this service alongside your other services in the application template as follows:
Here, the NGROK_AUTH
key has the value of your ngrok token. We use NGROK_LOOK_DOMAIN
to identify the service to expose via the ngrok tunnel, in this case it is docsbuild
. The port is specified as 8080
. By default ngrok will use http (you could specify TLS or TCP as well). Therefore the full url to your internal service in this example would be http://docsbuild:8080
. You could consider adding a and pointing to http://localhost
for even more privacy. The NGROK_BINDTLS
option tells ngrok to redirect from HTTP to HTTPS and only support https:
traffic externally.
Make sure you follow .
Please note that these features are an upgrade in the ngrok product feature and may require additional costs. Follow the ngrok documentation to , then associate the NGROK_AUTH
token with an ACL to attach to the custom Edge. You can add various Edge modules, including Mutual TLS, IP restrictions, OIDC, SAML, OAuth, and more.