Comment on page
ngrok and OAuth for private tunnels
Protect private services in Release with ngrok
You may need a simple way to keep the applications you deploy to Release ephemeral environments private. Perhaps you're deploying a basic disposable admin tool, for example, or you would like to share a link with a potential client or vendor outside your organization. In such cases, you don't want to set up expensive access controls that need time-consuming configuration.
The solution is to create a proxy layer for your Release application environment.
We chose ngrok for this guide because it offers a simple, lightweight, and cost-effective way to securely expose an application without too much additional configuration or infrastructure maintenance.
Here's what you'll need to follow along:
- An ngrok account. A free account may work for once-off environments. A business license is better for multiple accounts in a wildcard setup. Visit ngrok's pricing page for more details.
- An ngrok token. Preferably a token generated specifically for this use case so it can be revoked or changed without impacting a regularly used token somewhere else.
- A Release application running in your Release account.
- A service that you would like to expose via the proxy tunnel.
- An OAuth, SAML, or OIDC service provider, such as Google Workspaces – this is optional, as it may incur vendor charges.
- A custom domain name for your private pages, this is also optional, as it may incur vendor charges.
Say you want to expose the following service via the proxy tunnel:
services:
- name: docsbuild
image: mycoolrepo/mycoolapp/docsbuild
registry: local
has_repo: true
ports:
- type: container_port
port: '8080'
build:
context: "."
dockerfile: docs/Dockerfile
The
docsbuild
service is not for public consumption, but we would like to view it along with our code deployments in pre-production settings. The main application is configured with authentication and access controls, but the documentation is a set of web pages and would be difficult to protect. If you added a regular node_port:
and hostnames:
section to your application, the documentation would be exposed to the internet.Let's create a private tunnel for an additional layer of protection instead.
We can expose the application via ngrok using a simple container. Instantiate this service alongside your other services in the application template as follows:
services:
- name: docsbuild-tunnel
image: wernight/ngrok
Next, add the following to your application's environment variables template:
services:
docbuild-tunnel:
- key: NGROK_AUTH
value: mysecretauthtoken
secret: true
- key: NGROK_LOOK_DOMAIN
value: docsbuild
- key: NGROK_PORT
value: '8080'
- key: NGROK_BINDTLS
value: "true"
Here, the
NGROK_AUTH
key has the value of your ngrok token. We use NGROK_LOOK_DOMAIN
to identify the service to expose via the ngrok tunnel, in this case it is docsbuild
. The port is specified as 8080
. By default ngrok will use http (you could specify TLS or TCP as well). Therefore the full url to your internal service in this example would be http://docsbuild:8080
. You could consider adding a sidecar and pointing to http://localhost
for even more privacy. The NGROK_BINDTLS
option tells ngrok to redirect from HTTP to HTTPS and only support https:
traffic externally.Add both services to your
setup
workflow, but don't add the tunnel service to your patch flow, since it doesn't need to be restarted during deploys:workflows:
- name: setup
paralellize:
- step: docs
tasks:
- services.docsbuild
- services.docsbuild-tunnel
wait_for_finish: false
- name: patch
paralellize:
- step: docs
tasks:
- services.docsbuild
wait_for_finish: false
Exposing the tunnel service logs will reveal the one-time URL in ngrok.io similar to the following:
ngrok by @inconshreveable
Tunnel Status online
Version 2.0/2.0
Web Interface http://localhost:4040
Forwarding https://abc.ngrok.io -> docsbuild:80
Connnections ttl opn rt1 rt5 p50 p90
0 0 0.00 0.00 0.00 0.00
Point your browser to the
Forwarding
URL to view your documentation pages.You can also expose the ngrok dashboard that runs on port 4040 by using
hostnames:
, or by using another tunnel pointed at the ngrok tunnel server. The ngrok tunnel dashboard could be used for various development or debugging services, but the dashboard itself will be exposed on the internet and may need to be protected too.Here are our tips for securing private tunnels.
You may want to use a well-known custom domain name for your application tunnel endpoint, but this could incur additional costs and require an upgrade to your ngrok account.
You could instead add a subdomain directive to your environment variable template:
services:
docsbuild-tunnel:
- key: NGROK_SUBDOMAIN
value: mydocs
Which yields something like this output:
ngrok by @inconshreveable
...
Forwarding https://mydocs.ngrok.io -> docsbuild:80
mapping:
NGROK_SUBDOMAIN: RELEASE_ENV_ID
You will also need to add Hostnames and rules section like the following to your application template so that you can easily click the link in the UI or pull request comments.
hostnames:
- ${env_id}.ngrok.io
For an even better domain name option, use a fully customised hostname. Please note this probably requires an upgrade to a paid ngrok account and features.
A quick diversion here is required since the custom domain names will not be managed by Release (we have no way of knowing what the ngrok tunnel addresses will be). You will need to setup CNAME record(s) in your cloud DNS provider, and a custom domain and a TLS certificate in the ngrok dashboard.
services:
docsbuild-tunnel:
- key: NGROK_HOSTNAME
value: mydocs.private.example.com
Which yields something like this output:
ngrok by @inconshreveable
...
Forwarding https://mydocs.private.example.com -> docsbuild:80
You can also follow the same instructions as above for a mapping and hostnames section. This will avoid having to hardcode the values in your configuration file. These two sections should help guide you.
mapping:
NGROK_HOSTNAME: DOCSBUILD_INGRESS_HOST
domain: example.com
hostnames:
- ${env_id}.private.${domain}
Add a basic authentication password:
services:
docsbuild-tunnel:
- key: NGROK_USERNAME
value: "myuser"
- key: NGROK_PASSWORD
value: "mypassword"
secret: true
Please note that these features are an upgrade in the ngrok product feature and may require additional costs. Follow the ngrok documentation to configure an Edge, then associate the
NGROK_AUTH
token with an ACL to attach to the custom Edge. You can add various Edge modules, including Mutual TLS, IP restrictions, OIDC, SAML, OAuth, and more.Last modified 10mo ago