Skip to main content

Version 2

Full Example

Below is a comprehensive configuration file for ngrok with detailed documentation for each option.

To activate a specific option or tunnel, simply uncomment the relevant lines by removing the # at the beginning of the line.

# ngrok Configuration File v2
# https://ngrok.com/docs/agent/config/

# ######################################################################
# # Agent Configuration #
# ######################################################################

# ----------------------------------------------------------------------
# | Authtoken (required) |
# ----------------------------------------------------------------------

# Specifies the authentication token (authtoken) used to connect to the
# ngrok service.
#
# (1) You can get your default authtoken through the dashboard:
# https://dashboard.ngrok.com/get-started/your-authtoken
#
# (2) You can view and generate authtokens through the dashboard
# https://dashboard.ngrok.com/tunnels/authtokens

#authtoken: 4nq9771bPxe8ctg7LKr_2ClH7Y15Zqe4bWLWF9p

# ----------------------------------------------------------------------
# | API Key |
# ----------------------------------------------------------------------

# The ngrok API key used to connect to the ngrok API.
#
# (!) This is only needed when using the ngrok api command and should
# not be confused with the authtoken.
#
# (1) You can obtain and manage your API Keys through the dashboard:
# https://dashboard.ngrok.com/api-keys

#api_key: 24yRd5U3DestCQapJrrVHLOqiAC_7RviwRqpd3wc9dKLujQZN

# ----------------------------------------------------------------------
# | Connect Timeout |
# ----------------------------------------------------------------------

# How long to wait when establishing an agent session connection to the
# ngrok service.
#
# Accepts duration, the default is 10s

#connect_timeout: 30s

# ----------------------------------------------------------------------
# | Console UI |
# ----------------------------------------------------------------------

# Enable or disable the console UI in the terminal.
#
# Options:
# true - Enable the console UI.
# false - Disable the console UI, use structured log format.
# iftty - (Default) Enable UI only if standard out is a TTY.

#console_ui: iftty

# ----------------------------------------------------------------------
# | Console UI Color |
# ----------------------------------------------------------------------

# Sets the console UI background color in the terminal.
#
# To use a color other than black, set to `transparent` and adjust your
# terminal's background.

#console_ui_color: transparent

# ----------------------------------------------------------------------
# | CRL No Verify |
# ----------------------------------------------------------------------

# Skip Certificate Revocation List (CRL) verification if set to true.
#
# Accepts a boolean. Default is `false`.

#crl_noverify: false

# ----------------------------------------------------------------------
# | DNS Resolver IPs |
# ----------------------------------------------------------------------

# List of DNS servers for resolving tunnel session DNS.
#
# Defaults to using the local system DNS servers.

#dns_resolver_ips:
# - 1.1.1.1
# - 8.8.8.8

# ----------------------------------------------------------------------
# | Heartbeat Interval |
# ----------------------------------------------------------------------

# How often the ngrok agent should heartbeat to the ngrok servers defined
# as a duration.
#
# Accepts a duration (e.g., 10s, 1m). The default value is `10s`.

#heartbeat_interval: 1m

# ----------------------------------------------------------------------
# | Heartbeat Tolerance |
# ----------------------------------------------------------------------

# This setting defines the maximum duration to wait for a heartbeat
# response from the server before reconnecting the agent tunnel session.
#
# Accepts a duration (e.g., 10s, 1m). The default value is `15s`.

#heartbeat_tolerance: 5s

# ----------------------------------------------------------------------
# | Inspect DB Size |
# ----------------------------------------------------------------------

# This is the upper limit in bytes on memory to allocate when saving
# requests over HTTP tunnels for inspection and reply.
#
# Accepts a numeric value. The default is `0`, equivalent to 50MB.
#
# (!) To disable inspection for all tunnels, set the value to `-1`.

#inspect_db_size: 104857600 # 100mb

# ----------------------------------------------------------------------
# | Log Level |
# ----------------------------------------------------------------------

# Sets the log detail level. Higher verbosity with each level.
#
# Allowed values:
# crit - Critical issues.
# warn - Warnings.
# error - Errors.
# info - Informational messages.
# debug - Detailed debugging info.

#log_level: info

# ----------------------------------------------------------------------
# | Log Format |
# ----------------------------------------------------------------------

# Specifies the format of log records.
#
# Allowed values:
# logfmt - Human and machine-friendly key/value pairs.
# json - Newline-separated JSON objects.
# term - Colored format for TTY; otherwise, same as logfmt.

#log_format: json

# ----------------------------------------------------------------------
# | Log |
# ----------------------------------------------------------------------

# This is the destination where ngrok should write the logs.
#
# Allowed values:
# stdout - write to standard out
# stderr - write to standard error
# false - disable logging
# <path> - write log records to file path on disk

#log: /var/log/ngrok.log

# ----------------------------------------------------------------------
# | Metadata |
# ----------------------------------------------------------------------

# Custom string included in the ngrok API response for identifying tunnels.
#
# Maximum 4096 characters.

#metadata: '{"serial": "00012xa-33rUtz9", "comment": "For customer alan@example.com"}'

# ----------------------------------------------------------------------
# | Proxy URL |
# ----------------------------------------------------------------------

# URL of an HTTP or SOCKS5 proxy for tunnel connections.
#
# (!) ngrok will also respect the `http_proxy` and `http_proxy_env`
# environment variables.

#proxy_url: socks5://localhost:9150

# ----------------------------------------------------------------------
# | Remote Management |
# ----------------------------------------------------------------------

# Allows remote management of the ngrok agent (stop, restart, update) via
# the ngrok API or Dashboard.
#
# Defaults to `true`.

#remote_management: false

# ----------------------------------------------------------------------
# | Root CAs |
# ----------------------------------------------------------------------

# Root certificate authorities used to validate TLS connections to the
# ngrok server.
#
# Allowed values:
# trusted - Use only the trusted certificate root for ngrok.com.
# host - Use the root certificates trusted by the host's OS (useful for MITM proxies with DPI).
# <path> - Path to a PEM file with additional trusted certificate authorities.

#root_cas: trusted

# ----------------------------------------------------------------------
# | Server Address |
# ----------------------------------------------------------------------

# This is the URL of the ngrok server to connect to.
#
# (!) You should only set this value if you are using a Custom Agent
# Ingress URL.
#
# https://ngrok.com/docs/agent/ingress/#customize-agent-ingress-address

#server_addr: tunnel.us.ingress.example.com:443

# ----------------------------------------------------------------------
# | Update Channel |
# ----------------------------------------------------------------------

# Determines the stability of builds for updates.
#
# (!) Use `stable` for any production deployments.
#
# Allowed values:
# stable - (Default) Production-ready builds.
# unstable - Nightly builds; may be unstable. Not for production.
# beta - Beta builds; may be unstable. Not for production.

#update_channel: stable

# ----------------------------------------------------------------------
# | Update Check |
# ----------------------------------------------------------------------

# Controls whether the ngrok agent checks for updates.
#
# Defaults to true.

#update_check: false

# ----------------------------------------------------------------------
# | Version (required) |
# ----------------------------------------------------------------------

# Specifies the version of the config file to use.

version: 2

# ----------------------------------------------------------------------
# | Web Address |
# ----------------------------------------------------------------------

# Network address to bind for the local agent web interface and API.
#
# https://ngrok.com/docs/agent/web-inspection-interface/
# https://ngrok.com/docs/agent/api/

#web_addr: localhost:4040

# ----------------------------------------------------------------------
# | Web Allow Hosts |
# ----------------------------------------------------------------------

# List of allowed Host headers for requests to the local agent web
# interface and API. The port is stripped from the Host header before
# matching.
#
# Allowed formats:
# 8.8.8.8 - Matches exact IP in Host header (e.g., 8.8.8.8).
# 1:2:3:4:5:6:7:8 - Matches exact IPv6 in Host header.
# 10.0.0.0/8 - Matches any IP within a CIDR range.
# example.com - Matches exact hostname.
# .example.com - Matches subdomains (e.g., sub.example.com).
#
# The default only allows localhost-like Hosts (localhost, 127.0.0.1,
# ::1, etc.).

#web_allow_hosts:
# - 8.8.8.8
# - example.com

# ######################################################################
# # Tunnels Configuration #
# ######################################################################

# Define individual tunnels and their configurations.
#
# Each entry under 'tunnels' represents a named tunnel that can be
# started using the 'ngrok start' command:
# https://ngrok.com/docs/agent/cli/#ngrok-start
#
# To start all tunnels at once, use:
# ngrok start --all
#
# List of common configuration fields:
# https://ngrok.com/docs/agent/config/#common-tunnel-configuration-properties
#
# List of HTTP configuration fields:
# https://ngrok.com/docs/agent/config/#http-configuration
#
# List of TCP configuration fields:
# https://ngrok.com/docs/agent/config/#tcp-configuration
#
# List of TLS tunnel configuration fields:
# https://ngrok.com/docs/agent/config/#tls-configuration
#
# List of Labeled tunnel configuration fields:
# https://ngrok.com/docs/agent/config/#labeled-tunnel-configuration

tunnels:

# --------------------------------------------------------------------
# | Basic Tunnel Example |
# --------------------------------------------------------------------

# Tunnel configuration for a website protected by basic authentication
# with a custom host header.
#
# Start with after uncommenting:
# ngrok start example-website

# example-website:
# addr: 8888
# basic_auth:
# - "bob:bobpassword"
# schemes:
# - https
# host_header: "myapp.ngrok.dev"
# inspect: false
# proto: http
# domain: myapp.ngrok.dev

# --------------------------------------------------------------------
# | End-to-End TLS Tunnel |
# --------------------------------------------------------------------

# Tunnel configuration for end-to-end TLS connections.
#
# Start with after uncommenting:
# ngrok start example-e2e-tls

# example-e2e-tls:
# addr: 9000
# proto: tls
# domain: myapp.example.com
# crt: example.crt
# key: example.key

# --------------------------------------------------------------------
# | Tunnel with Traffic Policy |
# --------------------------------------------------------------------

# Tunnel with a Traffic Policy.
#
# Start with after uncommenting:
# ngrok start example-traffic-policy
#
# More info:
# https://ngrok.com/docs/http/traffic-policy/
# https://ngrok.com/docs/tls/traffic-policy/
# https://ngrok.com/docs/tcp/traffic-policy/

# example-traffic-policy:
# traffic_policy:
# inbound:
# - name: LimitIPs
# expressions:
# - "conn.client_ip != '1.1.1.1'" # Example rule to deny specific IPs.
# actions:
# - type: deny
# addr: 8000
# proto: tcp

# --------------------------------------------------------------------
# | SSH Access Tunnel |
# --------------------------------------------------------------------

# Tunnel for SSH access.
#
# Start with:
# ngrok start example-ssh-access

# example-ssh-access:
# addr: 22
# proto: tcp
# remote_addr: 1.tcp.ngrok.io:12345

# --------------------------------------------------------------------
# | Load-Balanced Website Tunnel (Edges) |
# --------------------------------------------------------------------

# Tunnel with load balancing based on labels.
#
# If you uncomment this, you can start this tunnel by running:
#
# ngrok start example-load-balanced-edge

# example-load-balanced-edge:
# labels:
# - env=prod
# - team=infra
# addr: 8000

Tunnel configurations

The most common use of the configuration file is to define tunnel configurations. Defining tunnel configurations is useful because you may then start pre-configured tunnels by name from your command line without remembering all of the right arguments every time. You may also use this method to start as many tunnels as you like from a single ngrok agent.

Tunnels are defined as mapping of name -> configuration under the tunnels property in your configuration file.

Define two tunnels named 'httpbin' and 'demo'
tunnels:
httpbin:
proto: http
addr: 8000
domain: alan-httpbin.ngrok.dev
demo:
proto: http
addr: 9090
domain: demo.inconshreveable.com
inspect: false
Start the tunnel named 'httpbin'
ngrok start httpbin

Each tunnel you define is a map of configuration option names to values. The name of a configuration option is usually the same as its corresponding command line switch with hyphens (--host-header becomes host_header: in the configuration file and --url becomes url). Tunnels can define a specific proto or use labels to dynamically connect to one or more matching ngrok Edges. All tunnels must define a specific addr that tells the agent where to send the traffic. Other properties are available and many are protocol-specific.

Start all tunnels defined in the configuration file
ngrok start --all

You can configure a single ngrok agent to tunnel to multiple services within a single agent session.

Common Tunnel Configuration Properties
addrrequiredforward traffic to this local port number or network address. This can be just a port
metadataOptionalarbitrary user-defined metadata that will appear in the ngrok service API when listing tunnel sessions

HTTP Configuration

basic_authArray of username:password StringsThis is a list of username:password combinations to use for basic authenticate. Passwords must be at least 8 characters long.
circuit_breakerFloatReject requests when 5XX responses exceed this ratio
compressiontrue, falsegzip compress HTTP responses from your web service
host_headerrewrite, preserve, customRewrite the HTTP Host header to this value, or preserve to leave it unchanged. The rewrite option will rewrite the host header to match the hostname of the upstream service you are sending traffic to.
domainAny valid domain or hostname that you have previously registered with ngrok.The domain to request. If using a custom domain, this requires registering in the ngrok dashboard and setting a DNS CNAME value. When using wildcard domains you will need to surround the value with single quotes (domain: '*.example.com').
inspecttrue, falseenable/disable the http request inspection in the web and agent API (default: true)
ip_restriction.allow_cidrsArray of CIDRsRejects connections that do not match the given CIDRs
ip_restriction.deny_cidrsArray of CIDRsRejects connections that match the given CIDRs and allows all other CIDRs.
mutual_tls_casValid system pathThe path to the TLS certificate authority to verify client certs in mutual TLS
oauth.allow_domainsArray of StringsAllow only OAuth2 users with these email domains
oauth.allow_emailsArray of StringsAllow only OAuth users with these emails
oauth.oauth_scopesArray of StringsRequest these OAuth2 scopes when a user authenticates
oauth.providerStringenforce authentication OAuth2 provider on the endpoint, e.g. 'google'. For a lit of available providers, see OAuth2 providers.
policy.inbound.nameStringpolicy has been renamed to traffic_policy in agent version 3.14.0.
policy.inbound.expressionsArray of Stringspolicy has been renamed to traffic_policy in agent version 3.14.0.
policy.inbound.actions.typeStringpolicy has been renamed to traffic_policy in agent version 3.14.0.
policy.inbound.actions.configcustompolicy has been renamed to traffic_policy in agent version 3.14.0.
policy.outbound.nameStringpolicy has been renamed to traffic_policy in agent version 3.14.0.
policy.outbound.expressionsArray of Stringspolicy has been renamed to traffic_policy in agent version 3.14.0.
policy.outbound.actions.typeStringpolicy has been renamed to traffic_policy in agent version 3.14.0.
policy.outbound.actions.configcustompolicy has been renamed to traffic_policy in agent version 3.14.0.
protohttpThe tunnel protocol name. This defines the type of tunnel you would like to start.
proxy_protoStringThe version of PROXY protocol to use with this tunnel, empty if not using. Example values are 1 or 2.
request_header.addArray of key:value StringsThe headers to add to the request in the key:value format.
request_header.removeArray of StringsThe header keys to remove from the request.
response_header.addArray of StringsThe headers to add to the response in the key:value format.
response_header.removeArray of StringsThe header keys to remove from the response.
schemeshttp, httpsCreate an HTTP or HTTPS endpoint (or both)
subdomainAny valid combination of letters, numbers, hyphens or periods.subdomain name to request. If unspecified, ngrok provides a unique subdomain based on your account type.
traffic_policy.inbound.nameStringThe name of an inbound rule that is part of a traffic policy
traffic_policy.inbound.expressionsArray of StringsExpressions written using CEL that filter traffic the inbound policy rule applies to
traffic_policy.inbound.actions.typeStringThe type of action that should be executed when this inbound policy rule is activated
traffic_policy.inbound.actions.configcustomThe configuration required for the specific type of action specified
traffic_policy.outbound.nameStringThe name of an outbound rule that is part of a traffic policy
traffic_policy.outbound.expressionsArray of StringsExpressions written using CEL that filter traffic the outbound policy rule applies to
traffic_policy.outbound.actions.typeStringThe type of action that should be executed when this outbound policy rule is activated
traffic_policy.outbound.actions.configcustomThe configuration required for the specific type of action specified
user_agent_filter.allowArray of StringsAllows User-Agents that match against these RE2 Regular Expressions
user_agent_filter.denyArray of StringsDenies User-Agents that match against these RE2 Regular Expressions
verify_webhook.providerStringVerify webhooks are signed by this provider, e.g. 'slack'. For a full list of providers, see Webhook Verification Providers.
verify_webhook.secretStringThe secret used by provider to sign webhooks, if there is one
websocket_tcp_convertertrue, falseConvert ingress websocket connections to TCP upstream

TCP Configuration

ip_restriction.allow_cidrsArray of CIDRsRejects connections that do not match the given CIDRs
ip_restriction.deny_cidrsArray of CIDRsRejects connections that match the given CIDRs and allows all other CIDRs.
policy.inbound.nameStringpolicy has been renamed to traffic_policy in agent version 3.14.0.
policy.inbound.expressionsArray of Stringspolicy has been renamed to traffic_policy in agent version 3.14.0.
policy.inbound.actions.typeStringpolicy has been renamed to traffic_policy in agent version 3.14.0.
policy.inbound.actions.configcustompolicy has been renamed to traffic_policy in agent version 3.14.0.
policy.outbound.nameStringpolicy has been renamed to traffic_policy in agent version 3.14.0.
policy.outbound.expressionsArray of Stringspolicy has been renamed to traffic_policy in agent version 3.14.0.
policy.outbound.actions.typeStringpolicy has been renamed to traffic_policy in agent version 3.14.0.
policy.outbound.actions.configcustompolicy has been renamed to traffic_policy in agent version 3.14.0.
prototcpThe tunnel protocol name. This defines the type of tunnel you would like to start.
proxy_protoStringThe version of PROXY protocol to use with this tunnel, empty if not using. Example values are 1 or 2.
remote_addrA valid TCP address from ngrokbind the remote TCP address and port. These addresses can be reserved in the ngrok dashboard to use across sessions. For example: remote_addr: 2.tcp.ngrok.io:21746
traffic_policy.inbound.nameStringThe name of an inbound rule that is part of a traffic policy
traffic_policy.inbound.expressionsArray of StringsExpressions written using CEL that filter traffic the inbound policy rule applies to
traffic_policy.inbound.actions.typeStringThe type of action that should be executed when this inbound policy rule is activated
traffic_policy.inbound.actions.configcustomThe configuration required for the specific type of action specified
traffic_policy.outbound.nameStringThe name of an outbound rule that is part of a traffic policy
traffic_policy.outbound.expressionsArray of StringsExpressions written using CEL that filter traffic the outbound policy rule applies to
traffic_policy.outbound.actions.typeStringThe type of action that should be executed when this outbound policy rule is activated
traffic_policy.outbound.actions.configcustomThe configuration required for the specific type of action specified

TLS Configuration

mutual_tls_casValid system pathThe path to the TLS certificate authority to verify client certs for mutual TLS. You will also need to specify key and crt to enable mutual TLS.
crtValid system pathPEM TLS certificate at this path to terminate TLS traffic before forwarding locally. Requires --key to also be specified.
domainAny valid domain or hostname that you have previously registered with ngrok.The domain to request. If using a custom domain, this requires registering in the ngrok Dashboard and setting a DNS CNAME value. When using wildcard domains you will need to surround the value with single quotes (domain: '*.example.com').
ip_restriction.allow_cidrsArray of CIDRsRejects connections that do not match the given CIDRs
ip_restriction.deny_cidrsArray of CIDRsRejects connections that match the given CIDRs and allows all other CIDRs.
keyValid system pathPEM TLS private key at this path to terminate TLS traffic before forwarding locally. Requires --crt to also be specified.
policy.inbound.nameStringpolicy has been renamed to traffic_policy in agent version 3.14.0.
policy.inbound.expressionsArray of Stringspolicy has been renamed to traffic_policy in agent version 3.14.0.
policy.inbound.actions.typeStringpolicy has been renamed to traffic_policy in agent version 3.14.0.
policy.inbound.actions.configcustompolicy has been renamed to traffic_policy in agent version 3.14.0.
policy.outbound.nameStringpolicy has been renamed to traffic_policy in agent version 3.14.0.
policy.outbound.expressionsArray of Stringspolicy has been renamed to traffic_policy in agent version 3.14.0.
policy.outbound.actions.typeStringpolicy has been renamed to traffic_policy in agent version 3.14.0.
policy.outbound.actions.configcustompolicy has been renamed to traffic_policy in agent version 3.14.0.
prototlsThe tunnel protocol name. This defines the type of tunnel you would like to start.
proxy_protoStringThe version of PROXY protocol to use with this tunnel, empty if not using. Example values are 1 or 2.
subdomainAny valid combination of letters, numbers, hyphens or periods.subdomain name to request. If unspecified, ngrok provides a unique subdomain based on your account type.
terminate_atedge, agent, or upstreamTerminate at ngrok edge, agent, or upstream. Defaults to upstream unless --crt or --key are present, in which case edge is the default.
traffic_policy.inbound.nameStringThe name of an inbound rule that is part of a traffic policy
traffic_policy.inbound.expressionsArray of StringsExpressions written using CEL that filter traffic the inbound policy rule applies to
traffic_policy.inbound.actions.typeStringThe type of action that should be executed when this inbound policy rule is activated
traffic_policy.inbound.actions.configcustomThe configuration required for the specific type of action specified
traffic_policy.outbound.nameStringThe name of an outbound rule that is part of a traffic policy
traffic_policy.outbound.expressionsArray of StringsExpressions written using CEL that filter traffic the outbound policy rule applies to
traffic_policy.outbound.actions.typeStringThe type of action that should be executed when this outbound policy rule is activated
traffic_policy.outbound.actions.configcustomThe configuration required for the specific type of action specified

Labeled Tunnel Configuration

crtValid system pathThe path to a TLS certificate when doing TLS termination at the agent.
inspecttrue, falseenable/disable the http request inspection in the web and agent API (default: true)
keyValid system pathThe path to a TLS key when doing TLS termination at the agent.
labelsA list of labels (name=value) that can be used to identify a tunnel to an ngrok Edge (specifically a tunnel group backend).The labels for this tunnel in the format name=value. For example: edge=edghts_2gYaK9XAVa3ANouaDEPrkeaxkYT
Define two labeled tunnels
tunnels:
my-cool-website:
labels:
- env=prod
- team=infra
addr: 8000
inspect: false
ssh-tunnel:
labels:
- hostname=my-hostname
- service=ssh
- team=development
addr: 22
tip

When you use labeled tunnels, the protocol and domain are configured by the matching edge.

tip

Edges automatically create an edge label, for example: edge=edghts_2gYaK9XAVa3ANouaDEPrkeaxkYT

Agent Configuration

The following is a list of options that can be configured at the root of your configuration file and specify the behavior of the agent.

NameDescription
api_keySpecifies the ngrok API key used to connect to the ngrok API. This is only needed when using the ngrok api command and should not be confused with the authtoken.
authtokenSpecifies the authentication token (authtoken) used to connect to the ngrok service.
connect_interfaceSet the specific network interface for ngrok to use. This is only supported on Linux platforms.
connect_timeoutHow long to wait when establishing an agent session connection to the ngrok service. The default is 10s.
console_uiEnable/disable the console UI
console_ui_colorSet the background color of the console UI
crl_noverifyDisables verifying Certificate Revocation List
dns_resolver_ipsConsult these DNS servers for tunnel session DNS resolution.
heartbeat_intervalHow often the ngrok agent should heartbeat to the ngrok servers defined as a duration. Default is 10s.
heartbeat_toleranceReconnect the agent tunnel session if the server does not respond to a heartbeat within this tolerance defined as a duration. Default is 15s.
inspect_db_sizeThe size in bytes of the upper limit on memory to allocate to save requests over HTTP tunnels for inspection and replay.
log_levelLogging level of detail. In increasing order of verbosity, possible values are: crit, warn, error, info, and debug.
log_formatFormat of written log records.
logWrite logs to this target destination.
metadataOpaque, user-supplied string that will be returned as part of the ngrok API response to the list online sessions resource for all tunnels started by this agent.
proxy_urlURL of an HTTP or SOCKS5 proxy to use for establishing the tunnel connection.
region (Deprecated)Choose the region where the ngrok agent will connect to host its tunnels.
remote_managementSet this to true to allow the ngrok agent to be remotely managed (stop, restart, update). Defaults to true.
root_casThe root certificate authorities used to validate the TLS connection to the ngrok server.
server_addrThis is the URL of the ngrok server to connect to. You should only set this if you are using a custom ingress URL.
tunnelsA map of names to tunnel definitions. See V2 agent config tunnel definitions for more details.
update_channelThe update channel determines the stability of released builds to update to. Use stable for all production deployments.
update_checkThis tells the ngrok agent if it should check for updates. Defaults to true.
versionSpecifies the version of the config file to use.
web_addrNetwork address to bind on for serving the local web interface and api.
web_allow_hostsHost headers to allow access for on the local web interface and api, can be a combination of IP's, CIDR ranges, and/or hostname suffixes.

api_key

This option specifies the API key used to access the ngrok API through the ngrok api command. This is only needed when using the ngrok API and not the local ngrok agent API (available at localhost:4040/api). You can generate an API Key in the ngrok Dashboard and install it using the ngrok config add-api-key command.

ngrok.yml specifying an API key
api_key: 24yRd5U3DestCQapJrrVHLOqiAC_7RviwRqpd3wc9dKLujQZN

authtoken

This option specifies the authentication token (sometimes called tunnel credential) used to authenticate this agent when it connects to the ngrok service. After you've created an ngrok account, your dashboard will display the authtoken assigned to your account.

Your authtoken will work on multiple machines if you are just developing. When you want to deploy many agents on many devices, you can generate a unique authtoken for each device in the ngrok Dashboard or via the ngrok api credentials command.

ngrok.yml specifying an authtoken
authtoken: 4nq9771bPxe8ctg7LKr_2ClH7Y15Zqe4bWLWF9p

connect_interface

Sets the specific network interface that the ngrok agent should use. This is only supported on Linux platforms.

connect_timeout

How long to wait when establishing an agent session connection to the ngrok service. This is specified as a duration, with the default being 10s.

console_ui

This option allows you to enable or disable the console UI that is displayed in your terminal window after starting ngrok.

trueEnable the console UI
falseDisable the console UI
ifttydefaultEnable the UI only if standard out is a TTY (not a file or pipe)

console_ui_color

The command sets the background color when displaying the console UI in the terminal. To choose a color other than black, set the value to transparent and change the background of your terminal window.

transparentDon't set a background color when displaying the console UI
blackdefaultSet the console UI's background to black

crl_noverify

This option will skip verifying with the Certificate Revocation List if set to true. This defaults to false.

dns_resolver_ips

Consult these DNS servers for tunnel session DNS resolution. By default, the ngrok agent will use the local system DNS servers to resolve.

heartbeat_interval

How often the ngrok agent should heartbeat to the ngrok servers defined as a duration. The default is 10s.

heartbeat_tolerance

Reconnect the agent tunnel session if the server does not respond to a heartbeat within this tolerance defined as a duration. The default is 15s.

inspect_db_size

This is the upper limit in bytes on memory to allocate when saving requests over HTTP tunnels for inspection and reply. The default is 0, which means 50MB.

positive integerssize in bytes of the upper limit on memory to allocate to save requests over HTTP tunnels for inspection and replay.
0defaultuse the default allocation limit, 50MB
-1disable the inspection database; this has the effective behavior of disabling inspection for all tunnels

log_level

This is the logging level of detail. In increasing order of verbosity, possible values are: crit, warn, error, info, and debug.

log_format

This is the format of written log records.

logfmthuman and machine friendly key/value pairs
jsonnewline-separated JSON objects
termdefaultcustom colored human format if standard out is a TTY, otherwise same as logfmt

log

This is the destination where ngrok should write the logs.

stdoutwrite to standard out
stderrwrite to standard error
falsedefaultdisable logging
other valueswrite log records to file path on disk
log: /var/log/ngrok.log

metadata

This is a user-supplied custom string that will be returned as part of the ngrok API response to the list online sessions resource for all tunnels started by this agent. This is a useful mechanism to identify tunnels by your own device or customer identifier. Maximum 4096 characters.

metadata: bad8c1c0-8fce-11e4-b4a9-0800200c9a66

proxy_url

This is the URL of an HTTP or SOCKS5 proxy to use for establishing the tunnel connection. Many HTTP proxies have connection size and duration limits that will cause ngrok to fail. Like many other networking tools, ngrok will also respect the environment variable http_proxy and http_proxy_env if it is set.

region

Deprecated This is the region where the ngrok agent will connect to. You can only choose one region per agent session. Choosing the region closest to you usually improves latency and performance. By default, the ngrok agent attempts to choose the best region for you.

Region CodeRegion Name
apAsia/Pacific (Singapore)
auAustralia (Sydney)
euEurope (Frankfurt)
inIndia (Mumbai)
jpJapan (Tokyo)
saSouth America (São Paulo)
usUnited States (Ohio)
us-cal-1United States (California)

remote_management

Set this to true to allow the ngrok agent to be remotely managed (stop, restart, update) via the ngrok API or the ngrok Dashboard. Defaults to true.

root_cas

This is the root certificate authorities used to validate the TLS connection to the ngrok server.

trusteddefaultuse only the trusted certificate root for the ngrok.com tunnel service
hostuse the root certificates trusted by the host's operating system. This is helpful for working with machine-in-the-middle (MITM) proxies doing deep packet inspection (DPI).
other valuespath to a certificate PEM file on disk with certificate authorities to trust

server_addr

This is the URL of the ngrok server to connect to. You should set this if you are using a custom ingress URL.

tunnels

This is a map of names to tunnel definitions. See tunnel definitions for more details.

update_channel

The update channel determines the stability of released builds to update to. Use 'stable' for all production deployments.

stabledefaultThese are builds that are ready to be used in production.
unstableupdate to new nightly builds when available which could be broken. This should not be used in production.
betaupdate to new beta builds when available which could be broken. This should not be used in production.

update_check

This tells the ngrok agent if it should check for updates. Defaults to true.

version

Specifies the version of the config file to use.

web_addr

This is the network address to bind on for serving the local agent web interface and API.

Network addressBind to this network address
127.0.0.1:4040defaultdefault network address
falsedisable the web UI

web_allow_hosts

These are a list of specifiers for what Host headers will be allowed to make requests agains the local agent web interface and API. Any port is stripped off the Host header before matching is performed.

Allow stringExample Host headers that would match
defaultrequests to localhost-bound web interface or API endpoints are checked to have a localhost-like Host (localhost, 127.0.0.1, ::1, etc.)
8.8.8.8an IP matches Host header (8.8.8.8)
1:2:3:4:5:6:7:8an IPv6 matches Host header (1:2:3:4:5:6:7:8)
10.0.0.0/8a CIDR range matches a Host header that is an IP address in that range (10.0.0.1 or 10.1.2.3)
1:2:3:4:5:6:7:8/16a CIDR range matches a Host header that is an IPv6 address in that range (1:2:3:4:5:6:7:0)
example.coma hostname without preceding period will match Host header exactly (example.com)
.example.coma hostname with a preceding period Host header suffix (sub.example.com or foo.example.com)
Allow an IP address and a Domain as Host headers
web_allow_hosts:
- 8.8.8.8
- example.com