
Ngrok: Secure tunnels to localhost - pvsukale3
https://ngrok.com/
======
Lazare
A lot of people seem to be a bit confused about the point of ngrok, why it's
useful, how much it costs, etc. Let me try and help out. :)

For me, the killer feature for ngrok is testing/developing webhooks. You
install ngrok in your dev environment, start it up, then point the
stripe/slack/whatever webhook you're working on at the generated URL.

ngrok will 1) proxy that request through to your dev environment 2) log the
request 3) log the response 4) let you replay previous requests. It could not
be more helpful for developing webhook handlers, and has literally saved me
_hours_ of work in the last couple of months alone.

Finally, the free tier is all you need for that; it gives you a unique ngrok
subdomain which changes every time you start the tunnel and some (generous)
usage caps, both of which are fine for this usage.

People pointing out the potential security issues are correct, but that's an
argument to be careful and think about what you're doing. Besides, what's your
proposed alternative? Because most of the obvious ones have equally troubling
issues.

~~~
planetix
> Besides, what's your proposed alternative?

Set up a proper development environment that mirrors the production
environment?

~~~
nevi-me
If you don't have a static IP that's internet-accessible, and that which you
can arbitrarily point your domain to, how would you go about doing this?

Some, if not most, services won't allow you to redirect cold to an IP address,
they want some domain of sorts. There are alternatives, but I think "setup a
proper dev environment" alone misses the point of what ngrok does.

The 'easiest' alternative I've tried before was to VPN into my Linux box to
get a static internal IP, use a spare domain for the webhook then internally
redirect the webhook traffic to my local machine. In the end I'm achieving
what ngrok is doing (and none of it involves setting up a proper dev
environment, cos I would already have one anyways), but I'd like to hear of
better alternatives :)

~~~
avh02
i tend to fire up reverse port forwarding with ssh + special subdomain + ask
nginx to proxy to the reverse-forwarded port on that special subdomain to
resolve this, obviously you'd still need a static and public ip somewhere, but
any ssh-accessible host will now do.

it's a bit of setup, but works quite well once set. does _not_ provide the
features ngrok does of replay, etc, but at least it's 100% your own
infrastructure.

edit: to clarify: no reason why it should be a special subdomain, i just use
beta.mywebsite.com, just something that belongs to you and is globally dns
resolvable, could be mytestdomain.com for your use. you can skip nginx if you
don't mind binding to port 80 directly (i.e: no webserver already exists on
that machine)
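
[Added example, not part of avh02's comment or of any project in this thread.] The reverse-forward-plus-nginx setup described above, sketched in shell: it builds the `ssh -R` command and the nginx vhost, and reads an sshd_config to see whether the forwarded port stays on loopback. `dev@vps.example` and ports 9000/3000 are assumed values; `beta.mywebsite.com` is the name used in the comment.

```shell
#!/bin/sh
# Added example; assumed values: dev@vps.example, remote port 9000,
# local dev server on port 3000.

is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Effective global GatewayPorts from sshd_config text on stdin.
# sshd keeps the first value given for a keyword, matches keywords
# case-insensitively and defaults to "no" (remote forwards bind to loopback).
# With "yes" the forwarded port listens on every interface, so the dev
# server is reachable directly and not only through nginx.
# Match blocks are not evaluated here.
gateway_ports() {
    awk '
        /^[ \t]*#/ { next }
        { sub(/=/, " ") }                      # accept the Keyword=value form
        tolower($1) == "match" { exit }
        tolower($1) == "gatewayports" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }
    '
}

# usage: tunnel_cmd user@host remote_port local_port
# Asks for a loopback bind on the server; exits if the port cannot be bound.
tunnel_cmd() {
    case "$1" in ''|-*) return 1 ;; esac       # no empty host, no option injection
    is_port "$2" && is_port "$3" || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R 127.0.0.1:%s:127.0.0.1:%s %s\n' \
        "$2" "$3" "$1"
}

# usage: nginx_vhost server_name remote_port
nginx_vhost() {
    case "$1" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac   # hostname characters only
    is_port "$2" || return 1
    cat <<EOF
server {
    listen 80;
    server_name $1;
    location / {
        proxy_pass http://127.0.0.1:$2;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Stand-alone run with a constructed sshd_config and the assumed values.
printf 'Port 22\n#GatewayPorts yes\n' | gateway_ports
tunnel_cmd dev@vps.example 9000 3000
nginx_vhost beta.mywebsite.com 9000
```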

~~~
vkjv
I do exactly this. I also have it set up with let's encrypt so that the
Webhooks are encrypted.

Locally, I also mirror the LE keys and add a hosts file entry for the test
domain to localhost.

This means I can test locally with proper ssl certs.

~~~
avh02
+1 original reason i did it was so i can have the LE cert to test a slack bot
i was developing (they require webhooks have SSL to do that)

------
tmp98112
Makes me sad to see all the negativeness towards this service, which clearly
works and serves a need some people have.

Yes, there are alternatives, but I hate when people jump to dismiss a service
like this, without fully considering what issues the proposed alternatives
have. Obviously it is ok to mention the alternative options, but that can be
made in a constructive way.

Let's celebrate the fact that somebody has built and released something and
even seems to have a business model to support it. Instead of complaining
about 5-20 bucks per month, try to figure out how you could channel some of
your corporate multimillion IT budget to this fellow hacker. Wouldn't it be
great if building and running this kind of small solutions would be actually a
viable way of making a living?

------
packetized
Literally the most terrifying service for any security-minded operations-
focused person. Wonderful tool, interesting and useful in a dizzying array of
aspects - but dear lord, I've had some real horrific moments when users told
me that they installed it to allow access to their (private) repos for
testing.
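
[Added example, not part of packetized's comment.] One way an operations team can see this kind of use on its own network: flag resolver lookups for the tunnel domains named in this thread. The log lines are constructed in dnsmasq's `query[...] name from client` style, and the suffix list is an assumption to extend for your environment.

```shell
#!/bin/sh
# Added example. Suffixes are only the tunnel domains mentioned in this thread.
TUNNEL_SUFFIXES="ngrok.io ngrok.com localhost.run"

# Constructed sample: dnsmasq-style query log lines.
sample_log() {
    cat <<'EOF'
Mar  3 10:15:01 dnsmasq[812]: query[A] 0.tcp.ngrok.io from 10.0.4.17
Mar  3 10:15:02 dnsmasq[812]: query[A] A1B2C3.ngrok.io. from 10.0.4.17
Mar  3 10:15:02 dnsmasq[812]: query[AAAA] a1b2c3.ngrok.io from 10.0.4.17
Mar  3 10:15:09 dnsmasq[812]: query[A] notngrok.io from 10.0.4.22
Mar  3 10:15:11 dnsmasq[812]: query[A] ngrok.io.evil.test from 10.0.4.22
Mar  3 10:16:40 dnsmasq[812]: query[A] localhost.run from 10.0.4.30
Mar  3 10:16:41 dnsmasq[812]: reply localhost.run is 192.0.2.10
EOF
}

# Reads log lines on stdin; prints "client name kind" once per client/name pair.
# kind: tcp (N.tcp.ngrok.io), apex (the listed domain itself) or subdomain.
flag_tunnel_queries() {
    awk -v suffixes="$TUNNEL_SUFFIXES" '
        BEGIN { n = split(suffixes, suf, " ") }
        {
            name = ""; client = ""
            for (i = 1; i < NF; i++) {
                if ($i ~ /^query\[/) name = tolower($(i + 1))
                if ($i == "from")    client = $(i + 1)
            }
            sub(/\.$/, "", name)               # drop the root dot of an FQDN
            if (name == "" || client == "") next
            for (j = 1; j <= n; j++) {
                s = suf[j]
                # Match on a label boundary, so "notngrok.io" and
                # "ngrok.io.evil.test" are not flagged.
                tail = substr(name, length(name) - length(s))
                if (name == s || (length(name) > length(s) && tail == "." s)) {
                    kind = (name == s) ? "apex" : \
                           (name ~ /^[0-9]+\.tcp\.ngrok\.io$/) ? "tcp" : "subdomain"
                    if (!seen[client SUBSEP name]++) print client, name, kind
                    next
                }
            }
        }'
}

# Stand-alone run over the constructed sample.
sample_log | flag_tunnel_queries
```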

~~~
ageofwant
If your users have to resort to this they are not getting the appropriate
support they need.

If your users are productive, chances are so is the company that pays both
your salaries. If your users have to fight their infrastructure people to get
their jobs done, your company will fail to effectively compete against those
companies that don't.

It astounds me that so few security people understand what their purpose is:
Your purpose is to assist the company you work for to keep on existing, and
even make a profit. If you disempower those that are most effective in helping
the company do what it does you're effectively destroying your own livelihood,
and everyone else that is dependent on it.

~~~
DonbunEf7
Uh, no. The purpose of a security team is to prevent data from being
exfiltrated from the company's control. Passwords, PII, HIPAA/other-
compliance-controlled stuff, source code, etc. are all at risk of being stolen
at all times, which means that security is a game of constant vigilance. And
since everybody has at least a bit of this data under their control, this
means that everybody is involved with security. (At least two of my past
employers have had the motto, "Everybody is on the security team.")

Productivity means nothing in the face of data exfiltration. You only have to
fail once at guarding a password in order to be completely compromised. If we
seem tightly wound, it's because we have fully internalized and grok the
stakes of our efforts and the entailment of failure.

"Our infrastructure sucked, so I used an insecure tool to leak our credentials
to third parties, because I couldn't be productive otherwise!" is not really a
valid excuse in this light, since there's no amount of productivity which
offsets data exfiltration.

~~~
dsr_
You're both right.

If the dev team needs something like ngrok, the security team has failed to
provide proper tools.

If the dev team goes ahead and uses ngrok without consulting the security
team, the dev team has likely committed an awful security breach.

The dev team and the security team need to think of each other as being on the
same team, and talk to each other every day about what they want and need.

~~~
icedchai
Pretty sure a lot of people using this don't even have a "security team." They
likely have corporate IT that takes 2 weeks to add a DNS entry. Something
complex like mapping a public IP to a dev server would take an act of $DEITY.

~~~
philsnow
so register a new domain and set it up in route53? is there some corporate law
that says you can't?

just don't use your company's name in the domain name, make it something
obscure.

~~~
icedchai
Agreed. I personally don't have this problem. I have all my externally
accessible dev servers on AWS. However, others are not so lucky.

------
inconshreveable
Hiya there folks - I'm the creator of ngrok, happy to answer any questions

~~~
Arcsech
How does this compare to
[https://localtunnel.github.io/www/](https://localtunnel.github.io/www/) ?

~~~
notgood
I stopped using ngrok because after opening the tunneled URL a few times it
started saying "too many HTTP requests" on a Wordpress project. It is common
for those to have many images/scripts/styles so throttling by number of
requests makes ngrok unusable, now a happy localtunnel user.

~~~
clouddrover
ngrok has connection limits, but not request limits. Perhaps your server
wasn't using keep-alive connections? It's mentioned in the pricing FAQ (scroll
down a bit from this link):

[https://ngrok.com/product#pricing](https://ngrok.com/product#pricing)

~~~
notgood
Yeah my bad, it probably says "connections limit", I don't have time to figure
out my way around it; other devs may do though. I just want to fire it up and
start working.

------
yeldarb
Happy paying ngrok user here.

Love it for developing anything using webhooks and also hybrid mobile apps (I
have my app pull the JS from the Dev box I'm working on via ngrok without
having to rebuild the app or deploy the code anywhere).

It significantly speeds up my workflow!

~~~
tomashertus
I'm surprised that ngrok is something new for HN community.

Anyway, happy customer here! Recommending this product whenever I go:) It has
become an essential part of my workflow.

------
jeremejevs
Nice tool, but without committing for annual billing (which I don't intend to
do, not for the first year of usage) it's $10 a month. My internet connection,
my mobile plan, my Photoshop & Lightroom subscription, a huge collection of
music (Spotify), 3K~5K movies and TV shows (Netflix), etc., all cost
approximately the same. I mean, sure, $120 a year is pocket change for
somebody using Ngrok professionally, but that's still super disproportional,
compared to, say, a monster of a piece of software like Photoshop. I'd probably
subscribe for $2, but otherwise, IMO, frp [0] on a $3 VPS [1] is better value,
with the extra benefit of being FOSS and having zero limits.

[0] [https://github.com/fatedier/frp](https://github.com/fatedier/frp)

[1] [https://www.scaleway.com/pricing](https://www.scaleway.com/pricing)

~~~
greg5green
You can use ngrok without paying, you just get weird domains like
n56897as.ngrok.com (this is off the top of my head, idk how close I got to a
real one). This works fine most of the time.

~~~
amjd
Custom subdomains are available for non-paying users too. You just need to
create a free account.

~~~
sb8244
That isn't true for ngrok2. Ngrok 1 allowed for this but has been sunset.

~~~
scotteh
It's absolutely possible. Admittedly I'm still running 2.1.18, but I just
tested it there and it still works.

[https://ngrok.com/docs#subdomain](https://ngrok.com/docs#subdomain)

edit: Just in case, I updated to 2.2.4 (newest) and it's still possible to use
custom subdomains.

~~~
conqrr
This doesn't work. I just checked.

Tunnel session failed: Only paid plans may bind custom subdomains. Failed to
bind the custom subdomain 'blahblahblah' for the account xxx

~~~
scotteh
Strange. Did you have the account back when it was still possible? They may
have grandfathered the older accounts in.

------
kyboren
PSA: if you want to provide remote access to a local service, but don't want
the potentially-terrifying security implications, use Tor Authenticated Onion
Services (AKA "HiddenServiceAuthorizeClient" [0]).

On a machine on the LAN, install Tor and set up an authenticated onion
service, and point it to the desired endpoint. In order to access the service,
clients need a manually-loaded encryption key (and Tor, of course). Without
this key, nobody will be able even to _discover_ your endpoint, let alone
actually connect to it.

[0]: [https://gitweb.torproject.org/torspec.git/tree/rend-spec.txt](https://gitweb.torproject.org/torspec.git/tree/rend-spec.txt)

~~~
sethammons
How does that work for webhook testing? They are just going to POST to a url
you give them...

------
yasn77
I prefer the implementation of [http://localhost.run](http://localhost.run)

To me it seems a lot cleaner, simply use SSH rather than download any app

~~~
GordonS
Is this free? I can't find any pricing info

~~~
thepiwo
According to the website "localhost.run is completely free to use!"

------
YPCrumble
A fantastic open-source javascript alternative is localtunnel
([https://github.com/localtunnel/localtunnel](https://github.com/localtunnel/localtunnel)).
I've used this more often than ngrok after ngrok became a paid service.

~~~
jaequery
yeah im in the same boat.

~~~
itaysk
ngrok is open source as well:
[https://github.com/inconshreveable/ngrok](https://github.com/inconshreveable/ngrok)
I've used localtunnel before but due to some misbehavior on windows (which i
can't remember anymore), switched to ngrok.

~~~
berdario
Unless you set up your own ngrok server, you cannot use ngrok1, and ngrok2 is
not open source

------
saintfiends
Their 1.x is open source:
[https://github.com/inconshreveable/ngrok](https://github.com/inconshreveable/ngrok)

This is a similar open source alternative:
[https://github.com/fatedier/frp](https://github.com/fatedier/frp)

Both written in Go.

------
bespoke_engnr
I see some people arguing that "you should use a dev/staging environment with
a public IP" instead of having ngrok tunneling traffic directly to your local
dev box.

When you're editing HTML/CSS, you don't have to run a deploy script before
checking how your markup renders. Ngrok gives people writing web services the
same convenience when dealing with requests from a 3rd party on the Net.

It is the equivalent of saving your HTML/CSS source files and instantly seeing
the changes when you reload your browser.

I just wrote a little proof-of-concept Alexa app that crawls HumbleBundle
('Bundled Goods', very much beta quality at the moment) and ngrok was
invaluable for developing it quickly.

------
pfista
Ngrok is the coolest tool I use on a pretty consistent basis. Developing
webhooks locally is usually what I use it for, and the web interface replay
capability is amazing. The creator gave a great talk on why he built it and
how it progressed over the years:
[https://www.youtube.com/watch?v=F_xNOVY96Ng](https://www.youtube.com/watch?v=F_xNOVY96Ng)

------
49531
I've used ngrok for a while now, and I love it. I used it just last night to
test out some webrtc stuff I was doing. Was able to get friends from around
the world on video chat served from localhost within seconds.

It's also super handy when building webhooks, you can use the unique URL to
test out apis without having to deploy anything. I can't rave about it enough.

------
DAddYE
A lot of negativity but I found this tool super useful when developing for
Alexa and test out my scripts. Keep it going guys!

------
xg15
The title of this submission makes it sound like a selling-fridges-to-eskimos
scam product - you need to read quite a bit to find out what it's actually
about and that it solves (or simplifies) an actual use-case.

I think a better comparison is with DynDNS services: It sets up a public host
connected to your own machine - but unlike DynDNS, the host doesn't point to
your machine's IP directly. Instead, requests are routed through a
proxy/tunnel, so your machine can be kept behind a firewall and is _only_
available through the public host.

(I figure, the proxy allows for some more neat tricks, such as restricting
ports/urls/etc or holding requests open while your machine changes IPs.)

------
yannis
For a part-time programmer Mechanical Engineer, it is such a gratifying task
to use ngrok. I first came across it a couple of years back. Great Project,
great development, open sourced and well written in go.
[https://github.com/inconshreveable/ngrok/tree/master/src/ngr...](https://github.com/inconshreveable/ngrok/tree/master/src/ngrok)

It takes two seconds to deploy an application in the evening from my kitchen
table, check it also on my mobile and the next day access it from work also
and show it to co-workers.

Call it "usability" for Engineers!

------
leesalminen
I've been on the free tier for a while and have been meaning to upgrade to
show support for such a great service. Seeing this post this morning reminded
me. Upgraded for the year!

------
nbrempel
Ngrok is one of the most valuable development tools in my toolbox.

~~~
avh02
did a spit-take when i accidentally read "deployment"

------
samcheng
It's possible to roll your own ngrok clone via SSH tunnels, a publicly-
available server somewhere, and autossh. This is basically ssh-tunnel-as-a-
service.

~~~
corv
or vpn which has better performance due to udp

------
ausjke
Never used it, what's the difference between ngrok and using DMZ with port-
forwarding? are they the same thing? What's the technical advantage other than
it is easy to use? I can port-forward easily on my router to expose
whatever port to the public, why do I need ngrok?

With a DDNS + Port-forwarding you can easily have what Ngrok provides? or am I
missing something?

~~~
hrktb
For me ngrok spares me all the talk with infra team to have the public port
exposed and the setup of a test server just for a mere 10 or 20 calls I
need to receive from some new service I am checking.

I use it to prototype webhook entry points, and only need to receive a few
calls to have a quick confirmation I receive what I expected from the docs.

Once I have enough info I can start building a more solid project and jump
through all the hoops to have it on a real server with a subdomain and a
public facing interface and all the security needed etc. I'd just hate to go
through the whole process first, only to discover the service is unusable for
my purpose, or the data I receive doesn't make any sense.

------
stevemk14ebr
3 important questions:

1) My university blocks LogMeInHamachi which is the main tool i've tried to
get around hosting behind a NAT. Will this likely be blocked too, or is it not
possible to tell without trying

2) Is there any costs associated with this. Do i ever need to pay

3) Does the person connecting to my server also require a special client or
does this appear to them as any standard connection would.

~~~
l2dy
> 2) Is there any costs associated with this. Do i ever need to pay

See [https://ngrok.com/product#pricing](https://ngrok.com/product#pricing).

~~~
an_account
Did the free option go away?

(On my phone now so I can't try it out.)

~~~
brianshaler
Below the paid options:

    
    
      Free Plan
      For quick demos and other simple tunneling needs.
      * HTTP/TCP tunnels on random URLs/ports
      * 1 online ngrok process
      * 4 tunnels per ngrok process
      * 40 connections / minute

~~~
an_account
Ah, thanks! I didn't scroll down on my phone all the way since the plans were
just getting more expensive. It's obvious now that I'm on a desktop.

------
vhost-
I really like ngrok. I use it a lot. I just really dislike how the TCP tunnels
work. With HTTP you get a unique subdomain which makes it harder for people to
just scan and connect. With TCP, it's always 0.tcp.ngrok.io, so you can just
scan that domain and connect to anything that's open.

~~~
gls2ro
I'm not currently using it (so I did not test this) but seems like you have the
option of custom TCP as I can see here
[https://ngrok.com/product#pricing](https://ngrok.com/product#pricing) for Pro
account.

~~~
mmccaff
I use the -subdomain argument for this available in the Pro version and it
works perfectly.

------
roylez
I used to use Ngrok, then I discovered ultrahook which gives me a persistent
endpoint, for free.

~~~
skrebbel
Do you know how they're able to offer it for free?

~~~
veesahni
I created UltraHook.. it only replaces ngrok for the simple "receiving
webhooks on localhost" use case.

The infrastructure is sponsored by Enchant.com

------
JohnnyConatus
Love ngrok. The ngrok npm package makes it easy to put into a local dev
startup, too.

------
joantune
I have been using this for quite a while and it's really useful. Even though I
have VPSs available, where I could make an SSH tunnel, this is simply way more
convenient, so I end up using ngrok a lot for development

------
sandGorgon
I'm a happy paid user. If I had one request, it is for a different pricing and
better management for groups of users.

People like me would like to buy 5-10 licenses and manage them centrally.

Define shared endpoints and individual endpoints, etc.

------
nejdetckenobi
long time ngrok user here. used several times to show my prototypes to the
others. It's simpler than deploying on heroku (or anywhere actually), and is
without restrictions ofc because you use your own hw.

------
stefanhuber
Use a hidden service! I manage many intranet servers over tor. You have no
problems with nat or firewalls and it is free!

Ok it is slower, but for many things like ssh it's great...

------
adamson
I've been using this for web server testing since 2012. It's probably the paid
tool that's given me the most bang for my buck in terms of hours saved

------
andkon
I love this product page so much! Great illustrations, a wonderful balance of
levity and clarity about ngrok's purpose.

------
andreiw
Cool. Where's the ARM64 linux build? That's more important than the legacy
32-bit ARM builds (i.e. ARM servers)

------
PacketPaul
How much is the paid service? You could roll your own for around $15/month
using an Amazon EC2 T2 micro instance.

~~~
ww520
Or one of the sub-$5 VPS places. Some even have $1 deal from time to time.

------
prodicus
Awesome! OT but can anyone suggest some free tools using which I can make
similar diagrams. They look pretty cool :)

------
jonthepirate
    docker run -ti -e 'PROXY_TO_ADDR=http://www.example.com/' jonthepirate/ngrok:latest

^ that expression will expose a local docker powered web server, assuming
www.example.com is the local dns name on your docker network. Enjoy.

------
stummjr
Ngrok is just awesome! A huge shout out to the developers!

------
zAy0LfpBZLC8mAC
Yet another needless cost of not switching to IPv6 already ...

~~~
jdeb
Even with IPv6 you might still have a firewall that you don't control.

~~~
zAy0LfpBZLC8mAC
Even with IPv6, you might get issued a work laptop that has software installed
to randomly delete some of your files.

Well, yeah, of course, incompetent or malicious company IT can prevent you
from being a productive developer and you may then feel the need to work
around that, that is largely orthogonal to whether the world is using IPv6 or
not.

