
How does ngrok work behind a firewall?

Ngrok (https://ngrok.com/) is supposed to allow you to expose local ports and services to the world wide web through forwarding. But if I open port 80 on my local machine like this:

ngrok 80

and I get back:

Tunnel Status                 online
Version                       1.3/1.3
Forwarding                    http://3a4bfceb.ngrok.com -> 127.0.0.1:80
Forwarding                    https://3a4bfceb.ngrok.com -> 127.0.0.1:80
Web Interface                 http://127.0.0.1:4040
# Conn                        0
Avg Conn Time                 0.00ms

I understand that any requests to http://3a4bfceb.ngrok.com will go to my local machine on port 80 but what if I am sitting behind a NAT/Firewall that's blocking incoming traffic (a very common scenario). Does ngrok initiate polling requests to determine when data has been received?

asolberg asked Apr 30 '14 18:04




1 Answer

Because an ngrok tunnel is always initiated on the client-side first, this is how it can negotiate a secure channel with the server. It's a really slick solution to getting around conventional firewall configurations.

This is internally accomplished by the client opening up a single long-lived TCP connection where many logical sockets are created within one physical socket connection. This technique is called stream multiplexing. With this setup in place there is no need for any kind of polling because the client and server still have fully bi-directional communication in place.

The client and server then stay alive with a heartbeat mechanism that makes sure the connection is open and working appropriately and will even reconnect upon error or a lost/closed connection.

See this for more information: Developer Guide on github.com

Ralph Caraveo answered Oct 09 '22 06:10
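The mechanism described in the answer above, as an added example that is not part of the original answer or of ngrok's code: a relay that only listens, a client that only dials out, and two logical streams pushed to the client over that single TCP connection without polling. The 8-byte frame header, the 64 KiB frame limit, the function names and the sample requests are assumptions made for illustration, not ngrok's wire format.

```python
# Added example: stream multiplexing over one client-initiated TCP connection.
import socket
import struct
import threading

HEADER = struct.Struct("!II")  # assumed frame header: stream id, payload length
MAX_FRAME = 65536              # assumed cap on peer-supplied lengths
# Constructed sample: two visitors' requests, interleaved by stream id.
FRAMES = [(1, b"GET /a "), (2, b"GET /b "), (1, b"HTTP/1.1"), (2, b"HTTP/1.1")]

def send_frame(sock, stream_id, payload):
    sock.sendall(HEADER.pack(stream_id, len(payload)) + payload)

def read_exact(sock, n):
    buf = b""
    while len(buf) < n and (chunk := sock.recv(n - len(buf))):
        buf += chunk
    return buf  # shorter than n only if the peer closed the connection

def demux(sock):
    """Reassemble each logical stream from frames until the peer closes."""
    streams = {}
    while True:
        hdr = read_exact(sock, HEADER.size)
        if not hdr:
            return streams  # clean close on a frame boundary
        if len(hdr) < HEADER.size:
            raise ConnectionError("truncated frame header")
        stream_id, length = HEADER.unpack(hdr)
        if length > MAX_FRAME:
            raise ValueError("frame exceeds MAX_FRAME")
        payload = read_exact(sock, length)
        if len(payload) < length:
            raise ConnectionError("truncated frame payload")
        streams[stream_id] = streams.get(stream_id, b"") + payload

def run_demo():
    """The relay only listens; the client behind NAT dials out and gets both streams."""
    with socket.create_server(("127.0.0.1", 0)) as relay:
        def relay_side():  # pushes visitor data down the already-open tunnel
            conn, _ = relay.accept()
            with conn:
                for sid, part in FRAMES:
                    send_frame(conn, sid, part)
        threading.Thread(target=relay_side).start()
        with socket.create_connection(relay.getsockname()) as tunnel:  # outbound only
            return demux(tunnel)

if __name__ == "__main__":
    print(run_demo())
```

From the firewall's point of view this is one long-lived outbound connection, so egress filtering and flow logs for long-lived outbound sessions are where it can be observed or blocked; inbound rules never see it.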