inconshreveable / ngrok

Introspected tunnels to localhost

Cannot serve https endpoint with valid TLS termination

orty opened this issue

Hello,

I cannot find a way to manage the https + TLS configuration. Everything that I tried ends up either with the regular certificate warning, or with an ERR_EMPTY_RESPONSE error. Here are the steps I followed:

  • created a domain on Azure my-domain.com
  • registered the domain in my paid ngrok plan, added the CNAME in Azure xxxxxxxxx.cname.eu.ngrok.io
  • created a certificate in Azure, validated it and downloaded the .pfx certificate file
  • generated .crt and passwordless .key files
  • specified my ngrok.yml as follows
authtoken: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
region: eu
update: true
tunnels:
    api:
        proto: tls
        addr: localhost:7071
        hostname: my-domain.com
        host-header: localhost:7071
        key: path/to/certificate.key
        crt: path/to/certificate.crt

On my computer, VS is serving the webservice (an Azure function) over https at https://localhost:7071

My previous configuration was working, I just wanted to get rid of the certificate warnings.

The previous one was

    api:
        proto: http
        addr: https://localhost:7071
        hostname: my-domain.com
        host-header: localhost:7071

What did I do wrong?

Hello again,

I have made some progress since my first post. Now, with the following configuration:

proto: tls
addr: localhost:49493
hostname: my-domain.com
host_header: localhost:49493
key: path/to/cert.key
crt: path/to/cert.crt

.. and the fact that I finally understood that it is not possible to create a tls tunnel pointing to a https exposed local server, I am now able to connect to some parts of my application (I run multiple projects at once).
The ASP.Net Core web app though, I am not able to use it, since I need the host_header option and it seems to be completely ignored when creating a tls tunnel.
Is that the case? If yes, is there any workaround I can rely on?

Many thanks.

@orty

> .. and the fact that I finally understood that it is not possible to create a tls tunnel pointing to a https exposed local server, I am now able to connect to some parts of my application (I run multiple projects at once).

it is, but you would need to do it in one of two ways:

Let your ASP.NET server terminate TLS by not specifying key and crt:

proto: tls
addr: localhost:49493
hostname: my-domain.com
host_header: localhost:49493

OR

Tell ngrok to re-encrypt with tls for the local hop by adding tls:// at the start of your addr

proto: tls
addr: tls://localhost:49493
hostname: my-domain.com
host_header: localhost:49493
key: path/to/cert.key
crt: path/to/cert.crt

Re your second problem with the host_header:

> The ASP.Net Core web app though, I am not able to use it, since I need the host_header option and it seems to be completely ignored when creating a tls tunnel.

This is correct, host_header is not supported on tls tunnels. you should use an http tunnel. you can solve this in one of two ways:

  1. modify your ASP.NET web app to recognize the ngrok hostname. i'm not sure what code is necessary to do this, but it is definitely possible
  2. use an https tunnel and let ngrok provision the certificate for you:
proto: http
addr: https://localhost:49493
hostname: my-domain.com
host_header: localhost:49493

then in the ngrok dashboard click on your domain on the domains page: https://dashboard.ngrok.com/endpoints/domains and choose automated certificates (you may need to enter the beta).

hope that helps!
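
The rules from the reply above, written as a small checker that reports where public TLS is terminated and flags the mismatches discussed in this thread. This is an added example, not part of the thread or of ngrok; `check_tunnel` and `local_speaks_tls` are hypothetical names, and whether the local server speaks TLS is an assumption supplied by the caller.

```python
# Added example, not ngrok code. Rules are the ones stated in this thread.
# `local_speaks_tls` is supplied by the caller: the config alone cannot tell.

def check_tunnel(tunnel, local_speaks_tls):
    """Return (who terminates public TLS, list of findings) for one tunnel dict."""
    proto = tunnel.get("proto")
    addr = str(tunnel.get("addr", ""))
    has_cert = "key" in tunnel and "crt" in tunnel
    wants_host_header = "host_header" in tunnel or "host-header" in tunnel
    findings = []

    if proto == "tls":
        if has_cert:
            terminator = "ngrok (key/crt from config)"
            reencrypts = addr.startswith("tls://")
            if local_speaks_tls and not reencrypts:
                findings.append("local hop is plaintext but server expects TLS: "
                                "remove key/crt or prefix addr with tls://")
            elif reencrypts and not local_speaks_tls:
                findings.append("addr re-encrypts with tls:// but server is plaintext")
        else:
            terminator = "local server"
            if not local_speaks_tls:
                findings.append("no key/crt and a plaintext server: nothing terminates TLS")
        if wants_host_header:
            findings.append("host_header is not supported on tls tunnels: use an http tunnel")
    elif proto == "http":
        terminator = "ngrok (provisioned certificate)"
        if local_speaks_tls and not addr.startswith("https://"):
            findings.append("server expects TLS: give addr an https:// scheme")
    else:
        terminator = "unknown"
        findings.append("proto not covered by this thread: %r" % proto)
    return terminator, findings


# Tunnel definitions from the thread as dicts; key/crt paths are placeholders.
CERT = {"key": "path/to/cert.key", "crt": "path/to/cert.crt"}
FIRST_ATTEMPT = {"proto": "tls", "addr": "localhost:7071", "hostname": "my-domain.com",
                 "host-header": "localhost:7071", **CERT}
SERVER_TERMINATES = {"proto": "tls", "addr": "localhost:49493", "hostname": "my-domain.com"}
REENCRYPT = {"proto": "tls", "addr": "tls://localhost:49493", "hostname": "my-domain.com", **CERT}
HTTP_TUNNEL = {"proto": "http", "addr": "https://localhost:49493",
               "hostname": "my-domain.com", "host_header": "localhost:49493"}

if __name__ == "__main__":
    for name in ("FIRST_ATTEMPT", "SERVER_TERMINATES", "REENCRYPT", "HTTP_TUNNEL"):
        print(name, check_tunnel(globals()[name], local_speaks_tls=True))
```

The first attempt is the only definition that yields findings when the local server speaks TLS; the key/crt variants also mean the private key has to live on the machine running ngrok.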