Policies
Overview
The Policy module allows you to configure a series of inbound and outbound policies that can be used to influence and control traffic to and from your upstream service.
Policies are composed of zero-to-many expressions that filter the traffic on which they apply and one-to-many actions which will be taken against the traffic.
Example Usage
Agent CLI:

    ngrok tls 80 --policy-config /path/to/policy-config.yml

Agent Config:

    tunnels:
      example:
        proto: tls
        addr: 443
        policies:
          inbound:
            # Deny any connection that did not negotiate TLS 1.3
            - name: EnforceTLS1.3
              expressions:
                - "conn.TLS.Version != 'TLS 1.3'"
              actions:
                - type: deny
            # Log connections from one known client IP
            - name: "LogRequestsFromKnownIP"
              expressions:
                - "conn.ClientIP == '110.0.0.1'"
              actions:
                - type: log
                  config:
                    metadata:
                      event: "known-ip"
                      data: "110.0.0.1"
Behavior
Policies are evaluated sequentially in the order they are configured: inbound policies take effect before the upstream server is reached, and outbound policies take effect after the upstream server responds. Whether or not a policy's actions are performed is determined at runtime.
Expression Evaluation
Policy expressions are a set of Common Expression Language (CEL) expressions that must all evaluate to true in order for a policy's actions to take effect. There is no behavioral difference between adding multiple expressions to a policy and having a single expression with multiple statements logically conjoined (&&) together.
If no expressions are specified on a policy, the actions will always take effect.
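The agent config below is an added example, not taken from the ngrok documentation, showing what the conjunction rule means for a deny policy: every extra expression narrows the match, so a policy meant to block either condition must use CEL's `||` inside one expression (or be split into two policies). The policy names and the `all-connections` event value are made up; the variables and action types are the ones used in the example above.

```yaml
tunnels:
  example:
    proto: tls
    addr: 443
    policies:
      inbound:
        # No expressions: the log action takes effect for every connection.
        - name: LogEverything            # hypothetical name
          actions:
            - type: log
              config:
                metadata:
                  event: "all-connections"   # constructed value

        # Two listed expressions are ANDed. This denies only connections
        # that are BOTH below TLS 1.3 AND from 110.0.0.1. A TLS 1.2
        # connection from any other address is not matched by this policy.
        - name: DenyOldTLSFromKnownIP    # hypothetical name
          expressions:
            - "conn.TLS.Version != 'TLS 1.3'"
            - "conn.ClientIP == '110.0.0.1'"
          actions:
            - type: deny

        # Behaves identically to the policy above: one expression, joined with &&.
        - name: DenyOldTLSFromKnownIPSingleExpr   # hypothetical name
          expressions:
            - "conn.TLS.Version != 'TLS 1.3' && conn.ClientIP == '110.0.0.1'"
          actions:
            - type: deny

        # To deny when EITHER condition holds, the OR has to live inside a
        # single expression; listing the two conditions separately would AND them.
        - name: DenyOldTLSOrKnownIP      # hypothetical name
          expressions:
            - "conn.TLS.Version != 'TLS 1.3' || conn.ClientIP == '110.0.0.1'"
          actions:
            - type: deny
```

The four policies are shown side by side for comparison; a real configuration would keep only the one whose match condition is intended.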
Action Execution
If a policy's expressions are evaluated as a match against a connection, the policy's actions will be executed. If multiple actions are defined on a policy, the actions will execute sequentially.
Edges
Policies is an HTTPS Edge module which can be applied to Routes.
Policies can be configured via the ngrok dashboard or API.