TLS Variables
Action Result Variables
The following variables are made available for use in subsequent expressions and CEL interpolations after the action has run. Variable values will only apply to the last action execution, results are not concatenated.
Log
Name | Type | Description |
---|---|---|
actions.ngrok.log.metadata | map[string]string | The key-value map of metadata that was logged. |
Restrict IPs
Name | Type | Description |
---|---|---|
actions.ngrok.restrict_ips.action | string | The resulting action for this action execution. Supported values are either allow or deny . |
actions.ngrok.restrict_ips.matched_cidr | string | The CIDR that matched for the incoming client ip. This may be empty. |
actions.ngrok.restrict_ips.error.code | string | Code for an error that occurred during the invocation of an action. |
actions.ngrok.restrict_ips.error.message | string | Message for an error that occurred during the invocation of an action. |
Connection Variables
The following variables are available under the conn
namespace:
Name | Type | Description |
---|---|---|
conn.client_ip | string | Source IP of the connection to the ngrok endpoint. |
conn.client_port | int32 | Source port of the connection to the ngrok endpoint. |
conn.server_ip | string | The IP that this connection was established on. |
conn.server_port | int32 | The port that this connection was established on. |
conn.ts.start | timestamp | Timestamp when the connection to ngrok was started. |
conn.client_ip
Source IP of the connection to the ngrok endpoint.
- YAML
- JSON
# snippet
---
expressions:
- "conn.client_ip in ['::1', '127.0.0.1']"
// snippet
{
"expressions": [
"conn.client_ip in ['::1', '127.0.0.1']"
]
}
conn.client_port
Source port of the connection to the ngrok endpoint.
- YAML
- JSON
# snippet
---
expressions:
- "conn.client_port == 80"
// snippet
{
"expressions": [
"conn.client_port == 80"
]
}
conn.server_ip
The IP that this connection was established on.
- YAML
- JSON
# snippet
---
expressions:
- "conn.server_ip == '192.168.1.1'"
// snippet
{
"expressions": [
"conn.server_ip == '192.168.1.1'"
]
}
conn.server_port
The port that this connection was established on.
- YAML
- JSON
# snippet
---
expressions:
- "conn.server_port == 80"
// snippet
{
"expressions": [
"conn.server_port == 80"
]
}
conn.ts.start
Timestamp when the connection to ngrok was started.
- YAML
- JSON
# snippet
---
expressions:
- "conn.ts.start > timestamp('2023-12-31T00:00:00Z')"
// snippet
{
"expressions": [
"conn.ts.start > timestamp('2023-12-31T00:00:00Z')"
]
}
Connection Geo Variables
The following variables are available under the conn.geo
namespace:
Name | Type | Description |
---|---|---|
conn.geo.city | string | The name of the city, in EN, where the conn.client_ip is likely to originate. |
conn.geo.country | string | The name of the country, in EN, where the conn.client_ip is likely to originate. |
conn.geo.country_code | string | The two-letter ISO country code where the conn.client_ip is likely to originate. |
conn.geo.latitude | string | The approximate latitude where the conn.client_ip is likely to originate. |
conn.geo.longitude | string | The approximate longitude where the conn.client_ip is likely to originate. |
conn.geo.radius | string | The radius in kilometers around the latitude and longitude where the conn.client_ip is likely to originate. |
conn.geo.subdivision | string | The name of the subdivision, in EN, where the conn.client_ip is likely to originate. |
conn.geo.city
The name of the city, in EN, where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- "conn.geo.city == 'Strongsville'"
// snippet
{
"expressions": [
"conn.geo.city == 'Strongsville'"
]
}
conn.geo.country
The name of the country, in EN, where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- "conn.geo.country == 'United States'"
// snippet
{
"expressions": [
"conn.geo.country == 'United States'"
]
}
conn.geo.country_code
The two-letter ISO country code where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- "conn.geo.country_code != 'US'"
// snippet
{
"expressions": [
"conn.geo.country_code != 'US'"
]
}
conn.geo.latitude
The approximate latitude where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- "double(conn.geo.latitude) >= 45.0"
// snippet
{
"expressions": [
"double(conn.geo.latitude) >= 45.0"
]
}
conn.geo.longitude
The approximate longitude where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- "double(conn.geo.longitude) <= -93.0"
// snippet
{
"expressions": [
"double(conn.geo.longitude) <= -93.0"
]
}
conn.geo.radius
The radius in kilometers around the latitude and longitude where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- "conn.geo.radius <= '5'"
// snippet
{
"expressions": [
"conn.geo.radius <= '5'"
]
}
conn.geo.subdivision
The name of the subdivision, in EN, where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- "conn.geo.subdivision == 'California'"
// snippet
{
"expressions": [
"conn.geo.subdivision == 'California'"
]
}
Connection TLS Variables
The following variables are available under the conn.tls
namespace:
Name | Type | Description |
---|---|---|
conn.tls.cipher_suite | string | The cipher suite selected during the TLS handshake. |
conn.tls.sni | string | The hostname included in the ClientHello message via the SNI extension. |
conn.tls.version | string | The version of the TLS protocol used between the client and the ngrok edge. |
conn.tls.cipher_suite
The cipher suite selected during the TLS handshake.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.cipher_suite == 'TLS_AES_128_GCM_SHA256'"
// snippet
{
"expressions": [
"conn.tls.cipher_suite == 'TLS_AES_128_GCM_SHA256'"
]
}
conn.tls.sni
The hostname included in the ClientHello
message via the SNI extension.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.sni == 'client.example.com'"
// snippet
{
"expressions": [
"conn.tls.sni == 'client.example.com'"
]
}
conn.tls.version
The version of the TLS protocol used between the client and the ngrok edge.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.version == '1.3'"
// snippet
{
"expressions": [
"conn.tls.version == '1.3'"
]
}
Connection TLS Client Variables
The following variables are available under the conn.tls.client
namespace:
Name | Type | Description |
---|---|---|
conn.tls.client.extensions | []Extension | Additional information added to the certificate. |
conn.tls.client.extensions[i].id | string | The identifier (OID) that specifies the type of extension. |
conn.tls.client.extensions[i].critical | bool | True if the extension is critical. |
conn.tls.client.extensions[i].value | []byte | The data for the extension. |
conn.tls.client.issuer | string | The issuing authority of the certificate as a string roughly following the RFC 2253 Distinguished Names syntax. |
conn.tls.client.issuer.common_name | string | Common name of the issuing authority, usually the domain name. |
conn.tls.client.issuer.country | []string | Country name(s) where the issuing authority is located. |
conn.tls.client.issuer.locality | []string | Locality or city of the issuing authority. |
conn.tls.client.issuer.organization | []string | Name(s) of the organization that issued the certificate. |
conn.tls.client.issuer.organizational_unit | []string | Division of the organization responsible for the certificate. |
conn.tls.client.issuer.postal_code | []string | Postal code of the issuing authority. |
conn.tls.client.issuer.province | []string | Province or state of the issuing authority. |
conn.tls.client.issuer.street_address | []string | Street address of the issuing authority. |
conn.tls.client.san | string | Subject alternative names of the client certificate. |
conn.tls.client.san.dns_names | []string | DNS names in the subject alternative names. |
conn.tls.client.san.email_addresses | []string | Email addresses in the subject alternative names. |
conn.tls.client.san.ip_addresses | []string | IP addresses in the subject alternative names. |
conn.tls.client.san.uris | []string | URIs in the subject alternative names. |
conn.tls.client.serial_number | string | Unique identifier for the certificate. |
conn.tls.client.signature_algorithm | string | Algorithm used to sign the certificate. |
conn.tls.client.subject | string | The entity to whom the certificate is issued as a string roughly following the RFC 2253 Distinguished Names syntax. |
conn.tls.client.subject.common_name | string | Common name of the subject, usually the domain name. |
conn.tls.client.subject.country | []string | Country name(s) where the subject of the certificate is located. |
conn.tls.client.subject.locality | []string | Locality or city where the subject is located. |
conn.tls.client.subject.organization | []string | Name(s) of the organization to which the subject belongs. |
conn.tls.client.subject.organizational_unit | []string | Division of the organization to which the subject belongs. |
conn.tls.client.subject.postal_code | []string | Postal code where the subject is located. |
conn.tls.client.subject.province | []string | Province or state where the subject is located. |
conn.tls.client.subject.street_address | []string | Street address where the subject is located. |
conn.tls.client.validity.not_after | timestamp | Expiration date and time when the certificate is no longer valid. |
conn.tls.client.validity.not_before | timestamp | Start date and time when the certificate becomes valid. |
conn.tls.client.extensions
Additional information added to the certificate.
- YAML
- JSON
# snippet
---
expressions:
- "size(conn.tls.client.extensions) > 0"
// snippet
{
"expressions": [
"size(conn.tls.client.extensions) > 0"
]
}
conn.tls.client.extensions[i].id
The identifier (OID) that specifies the type of extension.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.extensions[0].id == '2.5.29.15'"
// snippet
{
"expressions": [
"conn.tls.client.extensions[0].id == '2.5.29.15'"
]
}
conn.tls.client.extensions[i].critical
True if the extension is critical.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.extensions[0].critical"
// snippet
{
"expressions": [
"conn.tls.client.extensions[0].critical"
]
}
conn.tls.client.extensions[i].value
The data for the extension.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.extensions[0].value == b'\x03\x02\x05 '"
// snippet
{
"expressions": [
"conn.tls.client.extensions[0].value == b'\u0003\u0002\u0005 '"
]
}
conn.tls.client.issuer
The issuing authority of the certificate as a string roughly following the RFC 2253 Distinguished Names syntax.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.issuer == 'CN=E1,O=Let's Encrypt,C=US'"
// snippet
{
"expressions": [
"conn.tls.client.issuer == 'CN=E1,O=Let's Encrypt,C=US'"
]
}
conn.tls.client.issuer.common_name
Common name of the issuing authority, usually the domain name.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.issuer.common_name == 'exampleca.com'"
// snippet
{
"expressions": [
"conn.tls.client.issuer.common_name == 'exampleca.com'"
]
}
conn.tls.client.issuer.country
Country name(s) where the issuing authority is located.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.issuer.country == ['US']"
// snippet
{
"expressions": [
"conn.tls.client.issuer.country == ['US']"
]
}
conn.tls.client.issuer.locality
Locality or city of the issuing authority.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.issuer.locality == ['Mountain View']"
// snippet
{
"expressions": [
"conn.tls.client.issuer.locality == ['Mountain View']"
]
}
conn.tls.client.issuer.organization
Name(s) of the organization that issued the certificate.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.issuer.organization == ['Example CA']"
// snippet
{
"expressions": [
"conn.tls.client.issuer.organization == ['Example CA']"
]
}
conn.tls.client.issuer.organizational_unit
Division of the organization responsible for the certificate.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.issuer.organizational_unit == ['Certification Authority
Division']"
// snippet
{
"expressions": [
"conn.tls.client.issuer.organizational_unit == ['Certification Authority Division']"
]
}
conn.tls.client.issuer.postal_code
Postal code of the issuing authority.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.issuer.postal_code == ['94043']"
// snippet
{
"expressions": [
"conn.tls.client.issuer.postal_code == ['94043']"
]
}
conn.tls.client.issuer.province
Province or state of the issuing authority.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.issuer.province == ['California']"
// snippet
{
"expressions": [
"conn.tls.client.issuer.province == ['California']"
]
}
conn.tls.client.issuer.street_address
Street address of the issuing authority.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.issuer.street_address == ['1234 Encryption Way']"
// snippet
{
"expressions": [
"conn.tls.client.issuer.street_address == ['1234 Encryption Way']"
]
}
conn.tls.client.san
Subject alternative names of the client certificate.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.san == 'DNS:www.example.com, DNS:example.com, IP
Address:192.168.1.1'"
// snippet
{
"expressions": [
"conn.tls.client.san == 'DNS:www.example.com, DNS:example.com, IP Address:192.168.1.1'"
]
}
conn.tls.client.san.dns_names
DNS names in the subject alternative names.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.san.dns_names == ['www.example.com', 'example.com']"
// snippet
{
"expressions": [
"conn.tls.client.san.dns_names == ['www.example.com', 'example.com']"
]
}
conn.tls.client.san.email_addresses
Email addresses in the subject alternative names.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.san.email_addresses == ['ngrok-email1@example.com',
'ngrok-email2@example.com']"
// snippet
{
"expressions": [
"conn.tls.client.san.email_addresses == ['ngrok-email1@example.com', 'ngrok-email2@example.com']"
]
}
conn.tls.client.san.ip_addresses
IP addresses in the subject alternative names.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.san.ip_addresses == ['192.168.1.1']"
// snippet
{
"expressions": [
"conn.tls.client.san.ip_addresses == ['192.168.1.1']"
]
}
conn.tls.client.san.uris
URIs in the subject alternative names.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.san.uris == ['https://example.com/example']"
// snippet
{
"expressions": [
"conn.tls.client.san.uris == ['https://example.com/example']"
]
}
conn.tls.client.serial_number
Unique identifier for the certificate.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.serial_number == 'b53017e79d4a5208b314a55d3574e0a8'"
// snippet
{
"expressions": [
"conn.tls.client.serial_number == 'b53017e79d4a5208b314a55d3574e0a8'"
]
}
conn.tls.client.signature_algorithm
Algorithm used to sign the certificate.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.signature_algorithm == 'SHA256-RSA'"
// snippet
{
"expressions": [
"conn.tls.client.signature_algorithm == 'SHA256-RSA'"
]
}
conn.tls.client.subject
The entity to whom the certificate is issued as a string roughly following the RFC 2253 Distinguished Names syntax.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.subject == 'CN=www.example.com'"
// snippet
{
"expressions": [
"conn.tls.client.subject == 'CN=www.example.com'"
]
}
conn.tls.client.subject.common_name
Common name of the subject, usually the domain name.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.subject.common_name == 'www.example.com'"
// snippet
{
"expressions": [
"conn.tls.client.subject.common_name == 'www.example.com'"
]
}
conn.tls.client.subject.country
Country name(s) where the subject of the certificate is located.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.subject.country == ['US']"
// snippet
{
"expressions": [
"conn.tls.client.subject.country == ['US']"
]
}
conn.tls.client.subject.locality
Locality or city where the subject is located.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.subject.locality == ['Mountain View']"
// snippet
{
"expressions": [
"conn.tls.client.subject.locality == ['Mountain View']"
]
}
conn.tls.client.subject.organization
Name(s) of the organization to which the subject belongs.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.subject.organization == ['Example Corp']"
// snippet
{
"expressions": [
"conn.tls.client.subject.organization == ['Example Corp']"
]
}
conn.tls.client.subject.organizational_unit
Division of the organization to which the subject belongs.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.subject.organizational_unit == ['Web Services']"
// snippet
{
"expressions": [
"conn.tls.client.subject.organizational_unit == ['Web Services']"
]
}
conn.tls.client.subject.postal_code
Postal code where the subject is located.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.subject.postal_code == ['94043']"
// snippet
{
"expressions": [
"conn.tls.client.subject.postal_code == ['94043']"
]
}
conn.tls.client.subject.province
Province or state where the subject is located.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.subject.province == ['California']"
// snippet
{
"expressions": [
"conn.tls.client.subject.province == ['California']"
]
}
conn.tls.client.subject.street_address
Street address where the subject is located.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.subject.street_address == ['1234 Secure Blvd']"
// snippet
{
"expressions": [
"conn.tls.client.subject.street_address == ['1234 Secure Blvd']"
]
}
conn.tls.client.validity.not_after
Expiration date and time when the certificate is no longer valid.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.validity.not_after == timestamp('2023-01-01T00:00:00Z')"
// snippet
{
"expressions": [
"conn.tls.client.validity.not_after == timestamp('2023-01-01T00:00:00Z')"
]
}
conn.tls.client.validity.not_before
Start date and time when the certificate becomes valid.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.validity.not_before == timestamp('2020-01-01T00:00:00Z')"
// snippet
{
"expressions": [
"conn.tls.client.validity.not_before == timestamp('2020-01-01T00:00:00Z')"
]
}
Connection TLS Server Variables
The following variables are available under the conn.tls.server
namespace:
Name | Type | Description |
---|---|---|
conn.tls.server.extensions | []Extension | Additional information added to the certificate. |
conn.tls.server.extensions[i].id | string | The identifier that specifies the type of extension. |
conn.tls.server.extensions[i].critical | bool | True if the extension is critical. |
conn.tls.server.extensions[i].value | []byte | The data for the extension. |
conn.tls.server.issuer | string | The issuing authority of the certificate as a string roughly following the RFC 2253 Distinguished Names syntax. |
conn.tls.server.issuer.common_name | string | Common name of the issuing authority, usually the domain name. |
conn.tls.server.issuer.country | []string | Country name(s) where the issuing authority is located. |
conn.tls.server.issuer.locality | []string | Locality or city of the issuing authority. |
conn.tls.server.issuer.organization | []string | Name(s) of the organization that issued the certificate. |
conn.tls.server.issuer.organizational_unit | []string | Division of the organization responsible for the certificate. |
conn.tls.server.issuer.postal_code | []string | Postal code of the issuing authority. |
conn.tls.server.issuer.province | []string | Province or state of the issuing authority. |
conn.tls.server.issuer.street_address | []string | Street address of the issuing authority. |
conn.tls.server.san | string | Subject alternative names of the ngrok server's leaf TLS certificate. |
conn.tls.server.san.dns_names | []string | DNS names in the subject alternative names of the ngrok server's leaf TLS certificate. |
conn.tls.server.san.email_addresses | []string | Email addresses in the subject alternative names of the ngrok server's leaf TLS certificate. |
conn.tls.server.san.ip_addresses | []string | IP addresses in the subject alternative names of the ngrok server's leaf TLS certificate. |
conn.tls.server.san.uris | []string | URIs in the subject alternative names of the ngrok server's leaf TLS certificate. |
conn.tls.server.serial_number | string | Unique identifier for the certificate. |
conn.tls.server.signature_algorithm | string | Algorithm used to sign the certificate. |
conn.tls.server.subject | string | The entity to whom the certificate is issued as a string roughly following the RFC 2253 Distinguished Names syntax. |
conn.tls.server.subject.common_name | string | Common name of the subject, usually the domain name. |
conn.tls.server.subject.country | []string | Country name(s) where the subject of the certificate is located. |
conn.tls.server.subject.locality | []string | Locality or city where the subject is located. |
conn.tls.server.subject.organization | []string | Name(s) of the organization to which the subject belongs. |
conn.tls.server.subject.organizational_unit | []string | Division of the organization to which the subject belongs. |
conn.tls.server.subject.postal_code | []string | Postal code where the subject is located. |
conn.tls.server.subject.province | []string | Province or state where the subject is located. |
conn.tls.server.subject.street_address | []string | Street address where the subject is located. |
conn.tls.server.validity.not_after | timestamp | Expiration date and time when the certificate is no longer valid. |
conn.tls.server.validity.not_before | timestamp | Start date and time when the certificate becomes valid. |
conn.tls.server.extensions
Additional information added to the certificate.
- YAML
- JSON
# snippet
---
expressions:
- "size(conn.tls.server.extensions) > 0"
// snippet
{
"expressions": [
"size(conn.tls.server.extensions) > 0"
]
}