TLS Variables
Connection Variables
The following variables are available under the conn
namespace:
Name | Type | Description |
---|---|---|
conn.bytes_in | int64 | The number of bytes entering the endpoint from the client. |
conn.bytes_out | int64 | The number of bytes leaving an endpoint to the client. |
conn.client_ip | string | Source IP of the connection to the ngrok endpoint. |
conn.client_port | int32 | Source port of the connection to the ngrok endpoint. |
conn.server_ip | string | The IP that this connection was established on. |
conn.server_port | int32 | The port that this connection was established on. |
conn.ts.end | timestamp | Timestamp when the connection to ngrok was closed. |
conn.ts.start | timestamp | Timestamp when the connection to ngrok was started. |
conn.bytes_in
The number of bytes entering the endpoint from the client.
- YAML
- JSON
# snippet
---
expressions:
- "conn.bytes_in > 1000"
// snippet
{
"expressions": [
"conn.bytes_in > 1000"
]
}
conn.bytes_out
The number of bytes leaving an endpoint to the client.
- YAML
- JSON
# snippet
---
expressions:
- "conn.bytes_out > 1000"
// snippet
{
"expressions": [
"conn.bytes_out > 1000"
]
}
conn.client_ip
Source IP of the connection to the ngrok endpoint.
- YAML
- JSON
# snippet
---
expressions:
- "conn.client_ip in ['::1', '127.0.0.1']"
// snippet
{
"expressions": [
"conn.client_ip in ['::1', '127.0.0.1']"
]
}
conn.client_port
Source port of the connection to the ngrok endpoint.
- YAML
- JSON
# snippet
---
expressions:
- "conn.client_port == 80"
// snippet
{
"expressions": [
"conn.client_port == 80"
]
}
conn.ts.end
Timestamp when the connection to ngrok was closed.
- YAML
- JSON
# snippet
---
expressions:
- "conn.ts.end > timestamp('2024-01-01')"
// snippet
{
"expressions": [
"conn.ts.end > timestamp('2024-01-01')"
]
}
conn.server_ip
The IP that this connection was established on.
- YAML
- JSON
# snippet
---
expressions:
- "conn.server_ip == '192.168.1.1'"
// snippet
{
"expressions": [
"conn.server_ip == '192.168.1.1'"
]
}
conn.server_port
The port that this connection was established on.
- YAML
- JSON
# snippet
---
expressions:
- "conn.server_port == 80"
// snippet
{
"expressions": [
"conn.server_port == 80"
]
}
conn.ts.start
Timestamp when the connection to ngrok was started.
- YAML
- JSON
# snippet
---
expressions:
- "conn.ts.start > timestamp('2023-12-31')"
// snippet
{
"expressions": [
"conn.ts.start > timestamp('2023-12-31')"
]
}
Connection Geo Variables
The following variables are available under the conn.geo
namespace:
Name | Type | Description |
---|---|---|
conn.geo.city | string | The name of the city, in EN, where the conn.client_ip is likely to originate. |
conn.geo.country | string | The name of the country, in EN, where the conn.client_ip is likely to originate. |
conn.geo.country_code | string | The two-letter ISO country code where the conn.client_ip is likely to originate. |
conn.geo.latitude | string | The approximate latitude where the conn.client_ip is likely to originate. |
conn.geo.longitude | string | The approximate longitude where the conn.client_ip is likely to originate. |
conn.geo.radius | string | The radius in kilometers around the latitude and longitude where the conn.client_ip is likely to originate. |
conn.geo.subdivision | string | The name of the subdivision, in EN, where the conn.client_ip is likely to originate. |
conn.geo.city
The name of the city, in EN, where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- "conn.geo.city == 'Strongsville'"
// snippet
{
"expressions": [
"conn.geo.city == 'Strongsville'"
]
}
conn.geo.country
The name of the country, in EN, where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- "conn.geo.country == 'United States'"
// snippet
{
"expressions": [
"conn.geo.country == 'United States'"
]
}
conn.geo.country_code
The two-letter ISO country code where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- "conn.geo.country_code != 'US'"
// snippet
{
"expressions": [
"conn.geo.country_code != 'US'"
]
}
conn.geo.latitude
The approximate latitude where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- "double(conn.geo.latitude) >= 45.0"
// snippet
{
"expressions": [
"double(conn.geo.latitude) >= 45.0"
]
}
conn.geo.longitude
The approximate longitude where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- "double(conn.geo.longitude) <= -93.0"
// snippet
{
"expressions": [
"double(conn.geo.longitude) <= -93.0"
]
}
conn.geo.radius
The radius in kilometers around the latitude and longitude where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- "conn.geo.radius <= '5'"
// snippet
{
"expressions": [
"conn.geo.radius <= '5'"
]
}
conn.geo.subdivision
The name of the subdivision, in EN, where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- "conn.geo.subdivision == 'California'"
// snippet
{
"expressions": [
"conn.geo.subdivision == 'California'"
]
}
Connection TLS Variables
The following variables are available under the conn.tls
namespace:
Name | Type | Description |
---|---|---|
conn.tls.cipher_suite | string | The cipher suite selected during the TLS handshake. |
conn.tls.sni | string | The hostname included in the ClientHello message via the SNI extension. |
conn.tls.version | string | The version of the TLS protocol used between the client and the ngrok edge. |
conn.tls.cipher_suite
The cipher suite selected during the TLS handshake.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.cipher_suite == 'TLS_AES_128_GCM_SHA256'"
// snippet
{
"expressions": [
"conn.tls.cipher_suite == 'TLS_AES_128_GCM_SHA256'"
]
}
conn.tls.sni
The hostname included in the ClientHello message via the SNI extension.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.sni == 'client.example.com'"
// snippet
{
"expressions": [
"conn.tls.sni == 'client.example.com'"
]
}
conn.tls.version
The version of the TLS protocol used between the client and the ngrok edge.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.version == '1.3'"
// snippet
{
"expressions": [
"conn.tls.version == '1.3'"
]
}
Connection TLS Client Variables
The following variables are available under the conn.tls.client
namespace:
Name | Type | Description |
---|---|---|
conn.tls.client.extensions | []Extension | Additional information added to the certificate. |
conn.tls.client.issuer | string | The issuing authority of the certificate as a string roughly following the RFC 2253 Distinguished Names syntax. |
conn.tls.client.issuer.common_name | string | Common name of the issuing authority, usually the domain name. |
conn.tls.client.issuer.country | []string | Country name(s) where the issuing authority is located. |
conn.tls.client.issuer.locality | []string | Locality or city of the issuing authority. |
conn.tls.client.issuer.organization | []string | Name(s) of the organization that issued the certificate. |
conn.tls.client.issuer.organizational_unit | []string | Division of the organization responsible for the certificate. |
conn.tls.client.issuer.postal_code | []string | Postal code of the issuing authority. |
conn.tls.client.issuer.province | []string | Province or state of the issuing authority. |
conn.tls.client.issuer.street_address | []string | Street address of the issuing authority. |
conn.tls.client.san | string | Subject alternative names of the client certificate. |
conn.tls.client.san.dns_names | []string | DNS names in the subject alternative names. |
conn.tls.client.san.email_addresses | []string | Email addresses in the subject alternative names. |
conn.tls.client.san.ip_addresses | []string | IP addresses in the subject alternative names. |
conn.tls.client.san.uris | []string | URIs in the subject alternative names. |
conn.tls.client.serial_number | string | Unique identifier for the certificate. |
conn.tls.client.signature_algorithm | string | Algorithm used to sign the certificate. |
conn.tls.client.subject | string | The entity to whom the certificate is issued as a string roughly following the RFC 2253 Distinguished Names syntax. |
conn.tls.client.subject.common_name | string | Common name of the subject, usually the domain name. |
conn.tls.client.subject.country | []string | Country name(s) where the subject of the certificate is located. |
conn.tls.client.subject.locality | []string | Locality or city where the subject is located. |
conn.tls.client.subject.organization | []string | Name(s) of the organization to which the subject belongs. |
conn.tls.client.subject.organizational_unit | []string | Division of the organization to which the subject belongs. |
conn.tls.client.subject.postal_code | []string | Postal code where the subject is located. |
conn.tls.client.subject.province | []string | Province or state where the subject is located. |
conn.tls.client.subject.street_address | []string | Street address where the subject is located. |
conn.tls.client.validity.not_after | timestamp | Expiration date and time when the certificate is no longer valid. |
conn.tls.client.validity.not_before | timestamp | Start date and time when the certificate becomes valid. |
conn.tls.client.extensions
Additional information added to the certificate.
- YAML
- JSON
# snippet
---
expressions:
- "size(conn.tls.client.extensions) > 0"
// snippet
{
"expressions": [
"size(conn.tls.client.extensions) > 0"
]
}
conn.tls.client.issuer
The issuing authority of the certificate as a string roughly following the RFC 2253 Distinguished Names syntax.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.issuer == 'CN=E1,O=Let's Encrypt,C=US'"
// snippet
{
"expressions": [
"conn.tls.client.issuer == 'CN=E1,O=Let's Encrypt,C=US'"
]
}
conn.tls.client.issuer.common_name
Common name of the issuing authority, usually the domain name.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.issuer.common_name == 'exampleca.com'"
// snippet
{
"expressions": [
"conn.tls.client.issuer.common_name == 'exampleca.com'"
]
}
conn.tls.client.issuer.country
Country name(s) where the issuing authority is located.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.issuer.country == ['US']"
// snippet
{
"expressions": [
"conn.tls.client.issuer.country == ['US']"
]
}
conn.tls.client.issuer.locality
Locality or city of the issuing authority.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.issuer.locality == ['Mountain View']"
// snippet
{
"expressions": [
"conn.tls.client.issuer.locality == ['Mountain View']"
]
}
conn.tls.client.issuer.organization
Name(s) of the organization that issued the certificate.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.issuer.organization == ['Example CA']"
// snippet
{
"expressions": [
"conn.tls.client.issuer.organization == ['Example CA']"
]
}
conn.tls.client.issuer.organizational_unit
Division of the organization responsible for the certificate.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.issuer.organizational_unit == ['Certification Authority
Division']"
// snippet
{
"expressions": [
"conn.tls.client.issuer.organizational_unit == ['Certification Authority Division']"
]
}
conn.tls.client.issuer.postal_code
Postal code of the issuing authority.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.issuer.postal_code == ['94043']"
// snippet
{
"expressions": [
"conn.tls.client.issuer.postal_code == ['94043']"
]
}
conn.tls.client.issuer.province
Province or state of the issuing authority.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.issuer.province == ['California']"
// snippet
{
"expressions": [
"conn.tls.client.issuer.province == ['California']"
]
}
conn.tls.client.issuer.street_address
Street address of the issuing authority.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.issuer.street_address == ['1234 Encryption Way']"
// snippet
{
"expressions": [
"conn.tls.client.issuer.street_address == ['1234 Encryption Way']"
]
}
conn.tls.client.san
Subject alternative names of the client certificate.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.san == 'DNS:www.example.com, DNS:example.com, IP
Address:192.168.1.1'"
// snippet
{
"expressions": [
"conn.tls.client.san == 'DNS:www.example.com, DNS:example.com, IP Address:192.168.1.1'"
]
}
conn.tls.client.san.dns_names
DNS names in the subject alternative names.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.san.dns_names == ['www.example.com', 'example.com']"
// snippet
{
"expressions": [
"conn.tls.client.san.dns_names == ['www.example.com', 'example.com']"
]
}
conn.tls.client.san.email_addresses
Email addresses in the subject alternative names.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.san.email_addresses == ['ngrok-email1@example.com',
'ngrok-email2@example.com']"
// snippet
{
"expressions": [
"conn.tls.client.san.email_addresses == ['ngrok-email1@example.com', 'ngrok-email2@example.com']"
]
}
conn.tls.client.san.ip_addresses
IP addresses in the subject alternative names.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.san.ip_addresses == ['192.168.1.1']"
// snippet
{
"expressions": [
"conn.tls.client.san.ip_addresses == ['192.168.1.1']"
]
}
conn.tls.client.san.uris
URIs in the subject alternative names.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.san.uris == ['https://example.com/example']"
// snippet
{
"expressions": [
"conn.tls.client.san.uris == ['https://example.com/example']"
]
}
conn.tls.client.serial_number
Unique identifier for the certificate.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.serial_number == 'b53017e79d4a5208b314a55d3574e0a8'"
// snippet
{
"expressions": [
"conn.tls.client.serial_number == 'b53017e79d4a5208b314a55d3574e0a8'"
]
}
conn.tls.client.signature_algorithm
Algorithm used to sign the certificate.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.signature_algorithm == 'SHA256-RSA'"
// snippet
{
"expressions": [
"conn.tls.client.signature_algorithm == 'SHA256-RSA'"
]
}
conn.tls.client.subject
The entity to whom the certificate is issued as a string roughly following the RFC 2253 Distinguished Names syntax.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.subject == 'CN=www.example.com'"
// snippet
{
"expressions": [
"conn.tls.client.subject == 'CN=www.example.com'"
]
}
conn.tls.client.subject.common_name
Common name of the subject, usually the domain name.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.subject.common_name == 'www.example.com'"
// snippet
{
"expressions": [
"conn.tls.client.subject.common_name == 'www.example.com'"
]
}
conn.tls.client.subject.country
Country name(s) where the subject of the certificate is located.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.subject.country == ['US']"
// snippet
{
"expressions": [
"conn.tls.client.subject.country == ['US']"
]
}
conn.tls.client.subject.locality
Locality or city where the subject is located.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.subject.locality == ['Mountain View']"
// snippet
{
"expressions": [
"conn.tls.client.subject.locality == ['Mountain View']"
]
}
conn.tls.client.subject.organization
Name(s) of the organization to which the subject belongs.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.subject.organization == ['Example Corp']"
// snippet
{
"expressions": [
"conn.tls.client.subject.organization == ['Example Corp']"
]
}
conn.tls.client.subject.organizational_unit
Division of the organization to which the subject belongs.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.subject.organizational_unit == ['Web Services']"
// snippet
{
"expressions": [
"conn.tls.client.subject.organizational_unit == ['Web Services']"
]
}
conn.tls.client.subject.postal_code
Postal code where the subject is located.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.subject.postal_code == ['94043']"
// snippet
{
"expressions": [
"conn.tls.client.subject.postal_code == ['94043']"
]
}
conn.tls.client.subject.province
Province or state where the subject is located.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.subject.province == ['California']"
// snippet
{
"expressions": [
"conn.tls.client.subject.province == ['California']"
]
}
conn.tls.client.subject.street_address
Street address where the subject is located.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.subject.street_address == ['1234 Secure Blvd']"
// snippet
{
"expressions": [
"conn.tls.client.subject.street_address == ['1234 Secure Blvd']"
]
}
conn.tls.client.validity.not_after
Expiration date and time when the certificate is no longer valid.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.validity.not_after == timestamp('2023-01-01T00:00:00Z')"
// snippet
{
"expressions": [
"conn.tls.client.validity.not_after == timestamp('2023-01-01T00:00:00Z')"
]
}
conn.tls.client.validity.not_before
Start date and time when the certificate becomes valid.
- YAML
- JSON
# snippet
---
expressions:
- "conn.tls.client.validity.not_before == timestamp('2020-01-01T00:00:00Z')"
// snippet
{
"expressions": [
"conn.tls.client.validity.not_before == timestamp('2020-01-01T00:00:00Z')"
]
}