Skip to main content

TLS Variables

Connection Variables

The following variables are available under the conn namespace:

NameTypeDescription
conn.bytes_inint64The number of bytes entering the endpoint from the client.
conn.bytes_outint64The number of bytes leaving an endpoint to the client.
conn.client_ipstringSource IP of the connection to the ngrok endpoint.
conn.client_portint32Source port of the connection to the ngrok endpoint.
conn.server_ipstringThe IP that this connection was established on.
conn.server_portint32The port that this connection was established on.
conn.ts.endtimestampTimestamp when the connection to ngrok was closed.
conn.ts.starttimestampTimestamp when the connection to ngrok was started.

conn.bytes_in

The number of bytes entering the endpoint from the client.

# snippet
---
expressions:
- "conn.bytes_in > 1000"

conn.bytes_out

The number of bytes leaving an endpoint to the client.

# snippet
---
expressions:
- "conn.bytes_out > 1000"

conn.client_ip

Source IP of the connection to the ngrok endpoint.

# snippet
---
expressions:
- "conn.client_ip in ['::1', '127.0.0.1']"

conn.client_port

Source port of the connection to the ngrok endpoint.

# snippet
---
expressions:
- "conn.client_port == 80"

conn.ts.end

Timestamp when the connection to ngrok was closed.

# snippet
---
expressions:
- "conn.ts.end > timestamp('2024-01-01')"

conn.server_ip

The IP that this connection was established on.

# snippet
---
expressions:
- "conn.server_ip == '192.168.1.1'"

conn.server_port

The port that this connection was established on.

# snippet
---
expressions:
- "conn.server_port == 80"

conn.ts.start

Timestamp when the connection to ngrok was started.

# snippet
---
expressions:
- "conn.ts.start > timestamp('2023-12-31')"

Connection Geo Variables

The following variables are available under the conn.geo namespace:

NameTypeDescription
conn.geo.citystringThe name of the city, in EN, where the conn.client_ip is likely to originate.
conn.geo.countrystringThe name of the country, in EN, where the conn.client_ip is likely to originate.
conn.geo.country_codestringThe two-letter ISO country code where the conn.client_ip is likely to originate.
conn.geo.latitudestringThe approximate latitude where the conn.client_ip is likely to originate.
conn.geo.longitudestringThe approximate longitude where the conn.client_ip is likely to originate.
conn.geo.radiusstringThe radius in kilometers around the latitude and longitude where the conn.client_ip is likely to originate.
conn.geo.subdivisionstringThe name of the subdivision, in EN, where the conn.client_ip is likely to originate.

conn.geo.city

The name of the city, in EN, where the conn.client_ip is likely to originate.

# snippet
---
expressions:
- "conn.geo.city == 'Strongsville'"

conn.geo.country

The name of the country, in EN, where the conn.client_ip is likely to originate.

# snippet
---
expressions:
- "conn.geo.country == 'United States'"

conn.geo.country_code

The two-letter ISO country code where the conn.client_ip is likely to originate.

# snippet
---
expressions:
- "conn.geo.country_code != 'US'"

conn.geo.latitude

The approximate latitude where the conn.client_ip is likely to originate.

# snippet
---
expressions:
- "double(conn.geo.latitude) >= 45.0"

conn.geo.longitude

The approximate longitude where the conn.client_ip is likely to originate.

# snippet
---
expressions:
- "double(conn.geo.longitude) <= -93.0"

conn.geo.radius

The radius in kilometers around the latitude and longitude where the conn.client_ip is likely to originate.

# snippet
---
expressions:
- "conn.geo.radius <= '5'"

conn.geo.subdivision

The name of the subdivision, in EN, where the conn.client_ip is likely to originate.

# snippet
---
expressions:
- "conn.geo.subdivision == 'California'"

Connection TLS Variables

The following variables are available under the conn.tls namespace:

NameTypeDescription
conn.tls.cipher_suitestringThe cipher suite selected during the TLS handshake.
conn.tls.snistringThe hostname included in the ClientHello message via the SNI extension.
conn.tls.versionstringThe version of the TLS protocol used between the client and the ngrok edge.

conn.tls.cipher_suite

The cipher suite selected during the TLS handshake.

# snippet
---
expressions:
- "conn.tls.cipher_suite == 'TLS_AES_128_GCM_SHA256'"

conn.tls.sni

The hostname included in the ClientHello message via the SNI extension.

# snippet
---
expressions:
- "conn.tls.sni == 'client.example.com'"

conn.tls.version

The version of the TLS protocol used between the client and the ngrok edge.

# snippet
---
expressions:
- "conn.tls.version == '1.3'"

Connection TLS Client Variables

The following variables are available under the conn.tls.client namespace:

NameTypeDescription
conn.tls.client.extensions[]ExtensionAdditional information added to the certificate.
conn.tls.client.issuerstringThe issuing authority of the certificate as a string roughly following the RFC 2253 Distinguished Names syntax.
conn.tls.client.issuer.common_namestringCommon name of the issuing authority, usually the domain name.
conn.tls.client.issuer.country[]stringCountry name(s) where the issuing authority is located.
conn.tls.client.issuer.locality[]stringLocality or city of the issuing authority.
conn.tls.client.issuer.organization[]stringName(s) of the organization that issued the certificate.
conn.tls.client.issuer.organizational_unit[]stringDivision of the organization responsible for the certificate.
conn.tls.client.issuer.postal_code[]stringPostal code of the issuing authority.
conn.tls.client.issuer.province[]stringProvince or state of the issuing authority.
conn.tls.client.issuer.street_address[]stringStreet address of the issuing authority.
conn.tls.client.sanstringSubject alternative names of the client certificate.
conn.tls.client.san.dns_names[]stringDNS names in the subject alternative names.
conn.tls.client.san.email_addresses[]stringEmail addresses in the subject alternative names.
conn.tls.client.san.ip_addresses[]stringIP addresses in the subject alternative names.
conn.tls.client.san.uris[]stringURIs in the subject alternative names.
conn.tls.client.serial_numberstringUnique identifier for the certificate.
conn.tls.client.signature_algorithmstringAlgorithm used to sign the certificate.
conn.tls.client.subjectstringThe entity to whom the certificate is issued as a string roughly following the RFC 2253 Distinguished Names syntax.
conn.tls.client.subject.common_namestringCommon name of the subject, usually the domain name.
conn.tls.client.subject.country[]stringCountry name(s) where the subject of the certificate is located.
conn.tls.client.subject.locality[]stringLocality or city where the subject is located.
conn.tls.client.subject.organization[]stringName(s) of the organization to which the subject belongs.
conn.tls.client.subject.organizational_unit[]stringDivision of the organization to which the subject belongs.
conn.tls.client.subject.postal_code[]stringPostal code where the subject is located.
conn.tls.client.subject.province[]stringProvince or state where the subject is located.
conn.tls.client.subject.street_address[]stringStreet address where the subject is located.
conn.tls.client.validity.not_aftertimestampExpiration date and time when the certificate is no longer valid.
conn.tls.client.validity.not_beforetimestampStart date and time when the certificate becomes valid.

conn.tls.client.extensions

Additional information added to the certificate.

# snippet
---
expressions:
- "size(conn.tls.client.extensions) > 0"

conn.tls.client.issuer

The issuing authority of the certificate as a string roughly following the RFC 2253 Distinguished Names syntax.

# snippet
---
expressions:
- "conn.tls.client.issuer == 'CN=E1,O=Let's Encrypt,C=US'"

conn.tls.client.issuer.common_name

Common name of the issuing authority, usually the domain name.

# snippet
---
expressions:
- "conn.tls.client.issuer.common_name == 'exampleca.com'"

conn.tls.client.issuer.country

Country name(s) where the issuing authority is located.

# snippet
---
expressions:
- "conn.tls.client.issuer.country == ['US']"

conn.tls.client.issuer.locality

Locality or city of the issuing authority.

# snippet
---
expressions:
- "conn.tls.client.issuer.locality == ['Mountain View']"

conn.tls.client.issuer.organization

Name(s) of the organization that issued the certificate.

# snippet
---
expressions:
- "conn.tls.client.issuer.organization == ['Example CA']"

conn.tls.client.issuer.organizational_unit

Division of the organization responsible for the certificate.

# snippet
---
expressions:
- "conn.tls.client.issuer.organizational_unit == ['Certification Authority
Division']"

conn.tls.client.issuer.postal_code

Postal code of the issuing authority.

# snippet
---
expressions:
- "conn.tls.client.issuer.postal_code == ['94043']"

conn.tls.client.issuer.province

Province or state of the issuing authority.

# snippet
---
expressions:
- "conn.tls.client.issuer.province == ['California']"

conn.tls.client.issuer.street_address

Street address of the issuing authority.

# snippet
---
expressions:
- "conn.tls.client.issuer.street_address == ['1234 Encryption Way']"

conn.tls.client.san

Subject alternative names of the client certificate.

# snippet
---
expressions:
- "conn.tls.client.san == 'DNS:www.example.com, DNS:example.com, IP
Address:192.168.1.1'"

conn.tls.client.san.dns_names

DNS names in the subject alternative names.

# snippet
---
expressions:
- "conn.tls.client.san.dns_names == ['www.example.com', 'example.com']"

conn.tls.client.san.email_addresses

Email addresses in the subject alternative names.

# snippet
---
expressions:
- "conn.tls.client.san.email_addresses == ['ngrok-email1@example.com',
'ngrok-email2@example.com']"

conn.tls.client.san.ip_addresses

IP addresses in the subject alternative names.

# snippet
---
expressions:
- "conn.tls.client.san.ip_addresses == ['192.168.1.1']"

conn.tls.client.san.uris

URIs in the subject alternative names.

# snippet
---
expressions:
- "conn.tls.client.san.uris == ['https://example.com/example']"

conn.tls.client.serial_number

Unique identifier for the certificate.

# snippet
---
expressions:
- "conn.tls.client.serial_number == 'b53017e79d4a5208b314a55d3574e0a8'"

conn.tls.client.signature_algorithm

Algorithm used to sign the certificate.

# snippet
---
expressions:
- "conn.tls.client.signature_algorithm == 'SHA256-RSA'"

conn.tls.client.subject

The entity to whom the certificate is issued as a string roughly following the RFC 2253 Distinguished Names syntax.

# snippet
---
expressions:
- "conn.tls.client.subject == 'CN=www.example.com'"

conn.tls.client.subject.common_name

Common name of the subject, usually the domain name.

# snippet
---
expressions:
- "conn.tls.client.subject.common_name == 'www.example.com'"

conn.tls.client.subject.country

Country name(s) where the subject of the certificate is located.

# snippet
---
expressions:
- "conn.tls.client.subject.country == ['US']"

conn.tls.client.subject.locality

Locality or city where the subject is located.

# snippet
---
expressions:
- "conn.tls.client.subject.locality == ['Mountain View']"

conn.tls.client.subject.organization

Name(s) of the organization to which the subject belongs.

# snippet
---
expressions:
- "conn.tls.client.subject.organization == ['Example Corp']"

conn.tls.client.subject.organizational_unit

Division of the organization to which the subject belongs.

# snippet
---
expressions:
- "conn.tls.client.subject.organizational_unit == ['Web Services']"

conn.tls.client.subject.postal_code

Postal code where the subject is located.

# snippet
---
expressions:
- "conn.tls.client.subject.postal_code == ['94043']"

conn.tls.client.subject.province

Province or state where the subject is located.

# snippet
---
expressions:
- "conn.tls.client.subject.province == ['California']"

conn.tls.client.subject.street_address

Street address where the subject is located.

# snippet
---
expressions:
- "conn.tls.client.subject.street_address == ['1234 Secure Blvd']"

conn.tls.client.validity.not_after

Expiration date and time when the certificate is no longer valid.

# snippet
---
expressions:
- "conn.tls.client.validity.not_after == timestamp('2023-01-01T00:00:00Z')"

conn.tls.client.validity.not_before

Start date and time when the certificate becomes valid.

# snippet
---
expressions:
- "conn.tls.client.validity.not_before == timestamp('2020-01-01T00:00:00Z')"

Connection TLS Server Variables

The following variables are available under the conn.tls.server namespace:

NameTypeDescription
conn.tls.server.extensions[]ExtensionAdditional information added to the certificate.
conn.tls.server.issuerstringThe issuing authority of the certificate as a string roughly following the RFC 2253 Distinguished Names syntax.
conn.tls.server.issuer.common_namestringCommon name of the issuing authority, usually the domain name.
conn.tls.server.issuer.country[]stringCountry name(s) where the issuing authority is located.
conn.tls.server.issuer.locality[]stringLocality or city of the issuing authority.
conn.tls.server.issuer.organization[]stringName(s) of the organization that issued the certificate.
conn.tls.server.issuer.organizational_unit[]stringDivision of the organization responsible for the certificate.
conn.tls.server.issuer.postal_code[]stringPostal code of the issuing authority.
conn.tls.server.issuer.province[]stringProvince or state of the issuing authority.
conn.tls.server.issuer.street_address[]stringStreet address of the issuing authority.
conn.tls.server.sanstringSubject alternative names of the ngrok server's leaf TLS certificate.
conn.tls.server.san.dns_names[]stringDNS names in the subject alternative names of the ngrok server's leaf TLS certificate.
conn.tls.server.san.email_addresses[]stringEmail addresses in the subject alternative names of the ngrok server's leaf TLS certificate.
conn.tls.server.san.ip_addresses[]stringIP addresses in the subject alternative names of the ngrok server's leaf TLS certificate.
conn.tls.server.san.uris[]stringURIs in the subject alternative names of the ngrok server's leaf TLS certificate.
conn.tls.server.serial_numberstringUnique identifier for the certificate.
conn.tls.server.signature_algorithmstringAlgorithm used to sign the certificate.
conn.tls.server.subjectstringThe entity to whom the certificate is issued as a string roughly following the RFC 2253 Distinguished Names syntax.
conn.tls.server.subject.common_namestringCommon name of the subject, usually the domain name.
conn.tls.server.subject.country[]stringCountry name(s) where the subject of the certificate is located.
conn.tls.server.subject.locality[]stringLocality or city where the subject is located.
conn.tls.server.subject.organization[]stringName(s) of the organization to which the subject belongs.
conn.tls.server.subject.organizational_unit[]stringDivision of the organization to which the subject belongs.
conn.tls.server.subject.postal_code[]stringPostal code where the subject is located.
conn.tls.server.subject.province[]stringProvince or state where the subject is located.
conn.tls.server.subject.street_address[]stringStreet address where the subject is located.
conn.tls.server.validity.not_aftertimestampExpiration date and time when the certificate is no longer valid.
conn.tls.server.validity.not_beforetimestampStart date and time when the certificate becomes valid.

conn.tls.server.extensions

Additional information added to the certificate.

# snippet
---
expressions:
- "size(conn.tls.server.extensions) > 0"

conn.tls.server.issuer

The issuing authority of the certificate as a string roughly following the RFC 2253 Distinguished Names syntax.

# snippet
---
expressions:
- "conn.tls.server.issuer == 'CN=E1,O=Let's Encrypt,C=US'"

conn.tls.server.issuer.common_name

Common name of the issuing authority, usually the domain name.

# snippet
---
expressions:
- "conn.tls.server.issuer.common_name == 'exampleca.com'"

conn.tls.server.issuer.country

Country name(s) where the issuing authority is located.

# snippet
---
expressions:
- "conn.tls.server.issuer.country == ['US']"

conn.tls.server.issuer.locality

Locality or city of the issuing authority.

# snippet
---
expressions:
- "conn.tls.server.issuer.locality == ['Mountain View']"

conn.tls.server.issuer.organization

Name(s) of the organization that issued the certificate.

# snippet
---
expressions:
- "conn.tls.server.issuer.organization == ['Example CA']"

conn.tls.server.issuer.organizational_unit

Division of the organization responsible for the certificate.

# snippet
---
expressions:
- "conn.tls.server.issuer.organizational_unit == ['Certification Authority
Division']"

conn.tls.server.issuer.postal_code

Postal code of the issuing authority.

# snippet
---
expressions:
- "conn.tls.server.issuer.postal_code == ['94043']"

conn.tls.server.issuer.province

Province or state of the issuing authority.

# snippet
---
expressions:
- "conn.tls.server.issuer.province == ['California']"

conn.tls.server.issuer.street_address

Street address of the issuing authority.

# snippet
---
expressions:
- "conn.tls.server.issuer.street_address == ['1234 Encryption Way']"

conn.tls.server.san

Subject alternative names of the server certificate of the ngrok server's leaf TLS certificate.

# snippet
---
expressions:
- "conn.tls.server.san == 'DNS:www.example.com, DNS:example.com, IP
Address:192.168.1.1'"

conn.tls.server.san.dns_names

DNS names in the subject alternative names of the ngrok server's leaf TLS certificate.

# snippet
---
expressions:
- "conn.tls.server.san.dns_names == ['ngrok-dns.com', 'ngrok-dns2.com']"

conn.tls.server.san.email_addresses

Email addresses in the subject alternative names of the ngrok server's leaf TLS certificate.

# snippet
---
expressions:
- "conn.tls.server.san.email_addresses == ['ngrok-email1@example.com',
'ngrok-email2@example.com']"

conn.tls.server.san.ip_addresses

IP addresses in the subject alternative names of the ngrok server's leaf TLS certificate.

# snippet
---
expressions:
- "conn.tls.server.san.ip_addresses == ['192.168.1.1']"

conn.tls.server.san.uris

URIs in the subject alternative names of the ngrok server's leaf TLS certificate.

# snippet
---
expressions:
- "conn.tls.server.san.uris == ['https://example.com/example']"

conn.tls.server.serial_number

Unique identifier for the certificate.

# snippet
---
expressions:
- "conn.tls.server.serial_number == 'b53017e79d4a5208b314a55d3574e0a8'"

conn.tls.server.signature_algorithm

Algorithm used to sign the certificate.

# snippet
---
expressions:
- "conn.tls.server.signature_algorithm == 'SHA256-RSA'"

conn.tls.server.subject

The entity to whom the certificate is issued as a string roughly following the RFC 2253 Distinguished Names syntax.

# snippet
---
expressions:
- "conn.tls.server.subject == 'CN=www.example.com'"

conn.tls.server.subject.common_name

Common name of the subject, usually the domain name.

# snippet
---
expressions:
- "conn.tls.server.subject.common_name == 'ngrok-server.example.com'"

conn.tls.server.subject.country

Country name(s) where the subject of the certificate is located.

# snippet
---
expressions:
- "conn.tls.server.subject.country == ['US']"

conn.tls.server.subject.locality

Locality or city where the subject is located.

# snippet
---
expressions:
- "conn.tls.server.subject.locality == ['Mountain View']"

conn.tls.server.subject.organization

Name(s) of the organization to which the subject belongs.

# snippet
---
expressions:
- "conn.tls.server.subject.organization == ['Example Corp']"

conn.tls.server.subject.organizational_unit

Division of the organization to which the subject belongs.

# snippet
---
expressions:
- "conn.tls.server.subject.organizational_unit == ['Web Services']"

conn.tls.server.subject.postal_code

Postal code where the subject is located.

# snippet
---
expressions:
- "conn.tls.server.subject.postal_code == ['94043']"

conn.tls.server.subject.province

Province or state where the subject is located.

# snippet
---
expressions:
- "conn.tls.server.subject.province == ['California']"

conn.tls.server.subject.street_address

Street address where the subject is located.

# snippet
---
expressions:
- "conn.tls.server.subject.street_address == ['1234 Secure Blvd']"

conn.tls.server.validity.not_after

Expiration date and time when the certificate is no longer valid.

# snippet
---
expressions:
- "conn.tls.server.validity.not_after > timestamp('2023-01-01T00:00:00Z')"

conn.tls.server.validity.not_before

Start date and time when the certificate becomes valid.

# snippet
---
expressions:
- "conn.tls.server.validity.not_before < timestamp('2020-01-01T00:00:00Z')"

Time variables

The following variables are available under the time namespace:

NameTypeDescription
time.nowstringThe current UTC time in RFC3339 format.

time.now

The current UTC time in RFC3339 format.

# snippet
---
expressions:
- "conn.ts.end < timestamp(time.now)"