How to protect a tunnel with mTLS

Mutual TLS (mTLS) requires the client to present a valid certificate during the TLS handshake, in addition to the server certificate that ordinary HTTPS already provides. Browsers and casual curl users cannot wander in — only workloads with issued certs connect.

Pay as you go and Enterprise plans: up to 10 mTLS policies per team. Free and Pro plans: upgrade required.

When mTLS fits

  • Service-to-service calls from CI, k8s jobs, or partner systems
  • High-trust APIs where shared secrets in headers are not enough
  • Compliance scenarios that mandate certificate-based client identity

mTLS is a poor fit for humans previewing a service in a browser tab; use header auth or an IP allowlist instead.

Step 1 — Upgrade and create the policy

  1. Move the team to Pay as you go if needed.
  2. Once mTLS management is enabled for your team, create an mTLS policy via the API or dashboard, uploading the CA certificate and any client certificate requirements.
  3. Copy ngsrv_mtls_….

Step 2 — Attach to a tunnel

Add the policy ID to the tunnel's configuration file, then start the tunnel:

port: 8443
subdomain: internal-api
security_policies:
  - ngsrv_mtls_partners

ngsrv run

Clients must present the configured client certificate when connecting to the public hostname.
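The two steps above need a CA to upload to the policy and a client certificate for each workload. The script below is an added example, not part of ngsrv or this guide: it issues both with openssl and then mirrors the check the tunnel edge performs, verifying that the CA-issued cert chains to the uploaded CA while an unrelated self-signed cert is rejected. All names (partners-ca, ci-runner, laptop) are constructed, and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Issue a private CA plus one client cert for an mTLS policy, then mirror the edge's
# check: the CA-issued cert verifies, an unrelated self-signed cert does not.
# Assumes openssl is on PATH; every name here (partners-ca, ci-runner, laptop) is constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create the CA whose certificate gets uploaded to the mTLS policy (Step 1).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=partners-ca" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" >/dev/null 2>&1
}

# Issue a client certificate for workload $1, signed by the policy CA.
# This is the cert the workload presents when connecting to the public hostname (Step 2).
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORKDIR/$1.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -days 30 -out "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# A self-signed certificate the policy CA never issued (e.g. an ad-hoc dev cert).
make_rogue() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# The check the edge performs on a presented cert: does it chain to the uploaded CA?
# Prints "accept" or "reject" so the result can be scripted against.
check_client() {
  if openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$1.crt" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

make_ca
issue_client ci-runner
make_rogue laptop
echo "ci-runner: $(check_client ci-runner)"   # accept
echo "laptop:    $(check_client laptop)"      # reject
```

Upload ca.crt to the policy; keep ca.key offline, since anyone holding it can mint certificates the tunnel will accept.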

CLI config reference

See Configuration files for attaching ngsrv_mtls_* policy IDs.
