How to protect a tunnel with WAF rules
WAF policies inspect HTTP requests for suspicious patterns — SQLi probes, path traversal, oversized payloads — and drop them at the edge.
Free plan: 1 WAF policy. Pro / PAYG: 10.
Step 1 — Create the policy
- Go to Dashboard → Security → WAF Rules.
- Enable rule sets appropriate for your stack (or custom rules if supported in your dashboard).
- Copy
ngsrv_waf_….
Step 2 — Attach to a tunnel
ngsrv http 8000 --policy ngsrv_waf_django
port: 8000
security_policies:
- ngsrv_waf_django
- ngsrv_rate_public
Dev vs prod
WAF on a dev tunnel catches bots scanning random *.tnl.ngsrv.com hostnames. It is not a replacement for framework-level validation — it is a first line while you iterate locally.
Combine with other policies
Typical public API tunnel:
security_policies:
- ngsrv_rate_api
- ngsrv_waf_api
- ngsrv_ips_office # optional: office-only admin
More: WAF docs