The pgrok is a multi-tenant HTTP/TCP reverse tunnel solution through remote port forwarding from the SSH protocol.
This is intended for small teams that need to expose the local development environment to the public internet, and you need to bring your own domain name and SSO provider.
It gives stable subdomain for every user, and gated by your SSO through OIDC protocol.
Think of this as a bare-bones alternative to the ngrok's $39/user/month enterprise tier. Trying to put this behind a production system will blow up your SLA.
For individuals and production systems, just buy ngrok, it is still my favorite.
Stable subdomains and SSO are two things too expensive.
Why not just pick one from the Awesome Tunneling? Think broader. Not everyone is a dev who knows about server operations. For people working as community managers, sales, and PMs, booting up something locally could already be a stretch and requiring them to understand how to set up and fix server problems is a waste of team's productivity.
Copy, paste, and run is the best UX for everyone.
Before you get started, make sure you have the following:
- A domain name (e.g.
example.com
, this will be used as the example throughout this section). - A server (dedicated server, VPS) with a public IP address (e.g.
111.33.5.14
). - An SSO provider (e.g. Google, JumpCloud, Okta, GitLab, Keycloak) that allows you to create OIDC clients.
- A PostgreSQL server (Render, Vercel, Cloud SQL, self-host).
Note
- All values used in this document are just examples, substitute based on your setup.
- HTTPS for the web and proxy server is not required for this to work, while recommended if possible. Examples in this document all use HTTP.
- Add the following DNS records for your domain name:
A
record forexample.com
to111.33.5.14
A
record for*.example.com
to111.33.5.14
- Set up the server with the single binary, Docker or Docker Compose.
- Alter your network security policy (if applicable) to allow inbound requests to port 2222 from
0.0.0.0/0
(anywhere). - Download and install Caddy 2 on your server, and use the following Caddyfile config:
http://example.com { reverse_proxy * localhost:3320 } http://*.example.com { reverse_proxy * localhost:3000 }
- Create a new OIDC client in your SSO with the Redirect URI to be
http://example.com/-/oidc/callback
.
- Go to http://example.com, authenticate with your SSO to obtain the token and URL (e.g.
http://unknwon.example.com
). - Download the latest version of the
pgrok
:- For Homebrew:
brew install pgrok
- For others, download the archive from the Releases page.
- For Homebrew:
- Initialize a
pgrok.yml
file with the following command (assuming you want to forward requests tohttp://localhost:3000
):pgrok init --remote-addr example.com:2222 --forward-addr http://localhost:3000 --token {YOUR_TOKEN}
- By default, the config file is created under the standard user configuration directory (
XDG_CONFIG_HOME
):- macOS:
~/Library/Application Support/pgrok/pgrok.yml
- Linux:
~/.config/pgrok/pgrok.yml
- Windows:
%LOCALAPPDATA%\pgrok\pgrok.yml
- macOS:
- Use
--config
flag to specify a different path for the config file.
- By default, the config file is created under the standard user configuration directory (
- Launch the client by executing the
pgrok
orpgrok http
command.- By default,
pgrok
expects thepgrok.yml
is available under the standard user configuration directory, or under the home directory (~/.pgrok/pgrok.yml
). Use--config
flag to specify a different path for the config file. - Use the
--debug
flag to turn on debug logging. - Upon successful startup, you should see a log looks like:
🎉 You're ready to go live at http://unknwon.example.com! remote=example.com:2222
- By default,
- Now visit the URL.
As a special case, the first argument of the pgrok http
can be used to specify forward address, e.g.
pgrok http 8080
Important
You need to alter the server network security policy (if applicable) to allow additional inbound requests to port range 10000-15000 from 0.0.0.0/0
(anywhere).
Use the tcp
subcommand to tunnel raw TCP traffic:
pgrok tcp 5432
Upon successful startup, you should see a log looks like:
🎉 You're ready to go live at tcp://example.com:10086! remote=example.com:2222
The assigned TCP port on the server side is semi-stable, such that the same port number is used when still available.
Following config options can be overridden through CLI flags for both http
and tcp
subcommands:
--remote-addr, -r
->remote_addr
--forward-addr, -f
->forward_addr
--token, -t
->token
Typical HTTP reverse tunnel solutions only support forwarding requests to a single address, pgrok
can be configured to have dynamic forward rules when tunneling HTTP requests.
For example, if your local frontend is running at http://localhost:3000
but some gRPC endpoints need to talk to the backend directly at http://localhost:8080
:
dynamic_forwards: |
/api http://localhost:8080
/hook http://localhost:8080
Then all requests prefixed with the path /api
and /hook
will be forwarded to http://localhost:8080
and all the rest are forwarded to the forward_addr
(http://localhost:3000
).
Because the standard SSH protocol is used for tunneling, you may well just use the vanilla SSH client.
- Go to http://example.com, authenticate with your SSO to obtain the token and URL (e.g.
http://unknwon.example.com
). - Launch the client by executing the
ssh -N -R 0::3000 example.com -p 2222
command:- Enter the token as your password.
- Use the
-v
flag to turn on debug logging. - Upon successful startup, you should see a log looks like:
Allocated port 22487 for remote forward to :3000
- Now visit the URL.
The project wouldn't be possible without reading function61/holepunch-server, function61/holepunch-client, and TCP/IP Port Forwarding.
This project is under the MIT License. See the LICENSE file for the full license text.