
Why does ngrok try to redirect to the https scheme?


I have an http server which runs over http scheme only (no SSL). If I access the site locally through http://localhost:80 (note that https://localhost:80 is not supported) everything works fine. I decided to access the site from outside with ngrok using the http scheme only. So I started ngrok with the following command:

ngrok http 80 --scheme http


Ngrok starts successfully and provides me only with an http link that, when pasted in the browser, redirects to the https scheme. Since https is not enabled, ngrok gives me an error ERR_NGROK_3200.

So is redirecting to https an expected behaviour? How to explicitly force ngrok to stop redirecting to https?

$ ngrok --version
ngrok version 3.4.0
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.3 LTS
Release:    22.04
Codename:   jammy

P.S. The following is a part of a CURL GET command:

*   Trying 3.125.223.134:80...
* Connected to *****************.ngrok-free.app (*.***.***.134) port 80 (#0)
> GET / HTTP/1.1
> Host: *****************.ngrok-free.app
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Cache-Control: no-store, no-cache, must-revalidate
< Content-Type: text/html; charset=UTF-8
< Date: Wed, 29 Nov 2023 15:17:09 GMT
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Ngrok-Trace-Id: 854d49a42c0fb1e8f7e4cf84f872af30
< Pragma: no-cache
< Server: Apache/2.4.52 (Debian)
< Set-Cookie: PHPSESSID=1c8a7c470af71b572c5e437ce391a3a8; path=/
< Vary: Accept-Encoding,User-Agent
< X-Powered-By: PHP/7.3.33
< Transfer-Encoding: chunked

It looks like ngrok is not the one who makes the redirect, but the browser. I tried Chrome and Firefox and both act the same way - redirecting to https.


Solution

  • Maybe that explains why the browser redirects to https - https://help.dreamhost.com/hc/en-us/articles/360025832811--dev-and-app-domains-force-HTTPS-by-default

    Also this - https://ngrok.com/blog-post/new-ngrok-domains

    It looks like since ngrok's domain name ends with .app, the browser always redirects to https.

    Note: If you forward with ngrok a page in your browser using HTTPS, the browser will refuse to load any resources over HTTP. In the browser's developer console (in my case Google Chrome) you will see an error like this:

    Mixed Content: The page at 'https://1111-22-33-444-55.ngrok-free.app/' was loaded over HTTPS, but requested an insecure script 'https://1111-22-33-444-55.ngrok-free.app//config/js/all.min.js'. This request has been blocked; the content must be served over HTTPS.

    To go around that problem you can tell ngrok to attach the Content-Security-Policy: upgrade-insecure-requests header to the HTTP response, like so:

    ngrok http 80 --response-header-add='Content-Security-Policy: upgrade-insecure-requests'
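
Added example, not part of the original question or answer: a simplified JavaScript model of the browser's HSTS preload lookup, showing why an http:// link on a .app hostname is rewritten to https before any request is sent, while http://localhost is left alone. The two-entry PRELOAD subset, the function names and the sample hostnames are constructed for illustration; the real list ships inside the browser.

```javascript
// Constructed subset of the HSTS preload list: the whole .app and .dev
// TLDs are preloaded with includeSubDomains, so every name under them matches.
const PRELOAD = new Map([
  ["app", { includeSubDomains: true }],
  ["dev", { includeSubDomains: true }],
]);

// Return the preload entry that covers `host`, or null if none does.
function hstsMatch(host) {
  // HSTS is defined for domain names only (RFC 6797); IP literals never match.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":")) return null;
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  // Walk from the full name up to the TLD: a.b.app -> b.app -> app.
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const entry = PRELOAD.get(candidate);
    // An exact match always applies; a parent applies only with includeSubDomains.
    if (entry && (i === 0 || entry.includeSubDomains)) return candidate;
  }
  return null;
}

// URL the browser actually requests once the HSTS check has run.
function effectiveUrl(input) {
  const url = new URL(input);
  if (url.protocol !== "http:" || hstsMatch(url.hostname) === null) {
    return url.href; // not http, or host not covered: request goes out unchanged
  }
  // Scheme is swapped locally, with no network round trip. A default or
  // explicit :80 becomes the https default port; other explicit ports are kept.
  url.protocol = "https:";
  return url.href;
}

// Constructed sample inputs.
for (const u of [
  "http://example-tunnel.ngrok-free.app/",
  "http://localhost:80/",
  "http://192.0.2.10/",
]) {
  console.log(u, "->", effectiveUrl(u));
}
```

The curl trace in the question got a plain 200 over port 80 because curl does not consult a preload list, which is why the tunnel itself works over http while browsers never try it.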