A tunnel you'd commit to git.

Declarative tunnels with custom domains, edge security, and a CLI shaped like the rest of your toolchain. Configure once, ship anywhere.

HTTPS at the edge · Security policies on every plan · Runs in Compose, Kubernetes, CI
~/your-app
$ brew install ngsrv/tap/ngsrv
$ ngsrv token <YOUR_TOKEN>

$ ngsrv http 3000
 tunnel established
 TLS terminated at edge
 policies: ip_allowlist, rate_limit_100rps
 https://wispy-fern-9f2.tnl.ngsrv.com
The shape of it

An edge, a CLI, and a config.

Three pieces, working as one. Configure your tunnels in YAML, route through a global edge, control everything from a single CLI.

One command, public HTTPS

Any local port → an edge-terminated HTTPS URL. HTTP/2 by default. Custom domain BYOD. Reserved subdomains. Static serve. TCP tunnels.

$ ngsrv http 3000 --domain api.example.com
$ ngsrv tcp 5432
$ ngsrv serve ./dist

Edge-enforced security

Policies declared in YAML, enforced at the edge before traffic ever reaches your process. Free tier ships with the full set.

ip_allowlist · rate_limit · geo · time_window · header_required · mtls · waf

Fits the rest of your stack

A single binary that lives wherever your app does — Docker Compose, a Kubernetes sidecar, a CI step. Structured logs and Prometheus metrics included.

services:
  ngsrv:
    image: ghcr.io/ngsrv/cli:latest
    command: [ngsrv, run]
    network_mode: host
Declarative

Tunnels as code. Reviewed, versioned, deployed.

Define your tunnels in a single file alongside your service. Bring them up together, take them down together, ship them the same way you ship the rest of your code.

ngsrv.yml
# ngsrv.yml — declarative, multi-tunnel, GitOps-ready
tunnels:
  - name: api
    port: 8080
    subdomain: api
    security_policies:
      - allow-office-ip
      - rate-limit-100rps

  - name: webhooks
    port: 9000
    subdomain: hooks

  - name: docs
    port: 3000
    domain: docs.example.com
$ ngsrv run
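
A review-time check for the file above, as an added example that is not part of ngsrv or the original page: it reports every tunnel with no security_policies attached unless a reviewer has listed it as intentionally public. The function name `lint_tunnels` and its `public_ok` parameter are hypothetical, and the check assumes a tunnel with no attached policy is published without edge filtering.

```ruby
require "yaml"

# Constructed sample: the tunnels from the ngsrv.yml shown on this page.
SAMPLE_NGSRV_YML = <<~YAML
  tunnels:
    - name: api
      port: 8080
      subdomain: api
      security_policies:
        - allow-office-ip
        - rate-limit-100rps

    - name: webhooks
      port: 9000
      subdomain: hooks

    - name: docs
      port: 3000
      domain: docs.example.com
YAML

# Returns one finding per tunnel that has no edge policy attached.
# `public_ok` is a hypothetical reviewer-maintained list of tunnel names
# that are intentionally open; it is not an ngsrv setting.
def lint_tunnels(yaml_text, public_ok: [])
  doc = YAML.safe_load(yaml_text)
  tunnels = doc.is_a?(Hash) ? doc["tunnels"] : nil
  return ["no tunnels list found"] unless tunnels.is_a?(Array)

  tunnels.each_with_index.flat_map do |t, i|
    next ["tunnel ##{i}: entry is not a mapping"] unless t.is_a?(Hash)
    name = t["name"] || "##{i}"
    policies = t["security_policies"]
    if policies.nil? || policies == []
      next [] if public_ok.include?(name)
      next ["#{name}: no security_policies on port #{t['port']}"]
    end
    policies.is_a?(Array) ? [] : ["#{name}: security_policies must be a list"]
  end
end

# The docs tunnel is acknowledged as public; webhooks is not, so it is reported.
lint_tunnels(SAMPLE_NGSRV_YML, public_ok: ["docs"]).each { |f| puts f }
```

Run in CI against the committed file, a non-empty result can fail the review step so that an unfiltered tunnel is an explicit decision rather than an omission.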

How it runs in your pod

[Diagram: a pod containing your app (:8080) and the ngsrv sidecar (ngsrv run, exposing /healthz · /readyz · /metrics), reachable as api.example.com · hooks.example.com · docs.example.com, with TLS terminated at the edge]
Security

Security that comes standard.

Attach a policy to a tunnel and it's enforced at the edge — before traffic ever touches your process. Every plan ships with the full set, free included.

  • IP allowlist & geo
    Block traffic by CIDR or country before it hits your app.
  • Rate limit
    Burst & sustained limits per IP, per token, per tunnel.
  • Time windows
    Only accept traffic during business hours, in your timezone.
  • Header & token gates
    Require a header or shared secret on every request.
  • WAF (Pro)
    OWASP Core Rule Set protection without standing up your own proxy.
ngsrv.yml
# Real security policies — included on the free tier
security_policies:
  - type: ip_allowlist
    ips: ["203.0.113.0/24"]

  - type: rate_limit
    requests_per_second: 100

  - type: time_window
    allowed_hours: "09:00-18:00"
    timezone: "Europe/London"

  - type: header_required
    header: "X-Internal-Token"

Lives where your code lives.

No new pipeline, no proxy to maintain. Just a binary that fits beside whatever you already ship.

  • Kubernetes
    Helm + sidecar
  • Docker
    compose + run
  • GitHub Actions
    preview tunnels
  • Prometheus
    /metrics
  • macOS / Linux
    brew · bash
  • GitOps
    yaml in repo

Pricing without paywalls.

Free ships with everything that matters. Paid plans add scale, not gates.

Free
$0

1 tunnel, 3 concurrent connections, security policies included.

Pro (most popular)
$7/mo

Custom domains, WAF, more tunnels, longer logs. Best for solo devs and small teams.

Pay-as-you-go
$15/mo

Higher caps + metered overage. Pay only for what you actually push.

$ brew install ngsrv/tap/ngsrv

That's the whole setup.

One CLI, one config, one dashboard. Everything else is just shipping.