HLDintermediatePremium

ngrok HLD: Exposing localhost to the Internet With Reverse Tunnels

How a secure tunneling service works inside: the reverse tunnel that needs no open firewall port, stream multiplexing many requests over one connection, and subdomain routing at the edge.

By fiveyearsdevJune 14, 20269 min read

You run a web app on localhost:3000 and want to show it to someone across the world — or let Stripe send a webhook to it. But your laptop has no public IP, sits behind a NAT, and you can't open a firewall port. ngrok solves this with one elegant move: instead of the world connecting to you, your machine dials out to a public edge server and holds that connection open; the edge then pipes inbound public requests back down it. The genius is in the direction (outbound, so no firewall hole) and the efficiency (one connection carries all your requests via multiplexing). This is the inside of ngrok …

What’s inside

Let's start nowhere near a computer

Where this exact shape shows up

Step 1 — Functional requirements (sentences first)

Step 2 — Non-functional requirements

Step 3 — The reverse tunnel

Step 4 — Subdomain routing at the edge

Step 5 — Multiplexing many requests over one tunnel

Step 6 — The architecture

Step 7 — Trade-offs (each one keeping an NFR)

The complete implementation

Step 8 — Scaling and security

Step 9 — When a piece fails: designing for failure

The interview corner

Where to go from here

Read this one free

Sign in and your first premium article is on us — read ngrok HLD: Exposing localhost to the Internet With Reverse Tunnels free.

HLD