- Use Case
- Log in →
- Security & Tech
- Webhook Forwarding
- Exec Commands
- WebSocket Server
- Functions guide
- Automating code updates
- HTTP Tunnels
- TLS Tunnels
- Global Infrastructure
- Ingress Controller (Tunnels)
- Webhook Relay Operator (Forwarding)
Internet of Things
- Home Automation
- Internet of Things (IoT)
- CLI commands
- Proxy Configuration
- Self-hosted deployment
- Client configuration
TLS tunnels are available for all paid plans.
HTTPS tunnels terminate TLS (SSL) traffic at the Webhook Relay servers (
*.webrelay.io). For production traffic or anything that includes sensitive information such as authentication tokens, you will want your tunnel traffic to be encrypted with your own key and certificate. Webhook Relay supports TLS tunnels and it’s really easy to use them:
To specify TLS pass-through mode when using connect command:
relay connect --crypto tls-pass-through https://127.0.0.1:8123/
Now, you can access it with curl:
curl --insecure https://7hhnns081m8t1jtg8vmh9t.webrelay.io
In previous command example
--insecure option is required so that we can ignore certificate warnings. You need to specify that because your local HTTPS server doesn’t have the TLS key and certificate necessary to terminate traffic for any
*webrelay.io subdomains. If you try to load up that page in a web browser, it will ask you to add an exception.
If you want your certificates to match and be protected from man-in-the-middle attacks, you need two things. First, you’ll need to buy an SSL (TLS) certificate for a domain name that you own and configure your local web server to use that certificate and its private key to terminate TLS connections. How to do this is specific to your web server and SSL certificate provider and beyond the scope of this documentation. For the sake of example, we’ll assume that you were issued an SSL certificate for the domain secure.yourdomain.com.
Once you have your key and certificate, it’s time to run a a TLS tunnel on your own custom domain name. The instructions to set this up are identical to those described in the previous section, we will just be specifying new
--host option. The custom domain you register should be the same as the one in your SSL certificate (secure.yourdomain.com). After you’ve set up the custom domain, use the
--host argument to connect the TLS tunnel on your own domain.
Forward TLS traffic over your own custom domain
relay connect --host secure.yourdomain.com --crypto tls-pass-through https://192.168.1.137:8123/
It is possible that the server you want to expose can’t terminate TLS connections. Webhook Relay client can terminate TLS for you, so you can have your traffic end-to-end encrypted without worrying about your local service supporting TLS. To do this, provide
--crt command line options when starting a tunnel:
relay connect -s demo --key tls.key --crt tls.crt --crypto tls-pass-through http://localhost:4000
Sometimes even though you don’t have a certificate, you want your traffic to still be end-to-end encrypted. There are plenty of tools that can generate you self-signed certificates, but Webhook Relay client can also do it:
relay connect -s demo --key tls.key --crt tls.crt --auto-generate=true --crypto tls-pass-through http://localhost:4000
In this case,
relay client will generate certificates if they don’t exist.
Webhook Relay doesn’t intercept encrypted TLS traffic so any protocol that is wrapped in TLS can be used with TLS tunnels (for example smpts, ftps, etc).