Restructure Universal Gateway

README.md

@@ -84,3 +84,18 @@ pnpm run build
 
 For bug reports, feature request, questions and community support please ooen an issue or discussion in our [ngrok Community](https://github.com/ngrok/ngrok).
 To report a problem with our documentation, please open a new [Github issue](https://github.com/ngrok/ngrok-docs/issues).
+
+## Troubleshooting
+
+### EMFILE: too many open files error
+
+Sometimes when you run `pnpm run dev`, docusaurus fails to build the site with the following error:
+
+```bash
+Error: Docusaurus could not load module at path "C:/.../ngrok-docs/sidebars.js"
+Cause: EMFILE: too many open files, open 'C:/.../ngrok-docs/sidebars.js'
+```
+
+You can fix this by running `pnpm run clean-dev`.
+
+The issue appears to be related to the npm cache being too large. `pnpm run clean-dev` clears and verifies the cache before running `pnpm run dev` for you.

docs/agent/agent-tls-termination.mdx

@@ -7,7 +7,7 @@ title: Agent TLS Termination
 Agent TLS termination enables you to secure your traffic with end-to-end encryption without needing to reconfigure your server.
 
 :::tip
-If your service doesn't support TLS termination, you can still use Agent TLS termination with [Zero-Knowledge TLS](/universal-gateway/tls-termination/#end-to-end-encryption).
+If your service doesn't support TLS termination, you can still use Agent TLS termination with [Zero-Knowledge TLS](/universal-gateway/tls/tls-termination/#end-to-end-encryption).
 :::
 
 ## Quickstart

docs/agent/cli.mdx

@@ -610,7 +610,7 @@ of a tunnel-group backend. Endpoint configurations containing a
 tunnel-group backend will cause traffic to their associated reserved
 domain or address to be forwarded to the tunnel-group.
 
-See the [Tunnel Group backends](/network-edge/edges/#tunnel-group) and [Edges](/network-edge/edges/) pages for more information.
+See the [Tunnel Group backends](/universal-gateway/edges/#tunnel-group) and [Edges](/universal-gateway/edges/) pages for more information.
 
 ### Usage
 

docs/agent/ssh-reverse-tunnel-agent.mdx

@@ -183,7 +183,7 @@ differences from the ngrok agent includes:
 - You can't [forward to upstream https services](/universal-gateway/http/#https-forwarding)
 - You can't create multiple endpoints over the same connection
 - You can't [serve file system directories](/universal-gateway/http/#serving-file-directories) with the `file://` protocol
-- You can't terminate TLS at the agent when using [end-to-end encryption](/universal-gateway/tls-termination/#end-to-end-encryption)
+- You can't terminate TLS at the agent when using [end-to-end encryption](/universal-gateway/tls/tls-termination/#end-to-end-encryption)
 - You can't run labeled tunnels for use with [Edges](/universal-gateway/edges).
 
 ## Pricing

docs/errors/index.md

@@ -60,3 +60,42 @@ complete list of all of ngrok's error codes.
 ## Customize Error Pages for your Traffic
 
 To access and provide feedback on a development preview of custom error pages [Fill out the form](https://ngrok.com/new-features/custom-error-pages?ref=errordoc).
+
+## HTTP Errors
+
+If ngrok fails to handle an HTTP request it will set the `ngrok-error-code` header in the HTTP response with a [unique ngrok Error Code](/errors/) describing the failure.
+
+ngrok guarantees that the upstream service may never set the `ngrok-error-code` HTTP response header so you know reliably that it was set by ngrok.
+
+ngrok may return an error under the following conditions:
+
+- Your upstream service timed out or rejected the connection
+- Your upstream service returned a response that was not valid HTTP
+- A [Traffic Policy](/traffic-policy) action rejected the request.
+- [Traffic Policy](/traffic-policy) execution encountered a runtime error.
+- ngrok encountered an internal error
+
+## TLS Errors
+
+If a TLS handshake fails, an appropriate TLS abort code will be sent to the
+client.
+
+In all other cases, if an error is encountered while handling TLS connections
+to your endpoints (e.g. no available backends or internal server error), the
+connection will be closed. The TLS protocol and its implementations are not
+sufficiently flexible enough to deliver additional rich error information when
+failures are encountered.
+
+Use the [observability](#observability) features to understand connection
+handling errors.
+
+## TCP Errors
+
+If an error is encountered while handling connections to a TCP endpoint for any
+reason (e.g. traffic policy action error, internal server error), the
+connection will be closed. Because of the low-level nature of the TCP protocol,
+there is no mechanism used to transmit information about what error code was
+encountered.
+
+Use the [observability](/obs/events/reference/#tcp-connection-closed) features to understand connection
+handling errors.

docs/faq/faq.mdx

@@ -66,7 +66,7 @@ and port 443 as well for TLS endpoints. This behavior is not configurable.
 
 TCP endpoints use the port of the TCP address that was assigned when you
 acquires the TCP address. [This port is assigned and not
-configurable](/universal-gateway/tcp-addresses/#address-assignment).
+configurable](/universal-gateway/tcp-addresses/how-are-tcp-addresses-assigned/).
 
 ## Will the ngrok agent work if my network changes? {#network-changes}
 

docs/getting-started/go.mdx

@@ -1,6 +1,6 @@
 ---
 title: Go
-pagination_next: universal-gateway/http
+pagination_next: universal-gateway/http-s/index
 ---
 
 # Quickstart: ngrok-go

docs/getting-started/index.mdx

@@ -1,6 +1,6 @@
 ---
 title: Quickstart
-pagination_next: universal-gateway/http
+pagination_next: universal-gateway/http-s/index
 ---
 
 import TabItem from "@theme/TabItem";

docs/getting-started/rust.mdx

@@ -1,6 +1,6 @@
 ---
 title: Rust
-pagination_next: universal-gateway/http
+pagination_next: universal-gateway/http-s/index
 ---
 
 # Quickstart: ngrok-rust

docs/guides/api-gateway/get-started.mdx

@@ -78,8 +78,8 @@ ngrok api reserved-domains create --domain {YOUR_NGROK_DOMAIN}
 ```
 
 This example uses an
-[ngrok-managed domain](/universal-gateway/domains/#ngrok-managed-domains), but you can use
-your own [branded domain](/universal-gateway/domains/#branded-domains) when you're ready for production.
+[ngrok-managed domain](/universal-gateway/domains/what-are-managed-domains), but you can use
+your own [branded domain](/universal-gateway/bring-your-own-domain) when you're ready for production.
 In that case, substitute your branded domain for `{YOUR_NGROK_DOMAIN}` in the command above, and
 [follow the steps](/guides/other-guides/how-to-set-up-a-custom-domain/#create-cname-record-in-domain-dns)
 to configure DNS.
@@ -540,7 +540,7 @@ out our [integrations guides](/integrations/) for specific examples.
 1. Leave the default values for **JSON Web Token (JWT) Profile \*** and **JSON Web Token Signing Algorithm \***.
 1. Click **Create**.
 
-<img src={Auth0} alt="Auth0 Create API" style={{width: 600}} />
+<img src={Auth0} alt="Auth0 Create API" style={{ width: 600 }} />
 
 #### Access your JWT
 

docs/guides/device-gateway/agent.md

@@ -123,7 +123,7 @@ https://api.ngrok.com/agent_ingresses
 
 ## Create a custom wildcard domain
 
-Next, create a custom [wildcard domain](/universal-gateway/domains/#wildcard-domains), which will allow you to
+Next, create a custom [wildcard domain](/universal-gateway/domains/what-are-domains/#wildcard-domains), which will allow you to
 create endpoints and receive traffic on any subdomain of your domain.
 
 For example, you might create `*.customer1.{YOUR_DOMAIN}`. You would then be able to create endpoints

docs/guides/device-gateway/arm64.md

@@ -102,7 +102,7 @@ If you already established a TCP tunnel for SSH access, you'll either need to cr
    Forwarding                    https://12345.ngrok.app -> http://localhost:8080
    ```
 
-1. Optionally, you can reserve a [static subdomain](/universal-gateway/domains/) like so:
+1. Optionally, you can reserve a [static subdomain](/universal-gateway/domains/what-are-domains/) like so:
 
    ```
    ngrok http 8080 --url https://example.ngrok.app

docs/guides/other-guides/how-to-terminate-traffic-with-ngrok-configs.mdx

@@ -3,7 +3,7 @@
 Agent TLS termination enables you to secure your traffic with end-to-end encryption without needing to reconfigure your server.
 
 :::tip
-If your service doesn't support TLS termination, you can still use Agent TLS termination with [Zero-Knowledge TLS](/universal-gateway/tls-termination/#end-to-end-encryption).
+If your service doesn't support TLS termination, you can still use Agent TLS termination with [Zero-Knowledge TLS](/universal-gateway/tls/tls-termination/#end-to-end-encryption).
 :::
 
 ## Quickstart

docs/guides/other-guides/securing-your-tunnels.mdx

@@ -26,7 +26,7 @@ For our HTTP tunnel type, use `scheme https` to configure the ngrok agent to ope
 
 If your local service is not running on the same machine as the ngrok agent, we recommend that you set up TLS encryption for the ngrok agent to upstream service leg of the tunnel using our [local HTTPS feature](/universal-gateway/http/#https-forwarding).
 
-For custom domains, use ngrok's [Automated TLS certificates](/universal-gateway/tls-certificates/#automated) to have ngrok automatically provision a TLS certificate for your endpoint from Let's Encrypt.
+For custom domains, use ngrok's [Automated TLS certificates](/universal-gateway/tls-certificatesautomatic-certificate-management/) to have ngrok automatically provision a TLS certificate for your endpoint from Let's Encrypt.
 
 :::note
 
@@ -42,7 +42,7 @@ If your organization uses a custom ingress domain, your default ngrok configurat
 
 ### TLS termination
 
-TLS Encryption is terminated at different locations depending on the ngrok Tunnel / Edge type and configuration. See the documentation on [Terminating TLS Connections](/universal-gateway/tls-termination/) for more details.
+TLS Encryption is terminated at different locations depending on the ngrok Tunnel / Edge type and configuration. See the documentation on [Terminating TLS Connections](/universal-gateway/tls/tls-termination/) for more details.
 
 ### Minimum TLS version
 

docs/guides/site-to-site-connectivity/apis-mtls.mdx

@@ -131,7 +131,7 @@ https://api.ngrok.com/agent_ingresses
 
 ## Create a custom wildcard domain
 
-Next, create a custom [wildcard domain](/universal-gateway/domains/#wildcard-domains), which will allow you to
+Next, create a custom [wildcard domain](/universal-gateway/domains/what-are-domains/#wildcard-domains), which will allow you to
 create endpoints and receive traffic on any subdomain of your domain.
 
 For example, you might create `*.customer1.{YOUR_DOMAIN}`. You would then be able to create endpoints

docs/guides/site-to-site-connectivity/apis.mdx

@@ -113,7 +113,7 @@ https://api.ngrok.com/agent_ingresses
 
 ## Create a custom wildcard domain
 
-Next, create a custom [wildcard domain](/universal-gateway/domains/#wildcard-domains), which will allow you to
+Next, create a custom [wildcard domain](/universal-gateway/domains/what-are-domains/#wildcard-domains), which will allow you to
 create endpoints and receive traffic on any subdomain of your domain.
 
 For example, you might create `*.customer1.{YOUR_DOMAIN}`. You would then be able to create endpoints

docs/guides/site-to-site-connectivity/dbs-mtls.mdx

@@ -134,7 +134,7 @@ https://api.ngrok.com/agent_ingresses
 
 ## Create a custom wildcard domain
 
-Next, create a custom [wildcard domain](/universal-gateway/domains/#wildcard-domains), which will allow you to
+Next, create a custom [wildcard domain](/universal-gateway/domains/what-are-domains/#wildcard-domains), which will allow you to
 create endpoints and receive traffic on any subdomain of your domain.
 
 For example, you might create `*.customer1.{YOUR_DOMAIN}`. You would then be able to create endpoints

docs/guides/site-to-site-connectivity/end-customers.mdx

@@ -140,8 +140,8 @@ your vendor.
 The agent always connects to the ngrok network via TLS. We support three encryption models based on where TLS is _terminated_:
 
 1. **TLS termination at the ngrok network**. This is the default behavior when using HTTPS tunnels, where ngrok manages TLS certificate generation and renewal for both you and your vendor.
-2. **TLS termination at the ngrok agent**. Often referred to as [zero-knowledge TLS](/universal-gateway/tls-termination/#end-to-end-encryption), this model encrypts your TLS tunnels end-to-end, using filesystem paths to your TLS certificate and key, without requiring you to reconfigure your upstream service for TLS termination.
-3. **TLS termination at your upstream service**. This model implements [end-to-end zero-knowledge encryption](/universal-gateway/tls-termination/#end-to-end-encryption), where the ngrok network forwards unterminated connections through to your upstream application.
+2. **TLS termination at the ngrok agent**. Often referred to as [zero-knowledge TLS](/universal-gateway/tls/tls-termination/#end-to-end-encryption), this model encrypts your TLS tunnels end-to-end, using filesystem paths to your TLS certificate and key, without requiring you to reconfigure your upstream service for TLS termination.
+3. **TLS termination at your upstream service**. This model implements [end-to-end zero-knowledge encryption](/universal-gateway/tls/tls-termination/#end-to-end-encryption), where the ngrok network forwards unterminated connections through to your upstream application.
 
 ### Is my data end-to-end encrypted?
 
@@ -196,7 +196,7 @@ Your vendor can also work with ngrok to provision dedicated IPs for their custom
 
 At this point, you can block the default agent ingress address at `connect.ngrok-agent.com:443`, which all agents use by default to connect outbound to ngrok’s network. This address resolves to a dynamic set of IP addresses, and blocking it at your network prevents any usage outside of this site-to-site connectivity use case in partnership with your vendor, such as developers utilizing ngrok to tunnel local development environments to the public internet.
 
-You should also block the [ngrok-managed public domains](/universal-gateway/domains/#ngrok-managed-domains), e.g. `ngrok.app`, `ngrok.io`, etc.
+You should also block the [ngrok-managed public domains](/universal-gateway/domains/what-are-managed-domains), e.g. `ngrok.app`, `ngrok.io`, etc.
 
 Work with your vendor to design an architecture that [prevents unauthorized
 use](#how-can-i-prevent-ngrok-from-being-used-for-any-purpose-other-than-in-site-to-site-connectivity-with-my-vendor?)

docs/integrations/digitalocean/gslb.mdx

@@ -44,7 +44,7 @@ To simplify authenticating your account with the ngrok API, export the API key o
 export NGROK_API_KEY=<YOUR-API-KEY>
 ```
 
-Next, create a domain that is a subdomain of an [ngrok-managed domain](/universal-gateway/domains/). For an example deployment like this, `YOUR_COMPANY-digitalocean-gslb.ngrok.app` would work great.
+Next, create a domain that is a subdomain of an [ngrok-managed domain](/universal-gateway/domains/what-are-domains/). For an example deployment like this, `YOUR_COMPANY-digitalocean-gslb.ngrok.app` would work great.
 
 You can reserve your domain in one of two ways: with the [ngrok API](/api/), or in the [ngrok dashboard](https://dashboard.ngrok.com/domains).
 

docs/integrations/linode/gslb.mdx

@@ -44,7 +44,7 @@ To simplify authenticating your account with the ngrok API, export the API key o
 export NGROK_API_KEY=<YOUR-API-KEY>
 ```
 
-Next, create a domain that is a subdomain of an [ngrok-managed domain](/universal-gateway/domains/). For an example deployment like this, `YOUR_COMPANY-linode-gslb.ngrok.app` would work great.
+Next, create a domain that is a subdomain of an [ngrok-managed domain](/universal-gateway/domains/what-are-domains/). For an example deployment like this, `YOUR_COMPANY-linode-gslb.ngrok.app` would work great.
 
 You can reserve your domain in one of two ways: with the [ngrok API](/api/), or in the [ngrok dashboard](https://dashboard.ngrok.com/domains).