zrok/assets/js/9939c4f4.f1f5b859.js

"use strict";(self.webpackChunkwebsite=self.webpackChunkwebsite||[]).push([[7273],{1855:(e,t,i)=>{i.r(t),i.d(t,{assets:()=>l,contentTitle:()=>a,default:()=>d,frontMatter:()=>r,metadata:()=>o,toc:()=>h});var n=i(5893),s=i(1151);const r={title:"Interstitial Pages",sidebar_label:"Interstitial Pages",sidebar_position:18},a=void 0,o={id:"guides/self-hosting/interstitial-page",title:"Interstitial Pages",description:"On large zrok installations that support open registration and shared public frontends, abuse can become an issue. In order to mitigate phishing and other similar forms of abuse, zrok offers an interstitial page that announces to the visiting user that the share is hosted through zrok, and probably isn't their financial institution.",source:"@site/../docs/guides/self-hosting/interstitial-page.md",sourceDirName:"guides/self-hosting",slug:"/guides/self-hosting/interstitial-page",permalink:"/docs/guides/self-hosting/interstitial-page",draft:!1,unlisted:!1,editUrl:"https://github.com/openziti/zrok/blob/main/docs/../docs/guides/self-hosting/interstitial-page.md",tags:[],version:"current",sidebarPosition:18,frontMatter:{title:"Interstitial Pages",sidebar_label:"Interstitial Pages",sidebar_position:18},sidebar:"tutorialSidebar",previous:{title:"NGINX TLS",permalink:"/docs/guides/self-hosting/linux/nginx"},next:{title:"Personalized Frontend",permalink:"/docs/guides/self-hosting/personalized-frontend"}},l={},h=[{value:"Bypassing the Interstitial",id:"bypassing-the-interstitial",level:2}];function c(e){const t={code:"code",em:"em",h2:"h2",img:"img",p:"p",pre:"pre",...(0,s.a)(),...e.components};return(0,n.jsxs)(n.Fragment,{children:[(0,n.jsx)(t.p,{children:"On large zrok installations that support open registration and shared public frontends, abuse can become an issue. In order to mitigate phishing and other similar forms of abuse, zrok offers an interstitial page that announces to the visiting user that the share is hosted through zrok, and probably isn't their financial institution."}),"\n",(0,n.jsx)(t.p,{children:"Interstitial pages can be enabled on a per-frontend basis. This allows the interstitial to be enabled on open public frontends but not closed public frontends (closed public frontends require a grant to use)."}),"\n",(0,n.jsx)(t.p,{children:"The interstitial page requirement can also be overridden on a per-account basis, allowing shares created by specific accounts to bypass the interstitial requirement on frontends that enable it. This facilitates building infrastructure that grants trusted users additional privileges."}),"\n",(0,n.jsx)(t.p,{children:"By default, if you do not specifically enable interstitial pages on a public frontend, then your self-hosted service instance will not offer them."}),"\n",(0,n.jsx)(t.p,{children:"Let's take a look at how the interstitial pages mechanism works. The following diagram shows the share configuration rendezvous made between the zrok controller and a zrok frontend:"}),"\n",(0,n.jsx)(t.p,{children:(0,n.jsx)(t.img,{alt:"zrok_interstitial_rendezvous",src:i(5390).Z+"",width:"631",height:"362"})}),"\n",(0,n.jsxs)(t.p,{children:["Every zrok share has a ",(0,n.jsx)(t.em,{children:"config"})," recorded in the underlying OpenZiti network. The config is of type ",(0,n.jsx)(t.code,{children:"zrok.proxy.v1"}),". The frontend uses the information in this config to understand the disposition of the share. The config can contain an ",(0,n.jsx)(t.code,{children:"interstitial: true"})," setting. If the config has this setting, and the frontend is configured to enable interstitial pages, then end users accessing the share will receive the interstitial page on first visit."]}),"\n",(0,n.jsxs)(t.p,{children:["By default the zrok controller will record ",(0,n.jsx)(t.code,{children:"interstitial: true"})," in the share config ",(0,n.jsx)(t.em,{children:"unless"})," a row is present in the ",(0,n.jsx)(t.code,{children:"skip_interstitial_grants"})," table in the underlying database for the account creating the share. The ",(0,n.jsx)(t.code,{children:"skip_interstitial_grants"})," table is a b