diff --git a/404.html b/404.html index 117ec1d0..0102576a 100644 --- a/404.html +++ b/404.html @@ -9,7 +9,7 @@ - + diff --git a/assets/js/685bed1a.47dd5dfa.js b/assets/js/685bed1a.47dd5dfa.js new file mode 100644 index 00000000..fb787f0d --- /dev/null +++ b/assets/js/685bed1a.47dd5dfa.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkwebsite=self.webpackChunkwebsite||[]).push([[5689],{1181:(e,n,r)=>{r.d(n,{Ay:()=>c,RM:()=>t});var o=r(4848),i=r(8453);const t=[{value:"Docker Instance",id:"docker-instance",level:2},{value:"DNS Configuration",id:"dns-configuration",level:3},{value:"Additional DNS Configuration for Caddy TLS",id:"additional-dns-configuration-for-caddy-tls",level:4},{value:"Create the Docker Compose Project",id:"create-the-docker-compose-project",level:3},{value:"Shortcut Option",id:"shortcut-option",level:4},{value:"Manual Option",id:"manual-option",level:4},{value:"Configure the Docker Compose Project Environment",id:"configure-the-docker-compose-project-environment",level:3},{value:"Start the Docker Compose Project",id:"start-the-docker-compose-project",level:3},{value:"Set up a User Account",id:"set-up-a-user-account",level:3},{value:"Enable the User Environment",id:"enable-the-user-environment",level:3},{value:"Firewall Configuration",id:"firewall-configuration",level:3},{value:"Required",id:"required",level:4},{value:"Troubleshooting",id:"troubleshooting",level:3}];function s(e){const n={a:"a",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,i.R)(),...e.components};return(0,o.jsxs)(o.Fragment,{children:[(0,o.jsx)(n.h2,{id:"docker-instance",children:"Docker Instance"}),"\n",(0,o.jsx)("iframe",{width:"100%",height:"315",src:"https://www.youtube.com/embed/70zJ_h4uiD8",title:"YouTube video player",frameborder:"0",allow:"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share",allowfullscreen:!0}),"\n",(0,o.jsx)(n.p,{children:"This Docker Compose project creates a zrok instance and includes a ziti controller and router. An optional Caddy container is included to provide HTTPS and reverse proxy services for the zrok API and public shares."}),"\n",(0,o.jsx)(n.h3,{id:"dns-configuration",children:"DNS Configuration"}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["A wildcard record exists for the IP address where the zrok instance will run, e.g. if your DNS zone is ",(0,o.jsx)(n.code,{children:"share.example.com"}),", then your wildcard record is ",(0,o.jsx)(n.code,{children:"*.share.example.com"}),"."]}),"\n"]}),"\n",(0,o.jsx)(n.h4,{id:"additional-dns-configuration-for-caddy-tls",children:"Additional DNS Configuration for Caddy TLS"}),"\n",(0,o.jsxs)(n.p,{children:["The included Caddy container can automatically manage a wildcard certificate for your zrok instance. You can enable Caddy in this compose project by renaming ",(0,o.jsx)(n.code,{children:"compose.caddy.yml"})," as ",(0,o.jsx)(n.code,{children:"compose.override.yml"}),"."]}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["Ensure A Caddy DNS plugin is available for your DNS provider (see ",(0,o.jsx)(n.a,{href:"https://github.com/orgs/caddy-dns/repositories?type=all&q=sort%3Aname-asc",children:"github.com/caddy-dns"}),")."]}),"\n",(0,o.jsxs)(n.li,{children:["Designate A DNS zone for zrok, e.g. ",(0,o.jsx)(n.code,{children:"example.com"})," or ",(0,o.jsx)(n.code,{children:"share.example.com"})," and create the zone on your DNS provider's platform."]}),"\n",(0,o.jsx)(n.li,{children:"Created an API token in your DNS provider that has permission to manage zrok's DNS zone."}),"\n"]}),"\n",(0,o.jsx)(n.h3,{id:"create-the-docker-compose-project",children:"Create the Docker Compose Project"}),"\n",(0,o.jsx)(n.p,{children:"Create a working directory on your Docker host and save these Docker Compose project files."}),"\n",(0,o.jsx)(n.h4,{id:"shortcut-option",children:"Shortcut Option"}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Run this script to download the files in the current directory."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"curl https://get.openziti.io/zrok-instance/fetch.bash | bash\n"})}),"\n",(0,o.jsx)(n.p,{children:"Or, specify the Compose project directory."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"curl https://get.openziti.io/zrok-instance/fetch.bash | bash -s /path/to/compose/project/dir\n"})}),"\n"]}),"\n"]}),"\n",(0,o.jsx)(n.h4,{id:"manual-option",children:"Manual Option"}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Get the zrok repo ZIP file."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"wget https://github.com/openziti/zrok/archive/refs/heads/main.zip\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Unzip the zrok-instance files into the project directory."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"unzip -j -d . main.zip '*/docker/compose/zrok-instance/*'\n"})}),"\n"]}),"\n"]}),"\n",(0,o.jsx)(n.h3,{id:"configure-the-docker-compose-project-environment",children:"Configure the Docker Compose Project Environment"}),"\n",(0,o.jsxs)(n.p,{children:["Create an ",(0,o.jsx)(n.code,{children:".env"})," file in the working directory."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",metastring:'title=".env required"',children:"ZROK_DNS_ZONE=share.example.com\n\nZROK_USER_EMAIL=me@example.com\nZROK_USER_PWD=zrokuserpw\n\nZITI_PWD=zitiadminpw\nZROK_ADMIN_TOKEN=zroktoken\n"})}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",metastring:'title=".env options"',children:"# Caddy TLS option: rename compose.caddy.yml to compose.override.yml; allow CADDY_HTTPS_PORT in firewall\n\n#\n## set these in .env for providers other than Route53\n#\n# plugin name for your DNS provider\nCADDY_DNS_PLUGIN=cloudflare\n# API token from your DNS provider\nCADDY_DNS_PLUGIN_TOKEN=abcd1234\n# use the staging API until you're sure everything is working to avoid hitting the rate limit\nCADDY_ACME_API=https://acme-staging-v02.api.letsencrypt.org/directory\n\n#\n## set these in .env for Route53\n#\n# AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}\n# AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}\n# AWS_REGION: ${AWS_REGION}\n# AWS_SESSION_TOKEN: ${AWS_SESSION_TOKEN} # if temporary credential, e.g., from STS\n\n#\n## if not using Caddy for TLS, uncomment to publish the insecure ports to the internet\n#\n#ZROK_INSECURE_INTERFACE=0.0.0.0\n\n# these insecure ports must be proxied with TLS for security\nZROK_CTRL_PORT=18080\nZROK_FRONTEND_PORT=8080\nZROK_OAUTH_PORT=8081\n\n# these secure ports must be published to the internet\nZITI_CTRL_ADVERTISED_PORT=80\nZITI_ROUTER_PORT=3022\nCADDY_HTTPS_PORT=443\n\n# optionally configure oauth for public shares\n#ZROK_OAUTH_HASH_KEY=oauthhashkeysecret\n#ZROK_OAUTH_GITHUB_CLIENT_ID=abcd1234\n#ZROK_OAUTH_GITHUB_CLIENT_SECRET=abcd1234\n#ZROK_OAUTH_GOOGLE_CLIENT_ID=abcd1234\n#ZROK_OAUTH_GOOGLE_CLIENT_SECRET=abcd1234\n\n# zrok version, e.g., 1.0.0\nZROK_CLI_TAG=latest\n# ziti version, e.g., 1.0.0\nZITI_CLI_TAG=latest\n"})}),"\n",(0,o.jsx)(n.h3,{id:"start-the-docker-compose-project",children:"Start the Docker Compose Project"}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Start the zrok instance."}),"\n",(0,o.jsxs)(n.p,{children:["The container images for zrok (including caddy) are built in this step. This provides a simple configuration to get started. You can modify the templates named like ",(0,o.jsx)(n.code,{children:"*.envsubst"})," or mount a customized configuration file to mask the one that was built in."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"docker compose up --build --detach\n"})}),"\n"]}),"\n"]}),"\n",(0,o.jsx)(n.h3,{id:"set-up-a-user-account",children:"Set up a User Account"}),"\n",(0,o.jsxs)(n.p,{children:["This step creates a user account. You will log in to the zrok web console with the account password created in this step. The ZROK_USER_EMAIL and ZROK_USER_PWD variables are set in the ",(0,o.jsx)(n.code,{children:".env"})," file. You can create more user accounts the same way by substituting a different email and password."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",metastring:'title="Create the first user account"',children:"docker compose exec zrok-controller bash -xc 'zrok admin create account ${ZROK_USER_EMAIL} ${ZROK_USER_PWD}'\n"})}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-buttonless",metastring:'title="Example output"',children:"+ zrok admin create account me@example.com zrokuserpw\n[ 0.000] INFO zrok/controller/store.Open: database connected\n[ 0.002] INFO zrok/controller/store.(*Store).migrate: applied 0 migrations\nheMqncCyxZcx\n"})}),"\n",(0,o.jsx)(n.p,{children:"Create additional users by running the command again with a different email and password."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",metastring:'title="Create another user"',children:"docker compose exec zrok-controller zrok admin create account \n"})}),"\n",(0,o.jsx)(n.h3,{id:"enable-the-user-environment",children:"Enable the User Environment"}),"\n",(0,o.jsx)(n.p,{children:"You must enable each device environment with the account token obtained when the account was created. This is separate from the account password that's used to log in to the web console."}),"\n",(0,o.jsxs)(n.p,{children:["Follow ",(0,o.jsx)(n.a,{href:"/docs/getting-started#installing-the-zrok-command",children:"the getting started guide"})," to install the zrok CLI on some device and enable a zrok environment."]}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsxs)(n.p,{children:["Configure the environment with the zrok API. Substitute the API endpoint with the one you're using, e.g. ",(0,o.jsx)(n.code,{children:"https://zrok.${ZROK_DNS_ZONE}"}),"."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"zrok config set apiEndpoint https://zrok.share.example.com\n"})}),"\n",(0,o.jsx)(n.p,{children:"or, if not using Caddy for TLS:"}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"zrok config set apiEndpoint http://zrok.share.example.com:18080\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Enable an environment on this device with the account token from the previous step."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"zrok enable heMqncCyxZcx\n"})}),"\n"]}),"\n"]}),"\n",(0,o.jsx)(n.h3,{id:"firewall-configuration",children:"Firewall Configuration"}),"\n",(0,o.jsxs)(n.p,{children:["The ",(0,o.jsx)(n.code,{children:"ziti-quickstart"})," and ",(0,o.jsx)(n.code,{children:"caddy"})," containers publish ports to all devices that use zrok shares. The ",(0,o.jsx)(n.code,{children:"zrok-controller"})," and ",(0,o.jsx)(n.code,{children:"zrok-frontend"})," containers expose ports only to the ",(0,o.jsx)(n.code,{children:"caddy"})," container and the Docker host's loopback interface."]}),"\n",(0,o.jsx)(n.h4,{id:"required",children:"Required"}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:[(0,o.jsx)(n.code,{children:"443/tcp"})," - reverse proxy handles HTTPS requests for zrok API, OAuth, and public shares (published by container ",(0,o.jsx)(n.code,{children:"caddy"}),")"]}),"\n",(0,o.jsxs)(n.li,{children:[(0,o.jsx)(n.code,{children:"80/tcp"})," - ziti ctrl plane (published by container ",(0,o.jsx)(n.code,{children:"ziti-quickstart"}),")"]}),"\n",(0,o.jsxs)(n.li,{children:[(0,o.jsx)(n.code,{children:"3022/tcp"})," - ziti data plane (published by container ",(0,o.jsx)(n.code,{children:"ziti-quickstart"}),")"]}),"\n"]}),"\n",(0,o.jsx)(n.p,{children:'See "My internet connection can only send traffic to common ports" below about changing the required ports.'}),"\n",(0,o.jsx)(n.h3,{id:"troubleshooting",children:"Troubleshooting"}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Check the ziti and zrok logs."}),"\n",(0,o.jsxs)(n.p,{children:["You can substitute the service container name of each to check their logs individually: ",(0,o.jsx)(n.code,{children:"ziti-quickstart"}),", ",(0,o.jsx)(n.code,{children:"zrok-controller"}),", ",(0,o.jsx)(n.code,{children:"zrok-frontend"}),"."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"docker compose logs zrok-controller\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Check the Caddy logs."}),"\n",(0,o.jsxs)(n.p,{children:["It can take a few minutes for Caddy to obtain the wildcard certificate. You can check the logs to see if there were any errors completing the DNS challenge which involves using the Caddy DNS plugin to create a TXT record in your DNS zone. This leverages the API token you provided in the ",(0,o.jsx)(n.code,{children:".env"})," file, which must have permission to create DNS records in the zrok DNS zone."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"docker compose logs caddy\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Caddy keeps failing to obtain a wildcard certificate because it timed out waiting for DNS."}),"\n",(0,o.jsx)(n.p,{children:"Symptom: the Caddy log contains \"timed out waiting for record to fully propagate.\" This means that Caddy added a DNS record with your DNS provider's API to prove to the CA it controls the zrok DNS zone, but it wasn't able to verify the record was created successfully with a DNS query."}),"\n",(0,o.jsx)(n.p,{children:"Solutions:"}),"\n",(0,o.jsxs)(n.ul,{children:["\n",(0,o.jsxs)(n.li,{children:["Add ",(0,o.jsx)(n.code,{children:"propagation_delay"})," in your ",(0,o.jsx)(n.code,{children:"Caddyfile"})," to delay the first DNS verification query. This avoids caching a verification query failure by waiting a few minutes for the record to become available so the verification query will succeed on the first attempt. Caddy will be unable to verify the DNS record if the failure remains in the cache too long."]}),"\n",(0,o.jsxs)(n.li,{children:["If the prior solution fails, you can override the default resolves/nameservers with ",(0,o.jsx)(n.code,{children:"resolvers"}),", a space-separated list of DNS servers. This gives you more control over if and where the verification query result is cached."]}),"\n"]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{children:"tls {\n dns {CADDY_DNS_PLUGIN} {CADDY_DNS_PLUGIN_TOKEN}\n\tpropagation_timeout 60m # default 2m\n propagation_delay 5m # default 0m\n}\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsxs)(n.p,{children:[(0,o.jsx)(n.code,{children:"zrok enable"})," fails certificate verification: ensure you are not using the staging API for Let's Encrypt."]}),"\n",(0,o.jsxs)(n.p,{children:["If you are using the staging API, you will see an error about the API certificate when you use the zrok CLI. You can switch to the production API by removing the overriding assignment of the ",(0,o.jsx)(n.code,{children:"CADDY_ACME_API"})," variable."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-buttonless",metastring:'title="Example output"',children:'there was a problem enabling your environment!\nyou are trying to use the zrok service at: https://zrok.share.example.com\nyou can change your zrok service endpoint using this command:\n\n$ zrok config set apiEndpoint \n\n(where newEndpoint is something like: https://some.zrok.io)\n[ERROR]: error creating service client (error getting version from api endpoint \'https://zrok.share.example.com\': Get "https://zrok.share.example.com/api/v1/version": tls: failed to verify certificate: x509: certificate signed by unknown authority: Get "https://zrok.share.example.com/api/v1/version": tls: failed to verify certificate: x509: certificate signed by unknown authority)\n'})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Validate the Caddyfile."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"docker compose exec caddy caddy validate --config /etc/caddy/Caddyfile\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Verify the correct DNS provider module was built-in to Caddy."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"docker compose exec caddy caddy list-modules | grep dns.providers\n"})}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-buttonless",metastring:'title="Example output"',children:"dns.providers.cloudflare\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Use the Caddy admin API."}),"\n",(0,o.jsxs)(n.p,{children:["You can use the Caddy admin API to check the status of the Caddy instance. The admin API is available on port ",(0,o.jsx)(n.code,{children:"2019/tcp"})," inside the Docker Compose project. You can modify ",(0,o.jsx)(n.code,{children:"compose.override.yml"})," to publish the port if you want to access the admin API from the Docker host or elsewhere."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"docker compose exec caddy curl http://localhost:2019/config/ | jq\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"My DNS provider credential is composed of several values, not a single API token."}),"\n",(0,o.jsxs)(n.p,{children:["As long as your DNS provider is supported by Caddy then it will work. Here's a checklist for DNS providers like Route53 with credentials expressed as multiple values, e.g., ",(0,o.jsx)(n.code,{children:"AWS_ACCESS_KEY_ID"}),", ",(0,o.jsx)(n.code,{children:"AWS_SECRET_ACCESS_KEY"}),"."]}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["Define env vars in ",(0,o.jsx)(n.code,{children:".env"})," file."]}),"\n",(0,o.jsxs)(n.li,{children:["Declare env vars in ",(0,o.jsx)(n.code,{children:"compose.override.yml"})," file on ",(0,o.jsx)(n.code,{children:"caddy"}),"'s ",(0,o.jsx)(n.code,{children:"environment"}),"."]}),"\n",(0,o.jsxs)(n.li,{children:["Modify ",(0,o.jsx)(n.code,{children:"Caddyfile"})," according to the DNS plugin author's instructions (",(0,o.jsx)(n.a,{href:"https://github.com/caddy-dns/route53",children:"link to Route53 README"}),"). This means modifying the ",(0,o.jsx)(n.code,{children:"Caddyfile"})," to reference the env vars. The provided file ",(0,o.jsx)(n.code,{children:"route53.Caddyfile"})," serves as an example."]}),"\n"]}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"My internet connection can only send traffic to common ports like 80, 443, and 3389."}),"\n",(0,o.jsxs)(n.p,{children:["You can change the required ports in the ",(0,o.jsx)(n.code,{children:".env"})," file before the first run of the Docker Compose project."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",metastring:'title=".env"',children:"ZITI_CTRL_ADVERTISED_PORT=80\nZITI_ROUTER_PORT=3389\nCADDY_HTTPS_PORT=443\n"})}),"\n"]}),"\n"]})]})}function c(e={}){const{wrapper:n}={...(0,i.R)(),...e.components};return n?(0,o.jsx)(n,{...e,children:(0,o.jsx)(s,{...e})}):s(e)}},654:(e,n,r)=>{r.r(n),r.d(n,{assets:()=>d,contentTitle:()=>a,default:()=>u,frontMatter:()=>c,metadata:()=>o,toc:()=>l});const o=JSON.parse('{"id":"guides/self-hosting/docker","title":"Self-hosting guide for Docker","description":"","source":"@site/versioned_docs/version-0.4/guides/self-hosting/docker.mdx","sourceDirName":"guides/self-hosting","slug":"/guides/self-hosting/docker","permalink":"/docs/0.4/guides/self-hosting/docker","draft":false,"unlisted":false,"editUrl":"https://github.com/openziti/zrok/blob/main/docs/versioned_docs/version-0.4/guides/self-hosting/docker.mdx","tags":[],"version":"0.4","sidebarPosition":45,"frontMatter":{"title":"Self-hosting guide for Docker","sidebar_label":"Docker","sidebar_position":45},"sidebar":"tutorialSidebar","previous":{"title":"Personalized Frontend","permalink":"/docs/0.4/guides/self-hosting/personalized-frontend"},"next":{"title":"Kubernetes","permalink":"/docs/0.4/guides/self-hosting/kubernetes"}}');var i=r(4848),t=r(8453),s=r(1181);const c={title:"Self-hosting guide for Docker",sidebar_label:"Docker",sidebar_position:45},a=void 0,d={},l=[...s.RM];function h(e){return(0,i.jsx)(s.Ay,{})}function u(e={}){const{wrapper:n}={...(0,t.R)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(h,{...e})}):h()}},8453:(e,n,r)=>{r.d(n,{R:()=>s,x:()=>c});var o=r(6540);const i={},t=o.createContext(i);function s(e){const n=o.useContext(t);return o.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function c(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:s(e.components),o.createElement(t.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/685bed1a.cba82c70.js b/assets/js/685bed1a.cba82c70.js deleted file mode 100644 index f9956540..00000000 --- a/assets/js/685bed1a.cba82c70.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkwebsite=self.webpackChunkwebsite||[]).push([[5689],{1181:(e,n,o)=>{o.d(n,{Ay:()=>c,RM:()=>t});var r=o(4848),i=o(8453);const t=[{value:"Docker Instance",id:"docker-instance",level:2},{value:"DNS Configuration",id:"dns-configuration",level:3},{value:"Additional DNS Configuration for Caddy TLS",id:"additional-dns-configuration-for-caddy-tls",level:4},{value:"Create the Docker Compose Project",id:"create-the-docker-compose-project",level:3},{value:"Shortcut Option",id:"shortcut-option",level:4},{value:"Manual Option",id:"manual-option",level:4},{value:"Configure the Docker Compose Project Environment",id:"configure-the-docker-compose-project-environment",level:3},{value:"Start the Docker Compose Project",id:"start-the-docker-compose-project",level:3},{value:"Set up a User Account",id:"set-up-a-user-account",level:3},{value:"Enable the User Environment",id:"enable-the-user-environment",level:3},{value:"Firewall Configuration",id:"firewall-configuration",level:3},{value:"Required",id:"required",level:4},{value:"Troubleshooting",id:"troubleshooting",level:3}];function s(e){const n={a:"a",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,i.R)(),...e.components};return(0,r.jsxs)(r.Fragment,{children:[(0,r.jsx)(n.h2,{id:"docker-instance",children:"Docker Instance"}),"\n",(0,r.jsx)("iframe",{width:"100%",height:"315",src:"https://www.youtube.com/embed/70zJ_h4uiD8",title:"YouTube video player",frameborder:"0",allow:"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share",allowfullscreen:!0}),"\n",(0,r.jsx)(n.p,{children:"This Docker Compose project creates a zrok instance and includes a ziti controller and router. An optional Caddy container is included to provide HTTPS and reverse proxy services for the zrok API and public shares."}),"\n",(0,r.jsx)(n.h3,{id:"dns-configuration",children:"DNS Configuration"}),"\n",(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["A wildcard record exists for the IP address where the zrok instance will run, e.g. if your DNS zone is ",(0,r.jsx)(n.code,{children:"share.example.com"}),", then your wildcard record is ",(0,r.jsx)(n.code,{children:"*.share.example.com"}),"."]}),"\n"]}),"\n",(0,r.jsx)(n.h4,{id:"additional-dns-configuration-for-caddy-tls",children:"Additional DNS Configuration for Caddy TLS"}),"\n",(0,r.jsxs)(n.p,{children:["The included Caddy container can automatically manage a wildcard certificate for your zrok instance. You can enable Caddy in this compose project by renaming ",(0,r.jsx)(n.code,{children:"compose.caddy.yml"})," as ",(0,r.jsx)(n.code,{children:"compose.override.yml"}),"."]}),"\n",(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["Ensure A Caddy DNS plugin is available for your DNS provider (see ",(0,r.jsx)(n.a,{href:"https://github.com/orgs/caddy-dns/repositories?type=all&q=sort%3Aname-asc",children:"github.com/caddy-dns"}),")."]}),"\n",(0,r.jsxs)(n.li,{children:["Designate A DNS zone for zrok, e.g. ",(0,r.jsx)(n.code,{children:"example.com"})," or ",(0,r.jsx)(n.code,{children:"share.example.com"})," and create the zone on your DNS provider's platform."]}),"\n",(0,r.jsx)(n.li,{children:"Created an API token in your DNS provider that has permission to manage zrok's DNS zone."}),"\n"]}),"\n",(0,r.jsx)(n.h3,{id:"create-the-docker-compose-project",children:"Create the Docker Compose Project"}),"\n",(0,r.jsx)(n.p,{children:"Create a working directory on your Docker host and save these Docker Compose project files."}),"\n",(0,r.jsx)(n.h4,{id:"shortcut-option",children:"Shortcut Option"}),"\n",(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Run this script to download the files in the current directory."}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"curl https://get.openziti.io/zrok-instance/fetch.bash | bash\n"})}),"\n",(0,r.jsx)(n.p,{children:"Or, specify the Compose project directory."}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"curl https://get.openziti.io/zrok-instance/fetch.bash | bash -s /path/to/compose/project/dir\n"})}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(n.h4,{id:"manual-option",children:"Manual Option"}),"\n",(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Get the zrok repo ZIP file."}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"wget https://github.com/openziti/zrok/archive/refs/heads/main.zip\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Unzip the zrok-instance files into the project directory."}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"unzip -j -d . main.zip '*/docker/compose/zrok-instance/*'\n"})}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(n.h3,{id:"configure-the-docker-compose-project-environment",children:"Configure the Docker Compose Project Environment"}),"\n",(0,r.jsxs)(n.p,{children:["Create an ",(0,r.jsx)(n.code,{children:".env"})," file in the working directory."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",metastring:'title=".env required"',children:"ZROK_DNS_ZONE=share.example.com\n\nZROK_USER_EMAIL=me@example.com\nZROK_USER_PWD=zrokuserpw\n\nZITI_PWD=zitiadminpw\nZROK_ADMIN_TOKEN=zroktoken\n"})}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",metastring:'title=".env options"',children:"# Caddy TLS option: rename compose.caddy.yml to compose.override.yml and set these vars; allow 80,443 in firewall\n\n#\n## set these in .env for providers other than Route53\n#\n# plugin name for your DNS provider\nCADDY_DNS_PLUGIN=cloudflare\n# API token from your DNS provider\nCADDY_DNS_PLUGIN_TOKEN=abcd1234\n# use the staging API until you're sure everything is working to avoid hitting the rate limit\nCADDY_ACME_API=https://acme-staging-v02.api.letsencrypt.org/directory\n\n#\n## set these in .env for Route53\n#\n# AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}\n# AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}\n# AWS_REGION: ${AWS_REGION}\n# AWS_SESSION_TOKEN: ${AWS_SESSION_TOKEN} # if temporary credential, e.g., from STS\n\n#\n## if not using Caddy for TLS, uncomment to publish the insecure ports to the internet\n#\n#ZROK_INSECURE_INTERFACE=0.0.0.0\n\n# these insecure ports must be proxied with TLS for security\nZROK_CTRL_PORT=18080\nZROK_FRONTEND_PORT=8080\nZROK_OAUTH_PORT=8081\n\n# these secure ziti ports must be published to the internet\nZITI_CTRL_ADVERTISED_PORT=80\nZITI_ROUTER_PORT=3022\n\n# optionally configure oauth for public shares\n#ZROK_OAUTH_HASH_KEY=oauthhashkeysecret\n#ZROK_OAUTH_GITHUB_CLIENT_ID=abcd1234\n#ZROK_OAUTH_GITHUB_CLIENT_SECRET=abcd1234\n#ZROK_OAUTH_GOOGLE_CLIENT_ID=abcd1234\n#ZROK_OAUTH_GOOGLE_CLIENT_SECRET=abcd1234\n\n# zrok version, e.g., 1.0.0\nZROK_CLI_TAG=latest\n# ziti version, e.g., 1.0.0\nZITI_CLI_TAG=latest\n"})}),"\n",(0,r.jsx)(n.h3,{id:"start-the-docker-compose-project",children:"Start the Docker Compose Project"}),"\n",(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Start the zrok instance."}),"\n",(0,r.jsxs)(n.p,{children:["The container images for zrok (including caddy) are built in this step. This provides a simple configuration to get started. You can modify the templates named like ",(0,r.jsx)(n.code,{children:"*.envsubst"})," or mount a customized configuration file to mask the one that was built in."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"docker compose up --build --detach\n"})}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(n.h3,{id:"set-up-a-user-account",children:"Set up a User Account"}),"\n",(0,r.jsxs)(n.p,{children:["This step creates a user account. You will log in to the zrok web console with the account password created in this step. The ZROK_USER_EMAIL and ZROK_USER_PWD variables are set in the ",(0,r.jsx)(n.code,{children:".env"})," file. You can create more user accounts the same way by substituting a different email and password."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",metastring:'title="Create the first user account"',children:"docker compose exec zrok-controller bash -xc 'zrok admin create account ${ZROK_USER_EMAIL} ${ZROK_USER_PWD}'\n"})}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-buttonless",metastring:'title="Example output"',children:"+ zrok admin create account me@example.com zrokuserpw\n[ 0.000] INFO zrok/controller/store.Open: database connected\n[ 0.002] INFO zrok/controller/store.(*Store).migrate: applied 0 migrations\nheMqncCyxZcx\n"})}),"\n",(0,r.jsx)(n.p,{children:"Create additional users by running the command again with a different email and password."}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",metastring:'title="Create another user"',children:"docker compose exec zrok-controller zrok admin create account \n"})}),"\n",(0,r.jsx)(n.h3,{id:"enable-the-user-environment",children:"Enable the User Environment"}),"\n",(0,r.jsx)(n.p,{children:"You must enable each device environment with the account token obtained when the account was created. This is separate from the account password that's used to log in to the web console."}),"\n",(0,r.jsxs)(n.p,{children:["Follow ",(0,r.jsx)(n.a,{href:"/docs/getting-started#installing-the-zrok-command",children:"the getting started guide"})," to install the zrok CLI on some device and enable a zrok environment."]}),"\n",(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:["Configure the environment with the zrok API. Substitute the API endpoint with the one you're using, e.g. ",(0,r.jsx)(n.code,{children:"https://zrok.${ZROK_DNS_ZONE}"}),"."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"zrok config set apiEndpoint https://zrok.share.example.com\n"})}),"\n",(0,r.jsx)(n.p,{children:"or, if not using Caddy for TLS:"}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"zrok config set apiEndpoint http://zrok.share.example.com:18080\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Enable an environment on this device with the account token from the previous step."}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"zrok enable heMqncCyxZcx\n"})}),"\n"]}),"\n"]}),"\n",(0,r.jsx)(n.h3,{id:"firewall-configuration",children:"Firewall Configuration"}),"\n",(0,r.jsxs)(n.p,{children:["The ",(0,r.jsx)(n.code,{children:"ziti-quickstart"})," and ",(0,r.jsx)(n.code,{children:"caddy"})," containers publish ports to all devices that use zrok shares. The ",(0,r.jsx)(n.code,{children:"zrok-controller"})," and ",(0,r.jsx)(n.code,{children:"zrok-frontend"})," containers expose ports only to the ",(0,r.jsx)(n.code,{children:"caddy"})," container and the Docker host's loopback interface."]}),"\n",(0,r.jsx)(n.h4,{id:"required",children:"Required"}),"\n",(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.code,{children:"443/tcp"})," - reverse proxy handles HTTPS requests for zrok API, OAuth, and public shares (published by container ",(0,r.jsx)(n.code,{children:"caddy"}),")"]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.code,{children:"80/tcp"})," - ziti ctrl plane (published by container ",(0,r.jsx)(n.code,{children:"ziti-quickstart"}),")"]}),"\n",(0,r.jsxs)(n.li,{children:[(0,r.jsx)(n.code,{children:"3022/tcp"})," - ziti data plane (published by container ",(0,r.jsx)(n.code,{children:"ziti-quickstart"}),")"]}),"\n"]}),"\n",(0,r.jsx)(n.p,{children:'See "My internet connection can only send traffic to common ports" below about changing the required ports.'}),"\n",(0,r.jsx)(n.h3,{id:"troubleshooting",children:"Troubleshooting"}),"\n",(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Check the ziti and zrok logs."}),"\n",(0,r.jsxs)(n.p,{children:["You can substitute the service container name of each to check their logs individually: ",(0,r.jsx)(n.code,{children:"ziti-quickstart"}),", ",(0,r.jsx)(n.code,{children:"zrok-controller"}),", ",(0,r.jsx)(n.code,{children:"zrok-frontend"}),"."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"docker compose logs zrok-controller\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Check the Caddy logs."}),"\n",(0,r.jsxs)(n.p,{children:["It can take a few minutes for Caddy to obtain the wildcard certificate. You can check the logs to see if there were any errors completing the DNS challenge which involves using the Caddy DNS plugin to create a TXT record in your DNS zone. This leverages the API token you provided in the ",(0,r.jsx)(n.code,{children:".env"})," file, which must have permission to create DNS records in the zrok DNS zone."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"docker compose logs caddy\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Caddy keeps failing to obtain a wildcard certificate because it timed out waiting for DNS."}),"\n",(0,r.jsx)(n.p,{children:"Symptom: the Caddy log contains \"timed out waiting for record to fully propagate.\" This means that Caddy added a DNS record with your DNS provider's API to prove to the CA it controls the zrok DNS zone, but it wasn't able to verify the record was created successfully with a DNS query."}),"\n",(0,r.jsx)(n.p,{children:"Solutions:"}),"\n",(0,r.jsxs)(n.ul,{children:["\n",(0,r.jsxs)(n.li,{children:["Add ",(0,r.jsx)(n.code,{children:"propagation_delay"})," in your ",(0,r.jsx)(n.code,{children:"Caddyfile"})," to delay the first DNS verification query. This avoids caching a verification query failure by waiting a few minutes for the record to become available so the verification query will succeed on the first attempt. Caddy will be unable to verify the DNS record if the failure remains in the cache too long."]}),"\n",(0,r.jsxs)(n.li,{children:["If the prior solution fails, you can override the default resolves/nameservers with ",(0,r.jsx)(n.code,{children:"resolvers"}),", a space-separated list of DNS servers. This gives you more control over if and where the verification query result is cached."]}),"\n"]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{children:"tls {\n dns {CADDY_DNS_PLUGIN} {CADDY_DNS_PLUGIN_TOKEN}\n\tpropagation_timeout 60m # default 2m\n propagation_delay 5m # default 0m\n}\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsxs)(n.p,{children:[(0,r.jsx)(n.code,{children:"zrok enable"})," fails certificate verification: ensure you are not using the staging API for Let's Encrypt."]}),"\n",(0,r.jsxs)(n.p,{children:["If you are using the staging API, you will see an error about the API certificate when you use the zrok CLI. You can switch to the production API by removing the overriding assignment of the ",(0,r.jsx)(n.code,{children:"CADDY_ACME_API"})," variable."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-buttonless",metastring:'title="Example output"',children:'there was a problem enabling your environment!\nyou are trying to use the zrok service at: https://zrok.share.example.com\nyou can change your zrok service endpoint using this command:\n\n$ zrok config set apiEndpoint \n\n(where newEndpoint is something like: https://some.zrok.io)\n[ERROR]: error creating service client (error getting version from api endpoint \'https://zrok.share.example.com\': Get "https://zrok.share.example.com/api/v1/version": tls: failed to verify certificate: x509: certificate signed by unknown authority: Get "https://zrok.share.example.com/api/v1/version": tls: failed to verify certificate: x509: certificate signed by unknown authority)\n'})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Validate the Caddyfile."}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"docker compose exec caddy caddy validate --config /etc/caddy/Caddyfile\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Verify the correct DNS provider module was built-in to Caddy."}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"docker compose exec caddy caddy list-modules | grep dns.providers\n"})}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-buttonless",metastring:'title="Example output"',children:"dns.providers.cloudflare\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"Use the Caddy admin API."}),"\n",(0,r.jsxs)(n.p,{children:["You can use the Caddy admin API to check the status of the Caddy instance. The admin API is available on port ",(0,r.jsx)(n.code,{children:"2019/tcp"})," inside the Docker Compose project. You can modify ",(0,r.jsx)(n.code,{children:"compose.override.yml"})," to publish the port if you want to access the admin API from the Docker host or elsewhere."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",children:"docker compose exec caddy curl http://localhost:2019/config/ | jq\n"})}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"My DNS provider credential is composed of several values, not a single API token."}),"\n",(0,r.jsxs)(n.p,{children:["As long as your DNS provider is supported by Caddy then it will work. Here's a checklist for DNS providers like Route53 with credentials expressed as multiple values, e.g., ",(0,r.jsx)(n.code,{children:"AWS_ACCESS_KEY_ID"}),", ",(0,r.jsx)(n.code,{children:"AWS_SECRET_ACCESS_KEY"}),"."]}),"\n",(0,r.jsxs)(n.ol,{children:["\n",(0,r.jsxs)(n.li,{children:["Define env vars in ",(0,r.jsx)(n.code,{children:".env"})," file."]}),"\n",(0,r.jsxs)(n.li,{children:["Declare env vars in ",(0,r.jsx)(n.code,{children:"compose.override.yml"})," file on ",(0,r.jsx)(n.code,{children:"caddy"}),"'s ",(0,r.jsx)(n.code,{children:"environment"}),"."]}),"\n",(0,r.jsxs)(n.li,{children:["Modify ",(0,r.jsx)(n.code,{children:"Caddyfile"})," according to the DNS plugin author's instructions (",(0,r.jsx)(n.a,{href:"https://github.com/caddy-dns/route53",children:"link to Route53 README"}),"). This means modifying the ",(0,r.jsx)(n.code,{children:"Caddyfile"})," to reference the env vars. The provided file ",(0,r.jsx)(n.code,{children:"route53.Caddyfile"})," serves as an example."]}),"\n"]}),"\n"]}),"\n",(0,r.jsxs)(n.li,{children:["\n",(0,r.jsx)(n.p,{children:"My internet connection can only send traffic to common ports like 80, 443, and 3389."}),"\n",(0,r.jsxs)(n.p,{children:["You can change the required ports in the ",(0,r.jsx)(n.code,{children:".env"})," file. Caddy will still use port 443 for zrok shares and API if you renamed ",(0,r.jsx)(n.code,{children:"compose.caddy.yml"})," as ",(0,r.jsx)(n.code,{children:"compose.override.yml"})," to enable Caddy."]}),"\n",(0,r.jsx)(n.pre,{children:(0,r.jsx)(n.code,{className:"language-bash",metastring:'title=".env"',children:"ZITI_CTRL_ADVERTISED_PORT=80\nZITI_ROUTER_PORT=3389\n"})}),"\n"]}),"\n"]})]})}function c(e={}){const{wrapper:n}={...(0,i.R)(),...e.components};return n?(0,r.jsx)(n,{...e,children:(0,r.jsx)(s,{...e})}):s(e)}},654:(e,n,o)=>{o.r(n),o.d(n,{assets:()=>d,contentTitle:()=>a,default:()=>u,frontMatter:()=>c,metadata:()=>r,toc:()=>l});const r=JSON.parse('{"id":"guides/self-hosting/docker","title":"Self-hosting guide for Docker","description":"","source":"@site/versioned_docs/version-0.4/guides/self-hosting/docker.mdx","sourceDirName":"guides/self-hosting","slug":"/guides/self-hosting/docker","permalink":"/docs/0.4/guides/self-hosting/docker","draft":false,"unlisted":false,"editUrl":"https://github.com/openziti/zrok/blob/main/docs/versioned_docs/version-0.4/guides/self-hosting/docker.mdx","tags":[],"version":"0.4","sidebarPosition":45,"frontMatter":{"title":"Self-hosting guide for Docker","sidebar_label":"Docker","sidebar_position":45},"sidebar":"tutorialSidebar","previous":{"title":"Personalized Frontend","permalink":"/docs/0.4/guides/self-hosting/personalized-frontend"},"next":{"title":"Kubernetes","permalink":"/docs/0.4/guides/self-hosting/kubernetes"}}');var i=o(4848),t=o(8453),s=o(1181);const c={title:"Self-hosting guide for Docker",sidebar_label:"Docker",sidebar_position:45},a=void 0,d={},l=[...s.RM];function h(e){return(0,i.jsx)(s.Ay,{})}function u(e={}){const{wrapper:n}={...(0,t.R)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(h,{...e})}):h()}},8453:(e,n,o)=>{o.d(n,{R:()=>s,x:()=>c});var r=o(6540);const i={},t=r.createContext(i);function s(e){const n=r.useContext(t);return r.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function c(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:s(e.components),r.createElement(t.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/e1dfe4fe.54de816e.js b/assets/js/e1dfe4fe.54de816e.js new file mode 100644 index 00000000..9717ead2 --- /dev/null +++ b/assets/js/e1dfe4fe.54de816e.js @@ -0,0 +1 @@ +"use strict";(self.webpackChunkwebsite=self.webpackChunkwebsite||[]).push([[3423],{1181:(e,n,r)=>{r.d(n,{Ay:()=>c,RM:()=>t});var o=r(4848),i=r(8453);const t=[{value:"Docker Instance",id:"docker-instance",level:2},{value:"DNS Configuration",id:"dns-configuration",level:3},{value:"Additional DNS Configuration for Caddy TLS",id:"additional-dns-configuration-for-caddy-tls",level:4},{value:"Create the Docker Compose Project",id:"create-the-docker-compose-project",level:3},{value:"Shortcut Option",id:"shortcut-option",level:4},{value:"Manual Option",id:"manual-option",level:4},{value:"Configure the Docker Compose Project Environment",id:"configure-the-docker-compose-project-environment",level:3},{value:"Start the Docker Compose Project",id:"start-the-docker-compose-project",level:3},{value:"Set up a User Account",id:"set-up-a-user-account",level:3},{value:"Enable the User Environment",id:"enable-the-user-environment",level:3},{value:"Firewall Configuration",id:"firewall-configuration",level:3},{value:"Required",id:"required",level:4},{value:"Troubleshooting",id:"troubleshooting",level:3}];function s(e){const n={a:"a",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,i.R)(),...e.components};return(0,o.jsxs)(o.Fragment,{children:[(0,o.jsx)(n.h2,{id:"docker-instance",children:"Docker Instance"}),"\n",(0,o.jsx)("iframe",{width:"100%",height:"315",src:"https://www.youtube.com/embed/70zJ_h4uiD8",title:"YouTube video player",frameborder:"0",allow:"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share",allowfullscreen:!0}),"\n",(0,o.jsx)(n.p,{children:"This Docker Compose project creates a zrok instance and includes a ziti controller and router. An optional Caddy container is included to provide HTTPS and reverse proxy services for the zrok API and public shares."}),"\n",(0,o.jsx)(n.h3,{id:"dns-configuration",children:"DNS Configuration"}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["A wildcard record exists for the IP address where the zrok instance will run, e.g. if your DNS zone is ",(0,o.jsx)(n.code,{children:"share.example.com"}),", then your wildcard record is ",(0,o.jsx)(n.code,{children:"*.share.example.com"}),"."]}),"\n"]}),"\n",(0,o.jsx)(n.h4,{id:"additional-dns-configuration-for-caddy-tls",children:"Additional DNS Configuration for Caddy TLS"}),"\n",(0,o.jsxs)(n.p,{children:["The included Caddy container can automatically manage a wildcard certificate for your zrok instance. You can enable Caddy in this compose project by renaming ",(0,o.jsx)(n.code,{children:"compose.caddy.yml"})," as ",(0,o.jsx)(n.code,{children:"compose.override.yml"}),"."]}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["Ensure A Caddy DNS plugin is available for your DNS provider (see ",(0,o.jsx)(n.a,{href:"https://github.com/orgs/caddy-dns/repositories?type=all&q=sort%3Aname-asc",children:"github.com/caddy-dns"}),")."]}),"\n",(0,o.jsxs)(n.li,{children:["Designate A DNS zone for zrok, e.g. ",(0,o.jsx)(n.code,{children:"example.com"})," or ",(0,o.jsx)(n.code,{children:"share.example.com"})," and create the zone on your DNS provider's platform."]}),"\n",(0,o.jsx)(n.li,{children:"Created an API token in your DNS provider that has permission to manage zrok's DNS zone."}),"\n"]}),"\n",(0,o.jsx)(n.h3,{id:"create-the-docker-compose-project",children:"Create the Docker Compose Project"}),"\n",(0,o.jsx)(n.p,{children:"Create a working directory on your Docker host and save these Docker Compose project files."}),"\n",(0,o.jsx)(n.h4,{id:"shortcut-option",children:"Shortcut Option"}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Run this script to download the files in the current directory."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"curl https://get.openziti.io/zrok-instance/fetch.bash | bash\n"})}),"\n",(0,o.jsx)(n.p,{children:"Or, specify the Compose project directory."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"curl https://get.openziti.io/zrok-instance/fetch.bash | bash -s /path/to/compose/project/dir\n"})}),"\n"]}),"\n"]}),"\n",(0,o.jsx)(n.h4,{id:"manual-option",children:"Manual Option"}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Get the zrok repo ZIP file."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"wget https://github.com/openziti/zrok/archive/refs/heads/main.zip\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Unzip the zrok-instance files into the project directory."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"unzip -j -d . main.zip '*/docker/compose/zrok-instance/*'\n"})}),"\n"]}),"\n"]}),"\n",(0,o.jsx)(n.h3,{id:"configure-the-docker-compose-project-environment",children:"Configure the Docker Compose Project Environment"}),"\n",(0,o.jsxs)(n.p,{children:["Create an ",(0,o.jsx)(n.code,{children:".env"})," file in the working directory."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",metastring:'title=".env required"',children:"ZROK_DNS_ZONE=share.example.com\n\nZROK_USER_EMAIL=me@example.com\nZROK_USER_PWD=zrokuserpw\n\nZITI_PWD=zitiadminpw\nZROK_ADMIN_TOKEN=zroktoken\n"})}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",metastring:'title=".env options"',children:"# Caddy TLS option: rename compose.caddy.yml to compose.override.yml; allow CADDY_HTTPS_PORT in firewall\n\n#\n## set these in .env for providers other than Route53\n#\n# plugin name for your DNS provider\nCADDY_DNS_PLUGIN=cloudflare\n# API token from your DNS provider\nCADDY_DNS_PLUGIN_TOKEN=abcd1234\n# use the staging API until you're sure everything is working to avoid hitting the rate limit\nCADDY_ACME_API=https://acme-staging-v02.api.letsencrypt.org/directory\n\n#\n## set these in .env for Route53\n#\n# AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}\n# AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}\n# AWS_REGION: ${AWS_REGION}\n# AWS_SESSION_TOKEN: ${AWS_SESSION_TOKEN} # if temporary credential, e.g., from STS\n\n#\n## if not using Caddy for TLS, uncomment to publish the insecure ports to the internet\n#\n#ZROK_INSECURE_INTERFACE=0.0.0.0\n\n# these insecure ports must be proxied with TLS for security\nZROK_CTRL_PORT=18080\nZROK_FRONTEND_PORT=8080\nZROK_OAUTH_PORT=8081\n\n# these secure ports must be published to the internet\nZITI_CTRL_ADVERTISED_PORT=80\nZITI_ROUTER_PORT=3022\nCADDY_HTTPS_PORT=443\n\n# optionally configure oauth for public shares\n#ZROK_OAUTH_HASH_KEY=oauthhashkeysecret\n#ZROK_OAUTH_GITHUB_CLIENT_ID=abcd1234\n#ZROK_OAUTH_GITHUB_CLIENT_SECRET=abcd1234\n#ZROK_OAUTH_GOOGLE_CLIENT_ID=abcd1234\n#ZROK_OAUTH_GOOGLE_CLIENT_SECRET=abcd1234\n\n# zrok version, e.g., 1.0.0\nZROK_CLI_TAG=latest\n# ziti version, e.g., 1.0.0\nZITI_CLI_TAG=latest\n"})}),"\n",(0,o.jsx)(n.h3,{id:"start-the-docker-compose-project",children:"Start the Docker Compose Project"}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Start the zrok instance."}),"\n",(0,o.jsxs)(n.p,{children:["The container images for zrok (including caddy) are built in this step. This provides a simple configuration to get started. You can modify the templates named like ",(0,o.jsx)(n.code,{children:"*.envsubst"})," or mount a customized configuration file to mask the one that was built in."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"docker compose up --build --detach\n"})}),"\n"]}),"\n"]}),"\n",(0,o.jsx)(n.h3,{id:"set-up-a-user-account",children:"Set up a User Account"}),"\n",(0,o.jsxs)(n.p,{children:["This step creates a user account. You will log in to the zrok web console with the account password created in this step. The ZROK_USER_EMAIL and ZROK_USER_PWD variables are set in the ",(0,o.jsx)(n.code,{children:".env"})," file. You can create more user accounts the same way by substituting a different email and password."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",metastring:'title="Create the first user account"',children:"docker compose exec zrok-controller bash -xc 'zrok admin create account ${ZROK_USER_EMAIL} ${ZROK_USER_PWD}'\n"})}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-buttonless",metastring:'title="Example output"',children:"+ zrok admin create account me@example.com zrokuserpw\n[ 0.000] INFO zrok/controller/store.Open: database connected\n[ 0.002] INFO zrok/controller/store.(*Store).migrate: applied 0 migrations\nheMqncCyxZcx\n"})}),"\n",(0,o.jsx)(n.p,{children:"Create additional users by running the command again with a different email and password."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",metastring:'title="Create another user"',children:"docker compose exec zrok-controller zrok admin create account \n"})}),"\n",(0,o.jsx)(n.h3,{id:"enable-the-user-environment",children:"Enable the User Environment"}),"\n",(0,o.jsx)(n.p,{children:"You must enable each device environment with the account token obtained when the account was created. This is separate from the account password that's used to log in to the web console."}),"\n",(0,o.jsxs)(n.p,{children:["Follow ",(0,o.jsx)(n.a,{href:"/docs/getting-started#installing-the-zrok-command",children:"the getting started guide"})," to install the zrok CLI on some device and enable a zrok environment."]}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsxs)(n.p,{children:["Configure the environment with the zrok API. Substitute the API endpoint with the one you're using, e.g. ",(0,o.jsx)(n.code,{children:"https://zrok.${ZROK_DNS_ZONE}"}),"."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"zrok config set apiEndpoint https://zrok.share.example.com\n"})}),"\n",(0,o.jsx)(n.p,{children:"or, if not using Caddy for TLS:"}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"zrok config set apiEndpoint http://zrok.share.example.com:18080\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Enable an environment on this device with the account token from the previous step."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"zrok enable heMqncCyxZcx\n"})}),"\n"]}),"\n"]}),"\n",(0,o.jsx)(n.h3,{id:"firewall-configuration",children:"Firewall Configuration"}),"\n",(0,o.jsxs)(n.p,{children:["The ",(0,o.jsx)(n.code,{children:"ziti-quickstart"})," and ",(0,o.jsx)(n.code,{children:"caddy"})," containers publish ports to all devices that use zrok shares. The ",(0,o.jsx)(n.code,{children:"zrok-controller"})," and ",(0,o.jsx)(n.code,{children:"zrok-frontend"})," containers expose ports only to the ",(0,o.jsx)(n.code,{children:"caddy"})," container and the Docker host's loopback interface."]}),"\n",(0,o.jsx)(n.h4,{id:"required",children:"Required"}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:[(0,o.jsx)(n.code,{children:"443/tcp"})," - reverse proxy handles HTTPS requests for zrok API, OAuth, and public shares (published by container ",(0,o.jsx)(n.code,{children:"caddy"}),")"]}),"\n",(0,o.jsxs)(n.li,{children:[(0,o.jsx)(n.code,{children:"80/tcp"})," - ziti ctrl plane (published by container ",(0,o.jsx)(n.code,{children:"ziti-quickstart"}),")"]}),"\n",(0,o.jsxs)(n.li,{children:[(0,o.jsx)(n.code,{children:"3022/tcp"})," - ziti data plane (published by container ",(0,o.jsx)(n.code,{children:"ziti-quickstart"}),")"]}),"\n"]}),"\n",(0,o.jsx)(n.p,{children:'See "My internet connection can only send traffic to common ports" below about changing the required ports.'}),"\n",(0,o.jsx)(n.h3,{id:"troubleshooting",children:"Troubleshooting"}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Check the ziti and zrok logs."}),"\n",(0,o.jsxs)(n.p,{children:["You can substitute the service container name of each to check their logs individually: ",(0,o.jsx)(n.code,{children:"ziti-quickstart"}),", ",(0,o.jsx)(n.code,{children:"zrok-controller"}),", ",(0,o.jsx)(n.code,{children:"zrok-frontend"}),"."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"docker compose logs zrok-controller\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Check the Caddy logs."}),"\n",(0,o.jsxs)(n.p,{children:["It can take a few minutes for Caddy to obtain the wildcard certificate. You can check the logs to see if there were any errors completing the DNS challenge which involves using the Caddy DNS plugin to create a TXT record in your DNS zone. This leverages the API token you provided in the ",(0,o.jsx)(n.code,{children:".env"})," file, which must have permission to create DNS records in the zrok DNS zone."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"docker compose logs caddy\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Caddy keeps failing to obtain a wildcard certificate because it timed out waiting for DNS."}),"\n",(0,o.jsx)(n.p,{children:"Symptom: the Caddy log contains \"timed out waiting for record to fully propagate.\" This means that Caddy added a DNS record with your DNS provider's API to prove to the CA it controls the zrok DNS zone, but it wasn't able to verify the record was created successfully with a DNS query."}),"\n",(0,o.jsx)(n.p,{children:"Solutions:"}),"\n",(0,o.jsxs)(n.ul,{children:["\n",(0,o.jsxs)(n.li,{children:["Add ",(0,o.jsx)(n.code,{children:"propagation_delay"})," in your ",(0,o.jsx)(n.code,{children:"Caddyfile"})," to delay the first DNS verification query. This avoids caching a verification query failure by waiting a few minutes for the record to become available so the verification query will succeed on the first attempt. Caddy will be unable to verify the DNS record if the failure remains in the cache too long."]}),"\n",(0,o.jsxs)(n.li,{children:["If the prior solution fails, you can override the default resolves/nameservers with ",(0,o.jsx)(n.code,{children:"resolvers"}),", a space-separated list of DNS servers. This gives you more control over if and where the verification query result is cached."]}),"\n"]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{children:"tls {\n dns {CADDY_DNS_PLUGIN} {CADDY_DNS_PLUGIN_TOKEN}\n\tpropagation_timeout 60m # default 2m\n propagation_delay 5m # default 0m\n}\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsxs)(n.p,{children:[(0,o.jsx)(n.code,{children:"zrok enable"})," fails certificate verification: ensure you are not using the staging API for Let's Encrypt."]}),"\n",(0,o.jsxs)(n.p,{children:["If you are using the staging API, you will see an error about the API certificate when you use the zrok CLI. You can switch to the production API by removing the overriding assignment of the ",(0,o.jsx)(n.code,{children:"CADDY_ACME_API"})," variable."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-buttonless",metastring:'title="Example output"',children:'there was a problem enabling your environment!\nyou are trying to use the zrok service at: https://zrok.share.example.com\nyou can change your zrok service endpoint using this command:\n\n$ zrok config set apiEndpoint \n\n(where newEndpoint is something like: https://some.zrok.io)\n[ERROR]: error creating service client (error getting version from api endpoint \'https://zrok.share.example.com\': Get "https://zrok.share.example.com/api/v1/version": tls: failed to verify certificate: x509: certificate signed by unknown authority: Get "https://zrok.share.example.com/api/v1/version": tls: failed to verify certificate: x509: certificate signed by unknown authority)\n'})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Validate the Caddyfile."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"docker compose exec caddy caddy validate --config /etc/caddy/Caddyfile\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Verify the correct DNS provider module was built-in to Caddy."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"docker compose exec caddy caddy list-modules | grep dns.providers\n"})}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-buttonless",metastring:'title="Example output"',children:"dns.providers.cloudflare\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Use the Caddy admin API."}),"\n",(0,o.jsxs)(n.p,{children:["You can use the Caddy admin API to check the status of the Caddy instance. The admin API is available on port ",(0,o.jsx)(n.code,{children:"2019/tcp"})," inside the Docker Compose project. You can modify ",(0,o.jsx)(n.code,{children:"compose.override.yml"})," to publish the port if you want to access the admin API from the Docker host or elsewhere."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"docker compose exec caddy curl http://localhost:2019/config/ | jq\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"My DNS provider credential is composed of several values, not a single API token."}),"\n",(0,o.jsxs)(n.p,{children:["As long as your DNS provider is supported by Caddy then it will work. Here's a checklist for DNS providers like Route53 with credentials expressed as multiple values, e.g., ",(0,o.jsx)(n.code,{children:"AWS_ACCESS_KEY_ID"}),", ",(0,o.jsx)(n.code,{children:"AWS_SECRET_ACCESS_KEY"}),"."]}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["Define env vars in ",(0,o.jsx)(n.code,{children:".env"})," file."]}),"\n",(0,o.jsxs)(n.li,{children:["Declare env vars in ",(0,o.jsx)(n.code,{children:"compose.override.yml"})," file on ",(0,o.jsx)(n.code,{children:"caddy"}),"'s ",(0,o.jsx)(n.code,{children:"environment"}),"."]}),"\n",(0,o.jsxs)(n.li,{children:["Modify ",(0,o.jsx)(n.code,{children:"Caddyfile"})," according to the DNS plugin author's instructions (",(0,o.jsx)(n.a,{href:"https://github.com/caddy-dns/route53",children:"link to Route53 README"}),"). This means modifying the ",(0,o.jsx)(n.code,{children:"Caddyfile"})," to reference the env vars. The provided file ",(0,o.jsx)(n.code,{children:"route53.Caddyfile"})," serves as an example."]}),"\n"]}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"My internet connection can only send traffic to common ports like 80, 443, and 3389."}),"\n",(0,o.jsxs)(n.p,{children:["You can change the required ports in the ",(0,o.jsx)(n.code,{children:".env"})," file before the first run of the Docker Compose project."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",metastring:'title=".env"',children:"ZITI_CTRL_ADVERTISED_PORT=80\nZITI_ROUTER_PORT=3389\nCADDY_HTTPS_PORT=443\n"})}),"\n"]}),"\n"]})]})}function c(e={}){const{wrapper:n}={...(0,i.R)(),...e.components};return n?(0,o.jsx)(n,{...e,children:(0,o.jsx)(s,{...e})}):s(e)}},2465:(e,n,r)=>{r.r(n),r.d(n,{assets:()=>d,contentTitle:()=>a,default:()=>u,frontMatter:()=>c,metadata:()=>o,toc:()=>l});const o=JSON.parse('{"id":"guides/self-hosting/docker","title":"Self-hosting guide for Docker","description":"","source":"@site/../docs/guides/self-hosting/docker.mdx","sourceDirName":"guides/self-hosting","slug":"/guides/self-hosting/docker","permalink":"/docs/guides/self-hosting/docker","draft":false,"unlisted":false,"editUrl":"https://github.com/openziti/zrok/blob/main/docs/../docs/guides/self-hosting/docker.mdx","tags":[],"version":"current","sidebarPosition":45,"frontMatter":{"title":"Self-hosting guide for Docker","sidebar_label":"Docker","sidebar_position":45},"sidebar":"tutorialSidebar","previous":{"title":"Personalized Frontend","permalink":"/docs/guides/self-hosting/personalized-frontend"},"next":{"title":"Kubernetes","permalink":"/docs/guides/self-hosting/kubernetes"}}');var i=r(4848),t=r(8453),s=r(1181);const c={title:"Self-hosting guide for Docker",sidebar_label:"Docker",sidebar_position:45},a=void 0,d={},l=[...s.RM];function h(e){return(0,i.jsx)(s.Ay,{})}function u(e={}){const{wrapper:n}={...(0,t.R)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(h,{...e})}):h()}},8453:(e,n,r)=>{r.d(n,{R:()=>s,x:()=>c});var o=r(6540);const i={},t=o.createContext(i);function s(e){const n=o.useContext(t);return o.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function c(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:s(e.components),o.createElement(t.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/e1dfe4fe.d8120f8e.js b/assets/js/e1dfe4fe.d8120f8e.js deleted file mode 100644 index 550b954c..00000000 --- a/assets/js/e1dfe4fe.d8120f8e.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";(self.webpackChunkwebsite=self.webpackChunkwebsite||[]).push([[3423],{1181:(e,n,r)=>{r.d(n,{Ay:()=>c,RM:()=>t});var o=r(4848),i=r(8453);const t=[{value:"Docker Instance",id:"docker-instance",level:2},{value:"DNS Configuration",id:"dns-configuration",level:3},{value:"Additional DNS Configuration for Caddy TLS",id:"additional-dns-configuration-for-caddy-tls",level:4},{value:"Create the Docker Compose Project",id:"create-the-docker-compose-project",level:3},{value:"Shortcut Option",id:"shortcut-option",level:4},{value:"Manual Option",id:"manual-option",level:4},{value:"Configure the Docker Compose Project Environment",id:"configure-the-docker-compose-project-environment",level:3},{value:"Start the Docker Compose Project",id:"start-the-docker-compose-project",level:3},{value:"Set up a User Account",id:"set-up-a-user-account",level:3},{value:"Enable the User Environment",id:"enable-the-user-environment",level:3},{value:"Firewall Configuration",id:"firewall-configuration",level:3},{value:"Required",id:"required",level:4},{value:"Troubleshooting",id:"troubleshooting",level:3}];function s(e){const n={a:"a",code:"code",h2:"h2",h3:"h3",h4:"h4",li:"li",ol:"ol",p:"p",pre:"pre",ul:"ul",...(0,i.R)(),...e.components};return(0,o.jsxs)(o.Fragment,{children:[(0,o.jsx)(n.h2,{id:"docker-instance",children:"Docker Instance"}),"\n",(0,o.jsx)("iframe",{width:"100%",height:"315",src:"https://www.youtube.com/embed/70zJ_h4uiD8",title:"YouTube video player",frameborder:"0",allow:"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share",allowfullscreen:!0}),"\n",(0,o.jsx)(n.p,{children:"This Docker Compose project creates a zrok instance and includes a ziti controller and router. An optional Caddy container is included to provide HTTPS and reverse proxy services for the zrok API and public shares."}),"\n",(0,o.jsx)(n.h3,{id:"dns-configuration",children:"DNS Configuration"}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["A wildcard record exists for the IP address where the zrok instance will run, e.g. if your DNS zone is ",(0,o.jsx)(n.code,{children:"share.example.com"}),", then your wildcard record is ",(0,o.jsx)(n.code,{children:"*.share.example.com"}),"."]}),"\n"]}),"\n",(0,o.jsx)(n.h4,{id:"additional-dns-configuration-for-caddy-tls",children:"Additional DNS Configuration for Caddy TLS"}),"\n",(0,o.jsxs)(n.p,{children:["The included Caddy container can automatically manage a wildcard certificate for your zrok instance. You can enable Caddy in this compose project by renaming ",(0,o.jsx)(n.code,{children:"compose.caddy.yml"})," as ",(0,o.jsx)(n.code,{children:"compose.override.yml"}),"."]}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["Ensure A Caddy DNS plugin is available for your DNS provider (see ",(0,o.jsx)(n.a,{href:"https://github.com/orgs/caddy-dns/repositories?type=all&q=sort%3Aname-asc",children:"github.com/caddy-dns"}),")."]}),"\n",(0,o.jsxs)(n.li,{children:["Designate A DNS zone for zrok, e.g. ",(0,o.jsx)(n.code,{children:"example.com"})," or ",(0,o.jsx)(n.code,{children:"share.example.com"})," and create the zone on your DNS provider's platform."]}),"\n",(0,o.jsx)(n.li,{children:"Created an API token in your DNS provider that has permission to manage zrok's DNS zone."}),"\n"]}),"\n",(0,o.jsx)(n.h3,{id:"create-the-docker-compose-project",children:"Create the Docker Compose Project"}),"\n",(0,o.jsx)(n.p,{children:"Create a working directory on your Docker host and save these Docker Compose project files."}),"\n",(0,o.jsx)(n.h4,{id:"shortcut-option",children:"Shortcut Option"}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Run this script to download the files in the current directory."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"curl https://get.openziti.io/zrok-instance/fetch.bash | bash\n"})}),"\n",(0,o.jsx)(n.p,{children:"Or, specify the Compose project directory."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"curl https://get.openziti.io/zrok-instance/fetch.bash | bash -s /path/to/compose/project/dir\n"})}),"\n"]}),"\n"]}),"\n",(0,o.jsx)(n.h4,{id:"manual-option",children:"Manual Option"}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Get the zrok repo ZIP file."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"wget https://github.com/openziti/zrok/archive/refs/heads/main.zip\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Unzip the zrok-instance files into the project directory."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"unzip -j -d . main.zip '*/docker/compose/zrok-instance/*'\n"})}),"\n"]}),"\n"]}),"\n",(0,o.jsx)(n.h3,{id:"configure-the-docker-compose-project-environment",children:"Configure the Docker Compose Project Environment"}),"\n",(0,o.jsxs)(n.p,{children:["Create an ",(0,o.jsx)(n.code,{children:".env"})," file in the working directory."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",metastring:'title=".env required"',children:"ZROK_DNS_ZONE=share.example.com\n\nZROK_USER_EMAIL=me@example.com\nZROK_USER_PWD=zrokuserpw\n\nZITI_PWD=zitiadminpw\nZROK_ADMIN_TOKEN=zroktoken\n"})}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",metastring:'title=".env options"',children:"# Caddy TLS option: rename compose.caddy.yml to compose.override.yml and set these vars; allow 80,443 in firewall\n\n#\n## set these in .env for providers other than Route53\n#\n# plugin name for your DNS provider\nCADDY_DNS_PLUGIN=cloudflare\n# API token from your DNS provider\nCADDY_DNS_PLUGIN_TOKEN=abcd1234\n# use the staging API until you're sure everything is working to avoid hitting the rate limit\nCADDY_ACME_API=https://acme-staging-v02.api.letsencrypt.org/directory\n\n#\n## set these in .env for Route53\n#\n# AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}\n# AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}\n# AWS_REGION: ${AWS_REGION}\n# AWS_SESSION_TOKEN: ${AWS_SESSION_TOKEN} # if temporary credential, e.g., from STS\n\n#\n## if not using Caddy for TLS, uncomment to publish the insecure ports to the internet\n#\n#ZROK_INSECURE_INTERFACE=0.0.0.0\n\n# these insecure ports must be proxied with TLS for security\nZROK_CTRL_PORT=18080\nZROK_FRONTEND_PORT=8080\nZROK_OAUTH_PORT=8081\n\n# these secure ziti ports must be published to the internet\nZITI_CTRL_ADVERTISED_PORT=80\nZITI_ROUTER_PORT=3022\n\n# optionally configure oauth for public shares\n#ZROK_OAUTH_HASH_KEY=oauthhashkeysecret\n#ZROK_OAUTH_GITHUB_CLIENT_ID=abcd1234\n#ZROK_OAUTH_GITHUB_CLIENT_SECRET=abcd1234\n#ZROK_OAUTH_GOOGLE_CLIENT_ID=abcd1234\n#ZROK_OAUTH_GOOGLE_CLIENT_SECRET=abcd1234\n\n# zrok version, e.g., 1.0.0\nZROK_CLI_TAG=latest\n# ziti version, e.g., 1.0.0\nZITI_CLI_TAG=latest\n"})}),"\n",(0,o.jsx)(n.h3,{id:"start-the-docker-compose-project",children:"Start the Docker Compose Project"}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Start the zrok instance."}),"\n",(0,o.jsxs)(n.p,{children:["The container images for zrok (including caddy) are built in this step. This provides a simple configuration to get started. You can modify the templates named like ",(0,o.jsx)(n.code,{children:"*.envsubst"})," or mount a customized configuration file to mask the one that was built in."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"docker compose up --build --detach\n"})}),"\n"]}),"\n"]}),"\n",(0,o.jsx)(n.h3,{id:"set-up-a-user-account",children:"Set up a User Account"}),"\n",(0,o.jsxs)(n.p,{children:["This step creates a user account. You will log in to the zrok web console with the account password created in this step. The ZROK_USER_EMAIL and ZROK_USER_PWD variables are set in the ",(0,o.jsx)(n.code,{children:".env"})," file. You can create more user accounts the same way by substituting a different email and password."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",metastring:'title="Create the first user account"',children:"docker compose exec zrok-controller bash -xc 'zrok admin create account ${ZROK_USER_EMAIL} ${ZROK_USER_PWD}'\n"})}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-buttonless",metastring:'title="Example output"',children:"+ zrok admin create account me@example.com zrokuserpw\n[ 0.000] INFO zrok/controller/store.Open: database connected\n[ 0.002] INFO zrok/controller/store.(*Store).migrate: applied 0 migrations\nheMqncCyxZcx\n"})}),"\n",(0,o.jsx)(n.p,{children:"Create additional users by running the command again with a different email and password."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",metastring:'title="Create another user"',children:"docker compose exec zrok-controller zrok admin create account \n"})}),"\n",(0,o.jsx)(n.h3,{id:"enable-the-user-environment",children:"Enable the User Environment"}),"\n",(0,o.jsx)(n.p,{children:"You must enable each device environment with the account token obtained when the account was created. This is separate from the account password that's used to log in to the web console."}),"\n",(0,o.jsxs)(n.p,{children:["Follow ",(0,o.jsx)(n.a,{href:"/docs/getting-started#installing-the-zrok-command",children:"the getting started guide"})," to install the zrok CLI on some device and enable a zrok environment."]}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsxs)(n.p,{children:["Configure the environment with the zrok API. Substitute the API endpoint with the one you're using, e.g. ",(0,o.jsx)(n.code,{children:"https://zrok.${ZROK_DNS_ZONE}"}),"."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"zrok config set apiEndpoint https://zrok.share.example.com\n"})}),"\n",(0,o.jsx)(n.p,{children:"or, if not using Caddy for TLS:"}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"zrok config set apiEndpoint http://zrok.share.example.com:18080\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Enable an environment on this device with the account token from the previous step."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"zrok enable heMqncCyxZcx\n"})}),"\n"]}),"\n"]}),"\n",(0,o.jsx)(n.h3,{id:"firewall-configuration",children:"Firewall Configuration"}),"\n",(0,o.jsxs)(n.p,{children:["The ",(0,o.jsx)(n.code,{children:"ziti-quickstart"})," and ",(0,o.jsx)(n.code,{children:"caddy"})," containers publish ports to all devices that use zrok shares. The ",(0,o.jsx)(n.code,{children:"zrok-controller"})," and ",(0,o.jsx)(n.code,{children:"zrok-frontend"})," containers expose ports only to the ",(0,o.jsx)(n.code,{children:"caddy"})," container and the Docker host's loopback interface."]}),"\n",(0,o.jsx)(n.h4,{id:"required",children:"Required"}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:[(0,o.jsx)(n.code,{children:"443/tcp"})," - reverse proxy handles HTTPS requests for zrok API, OAuth, and public shares (published by container ",(0,o.jsx)(n.code,{children:"caddy"}),")"]}),"\n",(0,o.jsxs)(n.li,{children:[(0,o.jsx)(n.code,{children:"80/tcp"})," - ziti ctrl plane (published by container ",(0,o.jsx)(n.code,{children:"ziti-quickstart"}),")"]}),"\n",(0,o.jsxs)(n.li,{children:[(0,o.jsx)(n.code,{children:"3022/tcp"})," - ziti data plane (published by container ",(0,o.jsx)(n.code,{children:"ziti-quickstart"}),")"]}),"\n"]}),"\n",(0,o.jsx)(n.p,{children:'See "My internet connection can only send traffic to common ports" below about changing the required ports.'}),"\n",(0,o.jsx)(n.h3,{id:"troubleshooting",children:"Troubleshooting"}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Check the ziti and zrok logs."}),"\n",(0,o.jsxs)(n.p,{children:["You can substitute the service container name of each to check their logs individually: ",(0,o.jsx)(n.code,{children:"ziti-quickstart"}),", ",(0,o.jsx)(n.code,{children:"zrok-controller"}),", ",(0,o.jsx)(n.code,{children:"zrok-frontend"}),"."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"docker compose logs zrok-controller\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Check the Caddy logs."}),"\n",(0,o.jsxs)(n.p,{children:["It can take a few minutes for Caddy to obtain the wildcard certificate. You can check the logs to see if there were any errors completing the DNS challenge which involves using the Caddy DNS plugin to create a TXT record in your DNS zone. This leverages the API token you provided in the ",(0,o.jsx)(n.code,{children:".env"})," file, which must have permission to create DNS records in the zrok DNS zone."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"docker compose logs caddy\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Caddy keeps failing to obtain a wildcard certificate because it timed out waiting for DNS."}),"\n",(0,o.jsx)(n.p,{children:"Symptom: the Caddy log contains \"timed out waiting for record to fully propagate.\" This means that Caddy added a DNS record with your DNS provider's API to prove to the CA it controls the zrok DNS zone, but it wasn't able to verify the record was created successfully with a DNS query."}),"\n",(0,o.jsx)(n.p,{children:"Solutions:"}),"\n",(0,o.jsxs)(n.ul,{children:["\n",(0,o.jsxs)(n.li,{children:["Add ",(0,o.jsx)(n.code,{children:"propagation_delay"})," in your ",(0,o.jsx)(n.code,{children:"Caddyfile"})," to delay the first DNS verification query. This avoids caching a verification query failure by waiting a few minutes for the record to become available so the verification query will succeed on the first attempt. Caddy will be unable to verify the DNS record if the failure remains in the cache too long."]}),"\n",(0,o.jsxs)(n.li,{children:["If the prior solution fails, you can override the default resolves/nameservers with ",(0,o.jsx)(n.code,{children:"resolvers"}),", a space-separated list of DNS servers. This gives you more control over if and where the verification query result is cached."]}),"\n"]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{children:"tls {\n dns {CADDY_DNS_PLUGIN} {CADDY_DNS_PLUGIN_TOKEN}\n\tpropagation_timeout 60m # default 2m\n propagation_delay 5m # default 0m\n}\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsxs)(n.p,{children:[(0,o.jsx)(n.code,{children:"zrok enable"})," fails certificate verification: ensure you are not using the staging API for Let's Encrypt."]}),"\n",(0,o.jsxs)(n.p,{children:["If you are using the staging API, you will see an error about the API certificate when you use the zrok CLI. You can switch to the production API by removing the overriding assignment of the ",(0,o.jsx)(n.code,{children:"CADDY_ACME_API"})," variable."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-buttonless",metastring:'title="Example output"',children:'there was a problem enabling your environment!\nyou are trying to use the zrok service at: https://zrok.share.example.com\nyou can change your zrok service endpoint using this command:\n\n$ zrok config set apiEndpoint \n\n(where newEndpoint is something like: https://some.zrok.io)\n[ERROR]: error creating service client (error getting version from api endpoint \'https://zrok.share.example.com\': Get "https://zrok.share.example.com/api/v1/version": tls: failed to verify certificate: x509: certificate signed by unknown authority: Get "https://zrok.share.example.com/api/v1/version": tls: failed to verify certificate: x509: certificate signed by unknown authority)\n'})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Validate the Caddyfile."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"docker compose exec caddy caddy validate --config /etc/caddy/Caddyfile\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Verify the correct DNS provider module was built-in to Caddy."}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"docker compose exec caddy caddy list-modules | grep dns.providers\n"})}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-buttonless",metastring:'title="Example output"',children:"dns.providers.cloudflare\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"Use the Caddy admin API."}),"\n",(0,o.jsxs)(n.p,{children:["You can use the Caddy admin API to check the status of the Caddy instance. The admin API is available on port ",(0,o.jsx)(n.code,{children:"2019/tcp"})," inside the Docker Compose project. You can modify ",(0,o.jsx)(n.code,{children:"compose.override.yml"})," to publish the port if you want to access the admin API from the Docker host or elsewhere."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",children:"docker compose exec caddy curl http://localhost:2019/config/ | jq\n"})}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"My DNS provider credential is composed of several values, not a single API token."}),"\n",(0,o.jsxs)(n.p,{children:["As long as your DNS provider is supported by Caddy then it will work. Here's a checklist for DNS providers like Route53 with credentials expressed as multiple values, e.g., ",(0,o.jsx)(n.code,{children:"AWS_ACCESS_KEY_ID"}),", ",(0,o.jsx)(n.code,{children:"AWS_SECRET_ACCESS_KEY"}),"."]}),"\n",(0,o.jsxs)(n.ol,{children:["\n",(0,o.jsxs)(n.li,{children:["Define env vars in ",(0,o.jsx)(n.code,{children:".env"})," file."]}),"\n",(0,o.jsxs)(n.li,{children:["Declare env vars in ",(0,o.jsx)(n.code,{children:"compose.override.yml"})," file on ",(0,o.jsx)(n.code,{children:"caddy"}),"'s ",(0,o.jsx)(n.code,{children:"environment"}),"."]}),"\n",(0,o.jsxs)(n.li,{children:["Modify ",(0,o.jsx)(n.code,{children:"Caddyfile"})," according to the DNS plugin author's instructions (",(0,o.jsx)(n.a,{href:"https://github.com/caddy-dns/route53",children:"link to Route53 README"}),"). This means modifying the ",(0,o.jsx)(n.code,{children:"Caddyfile"})," to reference the env vars. The provided file ",(0,o.jsx)(n.code,{children:"route53.Caddyfile"})," serves as an example."]}),"\n"]}),"\n"]}),"\n",(0,o.jsxs)(n.li,{children:["\n",(0,o.jsx)(n.p,{children:"My internet connection can only send traffic to common ports like 80, 443, and 3389."}),"\n",(0,o.jsxs)(n.p,{children:["You can change the required ports in the ",(0,o.jsx)(n.code,{children:".env"})," file. Caddy will still use port 443 for zrok shares and API if you renamed ",(0,o.jsx)(n.code,{children:"compose.caddy.yml"})," as ",(0,o.jsx)(n.code,{children:"compose.override.yml"})," to enable Caddy."]}),"\n",(0,o.jsx)(n.pre,{children:(0,o.jsx)(n.code,{className:"language-bash",metastring:'title=".env"',children:"ZITI_CTRL_ADVERTISED_PORT=80\nZITI_ROUTER_PORT=3389\n"})}),"\n"]}),"\n"]})]})}function c(e={}){const{wrapper:n}={...(0,i.R)(),...e.components};return n?(0,o.jsx)(n,{...e,children:(0,o.jsx)(s,{...e})}):s(e)}},2465:(e,n,r)=>{r.r(n),r.d(n,{assets:()=>d,contentTitle:()=>a,default:()=>u,frontMatter:()=>c,metadata:()=>o,toc:()=>l});const o=JSON.parse('{"id":"guides/self-hosting/docker","title":"Self-hosting guide for Docker","description":"","source":"@site/../docs/guides/self-hosting/docker.mdx","sourceDirName":"guides/self-hosting","slug":"/guides/self-hosting/docker","permalink":"/docs/guides/self-hosting/docker","draft":false,"unlisted":false,"editUrl":"https://github.com/openziti/zrok/blob/main/docs/../docs/guides/self-hosting/docker.mdx","tags":[],"version":"current","sidebarPosition":45,"frontMatter":{"title":"Self-hosting guide for Docker","sidebar_label":"Docker","sidebar_position":45},"sidebar":"tutorialSidebar","previous":{"title":"Personalized Frontend","permalink":"/docs/guides/self-hosting/personalized-frontend"},"next":{"title":"Kubernetes","permalink":"/docs/guides/self-hosting/kubernetes"}}');var i=r(4848),t=r(8453),s=r(1181);const c={title:"Self-hosting guide for Docker",sidebar_label:"Docker",sidebar_position:45},a=void 0,d={},l=[...s.RM];function h(e){return(0,i.jsx)(s.Ay,{})}function u(e={}){const{wrapper:n}={...(0,t.R)(),...e.components};return n?(0,i.jsx)(n,{...e,children:(0,i.jsx)(h,{...e})}):h()}},8453:(e,n,r)=>{r.d(n,{R:()=>s,x:()=>c});var o=r(6540);const i={},t=o.createContext(i);function s(e){const n=o.useContext(t);return o.useMemo((function(){return"function"==typeof e?e(n):{...n,...e}}),[n,e])}function c(e){let n;return n=e.disableParentContext?"function"==typeof e.components?e.components(i):e.components||i:s(e.components),o.createElement(t.Provider,{value:n},e.children)}}}]); \ No newline at end of file diff --git a/assets/js/runtime~main.3f6596aa.js b/assets/js/runtime~main.19379b3e.js similarity index 96% rename from assets/js/runtime~main.3f6596aa.js rename to assets/js/runtime~main.19379b3e.js index ae2397c0..9267efce 100644 --- a/assets/js/runtime~main.3f6596aa.js +++ b/assets/js/runtime~main.19379b3e.js @@ -1 +1 @@ -(()=>{"use strict";var e,a,d,c,b,f={},t={};function r(e){var a=t[e];if(void 0!==a)return a.exports;var d=t[e]={id:e,loaded:!1,exports:{}};return f[e].call(d.exports,d,d.exports,r),d.loaded=!0,d.exports}r.m=f,r.c=t,r.amdO={},e=[],r.O=(a,d,c,b)=>{if(!d){var f=1/0;for(i=0;i=b)&&Object.keys(r.O).every((e=>r.O[e](d[o])))?d.splice(o--,1):(t=!1,b0&&e[i-1][2]>b;i--)e[i]=e[i-1];e[i]=[d,c,b]},r.n=e=>{var a=e&&e.__esModule?()=>e.default:()=>e;return r.d(a,{a:a}),a},d=Object.getPrototypeOf?e=>Object.getPrototypeOf(e):e=>e.__proto__,r.t=function(e,c){if(1&c&&(e=this(e)),8&c)return e;if("object"==typeof e&&e){if(4&c&&e.__esModule)return e;if(16&c&&"function"==typeof e.then)return e}var b=Object.create(null);r.r(b);var f={};a=a||[null,d({}),d([]),d(d)];for(var t=2&c&&e;"object"==typeof t&&!~a.indexOf(t);t=d(t))Object.getOwnPropertyNames(t).forEach((a=>f[a]=()=>e[a]));return f.default=()=>e,r.d(b,f),b},r.d=(e,a)=>{for(var d in a)r.o(a,d)&&!r.o(e,d)&&Object.defineProperty(e,d,{enumerable:!0,get:a[d]})},r.f={},r.e=e=>Promise.all(Object.keys(r.f).reduce(((a,d)=>(r.f[d](e,a),a)),[])),r.u=e=>"assets/js/"+({37:"ebc0e2a0",277:"4f1777fd",351:"3fab0acb",429:"50ef9c44",471:"7dd0c8d0",598:"9939c4f4",627:"d087459a",714:"b6569025",749:"21880a4d",826:"bc32cbb6",887:"c015c796",957:"c141421f",1057:"bbbe662c",1235:"a7456010",1346:"d3a54718",1595:"1ddd36f2",1769:"aad6478e",1831:"80941509",1864:"8a9ffb5d",1939:"7f5ec875",2138:"1a4e3797",2256:"11b43341",2634:"c4f5d8e4",2757:"cda0d2e5",2759:"1ba5bc99",2867:"6a6a5bbc",3165:"c88279fc",3373:"6e881e32",3423:"e1dfe4fe",3434:"bfe99541",3574:"4cb7be2f",3588:"288b1075",3747:"01cb08ea",3786:"c304be44",3921:"36b94792",3929:"8a10c423",3979:"2c440c24",4074:"5cd0a723",4247:"d768dc0f",4277:"27b0284c",4466:"7d0a541a",4470:"f888b719",4504:"b36bb0c9",4717:"392083ed",4909:"bc747cac",4927:"47881d5c",5117:"8dbf8f84",5689:"685bed1a",5695:"f8f494be",5742:"aba21aa0",5955:"8b4ddd1a",6063:"6ad1709d",6289:"ce04f2ae",6332:"2da89d45",6381:"1f91e8db",6475:"033e8fc8",6595:"0c1cdb3d",6878:"1dd31738",6946:"2cc2e835",6969:"14eb3368",6974:"bf372175",7098:"a7bd4aaa",7216:"0c66edb9",7242:"6272ba0e",7499:"07d0b302",7599:"f7af5a99",7752:"339d500a",8051:"adf8dca1",8173:"0efac3c3",8240:"28f20845",8301:"81fb89b8",8401:"17896441",8436:"4277b6a0",8471:"2e812224",8582:"20595907",8675:"54fa7005",8746:"25ef1bb8",8875:"17f4c24e",9002:"ecf841c3",9025:"75b20590",9033:"901ef07d",9048:"a94703ab",9148:"35a60099",9253:"e2c4d679",9355:"600b2345",9471:"48341697",9476:"7452427d",9576:"61ea36d9",9631:"9af26a4e",9647:"5e95c892",9851:"e3e0bfdc",9905:"ef8afbfd"}[e]||e)+"."+{37:"5671cf6f",277:"7a01d5ed",351:"d2be5705",382:"a8e40f63",416:"36a683d5",429:"7c0dd56b",471:"b0b509b1",598:"0a8ed6f3",627:"5b953d23",714:"6245889e",749:"2545a6d9",826:"ac399eaf",887:"32854b4b",957:"94fe8bc5",962:"3828f828",1057:"0376698e",1235:"7b4b0a20",1346:"adbe71c6",1595:"031ba1fd",1769:"8dd329a2",1831:"76c5af9c",1864:"77502c26",1939:"bb718edf",2138:"b404fedf",2237:"1d1b868c",2256:"99cef784",2634:"ff3bb442",2757:"19e28221",2759:"1ceac7e5",2867:"7ff8dd0a",3165:"70a81d0d",3373:"58f05075",3423:"d8120f8e",3434:"bd20f5d0",3574:"a83087ce",3588:"7fdf1033",3747:"58ce9e89",3786:"6d7fbd06",3921:"799856c4",3929:"bf9ed799",3979:"89c5dd72",4074:"ff1769bd",4247:"7eb1170c",4277:"24ca90bb",4466:"bebc18c0",4470:"6fe13079",4504:"32b884d9",4717:"30911eae",4909:"7ee6980c",4927:"beaba6e5",5117:"b796122d",5394:"216a6dc4",5689:"cba82c70",5695:"f6c4378a",5742:"9ac6642b",5955:"c9cbe2e9",6063:"68cc20aa",6289:"4cc27842",6332:"c53388d7",6381:"2ff8779a",6475:"550a98dd",6595:"93ac86f2",6878:"b424452b",6946:"42c85917",6969:"a2fb3a9b",6974:"6ce3604a",7098:"6c642da0",7216:"a1604a49",7242:"e147ca1e",7499:"de243ccc",7599:"8573f403",7752:"749f941d",8051:"b0b219c1",8158:"900dc11d",8173:"3f261e03",8240:"b3a7ec46",8301:"8e503f5a",8401:"1409512a",8436:"4bd27697",8471:"6dc7f702",8582:"3e569479",8585:"e93703b4",8675:"cf645e57",8746:"5af8d370",8875:"17d254d5",8913:"83bce4ad",9002:"7d4c9847",9025:"c44edc33",9033:"08f99ecd",9048:"43814358",9148:"7bc9aad5",9253:"dd14fdd8",9355:"18130102",9471:"f4018882",9476:"951c0809",9576:"f59265a3",9631:"b4a6cf60",9647:"6794ea18",9851:"c7a4408d",9905:"dbcbe2ba"}[e]+".js",r.miniCssF=e=>{},r.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),r.o=(e,a)=>Object.prototype.hasOwnProperty.call(e,a),c={},b="website:",r.l=(e,a,d,f)=>{if(c[e])c[e].push(a);else{var t,o;if(void 0!==d)for(var n=document.getElementsByTagName("script"),i=0;i{t.onerror=t.onload=null,clearTimeout(s);var b=c[e];if(delete c[e],t.parentNode&&t.parentNode.removeChild(t),b&&b.forEach((e=>e(d))),a)return a(d)},s=setTimeout(l.bind(null,void 0,{type:"timeout",target:t}),12e4);t.onerror=l.bind(null,t.onerror),t.onload=l.bind(null,t.onload),o&&document.head.appendChild(t)}},r.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},r.p="/",r.gca=function(e){return e={17896441:"8401",20595907:"8582",48341697:"9471",80941509:"1831",ebc0e2a0:"37","4f1777fd":"277","3fab0acb":"351","50ef9c44":"429","7dd0c8d0":"471","9939c4f4":"598",d087459a:"627",b6569025:"714","21880a4d":"749",bc32cbb6:"826",c015c796:"887",c141421f:"957",bbbe662c:"1057",a7456010:"1235",d3a54718:"1346","1ddd36f2":"1595",aad6478e:"1769","8a9ffb5d":"1864","7f5ec875":"1939","1a4e3797":"2138","11b43341":"2256",c4f5d8e4:"2634",cda0d2e5:"2757","1ba5bc99":"2759","6a6a5bbc":"2867",c88279fc:"3165","6e881e32":"3373",e1dfe4fe:"3423",bfe99541:"3434","4cb7be2f":"3574","288b1075":"3588","01cb08ea":"3747",c304be44:"3786","36b94792":"3921","8a10c423":"3929","2c440c24":"3979","5cd0a723":"4074",d768dc0f:"4247","27b0284c":"4277","7d0a541a":"4466",f888b719:"4470",b36bb0c9:"4504","392083ed":"4717",bc747cac:"4909","47881d5c":"4927","8dbf8f84":"5117","685bed1a":"5689",f8f494be:"5695",aba21aa0:"5742","8b4ddd1a":"5955","6ad1709d":"6063",ce04f2ae:"6289","2da89d45":"6332","1f91e8db":"6381","033e8fc8":"6475","0c1cdb3d":"6595","1dd31738":"6878","2cc2e835":"6946","14eb3368":"6969",bf372175:"6974",a7bd4aaa:"7098","0c66edb9":"7216","6272ba0e":"7242","07d0b302":"7499",f7af5a99:"7599","339d500a":"7752",adf8dca1:"8051","0efac3c3":"8173","28f20845":"8240","81fb89b8":"8301","4277b6a0":"8436","2e812224":"8471","54fa7005":"8675","25ef1bb8":"8746","17f4c24e":"8875",ecf841c3:"9002","75b20590":"9025","901ef07d":"9033",a94703ab:"9048","35a60099":"9148",e2c4d679:"9253","600b2345":"9355","7452427d":"9476","61ea36d9":"9576","9af26a4e":"9631","5e95c892":"9647",e3e0bfdc:"9851",ef8afbfd:"9905"}[e]||e,r.p+r.u(e)},(()=>{var e={5354:0,1869:0};r.f.j=(a,d)=>{var c=r.o(e,a)?e[a]:void 0;if(0!==c)if(c)d.push(c[2]);else if(/^(1869|5354)$/.test(a))e[a]=0;else{var b=new Promise(((d,b)=>c=e[a]=[d,b]));d.push(c[2]=b);var f=r.p+r.u(a),t=new Error;r.l(f,(d=>{if(r.o(e,a)&&(0!==(c=e[a])&&(e[a]=void 0),c)){var b=d&&("load"===d.type?"missing":d.type),f=d&&d.target&&d.target.src;t.message="Loading chunk "+a+" failed.\n("+b+": "+f+")",t.name="ChunkLoadError",t.type=b,t.request=f,c[1](t)}}),"chunk-"+a,a)}},r.O.j=a=>0===e[a];var a=(a,d)=>{var c,b,f=d[0],t=d[1],o=d[2],n=0;if(f.some((a=>0!==e[a]))){for(c in t)r.o(t,c)&&(r.m[c]=t[c]);if(o)var i=o(r)}for(a&&a(d);n{"use strict";var e,a,d,c,b,f={},t={};function r(e){var a=t[e];if(void 0!==a)return a.exports;var d=t[e]={id:e,loaded:!1,exports:{}};return f[e].call(d.exports,d,d.exports,r),d.loaded=!0,d.exports}r.m=f,r.c=t,r.amdO={},e=[],r.O=(a,d,c,b)=>{if(!d){var f=1/0;for(i=0;i=b)&&Object.keys(r.O).every((e=>r.O[e](d[o])))?d.splice(o--,1):(t=!1,b0&&e[i-1][2]>b;i--)e[i]=e[i-1];e[i]=[d,c,b]},r.n=e=>{var a=e&&e.__esModule?()=>e.default:()=>e;return r.d(a,{a:a}),a},d=Object.getPrototypeOf?e=>Object.getPrototypeOf(e):e=>e.__proto__,r.t=function(e,c){if(1&c&&(e=this(e)),8&c)return e;if("object"==typeof e&&e){if(4&c&&e.__esModule)return e;if(16&c&&"function"==typeof e.then)return e}var b=Object.create(null);r.r(b);var f={};a=a||[null,d({}),d([]),d(d)];for(var t=2&c&&e;"object"==typeof t&&!~a.indexOf(t);t=d(t))Object.getOwnPropertyNames(t).forEach((a=>f[a]=()=>e[a]));return f.default=()=>e,r.d(b,f),b},r.d=(e,a)=>{for(var d in a)r.o(a,d)&&!r.o(e,d)&&Object.defineProperty(e,d,{enumerable:!0,get:a[d]})},r.f={},r.e=e=>Promise.all(Object.keys(r.f).reduce(((a,d)=>(r.f[d](e,a),a)),[])),r.u=e=>"assets/js/"+({37:"ebc0e2a0",277:"4f1777fd",351:"3fab0acb",429:"50ef9c44",471:"7dd0c8d0",598:"9939c4f4",627:"d087459a",714:"b6569025",749:"21880a4d",826:"bc32cbb6",887:"c015c796",957:"c141421f",1057:"bbbe662c",1235:"a7456010",1346:"d3a54718",1595:"1ddd36f2",1769:"aad6478e",1831:"80941509",1864:"8a9ffb5d",1939:"7f5ec875",2138:"1a4e3797",2256:"11b43341",2634:"c4f5d8e4",2757:"cda0d2e5",2759:"1ba5bc99",2867:"6a6a5bbc",3165:"c88279fc",3373:"6e881e32",3423:"e1dfe4fe",3434:"bfe99541",3574:"4cb7be2f",3588:"288b1075",3747:"01cb08ea",3786:"c304be44",3921:"36b94792",3929:"8a10c423",3979:"2c440c24",4074:"5cd0a723",4247:"d768dc0f",4277:"27b0284c",4466:"7d0a541a",4470:"f888b719",4504:"b36bb0c9",4717:"392083ed",4909:"bc747cac",4927:"47881d5c",5117:"8dbf8f84",5689:"685bed1a",5695:"f8f494be",5742:"aba21aa0",5955:"8b4ddd1a",6063:"6ad1709d",6289:"ce04f2ae",6332:"2da89d45",6381:"1f91e8db",6475:"033e8fc8",6595:"0c1cdb3d",6878:"1dd31738",6946:"2cc2e835",6969:"14eb3368",6974:"bf372175",7098:"a7bd4aaa",7216:"0c66edb9",7242:"6272ba0e",7499:"07d0b302",7599:"f7af5a99",7752:"339d500a",8051:"adf8dca1",8173:"0efac3c3",8240:"28f20845",8301:"81fb89b8",8401:"17896441",8436:"4277b6a0",8471:"2e812224",8582:"20595907",8675:"54fa7005",8746:"25ef1bb8",8875:"17f4c24e",9002:"ecf841c3",9025:"75b20590",9033:"901ef07d",9048:"a94703ab",9148:"35a60099",9253:"e2c4d679",9355:"600b2345",9471:"48341697",9476:"7452427d",9576:"61ea36d9",9631:"9af26a4e",9647:"5e95c892",9851:"e3e0bfdc",9905:"ef8afbfd"}[e]||e)+"."+{37:"5671cf6f",277:"7a01d5ed",351:"d2be5705",382:"a8e40f63",416:"36a683d5",429:"7c0dd56b",471:"b0b509b1",598:"0a8ed6f3",627:"5b953d23",714:"6245889e",749:"2545a6d9",826:"ac399eaf",887:"32854b4b",957:"94fe8bc5",962:"3828f828",1057:"0376698e",1235:"7b4b0a20",1346:"adbe71c6",1595:"031ba1fd",1769:"8dd329a2",1831:"76c5af9c",1864:"77502c26",1939:"bb718edf",2138:"b404fedf",2237:"1d1b868c",2256:"99cef784",2634:"ff3bb442",2757:"19e28221",2759:"1ceac7e5",2867:"7ff8dd0a",3165:"70a81d0d",3373:"58f05075",3423:"54de816e",3434:"bd20f5d0",3574:"a83087ce",3588:"7fdf1033",3747:"58ce9e89",3786:"6d7fbd06",3921:"799856c4",3929:"bf9ed799",3979:"89c5dd72",4074:"ff1769bd",4247:"7eb1170c",4277:"24ca90bb",4466:"bebc18c0",4470:"6fe13079",4504:"32b884d9",4717:"30911eae",4909:"7ee6980c",4927:"beaba6e5",5117:"b796122d",5394:"216a6dc4",5689:"47dd5dfa",5695:"f6c4378a",5742:"9ac6642b",5955:"c9cbe2e9",6063:"68cc20aa",6289:"4cc27842",6332:"c53388d7",6381:"2ff8779a",6475:"550a98dd",6595:"93ac86f2",6878:"b424452b",6946:"42c85917",6969:"a2fb3a9b",6974:"6ce3604a",7098:"6c642da0",7216:"a1604a49",7242:"e147ca1e",7499:"de243ccc",7599:"8573f403",7752:"749f941d",8051:"b0b219c1",8158:"900dc11d",8173:"3f261e03",8240:"b3a7ec46",8301:"8e503f5a",8401:"1409512a",8436:"4bd27697",8471:"6dc7f702",8582:"3e569479",8585:"e93703b4",8675:"cf645e57",8746:"5af8d370",8875:"17d254d5",8913:"83bce4ad",9002:"7d4c9847",9025:"c44edc33",9033:"08f99ecd",9048:"43814358",9148:"7bc9aad5",9253:"dd14fdd8",9355:"18130102",9471:"f4018882",9476:"951c0809",9576:"f59265a3",9631:"b4a6cf60",9647:"6794ea18",9851:"c7a4408d",9905:"dbcbe2ba"}[e]+".js",r.miniCssF=e=>{},r.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),r.o=(e,a)=>Object.prototype.hasOwnProperty.call(e,a),c={},b="website:",r.l=(e,a,d,f)=>{if(c[e])c[e].push(a);else{var t,o;if(void 0!==d)for(var n=document.getElementsByTagName("script"),i=0;i{t.onerror=t.onload=null,clearTimeout(s);var b=c[e];if(delete c[e],t.parentNode&&t.parentNode.removeChild(t),b&&b.forEach((e=>e(d))),a)return a(d)},s=setTimeout(l.bind(null,void 0,{type:"timeout",target:t}),12e4);t.onerror=l.bind(null,t.onerror),t.onload=l.bind(null,t.onload),o&&document.head.appendChild(t)}},r.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},r.p="/",r.gca=function(e){return e={17896441:"8401",20595907:"8582",48341697:"9471",80941509:"1831",ebc0e2a0:"37","4f1777fd":"277","3fab0acb":"351","50ef9c44":"429","7dd0c8d0":"471","9939c4f4":"598",d087459a:"627",b6569025:"714","21880a4d":"749",bc32cbb6:"826",c015c796:"887",c141421f:"957",bbbe662c:"1057",a7456010:"1235",d3a54718:"1346","1ddd36f2":"1595",aad6478e:"1769","8a9ffb5d":"1864","7f5ec875":"1939","1a4e3797":"2138","11b43341":"2256",c4f5d8e4:"2634",cda0d2e5:"2757","1ba5bc99":"2759","6a6a5bbc":"2867",c88279fc:"3165","6e881e32":"3373",e1dfe4fe:"3423",bfe99541:"3434","4cb7be2f":"3574","288b1075":"3588","01cb08ea":"3747",c304be44:"3786","36b94792":"3921","8a10c423":"3929","2c440c24":"3979","5cd0a723":"4074",d768dc0f:"4247","27b0284c":"4277","7d0a541a":"4466",f888b719:"4470",b36bb0c9:"4504","392083ed":"4717",bc747cac:"4909","47881d5c":"4927","8dbf8f84":"5117","685bed1a":"5689",f8f494be:"5695",aba21aa0:"5742","8b4ddd1a":"5955","6ad1709d":"6063",ce04f2ae:"6289","2da89d45":"6332","1f91e8db":"6381","033e8fc8":"6475","0c1cdb3d":"6595","1dd31738":"6878","2cc2e835":"6946","14eb3368":"6969",bf372175:"6974",a7bd4aaa:"7098","0c66edb9":"7216","6272ba0e":"7242","07d0b302":"7499",f7af5a99:"7599","339d500a":"7752",adf8dca1:"8051","0efac3c3":"8173","28f20845":"8240","81fb89b8":"8301","4277b6a0":"8436","2e812224":"8471","54fa7005":"8675","25ef1bb8":"8746","17f4c24e":"8875",ecf841c3:"9002","75b20590":"9025","901ef07d":"9033",a94703ab:"9048","35a60099":"9148",e2c4d679:"9253","600b2345":"9355","7452427d":"9476","61ea36d9":"9576","9af26a4e":"9631","5e95c892":"9647",e3e0bfdc:"9851",ef8afbfd:"9905"}[e]||e,r.p+r.u(e)},(()=>{var e={5354:0,1869:0};r.f.j=(a,d)=>{var c=r.o(e,a)?e[a]:void 0;if(0!==c)if(c)d.push(c[2]);else if(/^(1869|5354)$/.test(a))e[a]=0;else{var b=new Promise(((d,b)=>c=e[a]=[d,b]));d.push(c[2]=b);var f=r.p+r.u(a),t=new Error;r.l(f,(d=>{if(r.o(e,a)&&(0!==(c=e[a])&&(e[a]=void 0),c)){var b=d&&("load"===d.type?"missing":d.type),f=d&&d.target&&d.target.src;t.message="Loading chunk "+a+" failed.\n("+b+": "+f+")",t.name="ChunkLoadError",t.type=b,t.request=f,c[1](t)}}),"chunk-"+a,a)}},r.O.j=a=>0===e[a];var a=(a,d)=>{var c,b,f=d[0],t=d[1],o=d[2],n=0;if(f.some((a=>0!==e[a]))){for(c in t)r.o(t,c)&&(r.m[c]=t[c]);if(o)var i=o(r)}for(a&&a(d);n