extern/zrok
1
1
Fork 0
mirror of https://github.com/openziti/zrok.git synced 2024-11-21 23:53:19 +01:00
Code Issues Packages Projects Releases Wiki Activity

doc update (#704)

Browse Source
This commit is contained in:
Michael Quigley 2024-07-25 11:43:42 -04:00
parent 3e42d32a50
commit 8ed89d3400
No known key found for this signature in database
GPG Key ID: 9B60314A9DD20A62
1 changed files with 8 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
docs/guides/self-hosting/interstitial-page.md
View File

@ -6,17 +6,19 @@ sidebar_position: 18
On large zrok installations that support open registration and shared public frontends, abuse can become an issue. In order to mitigate phishing and other similar forms of abuse, zrok offers an interstitial page that announces to the visiting user that the share is hosted through zrok, and probably isn't their financial institution.
Interstitial pages can be enabled on a per-frontend basis, allowing the interstitial to be enabled on shared public frontends, but not private, closed frontends. The interstitial page requirement can also be overridden on a per-account basis, allowing shares created by specific accounts to bypass the interstitial requirement on frontends that enable it.
Interstitial pages can be enabled on a per-frontend basis. This allows the interstitial to be enabled on open public frontends, but not closed public frontends (closed public frontends require a grant to use).
The interstitial page requirement can also be overridden on a per-account basis, allowing shares created by specific accounts to bypass the interstitial requirement on frontends that enable it. This facilitates building infrastructure that grants trusted users additional privileges.
By default, if you do not specifically enable interstitial pages, then your self-hosted service instance will not offer them.
Let's take a look at how the interstitial pages mechanism works:
Let's take a look at how the interstitial pages mechanism works. The following diagram shows the share configuration rendezvous made between the zrok controller and a zrok frontend:
![zrok_interstitial_rendezvous](../../images/zrok_interstitial_rendezvous.png)
Every zrok share has a _config_ recorded in the underlying OpenZiti network. The config is of type `zrok.proxy.v1`. The frontend uses the information in this config to understand the disposition of the share. The config can contain an `interstitial: true` setting. If the config has this setting, and the frontend is configured to enable interstitial pages, then end users accessing the share will receive the interstitial page on first visit.
By default the zrok controller will record `interstitial: true` in the share config _unless_ a row is present in the `skip_interstitial_grants` table in the underlying database. The `skip_interstitial_grants` table is a basic SQL structure that allows inserting a row per account.
By default the zrok controller will record `interstitial: true` in the share config _unless_ a row is present in the `skip_interstitial_grants` table in the underlying database for the account creating the share. The `skip_interstitial_grants` table is a basic SQL structure that allows inserting a row per account.
```
create table skip_interstitial_grants (
@ -30,9 +32,9 @@ create table skip_interstitial_grants (
);
```
If an account has a row present in this table when creating a share, then the controller will write `interstitial: false` into the config for the share, which will bypass the interstitial regardless of frontend configuration.
If an account has a row present in this table when creating a share, then the controller will write `interstitial: false` into the config for the share, which will bypass the interstitial regardless of frontend configuration. The `skip_interstitial_grants` controls what the zrok controller will store in the share config when creating the share.
The frontend config looks like this:
The frontend configuration controls what the frontend will do with the share config it finds in OpenZiti. The new stanza looks like this:
```
# Setting the `interstitial` setting to `true` will allow this frontend
@ -42,7 +44,7 @@ The frontend config looks like this:
#interstitial: true
```
Simply setting `interstitial: true` in the controller config will allow the configured frontend to offer interstitial pages.
Simply setting `interstitial: true` in the controller config will allow the configured frontend to offer an interstitial page if the share config enables the interstitial page for that share.
## Bypassing the Interstitial