From c3523e34fb4b6a17963427df629556df3d8fe01d Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Wed, 13 Nov 2024 16:18:10 -0500
Subject: [PATCH] use 80/tcp instead of 1280/tcp to increase compatibility with restrictive egress firewalls
---
 CHANGELOG.md | 2 ++
 docker/compose/zrok-instance/Caddyfile | 8 ++++----
 docker/compose/zrok-instance/README.md | 20 +++++++++++++------
 .../compose/zrok-instance/compose.caddy.yml | 4 ++--
 docker/compose/zrok-instance/compose.yml | 10 +++++-----
 5 files changed, 27 insertions(+), 17 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0320d0dd..1fc3f373 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,8 @@ FIX: Docker reserved private share startup error (https://github.com/openziti/zr
 FIX: Correct the download URL for the armv7 Linux release (https://github.com/openziti/zrok/issues/782)
+CHANGE: Let the zrok instance for Docker use port 80 as an edge listener instead of HTTP redirect (https://github.com/openziti/zrok/issues/793)
+
 ## v0.4.44
 FIX: Fix for goreleaser build action to align with changed ARM64 build path.
diff --git a/docker/compose/zrok-instance/Caddyfile b/docker/compose/zrok-instance/Caddyfile
index 0e9a913f..6c6cc43e 100644
--- a/docker/compose/zrok-instance/Caddyfile
+++ b/docker/compose/zrok-instance/Caddyfile
@@ -4,9 +4,9 @@
 admin 0.0.0.0:2019
 }
-http:// {
- redir https://{host}{uri} permanent
-}
+# http:// {
+# redir https://{host}{uri} permanent
+# }
 *.{$ZROK_DNS_ZONE} {
 tls {
@@ -22,7 +22,7 @@ http:// {
 # ziti administration console uses :443 for the benefit of a web UI cert and accesses the ziti edge-management API
 @ziti host ziti.{$ZROK_DNS_ZONE}
- reverse_proxy @ziti ziti-quickstart:{$ZITI_CTRL_ADVERTISED_PORT:1280} {
+ reverse_proxy @ziti ziti-quickstart:{$ZITI_CTRL_ADVERTISED_PORT:80} {
 transport http {
 tls_insecure_skip_verify
 }
diff --git a/docker/compose/zrok-instance/README.md b/docker/compose/zrok-instance/README.md
index 8975e2be..f42a6d58 100644
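Review bot: The `http://` site block in the first hunk is left as commented-out lines with nothing saying why it went away, and the new `:80` fallback in `reverse_proxy @ziti ziti-quickstart:{$ZITI_CTRL_ADVERTISED_PORT:80}` in the second hunk must agree with the `${ZITI_CTRL_ADVERTISED_PORT:-80}` fallbacks in compose.yml, because that container publishes and exposes the same number on both sides of the mapping. Replace the dead block with a comment that carries the reason, e.g. `# no plain-HTTP listener: host port 80 now belongs to the ziti controller (ZITI_CTRL_ADVERTISED_PORT), see compose.caddy.yml`, and put `# fallback must match the ZITI_CTRL_ADVERTISED_PORT default in compose.yml` above the `reverse_proxy` line so the two defaults are not edited independently. If I read Caddy's automatic HTTPS correctly, dropping the explicit `http://` site does not stop Caddy from binding :80 inside its own container for HTTP-to-HTTPS redirects; that is harmless while compose.caddy.yml no longer publishes the port, but it is worth confirming against the rendered config at `localhost:2019/config/` mentioned in the README. The `*.{$ZROK_DNS_ZONE}` site block that holds the second hunk starts and ends outside it.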
--- a/docker/compose/zrok-instance/README.md
+++ b/docker/compose/zrok-instance/README.md
@@ -79,7 +79,7 @@ ZROK_FRONTEND_PORT=8080
 ZROK_OAUTH_PORT=8081
 # ziti ports must be published to the internet and allowed by firewall
-ZITI_CTRL_ADVERTISED_PORT=1280
+ZITI_CTRL_ADVERTISED_PORT=80
 ZITI_ROUTER_PORT=3022
 # configure oauth for public shares
@@ -157,14 +157,13 @@ The `ziti-quickstart` and `caddy` containers publish ports to all devices that u
 #### Required
 1. `443/tcp` - reverse proxy handles HTTPS requests for zrok API, OAuth, and public shares (published by container `caddy`)
-1. `1280/tcp` - ziti ctrl plane (published by container `ziti-quickstart`)
+1. `80/tcp` - ziti ctrl plane (published by container `ziti-quickstart`)
 1. `3022/tcp` - ziti data plane (published by container `ziti-quickstart`)
-#### Optional
-
-1. `80/tcp` - reverse proxy redirects non-HTTPS requests to `443/tcp` (published by container `caddy`)
+See "My internet connection can only send traffic to common ports" below about changing the required ports.
+
 ### Troubleshooting
 1. Check the ziti and zrok logs.
@@ -222,7 +221,7 @@ The `ziti-quickstart` and `caddy` containers publish ports to all devices that u
 docker compose exec caddy curl http://localhost:2019/config/ | jq
 ```
-1. My provider, e.g., Route53 doesn't give me a single API token.
+1. My DNS provider credential is composed of several values, not a single API token.
 As long as your DNS provider is supported by Caddy then it will work. You can modify the Caddyfile to use a different set of properties than the example. Here's how the `tls` section should look for Route53. You must declare any environment variables introduced in the `.env` file in `docker.compose.override` on the `caddy` service to ensure they are passed through to the Caddy container.
@@ -240,3 +239,12 @@ The `ziti-quickstart` and `caddy` containers publish ports to all devices that u
 AWS_ACCESS_KEY_ID=abcd1234
 AWS_SECRET_ACCESS_KEY=abcd1234
 ```
+
+1. My internet connection can only send traffic to common ports like 80, 443, and 3389.
+
+ You can change the required ports in the `.env` file. Caddy will still use port 443 for zrok shares and API if you renamed `compose.caddy.yml` as `compose.override.yml` to enable Caddy.
+
+ ```bash title=".env"
+ ZITI_CTRL_ADVERTISED_PORT=80
+ ZITI_ROUTER_PORT=3389
+ ```
diff --git a/docker/compose/zrok-instance/compose.caddy.yml b/docker/compose/zrok-instance/compose.caddy.yml
index 9423485a..8a0531a5 100644
--- a/docker/compose/zrok-instance/compose.caddy.yml
+++ b/docker/compose/zrok-instance/compose.caddy.yml
@@ -17,12 +17,12 @@ services:
 ZROK_FRONTEND_PORT: ${ZROK_FRONTEND_PORT:-8080}
 ZROK_OAUTH_PORT: ${ZROK_OAUTH_PORT:-8081}
 expose:
- - 80/tcp
+ # - 80/tcp
 - 443/tcp
 - 443/udp # Caddy's HTTP/3 (QUIC) (not published)
 - 2019/tcp # Caddy's admin API (not published)
 ports:
- - ${CADDY_INTERFACE:-0.0.0.0}:80:80
+ # - ${CADDY_INTERFACE:-0.0.0.0}:80:80
 - ${CADDY_INTERFACE:-0.0.0.0}:443:443
 # - ${CADDY_INTERFACE:-0.0.0.0}:443:443/udp" # future: HTTP/3 (QUIC)
 volumes:
diff --git a/docker/compose/zrok-instance/compose.yml b/docker/compose/zrok-instance/compose.yml
index 251b60ac..80b9b143 100644
--- a/docker/compose/zrok-instance/compose.yml
+++ b/docker/compose/zrok-instance/compose.yml
@@ -14,7 +14,7 @@ services:
 - -euc
 - |
 ZITI_CMD+=" --ctrl-address ziti.${ZROK_DNS_ZONE}"\
- " --ctrl-port ${ZITI_CTRL_ADVERTISED_PORT:-1280}"\
+ " --ctrl-port ${ZITI_CTRL_ADVERTISED_PORT:-80}"\
 " --router-address ziti.${ZROK_DNS_ZONE}"\
 " --router-port ${ZITI_ROUTER_PORT:-3022}"\
 " --password ${ZITI_PWD:-admin}"
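Review bot: The two removed entries in compose.caddy.yml are kept as comments (`# - 80/tcp` and `# - ${CADDY_INTERFACE:-0.0.0.0}:80:80`) with nothing saying why, which invites a later editor to uncomment them; with the default interfaces that would make the `caddy` service publish the same host port 80 that compose.yml now hands to `ziti-quickstart`, and the two containers would collide at start-up. Replace the commented lines with a comment that states the constraint, e.g. `# 80/tcp is published by ziti-quickstart (ZITI_CTRL_ADVERTISED_PORT); do not publish it here`. The `caddy` service definition this hunk belongs to starts before and ends after it.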
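Review bot: Changing the fallback in `" --ctrl-port ${ZITI_CTRL_ADVERTISED_PORT:-80}"\` silently changes the controller address advertised by every existing deployment that never set `ZITI_CTRL_ADVERTISED_PORT` in its `.env`; the CHANGELOG entry in this patch records the new default but not that consequence. If, as I understand ziti, enrolled identities and routers keep the controller endpoint they were enrolled against, such a deployment would come back on its next `docker compose up` with the controller on 80 while its clients still try 1280, so the upgrade note should tell existing installs to pin `ZITI_CTRL_ADVERTISED_PORT=1280` in `.env` or re-enroll. A comment above the argument, `# changing this default changes the advertised controller address of existing installs`, would help the next editor. The argument list this line belongs to starts before the hunk.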
@@ -31,10 +31,10 @@ services:
 # directory, ZITI_HOME
 - ${ZITI_HOME:-ziti_home}:/home/ziggy
 ports:
- - ${ZITI_INTERFACE:-0.0.0.0}:${ZITI_CTRL_ADVERTISED_PORT:-1280}:${ZITI_CTRL_ADVERTISED_PORT:-1280}
+ - ${ZITI_INTERFACE:-0.0.0.0}:${ZITI_CTRL_ADVERTISED_PORT:-80}:${ZITI_CTRL_ADVERTISED_PORT:-80}
 - ${ZITI_INTERFACE:-0.0.0.0}:${ZITI_ROUTER_PORT:-3022}:${ZITI_ROUTER_PORT:-3022}
 expose:
- - ${ZITI_CTRL_ADVERTISED_PORT:-1280}
+ - ${ZITI_CTRL_ADVERTISED_PORT:-80}
 - ${ZITI_ROUTER_PORT:-3022}
 depends_on:
 ziti-quickstart-init:
@@ -94,7 +94,7 @@ services:
 ZROK_CLI_IMAGE: ${ZROK_CLI_IMAGE:-openziti/zrok}
 ZROK_CLI_TAG: ${ZROK_CLI_TAG:-latest}
 ZROK_DNS_ZONE: ${ZROK_DNS_ZONE} # e.g., "example.com" or "127.0.0.1.sslip.io"
- ZITI_CTRL_ADVERTISED_PORT: ${ZITI_CTRL_ADVERTISED_PORT:-1280}
+ ZITI_CTRL_ADVERTISED_PORT: ${ZITI_CTRL_ADVERTISED_PORT:-80}
 ZROK_ADMIN_TOKEN: ${ZROK_ADMIN_TOKEN} # zrok controller admin password
 ZROK_CTRL_PORT: ${ZROK_CTRL_PORT:-18080}
 ZITI_PWD: ${ZITI_PWD} # ziti controller admin password
@@ -155,7 +155,7 @@ services:
 ZROK_API_ENDPOINT: http://zrok-controller:${ZROK_CTRL_PORT:-18080} # bridge address of the zrok controller
 ZROK_FRONTEND_SCHEME: http
 ZROK_FRONTEND_PORT: ${ZROK_FRONTEND_PORT:-8080}
- ZITI_CTRL_ADVERTISED_PORT: ${ZITI_CTRL_ADVERTISED_PORT:-1280}
+ ZITI_CTRL_ADVERTISED_PORT: ${ZITI_CTRL_ADVERTISED_PORT:-80}
 ZITI_PWD: ${ZITI_PWD} # ziti controller admin password
 volumes:
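Review bot: The `80` fallback is now written three times in this hunk (twice in the `ports:` entry, once under `expose:`) and again in the two `ZITI_CTRL_ADVERTISED_PORT:` hunks at @@ -94 and @@ -155, in the Caddyfile and in the `--ctrl-port` argument, so one missed edit would leave the published port, the exposed port and the value handed to the zrok services disagreeing with no error at start-up. Since the README in this patch already shows the value in its `.env` example (`ZITI_CTRL_ADVERTISED_PORT=80`), consider making the shipped example `.env` the single source of the default and adding `# fallback must match every other ZITI_CTRL_ADVERTISED_PORT default in this file and the Caddyfile` above `ports:`. Separately, `${ZITI_INTERFACE:-0.0.0.0}:80:80` means a default install now claims host port 80 on all interfaces, which is far more likely than 1280 to collide with a web server or ACME HTTP-01 responder already on the host; a sentence in the README's required-ports list would save a support ticket. The `ziti-quickstart` service definition starts before this hunk.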