use 80/tcp instead of 1280/tcp to increase compatibility with restrictive egress firewalls
This commit is contained in:
Kenneth Bingham 2024-11-13 16:18:10 -05:00
parent 6169a61902
commit c3523e34fb
No known key found for this signature in database
GPG Key ID: 31709281860130B6
5 changed files with 27 additions and 17 deletions


@ -21,6 +21,8 @@ FIX: Docker reserved private share startup error (https://github.com/openziti/zr
FIX: Correct the download URL for the armv7 Linux release (https://github.com/openziti/zrok/issues/782) FIX: Correct the download URL for the armv7 Linux release (https://github.com/openziti/zrok/issues/782)
CHANGE: Let the zrok instance for Docker use port 80 as an edge listener instead of HTTP redirect (https://github.com/openziti/zrok/issues/793)
## v0.4.44 ## v0.4.44
FIX: Fix for goreleaser build action to align with changed ARM64 build path. FIX: Fix for goreleaser build action to align with changed ARM64 build path.


@ -4,9 +4,9 @@
admin 0.0.0.0:2019 admin 0.0.0.0:2019
} }
http:// { # http:// {
redir https://{host}{uri} permanent # redir https://{host}{uri} permanent
} # }
*.{$ZROK_DNS_ZONE} { *.{$ZROK_DNS_ZONE} {
tls { tls {
@ -22,7 +22,7 @@ http:// {
# ziti administration console uses :443 for the benefit of a web UI cert and accesses the ziti edge-management API # ziti administration console uses :443 for the benefit of a web UI cert and accesses the ziti edge-management API
@ziti host ziti.{$ZROK_DNS_ZONE} @ziti host ziti.{$ZROK_DNS_ZONE}
reverse_proxy @ziti ziti-quickstart:{$ZITI_CTRL_ADVERTISED_PORT:1280} { reverse_proxy @ziti ziti-quickstart:{$ZITI_CTRL_ADVERTISED_PORT:80} {
transport http { transport http {
tls_insecure_skip_verify tls_insecure_skip_verify
} }
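Review bot: The fallback `{$ZITI_CTRL_ADVERTISED_PORT:80}` on the reverse_proxy line is a second copy of a default that the compose files also carry as `${ZITI_CTRL_ADVERTISED_PORT:-80}`, and nothing ties the two together, so they can drift the next time the port moves; a comment such as `# default must match ZITI_CTRL_ADVERTISED_PORT in the .env template and compose.yml` at that line would name the source of truth. In the first hunk the `http://` site block is commented out rather than removed, with no explanation of why Caddy no longer answers on :80; replacing the three commented lines with `# :80 is published by ziti-quickstart for the ctrl plane, so Caddy serves no HTTP redirect` keeps the reason in the file. The proxied ctrl-plane connection still runs with `tls_insecure_skip_verify`, which predates this change; since the backend now sits on a port that outbound inspection proxies presumably treat as plaintext HTTP, a short note in the docs that this is TLS on 80, not HTTP, would save a support question.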


@ -79,7 +79,7 @@ ZROK_FRONTEND_PORT=8080
ZROK_OAUTH_PORT=8081 ZROK_OAUTH_PORT=8081
# ziti ports must be published to the internet and allowed by firewall # ziti ports must be published to the internet and allowed by firewall
ZITI_CTRL_ADVERTISED_PORT=1280 ZITI_CTRL_ADVERTISED_PORT=80
ZITI_ROUTER_PORT=3022 ZITI_ROUTER_PORT=3022
# configure oauth for public shares # configure oauth for public shares
@ -157,14 +157,13 @@ The `ziti-quickstart` and `caddy` containers publish ports to all devices that u
#### Required #### Required
1. `443/tcp` - reverse proxy handles HTTPS requests for zrok API, OAuth, and public shares (published by container `caddy`) 1. `443/tcp` - reverse proxy handles HTTPS requests for zrok API, OAuth, and public shares (published by container `caddy`)
1. `1280/tcp` - ziti ctrl plane (published by container `ziti-quickstart`) 1. `80/tcp` - ziti ctrl plane (published by container `ziti-quickstart`)
1. `3022/tcp` - ziti data plane (published by container `ziti-quickstart`) 1. `3022/tcp` - ziti data plane (published by container `ziti-quickstart`)
#### Optional
1. `80/tcp` - reverse proxy redirects non-HTTPS requests to `443/tcp` (published by container `caddy`)
<!-- 1. 443/udp used by Caddy for HTTP/3 QUIC protocol (published by container `caddy`) --> <!-- 1. 443/udp used by Caddy for HTTP/3 QUIC protocol (published by container `caddy`) -->
See "My internet connection can only send traffic to common ports" below about changing the required ports.
### Troubleshooting ### Troubleshooting
1. Check the ziti and zrok logs. 1. Check the ziti and zrok logs.
@ -222,7 +221,7 @@ The `ziti-quickstart` and `caddy` containers publish ports to all devices that u
docker compose exec caddy curl http://localhost:2019/config/ | jq docker compose exec caddy curl http://localhost:2019/config/ | jq
``` ```
1. My provider, e.g., Route53 doesn't give me a single API token. 1. My DNS provider credential is composed of several values, not a single API token.
As long as your DNS provider is supported by Caddy then it will work. You can modify the Caddyfile to use a different set of properties than the example. Here's how the `tls` section should look for Route53. You must declare any environment variables introduced in the `.env` file in `docker.compose.override` on the `caddy` service to ensure they are passed through to the Caddy container. As long as your DNS provider is supported by Caddy then it will work. You can modify the Caddyfile to use a different set of properties than the example. Here's how the `tls` section should look for Route53. You must declare any environment variables introduced in the `.env` file in `docker.compose.override` on the `caddy` service to ensure they are passed through to the Caddy container.
@ -240,3 +239,12 @@ The `ziti-quickstart` and `caddy` containers publish ports to all devices that u
AWS_ACCESS_KEY_ID=abcd1234 AWS_ACCESS_KEY_ID=abcd1234
AWS_SECRET_ACCESS_KEY=abcd1234 AWS_SECRET_ACCESS_KEY=abcd1234
``` ```
1. My internet connection can only send traffic to common ports like 80, 443, and 3389.
You can change the required ports in the `.env` file. Caddy will still use port 443 for zrok shares and API if you renamed `compose.caddy.yml` as `compose.override.yml` to enable Caddy.
```bash title=".env"
ZITI_CTRL_ADVERTISED_PORT=80
ZITI_ROUTER_PORT=3389
```


@ -17,12 +17,12 @@ services:
ZROK_FRONTEND_PORT: ${ZROK_FRONTEND_PORT:-8080} ZROK_FRONTEND_PORT: ${ZROK_FRONTEND_PORT:-8080}
ZROK_OAUTH_PORT: ${ZROK_OAUTH_PORT:-8081} ZROK_OAUTH_PORT: ${ZROK_OAUTH_PORT:-8081}
expose: expose:
- 80/tcp # - 80/tcp
- 443/tcp - 443/tcp
- 443/udp # Caddy's HTTP/3 (QUIC) (not published) - 443/udp # Caddy's HTTP/3 (QUIC) (not published)
- 2019/tcp # Caddy's admin API (not published) - 2019/tcp # Caddy's admin API (not published)
ports: ports:
- ${CADDY_INTERFACE:-0.0.0.0}:80:80 # - ${CADDY_INTERFACE:-0.0.0.0}:80:80
- ${CADDY_INTERFACE:-0.0.0.0}:443:443 - ${CADDY_INTERFACE:-0.0.0.0}:443:443
# - ${CADDY_INTERFACE:-0.0.0.0}:443:443/udp" # future: HTTP/3 (QUIC) # - ${CADDY_INTERFACE:-0.0.0.0}:443:443/udp" # future: HTTP/3 (QUIC)
volumes: volumes:
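Review bot: The `80/tcp` expose and the `${CADDY_INTERFACE:-0.0.0.0}:80:80` publish are commented out rather than deleted, so the file now carries dead configuration with no explanation of why Caddy gave up the port. Replacing the two commented lines with `# 80/tcp is published by ziti-quickstart for the ctrl plane; no HTTP->HTTPS redirect here` records the reason and makes it less likely someone re-enables the mapping and collides with the controller's default binding on `${ZITI_INTERFACE:-0.0.0.0}:80`. Nothing in the compose files prevents both services from publishing the same host port, so that collision would presumably only surface as a bind error at `docker compose up`.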


@ -14,7 +14,7 @@ services:
- -euc - -euc
- | - |
ZITI_CMD+=" --ctrl-address ziti.${ZROK_DNS_ZONE}"\ ZITI_CMD+=" --ctrl-address ziti.${ZROK_DNS_ZONE}"\
" --ctrl-port ${ZITI_CTRL_ADVERTISED_PORT:-1280}"\ " --ctrl-port ${ZITI_CTRL_ADVERTISED_PORT:-80}"\
" --router-address ziti.${ZROK_DNS_ZONE}"\ " --router-address ziti.${ZROK_DNS_ZONE}"\
" --router-port ${ZITI_ROUTER_PORT:-3022}"\ " --router-port ${ZITI_ROUTER_PORT:-3022}"\
" --password ${ZITI_PWD:-admin}" " --password ${ZITI_PWD:-admin}"
@ -31,10 +31,10 @@ services:
# directory, ZITI_HOME # directory, ZITI_HOME
- ${ZITI_HOME:-ziti_home}:/home/ziggy - ${ZITI_HOME:-ziti_home}:/home/ziggy
ports: ports:
- ${ZITI_INTERFACE:-0.0.0.0}:${ZITI_CTRL_ADVERTISED_PORT:-1280}:${ZITI_CTRL_ADVERTISED_PORT:-1280} - ${ZITI_INTERFACE:-0.0.0.0}:${ZITI_CTRL_ADVERTISED_PORT:-80}:${ZITI_CTRL_ADVERTISED_PORT:-80}
- ${ZITI_INTERFACE:-0.0.0.0}:${ZITI_ROUTER_PORT:-3022}:${ZITI_ROUTER_PORT:-3022} - ${ZITI_INTERFACE:-0.0.0.0}:${ZITI_ROUTER_PORT:-3022}:${ZITI_ROUTER_PORT:-3022}
expose: expose:
- ${ZITI_CTRL_ADVERTISED_PORT:-1280} - ${ZITI_CTRL_ADVERTISED_PORT:-80}
- ${ZITI_ROUTER_PORT:-3022} - ${ZITI_ROUTER_PORT:-3022}
depends_on: depends_on:
ziti-quickstart-init: ziti-quickstart-init:
@ -94,7 +94,7 @@ services:
ZROK_CLI_IMAGE: ${ZROK_CLI_IMAGE:-openziti/zrok} ZROK_CLI_IMAGE: ${ZROK_CLI_IMAGE:-openziti/zrok}
ZROK_CLI_TAG: ${ZROK_CLI_TAG:-latest} ZROK_CLI_TAG: ${ZROK_CLI_TAG:-latest}
ZROK_DNS_ZONE: ${ZROK_DNS_ZONE} # e.g., "example.com" or "127.0.0.1.sslip.io" ZROK_DNS_ZONE: ${ZROK_DNS_ZONE} # e.g., "example.com" or "127.0.0.1.sslip.io"
ZITI_CTRL_ADVERTISED_PORT: ${ZITI_CTRL_ADVERTISED_PORT:-1280} ZITI_CTRL_ADVERTISED_PORT: ${ZITI_CTRL_ADVERTISED_PORT:-80}
ZROK_ADMIN_TOKEN: ${ZROK_ADMIN_TOKEN} # zrok controller admin password ZROK_ADMIN_TOKEN: ${ZROK_ADMIN_TOKEN} # zrok controller admin password
ZROK_CTRL_PORT: ${ZROK_CTRL_PORT:-18080} ZROK_CTRL_PORT: ${ZROK_CTRL_PORT:-18080}
ZITI_PWD: ${ZITI_PWD} # ziti controller admin password ZITI_PWD: ${ZITI_PWD} # ziti controller admin password
@ -155,7 +155,7 @@ services:
ZROK_API_ENDPOINT: http://zrok-controller:${ZROK_CTRL_PORT:-18080} # bridge address of the zrok controller ZROK_API_ENDPOINT: http://zrok-controller:${ZROK_CTRL_PORT:-18080} # bridge address of the zrok controller
ZROK_FRONTEND_SCHEME: http ZROK_FRONTEND_SCHEME: http
ZROK_FRONTEND_PORT: ${ZROK_FRONTEND_PORT:-8080} ZROK_FRONTEND_PORT: ${ZROK_FRONTEND_PORT:-8080}
ZITI_CTRL_ADVERTISED_PORT: ${ZITI_CTRL_ADVERTISED_PORT:-1280} ZITI_CTRL_ADVERTISED_PORT: ${ZITI_CTRL_ADVERTISED_PORT:-80}
ZITI_PWD: ${ZITI_PWD} # ziti controller admin password ZITI_PWD: ${ZITI_PWD} # ziti controller admin password
volumes: volumes:
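Review bot: The default `80` is now repeated inline at five `${ZITI_CTRL_ADVERTISED_PORT:-80}` sites in this file (the `--ctrl-port` argument, the `ports` and `expose` entries, and two service environments) in addition to the Caddyfile and the `.env` template, with nothing tying them together; if one is missed on the next change the controller binds one port while Caddy and the zrok services dial another. A comment at the first occurrence, e.g. `# default must match ZITI_CTRL_ADVERTISED_PORT in the .env template and the Caddyfile`, or dropping the inline defaults so the `.env` value is the only source, would make the coupling visible. The `ports` entry in the second hunk publishes the ctrl plane on `${ZITI_INTERFACE:-0.0.0.0}:80` by default, which collides with anything else listening on the host's port 80, including a still-enabled Caddy override; the docs hunk describes changing the port but not this conflict. The `--password ${ZITI_PWD:-admin}` fallback visible in the first hunk's context predates this change, but with the ctrl plane published on a well-known port it deserves a comment in this file stating that the default is for local testing only.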