I’ve done some searching here, but haven’t seen the info I’m looking for on this next lab example I’m working on. Before I waste a ton of time, I figured I would lay out the basic exercise and ask for advice.
In this scenario, I’m running a self-hosted Ziti controller and edge router on one baremetal Ubuntu host, and on a separate VM host (on a different server and IP network segment entirely) I’m running NextCloud AIO in a Docker container. In this case, I’ve installed NextCloud in “normal mode” since using Ziti should obviate the need for a reverse proxy approach (right?). I also have only 1 externally reachable IP address, and in the past I would use reverse proxy services and/or port forwarding to distinguish multiple servers which internally run on the same ports (such as 80, 8080, etc.). As I understand it, I shouldn’t have to do that if I create intercepts correctly with Ziti. Users will all be running ZDE clients.
Here’s NextCloud’s explanation of this stage of configuration, right from the admin interface:
In the old world approach to non-ABC security, at this stage of initial setup with NextCloud AIO, you would open up ports through the firewall to continue basic configuration and allow access, which needs an Internet-available FQDN to get certs to make anything work.
What’s the best way forward here? Can someone explain the following?
Do I need to run an edge router or tunneller on the host running NextCloud? If so, can I just use the tunneller docker container and run it alongside NextCloud on that same Docker instance? (Feel free to just paste in links to documentation areas as we go here, thanks.)
What do I need to configure on the controller in this case? The graphic above shows the NextCloud requirements. I presume I’ll need to add identities and services, what else?
Do I need to maybe try to host my own CA setup here for this to work?
If I can get some help figuring this out I’d be happy to create and share documentation or a tutorial for other new users with this very common homelab sort of example. It’s fairly representative of what a lot of self-hosters and small businesses may need to do since NextCloud has such a large installed base. If there is already a guide that can easily be adapted to my purposes, please share the link(s).
Addendum: Not sure if it matters, but as far as DNS, I point a real Internet subdomain to this single external IP address and can create whatever records may be necessary or verify certs that way with DNS measures.
"On the host" -- no. You need an edge-router or ziti-edge-tunnel that can create a connection to the underlay port NextCloud listens on.
Yes exactly. You would run a ziti-edge-tunnel or edge-router in "host only" mode (meaning it doesn't try to intercept network calls, it's used only to 'host' services)
If this was me, and I knew I was going to have many users access this service, I would:
create an intercept.v1 config and specify the intercept I want clients to use: my.nextcloud.ziti or whatever
create a host.v1 config and specify the docker-host name, docker ip, whatever you like as the target for the hosted service
create a single service using these two configs named "@nextcloud"
create a service policy allowing identities with the attribute #nextcloud to dial the service @nextcloud
create a service policy allowing the identity in docker to bind the service @nextcloud
create one or more identities and add the attribute nextcloud to each identity, authorizing all those identities to dial the nextcloud service.
No? Do you want the nextcloud server to present some kind of certificate? Then you'd need to make sure the intercept address you use matches whatever the nextcloud server presents. At this point, I start to lose the ability to help. I've never set up a NextCloud server so it'll be hard for me to give good/better info there.
That'd be amazing. I'm sure we'll get it all working
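The service model from the reply above (intercept.v1 config, host.v1 config, one service, a Dial policy, a Bind policy, identities with the nextcloud attribute), written out as ziti CLI calls. This is an added example, not code from the thread or the OpenZiti project; the intercept name my.nextcloud.ziti, the underlay address nextcloud-aio-apache, port 443 and the identity/config names are assumptions, and it assumes a recent ziti CLI where `create identity` takes no type argument.

```shell
#!/bin/sh
# Added example (not from the thread). Dry-run by default: prints the commands
# it would run. Set DRY_RUN=0 on a machine already logged in with
# `ziti edge login` to apply them against the controller.
set -eu

ZITI="${ZITI:-ziti}"
DRY_RUN="${DRY_RUN:-1}"

# Wrapper so the plan can be inspected without a controller present.
# (In dry-run mode arguments are printed unquoted, which is fine for reading.)
ziti_edge() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "ziti edge $*"; else "$ZITI" edge "$@"; fi
}

# intercept.v1: the name and port ZDE clients dial. Ziti answers DNS for the
# intercept name, so it needs no public DNS record and no forwarded port.
intercept_config() {  # $1 = intercept hostname, $2 = port
  printf '{"protocols":["tcp"],"addresses":["%s"],"portRanges":[{"low":%s,"high":%s}]}' "$1" "$2" "$2"
}

# host.v1: where the hosting identity (the tunneler beside NextCloud) forwards
# traffic on the underlay, e.g. the container's name on the Docker network.
host_config() {  # $1 = underlay address, $2 = port
  printf '{"protocol":"tcp","address":"%s","port":%s}' "$1" "$2"
}

create_nextcloud_service() {
  ziti_edge create config nextcloud-intercept intercept.v1 "$(intercept_config my.nextcloud.ziti 443)"
  ziti_edge create config nextcloud-host host.v1 "$(host_config nextcloud-aio-apache 443)"
  ziti_edge create service nextcloud --configs nextcloud-intercept,nextcloud-host
  # Dial side: any identity carrying the #nextcloud attribute may reach @nextcloud.
  ziti_edge create service-policy nextcloud-dial Dial --service-roles '@nextcloud' --identity-roles '#nextcloud'
  # Bind side: only the identity running next to the container may host it.
  ziti_edge create service-policy nextcloud-bind Bind --service-roles '@nextcloud' --identity-roles '@nextcloud-host'
  # Identities: one for the hosting tunneler (no dial attribute), one per user.
  # The JWTs are what each tunneler / ZDE client enrolls with.
  ziti_edge create identity nextcloud-host -o nextcloud-host.jwt
  ziti_edge create identity alice -a nextcloud -o alice.jwt
}

create_nextcloud_service
```

Adding a second user is one more `create identity <name> -a nextcloud` call; the policies never need to change because they match on the attribute, not on names.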
Awesome, @TheLumberjack - that gives me PLENTY to get working on over the weekend. Totally understand that this is not a NextCloud support forum.
I’m still pretty murky on certificates in a Ziti world, so I’m sure I’m not asking all the right questions, but I’ll continue along the path you kindly provided and see what I can learn and return here if I have more questions that make sense. I may have to move to a different implementation of the NextCloud server or try to manually configure some things, but hopefully I’ll figure it out. Thanks as always.
Actually… Let’s do this. Start as though you were going to do it the old-world way. Get that all set up and working. Once you have NextCloud set up and working, with exposed/forwarded ports, just… close the firewall.
At that point you know it’s set up and you know it works. You then “just” have to get it working using OpenZiti. And at that point, it’ll be trivial for me to help you get it working! Also at that point all the things I wrote above might just click.
But that’s what I always do myself. I get it working “how I would pre-OpenZiti” and then I just take it dark…
If you think of it that way, I think it might help.
One final point. I'd say you almost never actually have to deal with these. It's rare that the OpenZiti PKI comes into play at all for everything except maybe the server certs presented by the controller API and the ZAC. So you should be able to ignore the whole PKI until you're ready to dive into that down the road. (if ever)