BrowZer Multi-Service Support, NGINX Module Logging, and Multi-Tenant Design in OpenZiti

Hi:

We are building a SaaS platform based on OpenZiti BrowZer to provide agentless secure access to internal web applications.
Our requirements include:

  • Hiding real network topology and service locations (network stealth)

  • Fine-grained, identity-based access control (dynamic authorization)

  • Multi-tenant isolation (logical first, physical optional)

  • Unified connectivity across hybrid/multi-cloud environments

During testing, we observed some limitations and would like clarification and best-practice guidance from the OpenZiti team.

Current versions tested:

  • openziti v1.5.4

  • ziti-browzer-bootstrapper 0.90.0

Questions

  1. targetArray Path Matching Behavior

    • Does BrowZer currently only support the root path / for targetArray.path?

    • When setting path: "/test", why does the request still fall back to the IdP or the default service?

    • Is there any plan to support prefix / sub-path matching (similar to reverse proxy longest-prefix match) in future releases?

  2. Multiple Services on the Same VHost

    • Is it possible to map different Ziti Services under the same vhost using different path values?

    • Or is it the best practice to always use subdomains (e.g., tenant-a.example.com, tenant-b.example.com) instead of paths?

    • If subdomains are the recommended approach, can you share any official guidelines or best practices?

  3. BrowZer and Private Edge Routers

    • Does BrowZer always require at least one Public WSS Edge Router as the browser entry point?

    • Is it possible for a browser via BrowZer to connect directly to a private edge router without going through a public WSS router?

    • For multi-tenant environments, is the recommended design Public WSS → Private Edge Router → Service?

  4. Multi-Tenant Isolation

    • What are the recommended best practices for achieving multi-tenant isolation with BrowZer and Ziti? For example:

      • Logical isolation as primary, physical isolation as optional

      • Shared infrastructure with independent security boundaries

      • Centralized management, tenant-specific configuration

      • Dynamic resource allocation

    • Should each tenant have its own private edge router, or is it acceptable to share routers but rely on Service Policies / Router Policies for isolation?

  5. Identity and Authorization (IdP / OIDC)

    • In the same BrowZer bootstrapper configuration, is it supported to assign different IdP issuers / client_ids per vhost?

    • What is the best current approach to achieve per-tenant IdP integration (e.g., each tenant using its own OIDC provider)?

  6. Roadmap and Future Enhancements

    • Is there a roadmap to add more advanced routing rules in BrowZer (e.g., path-based routing, regex matching)?

    • Are there any upcoming plans for multi-tenant management tooling or APIs (e.g., tenant templates, automated provisioning)?

Expected Outcome / Clarification Needed

  • Clarify whether BrowZer’s path handling is limited by design, and if support for sub-path/prefix routing is planned.

  • Best practices for multi-service mapping: path vs. subdomain strategy.

  • Recommended approach for BrowZer with private edge routers in multi-tenant deployments.

  • Guidance on multi-tenant isolation setup: router design, service policies, resource allocation.

  • Feasibility of per-tenant IdP integration in BrowZer.

  • Insights on the roadmap for routing enhancements and multi-tenant management features.

We’d greatly appreciate your clarification and guidance on the above questions. Thanks!

Hi @sherry-sun-webcomm - Welcome to the community!

We haven’t been putting a ton of resources into BrowZer, but I know the main developer of it from NetFoundry watches this forum. We’ve instead been focusing our efforts on NetFoundry Frontdoor for this use case. You can see the preliminary docs here: NetFoundry Docs Portal | NetFoundry Documentation

Alongside Dave’s comment, I would mention that topics like multi-tenant isolation, per-tenant IdP integration, automated provisioning, etc. (and far more besides) are all things we already built into the NetFoundry platform (thus also covering NF Frontdoor). Building them is non-trivial, I would guesstimate $300k-1M, depending how robust and scalable you want it, with a steady-state run-rate of $300-600k per year. I covered some of the differences between NetFoundry and OpenZiti in this blog - Comparing NetFoundry and OpenZiti - NetFoundry.

(I’ll also note that NetFoundry supports OEM/white-labeling of NetFoundry Frontdoor, which might be closer to meeting your use case - let me know if you’d like somebody to reach out to you to discuss further.)