BrowZer network zone / install location

You cannot terminate TLS for any OpenZiti comms tech. It will probably be fine to terminate TLS in very certain circumstances around API invocations (like to the controller's REST api, etc), but in general, OpenZiti operates with mTLS from the client (inclusive of BrowZer's bits) to the OpenZiti Routers. As such, terminating TLS will break mTLS and things won't work.

With that said, HA proxy is useful for other things such as using it for host routing via SNI to have "all your ports be port 443" for example. I believe we covered this in a prior post, but this post is another good one to have a look at.

If it were me, I would put an edge router as close to the final destination/target as possible. Ideally, co-located is the best approach. That would be what we call "ZTHA" (zero trust host access) and all your services bind to the underlay on the loopback/127.0.0.1 and all your OpenZiti services offload to localhost/127.0.0.1 and OS firewalls block all inbound traffic. With this deployment model, every host is a DMZ of its own.

That's not always feasible, so if you want to traverse your "trusted" network, then an edge router inside that trusted network is the next best plan, and everything else outside of that trusted zone and put into the DMZ is the right approach. I don't quite think that's what you have in your diagram from what I can tell. I would add a third layer.

Green and purple allow for private "trusted" network space traversal (ZTNA)
Blue has router and https server on same VM/machine (ZTHA)

zero trust models review, if interested...
