Catch-all HTTPS service

Hello there,

I'm trying to create a catch-all HTTPS service in my OpenZiti network. The idea would be for it to be similar to Tailscale's "Exit node" feature. Basically, one identity that had access to this service would have all of its outbound HTTPS traffic proxied through the router that had a terminator for that service. I tried to create the service like this:

But it didn't really work, even though a terminator was created for that service.

Am I missing something?

Thank you

Hi, I have faced the same use case. I use k8s. And I just created ziti-service for the ingress controller. And other Ziti services bind to that ingress.

I've found the issue. Even though ZAC says "enter values separated with a comma", I entered the allowed address "0.0.0.0/0" and typed a space. That resulted in the route being recognized as "0.0.0.0/0 " with a trailing space.

Thanks @Pehesi97 - filed "space ends up in intercept config" (openziti/ziti-console issue #695 on GitHub) to track that


I have a question about this: If every connection (0.0.0.0/0) is routed to the exit node, then this would also make the local subnet of the exit node reachable.

Did you manage to route only non-private addresses through it? In other words, 0.0.0.0/0 without the RFC1918 address blocks?

EDIT: Have you also managed to route domain calls to foo.com, bar.org, ... via it?

For me this only works if I allow the addresses *.com and *.org in the host and intercept configs. A wildcard mask like "*" or "*.*" sadly does not work to allow all domains.
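Two problems raised in this thread can be checked offline before anything is pushed to the controller: the trailing-space entry that turns "0.0.0.0/0" into an invalid CIDR, and the question of how to express "all of IPv4 except the RFC1918 blocks" as an explicit address list. The script below is an added example written for this thread, not code from the original posts or from the OpenZiti project. It assumes the `intercept.v1` field names `protocols`, `addresses` and `portRanges` (with `low`/`high`), and the sample input string is constructed to reproduce the trailing-space mistake.

```python
import ipaddress
import json
import re

# Constructed sample: what a user might type into ZAC's comma-separated
# addresses field, including the trailing space described in the thread.
SAMPLE_RAW = "0.0.0.0/0 ,*.com,*.org"

# RFC1918 private ranges that an exit node usually should NOT intercept.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Hostname or "*.example" style wildcard, as used in the thread (*.com, *.org).
WILDCARD_HOST_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)*[a-z0-9-]+$", re.IGNORECASE)


def whitespace_problems(raw):
    """Return raw entries carrying leading/trailing whitespace.
    "0.0.0.0/0 " is not a valid CIDR, which is why the route silently failed."""
    return [e for e in raw.split(",") if e != e.strip()]


def parse_address_list(raw):
    """Normalise a comma-separated list into clean entries, each validated as
    an IP/CIDR or a (possibly wildcarded) DNS name; anything else is an error."""
    out = []
    for entry in raw.split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            out.append(str(ipaddress.ip_network(entry, strict=False)))
            continue
        except ValueError:
            pass
        if WILDCARD_HOST_RE.match(entry):
            out.append(entry.lower())
        else:
            raise ValueError(f"not a CIDR or hostname: {entry!r}")
    return out


def exclude_networks(base, excludes):
    """Split `base` into the minimal set of CIDRs covering everything in it
    except `excludes` (assumed disjoint from each other)."""
    result = [ipaddress.ip_network(base)]
    for ex in excludes:
        ex = ipaddress.ip_network(ex)
        nxt = []
        for net in result:
            if net.subnet_of(ex):
                continue                               # wholly excluded: drop
            if ex.subnet_of(net):
                nxt.extend(net.address_exclude(ex))    # carve the hole out
            else:
                nxt.append(net)                        # untouched
        result = nxt
    return sorted(result)


def public_v4_networks():
    """0.0.0.0/0 minus RFC1918, as strings ready for an intercept address list."""
    return [str(n) for n in exclude_networks("0.0.0.0/0", RFC1918)]


def covered_address_count():
    """Number of IPv4 addresses the public list covers (sanity check)."""
    return sum(n.num_addresses for n in exclude_networks("0.0.0.0/0", RFC1918))


def is_public_v4(ip):
    """True if `ip` would be intercepted by the public-only address list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in exclude_networks("0.0.0.0/0", RFC1918))


def build_intercept_config(addresses, low=443, high=443):
    """Assemble an intercept.v1-shaped config (field names assumed) for HTTPS."""
    return {
        "protocols": ["tcp"],
        "addresses": list(addresses),
        "portRanges": [{"low": low, "high": high}],
    }


if __name__ == "__main__":
    bad = whitespace_problems(SAMPLE_RAW)
    if bad:
        print("entries with stray whitespace:", bad)
    addrs = parse_address_list(SAMPLE_RAW)
    # Replace the catch-all with the public-only split so the exit node's LAN
    # is not reachable through the service.
    addrs = [a for a in addrs if a != "0.0.0.0/0"] + public_v4_networks()
    print(json.dumps(build_intercept_config(addrs), indent=2))
```

The wildcard entries are passed through unchanged, so a pattern that the intercept does not support (the thread reports "*" and "*.*" do not work) still has to be checked against the controller's behaviour; the script only guarantees the list is free of stray whitespace and that no RFC1918 address falls inside the CIDR portion.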