Client API exposes json payload with all API endpoints in public

zypresse-lack-8z · June 29, 2025, 7:23am

Hi! I am new to OpenZiti and deployed a fully self hosted environment consisting of a controller with an edge router (public) on VM A in DMZ A paired wit a second edge router (private) on VM B in DMZ B. The application server ist reachable via private edge router. Everything works absolutely fine! iOS Client connects to controller and edge router (public) and traffic is released on edge router (private). Perfect...

Now my sense for extreme security kicks in, which is why I already splatted API access and control plane to different IPs and Ports.

Management API is only internally reachable (Port 1281). ZAC is on a whole different Port (8443) and only reachable from internal with Client Certificate (no password auth possible).

Client API is available in on public IP with Port 1280 (binding edge-client and edge-idc). Controller listens to 1280 on public IP.

If I do connect to https://:1280 from external, I will get presented a full list of all api endpoints as a json payload.
Browser asks for Client Certificate to select first, but if I click cancel on that, I will get presented the endpoints list without auth.
Is this a normal behavior or have I forgot something?
Would it be possible to deny all requests without correct client certificate? The specific endpoints or api calls won't work without certificate (NOT_AUTHENTICATED), but I would like to have NO response without a certificate. I don't like someone fiddling around with the API.

TheLumberjack · June 30, 2025, 10:58am

Hi @zypresse-lack-8z, welcome to the community and to OpenZiti!

At this time the client API exposes the version endpoint so the clients can make decisions about the network its connecting to before authenticating. It's one of the very few endpoints that is actually public. There's no way at this time to make the client api deny inbound requests without certificate. It's something we have considered enabling in the future but it's not on the roadmap just yet. We do talk about it now-and-then though so my bet is that it'll happen at some point, just not sure when.

andrew.martinez · June 30, 2025, 2:09pm

I take the stance that security through obscurity is not viable security, at best it slows an attacker down. Defense in depth is a much better approach which is where all the other security features of OpenZiti come into play.

zypresse-lack-8z · July 2, 2025, 3:21pm

Thanks for your explanation. Is there a list of those "actually public" endpoints or is it easier to click through the api documentation?

Topic		Replies	Views
Trying to understand how the edge-router "authenticates" edge-clients General Questions	4	55	October 24, 2024
Configuring a ziti network with a completely private router controlplane General Questions	3	208	June 4, 2024
Making ZAC and management API accessible only through service General Questions	7	81	February 18, 2025
Managing TLS Certs for HTTPS APIs via OpenZiti	2	32	June 25, 2025
Troubleshoot error - "invalid client certificate for api session" General Questions	40	524	November 12, 2022

Client API exposes json payload with all API endpoints in public

Related topics