Curl http.ziti operation timed out

I built the network according to the Local - Docker Compose quickstart.
I can also log in and access the 1408 console panel correctly
I followed Zero Trust Host Access under services in the quickstarts. Because I use the docker-compose method, there are some steps I did not perform. I don’t know if this is correct, for example:
I didn’t execute the second step in Configuring the Overlay - Overview
I didn’t execute the eighth step in Configuring the Overlay - Overview, and the ninth step is the jwt certificate directly loaded on the downloaded tunnel client
In step 7, the http_server_id variable I assigned is the id of ziti-edge-router.
In the last step, ping http.ziti is successful.
But curl http.ziti fails with operation timed out.
And the docker-compose console prints:
WARNING edge/router/xgress_edge.(*edgeClientConn).processConnect [ch{edge}->u{classic}->i{D8Am}]: {connId=[3] type=[EdgeConnectType] chSeq=[74] edgeSeq=[0] error=[exceeded maximum [2] retries creating circuit [c/qFpkxpT9c]: error creating route for [s/qFpkxpT9c] on [r/97qZuDIvzZ] (error creating route for [c/qFpkxpT9c]: dial tcp 172.18.0.2:80: connect: connection refused)] token=[f0298c62-67e6-457b-9af7-df46137754ba]} failed to dial fabric

Which step is wrong? Please help me
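The router warning quoted above already names the failing hop: the terminating router dialed the underlay address from the host.v1 config and got "connection refused". As an added example (not part of this thread or of the OpenZiti project), here is a small parser that pulls the circuit, service, router and dial target out of such a line and maps the OS error to the overlay setting worth checking first. The log line is embedded as a constructed sample copied from the question; the diagnosis texts are this example's own heuristics, not OpenZiti documentation.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the xgress_edge warning quoted in the question above,
# embedded here so the parser runs offline.
SAMPLE_LOG = (
    "WARNING edge/router/xgress_edge.(*edgeClientConn).processConnect "
    "[ch{edge}->u{classic}->i{D8Am}]: {connId=[3] type=[EdgeConnectType] "
    "chSeq=[74] edgeSeq=[0] error=[exceeded maximum [2] retries creating circuit "
    "[c/qFpkxpT9c]: error creating route for [s/qFpkxpT9c] on [r/97qZuDIvzZ] "
    "(error creating route for [c/qFpkxpT9c]: dial tcp 172.18.0.2:80: connect: "
    "connection refused)] token=[f0298c62-67e6-457b-9af7-df46137754ba]} "
    "failed to dial fabric"
)


@dataclass
class DialFailure:
    circuit: str   # circuit id without the "c/" prefix
    service: str   # service id without the "s/" prefix
    router: str    # terminating router id without the "r/" prefix
    protocol: str  # underlay protocol the router dialed (tcp/udp)
    address: str   # underlay address the router dialed
    port: int      # underlay port the router dialed
    cause: str     # OS-level reason the dial failed


CIRCUIT_RE = re.compile(r"creating circuit \[c/([A-Za-z0-9_-]+)\]")
ROUTE_RE = re.compile(r"route for \[s/([A-Za-z0-9_-]+)\] on \[r/([A-Za-z0-9_-]+)\]")
DIAL_RE = re.compile(r"dial (tcp|udp) ([\w.\-]+):(\d+): (?:connect: )?([^)\]]+)")


def parse_dial_failure(line: str) -> Optional[DialFailure]:
    """Return the parsed failure for a 'failed to dial fabric' warning, else None."""
    if "failed to dial fabric" not in line:
        return None
    circuit, route, dial = CIRCUIT_RE.search(line), ROUTE_RE.search(line), DIAL_RE.search(line)
    if not (circuit and route and dial):
        return None
    return DialFailure(
        circuit=circuit.group(1),
        service=route.group(1),
        router=route.group(2),
        protocol=dial.group(1),
        address=dial.group(2),
        port=int(dial.group(3)),
        cause=dial.group(4).strip(),
    )


def diagnose(failure: DialFailure) -> str:
    """Map the OS error to the overlay setting a practitioner should check first
    (heuristic text written for this example)."""
    target = f"{failure.protocol}://{failure.address}:{failure.port}"
    if "connection refused" in failure.cause:
        return (f"router {failure.router} reached {failure.address} but nothing listens on "
                f"port {failure.port}; compare the host.v1 'port' for service {failure.service} "
                f"with the port the server actually binds ({target})")
    if "timeout" in failure.cause:
        return (f"router {failure.router} got no answer from {target}; check routing and "
                f"firewall rules between the router and the host.v1 address")
    if "no such host" in failure.cause:
        return (f"router {failure.router} cannot resolve '{failure.address}'; the host.v1 "
                f"address must resolve from the router, not from the client")
    return f"router {failure.router} failed to dial {target}: {failure.cause}"


if __name__ == "__main__":
    parsed = parse_dial_failure(SAMPLE_LOG)
    print(parsed)
    if parsed:
        print(diagnose(parsed))
```

Run over the sample, the parser reports that router 97qZuDIvzZ dialed tcp 172.18.0.2:80 for service qFpkxpT9c and was refused, which is exactly the "host.v1 port does not match the listener" situation the rest of the thread resolves.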

Hi @Fancy, welcome to OpenZiti and to the community!

It looks like a simple issue of the router not being able to access “docker whale” at the target port. What you did seems right to me, only I personally would not have used ziti-edge-router for the router, I would have chosen ziti-private-blue, but given the imperfect nature of the docker network setup in that quickstart, it should have worked. I bet it’s going to be a port issue, port 8000 vs 80 or something like that…

I’m going to go through Zero Trust Host Access | OpenZiti, using the current docker compose quickstart for the OpenZiti overlay, and I’ll relay any changes there are here.

Thank you very much for your reply
You mean that the id set in step 7 should be ziti-private-blue, is that right? In fact, I tried step 7 on every router, including ziti-private-blue, but curl still times out.
When you say port problem, you mean that the port 80 of http.ziti I set is not open, right?
I am a mobile developer, so I may not be familiar with these concepts. What should I do?

I’m actually still getting back to answering this question, I’ve just gotten distracted with other things all day. Sorry about that. I plan to get you an answer sometime soon…

Thank you very much
There will be a little time difference between us, so I see the message will be a little late, it is 7 am here
I will always pay attention to your reply, thank you again

Ok I’ve had the chance to go through and find the differences. The problem is indeed a port 80 vs 8000 issue. If you follow this guide for ZTHA, it has you stand up the web server on port 80, so the bind policy offloads from the overlay onto the underlay at port 80… The problem is that when you’re inside the docker container, it’s listening on port 8000… So when running in docker, you need to update that bind from port 80 to port 8000. You had all the other stuff correct…

You should be able to update that intercept using this command:

ziti edge update config http.host.v1 -d '{"protocol":"tcp", "address":"'"${http_server}"'", "port":8000}'

If you want to start over fresh and clean, when running through these steps from a CLEAN docker compose environment (after running docker-compose --project-name docker down -v), here are the steps I performed:

  1. docker-compose --project-name docker up (turns on the environment under a predictable name)
  2. exec into the controller container: docker exec -it docker_ziti-controller_1 bash
  3. issue zitiLogin to authenticate
  4. create the http-client identity per step #1 of the guide
  5. SKIP step 2 - not needed with docker compose env
  6. execute step 3 exactly as shown
  7. set the variable of the server name the docker whale runs at: http_server=web-test-blue
  8. execute step 4 but change port from 80 to 8000!!
  9. execute step 5 as shown
  10. execute step 6 as shown
  11. find the identity of ziti-private-blue router by running: ziti edge list identities 'name = "ziti-private-blue"'
  12. set http_server_id: http_server_id=Wg5mznGmAR
  13. execute step 7 as shown

at this point you can finish off the quickstart and it should work fine.
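The fix above comes down to one thing: the host.v1 config is the point where the hosting router offloads overlay traffic onto the underlay, so its port must be the port the server really listens on (8000 inside the container, not the guide's 80). As an added example, not code from this thread or from the OpenZiti project, the following helper builds that host.v1 body, renders the `ziti edge update config` command with proper shell quoting, and probes the target port the way the router would before you commit the change. It assumes a TCP service; the local listener in `demo_port_mismatch` is a constructed stand-in for the docker whale, since the example must run offline.

```python
import json
import shlex
import socket
from contextlib import closing
from typing import Tuple


def host_v1_config(address: str, port: int, protocol: str = "tcp") -> dict:
    """Build the body of a host.v1 config: where the hosting router offloads
    overlay traffic onto the underlay. The port must be the one the server
    really binds (8000 for the docker whale in this thread, not 80)."""
    if protocol not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {protocol}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return {"protocol": protocol, "address": address, "port": port}


def update_config_command(config_name: str, config: dict) -> str:
    """Render the `ziti edge update config` command with the JSON body quoted
    for a POSIX shell, instead of splicing '"${var}"' into the JSON by hand."""
    body = json.dumps(config, separators=(",", ":"))
    return f"ziti edge update config {shlex.quote(config_name)} -d {shlex.quote(body)}"


def port_is_listening(address: str, port: int, timeout: float = 2.0) -> bool:
    """Attempt a TCP connect to address:port, as the hosting router would."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((address, port))
        except OSError:
            return False
        return True


def check_offload_target(config: dict) -> Tuple[bool, str]:
    """Verify the host.v1 target accepts connections before updating the config.
    Run this from the router's network (e.g. inside the router container),
    since the address must resolve and be reachable from there."""
    if config["protocol"] != "tcp":
        return True, "udp target: no connect check performed"
    if port_is_listening(config["address"], config["port"]):
        return True, f"{config['address']}:{config['port']} accepts connections"
    return False, (f"{config['address']}:{config['port']} refused or timed out; "
                   f"this is the router's 'dial tcp ... connection refused' case")


def demo_port_mismatch() -> Tuple[bool, str, bool, str]:
    """Constructed stand-in for the docker whale: a local listener on an
    ephemeral port, checked against a correct config and a wrong-port config."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as server:
        server.bind(("127.0.0.1", 0))
        server.listen(1)
        good_port = server.getsockname()[1]
        # Reserve a second ephemeral port and release it so it is closed,
        # mimicking the guide's port 80 when the server really binds 8000.
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as spare:
            spare.bind(("127.0.0.1", 0))
            bad_port = spare.getsockname()[1]
        good_ok, good_msg = check_offload_target(host_v1_config("127.0.0.1", good_port))
        bad_ok, bad_msg = check_offload_target(host_v1_config("127.0.0.1", bad_port))
    return good_ok, good_msg, bad_ok, bad_msg


if __name__ == "__main__":
    cfg = host_v1_config("web-test-blue", 8000)
    print(update_config_command("http.host.v1", cfg))
    print(demo_port_mismatch())
```

For the thread's case, `update_config_command("http.host.v1", host_v1_config("web-test-blue", 8000))` yields the same command the answer gives with `http_server=web-test-blue` and port 8000, and `check_offload_target` run inside the ziti-private-blue container with the port-80 config reports the refusal before the router ever logs it.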

Thank you very much for testing this problem in your busy schedule. I will try it again according to your instructions.

But I now encounter a new problem. I can now enter the controller container, but when I execute zitiLogin, a 401 is displayed.

It worked well yesterday. When I tested this morning, I found that a 401 was always displayed. I tried running docker-compose up again, but it didn’t work.

However, I changed the password of the console through the panel yesterday. I don’t know whether it has anything to do with it. If it does, how can I solve it if I want to do zitiLogin through the terminal again?

So you have hit a bug that we just filed today I'm sorry to report! :frowning: See docker env password is renewed at each `docker-compose up` · Issue #1013 · openziti/ziti · GitHub

You will unfortunately need to down your whole docker-compose environment ... :frowning: you MUST down with -v and have docker remove the volume that exists. After you restart, take note of the password! If you down/up the password stashed into the ziti.env file will change...

I changed 80 to 8000 as you said. Now I can curl http.ziti
Thank you so much
What I know about the whole architecture is still superficial, and I will continue to study it

Awesome!! Glad to hear you were successful. There’s kind of “a lot” to OpenZiti. Hopefully the doc will teach you all you need. There are lots of videos on the YouTube channel if you’re not familiar with it, and if you like videos, you might like some of that content too.

Have fun learning OpenZiti! We’ll see you around the forum.

Because I’m Chinese, I don’t know much English, and I use translation software to communicate with you, so it’s very likely that I can’t understand YouTube, haha

Anyway, thank you very much for your help and hope everything goes well

In that case, I wish you well. I bet YouTube can translate from English to Chinese reasonably well. :slight_smile:

Ha ha, you are really a lovely and helpful person. I will try to go to YouTube