I built the network according to the Local - Docker Composite in quickstarts.
I can also log in and access the 1408 console panel correctly
I follow the Zero Trust Host Access under services in quickstarts. Because I use the docker-compose method, there are some steps I did not operate. I don’t know if this is correct.
For example:
I didn’t execute the second step in Configuring the Overlay - Overview
I didn’t execute the eighth step in Configuring the Overlay - Overview, and the ninth step is the jwt certificate directly loaded on the downloaded tunnel client
In step 7, the http_server_id variable I assign is the id of the ziti-edge-router.
In the last step, ping http.ziti is successful.
But curl http.ziti prompts operation timed out
And the console prompt of docker-compose
WARNING edge/router/xgress_edge.(*edgeClientConn).processConnect [ch{edge}->u{classic}->i{D8Am}]: {connId=[3] type=[EdgeConnectType] chSeq=[74] edgeSeq=[0] error=[exceeded maximum [2] retries creating circuit [c/qFpkxpT9c]: error creating route for [s/qFpkxpT9c] on [r/97qZuDIvzZ] (error creating route for [c/qFpkxpT9c]: dial tcp 172.18.0.2:80: connect: connection refused)] token=[f0298c62-67e6-457b-9af7-df46137754ba]} failed to dial fabric
Hi @Fancy, welcome to OpenZiti and to the community!
It looks like a simple issue of the router not being able to access “docker whale” at the target port. What you did seems right to me, only I personally would not have used ziti-edge-router for the router, I would have chosen ziti-private-blue, but given the imperfect nature of the docker network setup in that quickstart, it should have worked. I bet it’s going to be a port issue, port 8000 vs 80 or something like that…
I’m going to go through Zero Trust Host Access | OpenZiti, using the current docker compose quickstart for the OpenZiti overlay, and I’ll relay any changes there are here.
Thank you very much for your reply
You mean that the id set in step 7 should be ziti-private-blue, is that right? In fact, I tried step 7 on every router, including ziti-private-blue, but still curl time out
When you say port problem, you mean that the port 80 of http.ziti I set is not open, right?
I am a mobile developer, so I may not be familiar with these concepts. What should I do?
I’m actually still getting back to answering this question, I’ve just gotten distracted with other things all day. Sorry about that. I plan to get you an answer sometime soon…
Thank you very much
There will be a little time difference between us, so I see the message will be a little late, it is 7 am here
I will always pay attention to your reply, thank you again
Ok I’ve had the chance to go through and find the differences. The problem is indeed a port 80 vs 8000 issue. If you follow this guide for ZTHA, it has you stand up the web server on port 80, so the bind policy offloads from the overlay onto the underlay at port 80… The problem is that when you’re inside the docker container, it’s listening on port 8000… So when running in docker, you need to update that bind from port 80 to port 8000. You had all the other stuff correct…
You should be able to update that intercept using this command:
If you want to start over fresh and clean, when running through these steps from a CLEAN docker compose environment (after running docker-compose --project-name docker down -v), here are the steps I performed:
docker-compose --project-name docker up (turns on the environment under a predictable name)
exec into the controller container: docker exec -it docker_ziti-controller_1 bash
issue zitiLogin to authenticate
create the http-client identity per step #1 of the guide
SKIP step 2 - not needed with docker compose env
execute step 3 exactly as shown
set the variable of the server name the docker whale runs at: http_server=web-test-blue
execute step 4 but change port from 80 to 8000!!
execute step 5 as shown
execute step 6 as shown
find the identity of ziti-private-blue router by running: ziti edge list identities 'name = "ziti-private-blue"'
set http_server_id: http_server_id=Wg5mznGmAR
execute step 7 as shown
at this point you can finish off the quickstart and it should work fine.
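A small diagnostic for the symptom in this thread, added here as an example and not part of the original posts or of OpenZiti itself: it parses the router's "failed to dial fabric" warning to find the address and port the router actually dialed, then checks that port against a host.v1 config and against the port the web server really listens on. The config dicts and the 8000 listening port are constructed from what the thread reports (web-test-blue, port 80 in the guide vs 8000 inside the container).

```python
import re

# Router warning copied from the first post in this thread.
ROUTER_LOG = (
    "WARNING edge/router/xgress_edge.(*edgeClientConn).processConnect "
    "[ch{edge}->u{classic}->i{D8Am}]: {connId=[3] type=[EdgeConnectType] chSeq=[74] edgeSeq=[0] "
    "error=[exceeded maximum [2] retries creating circuit [c/qFpkxpT9c]: error creating route for "
    "[s/qFpkxpT9c] on [r/97qZuDIvzZ] (error creating route for [c/qFpkxpT9c]: "
    "dial tcp 172.18.0.2:80: connect: connection refused)] "
    "token=[f0298c62-67e6-457b-9af7-df46137754ba]} failed to dial fabric"
)

# Constructed host.v1 config bodies: what the guide produces (port 80) and the docker fix (port 8000).
GUIDE_HOST_CONFIG = {"protocol": "tcp", "address": "web-test-blue", "port": 80}
DOCKER_HOST_CONFIG = {"protocol": "tcp", "address": "web-test-blue", "port": 8000}

# Matches the Go net.Dial error text embedded in the router warning.
DIAL_RE = re.compile(
    r"dial (?P<proto>tcp|udp) (?P<host>[^:\s]+):(?P<port>\d+): connect: (?P<reason>[^)\]]+)"
)


def parse_dial_failure(line):
    """Return (proto, host, port, reason) from a 'failed to dial fabric' warning, or None."""
    if "failed to dial fabric" not in line:
        return None
    m = DIAL_RE.search(line)
    if not m:
        return None
    return m["proto"], m["host"], int(m["port"]), m["reason"].strip()


def diagnose(line, host_config, listening_port):
    """Explain the dial failure in terms of the host.v1 port and the server's real port."""
    parsed = parse_dial_failure(line)
    if parsed is None:
        return "no dial failure found in log line"
    _, host, port, reason = parsed
    if port != host_config["port"]:
        # The router is not using this config at all (stale config or wrong service).
        return f"router dialed port {port} but host.v1 says {host_config['port']}; check which config the service uses"
    if port != listening_port:
        # This is the case from the thread: guide says 80, container listens on 8000.
        return f"host.v1 port {port} does not match server port {listening_port}; update the host.v1 config"
    return f"dial to {host}:{port} failed ({reason}); check that the server is running and reachable from the router"
```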
It worked well yesterday. The test this morning found that 401 was always displayed. I tried to re-docker-compose up, but it didn’t work
However, I changed the password of the console through the panel yesterday. I don’t know whether it has anything to do with it. If it has something to do with it, how can I solve it if I want to do ZitiLogin through the terminal again?
You will unfortunately need to down your whole docker-compose environment ... you MUST down with -v and have docker remove the volume that exists. After you restart, take note of the password! If you down/up the password stashed into the ziti.env file will change...
I changed 80 to 8000 as you said. Now I can curl http.ziti
Thank you so much
What I know about the whole architecture is still superficial, and I will continue to study it
Awesome!! Glad to hear you were successful. There’s kind of “a lot” to OpenZiti. Hopefully the doc will teach you all you need. There are lots of videos on the youtube channel if you’re not familiar with it, and like videos, you might like some of that content too.
Have fun learning OpenZiti! We’ll see you around the forum.
Because I’m Chinese, I don’t know much English, and I use translation software to communicate with you, so it’s very likely that I can’t understand youtube, haha
Anyway, thank you very much for your help and hope everything goes well