Hello again!
I find ZAC easy to use and so far had minimal use for the command line.
It looks like host.v1 configs automatically create terminators (or at least I could see a terminator being attached to the service when creating a simple service from ZAC).
However, when defining an advanced service in ZAC, there will be no terminators attached for the endpoints I've defined in the v2 config.
I need a host.v2 config because there is a single application server that is listening on multiple ports.
Is this by design? Should I be creating the terminators for each endpoint defined in the v2 config using the CLI?
Hi @TaoVonQi,
If you're not seeing terminators, but the identity is authorized, there might be something else going on. Do you have any steps to reproduce the situation you're seeing? When you use a host.v1 or host.v2, and authorize an identity to bind the service, terminators should be created by the system. If that's not happening, it seems like there might be a bug. Having steps to reproduce would help us figure out if there's a bug somewhere or if you're maybe doing something that triggers the issue.
Is it possible to have a small set of steps you're using to reproduce the issue?
Yes, absolutely. Please allow me to give a brief summary on what I'm trying to accomplish as I think it will help.
I have two application servers (hbbs & hbbr) running on the same machine where the openziti controller & edge router services are running.
- hbbs listens on the following ports:
  - 21115 (TCP)
  - 21116 (TCP & UDP)
  - 21118 (TCP)
- hbbr listens on the following ports:
For the sake of simplicity, as far as openziti is concerned, it will be defined as just one service. Correct me if I'm wrong here, (do I need two openziti services?) I'm under the impression that a host config only needs the IP address (in this case: localhost) and a range of ports (in this case 21115-21119). Which means the traffic will be directed to the correct application server listening on that port even if it is defined as just one service in openziti?
Okay, with that out of the way; I already have 3 identities configured with the specific role attributes. In this case 2 identities for 2 clients and 1 identity for the server hosting the 2 services mentioned above.
So I proceed with creating an advanced service, selecting host.v2 and add terminators like so:
I repeat the above step for all required ports, but I'm unable to attach the host config to the service due to the following errors:
I found out from the json that the proxy along with some other json objects are defined but empty, like so:
So after deleting the empty json objects, I was able to create and attach the host.v2 config to the service:
Then I create an intercept config, without problems after pressing "Create and Attach":
After that, I create a bind service policy to allow the server to host the service and a dial policy to allow the two clients to connect to the service.
This is what I'm left with, still no terminators:
I don't think host.v2 is required in your situation. Given what you showed me, if it were me, I would create a single service with a host.v1 config and an intercept.v1 config. Host.v2, for what I do, is rarely required (though it should work fine).
One thing about your host config: you should almost certainly not forward ALL traffic to one port (21115). You should "forward port" and "forward protocol" since you have a mix of tcp/udp and a mix of ports.
I would not use 'localhost' if your local network is set up as IPv4/v6. We've seen a problem where services that use localhost sometimes end up with traffic going to `::1`, but the hosting app specifically binds IPv4. It's just "safer" to use 127.0.0.1.
The next step you should do is use the ziti CLI and run:
`ziti edge policy-advisor identities -q`
Find your hosting service and make sure it's authorized to bind the service.
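The single-service setup suggested in the reply above (host.v1 with port and protocol forwarding, 127.0.0.1 instead of localhost), written out as an added example that is not part of the original thread. The config, service and policy names, the intercept address `hbb.ziti`, and the role attributes `#hbb-servers` / `#hbb-clients` are assumptions; the `apply` step expects a prior `ziti edge login` and only runs when `APPLY=1` is set.

```shell
#!/bin/sh
# Added example. Hypothetical names: hbb.host.v1, hbb.intercept.v1, hbb.svc,
# hbb.ziti, #hbb-servers, #hbb-clients. Port range is the one from the thread.
LOW=21115
HIGH=21119

# host.v1: forward the dialed port and protocol instead of pinning one port,
# and restrict what may be forwarded to the range/protocols actually served.
host_v1_json() {
  printf '{"address":"127.0.0.1","forwardPort":true,"allowedPortRanges":[{"low":%d,"high":%d}],"forwardProtocol":true,"allowedProtocols":["tcp","udp"]}' "$LOW" "$HIGH"
}

# intercept.v1 for the client side; $1 is the intercepted address.
intercept_v1_json() {
  printf '{"protocols":["tcp","udp"],"addresses":["%s"],"portRanges":[{"low":%d,"high":%d}]}' "$1" "$LOW" "$HIGH"
}

# Pre-flight check for the pitfalls named in the reply. Simple string match on
# whitespace-stripped JSON, not a schema validator.
check_host_json() {
  c=$(printf '%s' "$1" | tr -d ' \t\n')
  rc=0
  case "$c" in *'"address":"localhost"'*)
    echo "address is localhost: may resolve to ::1, use 127.0.0.1" >&2; rc=1;; esac
  case "$c" in *'"forwardPort":true'*) ;; *)
    echo "forwardPort not set: all traffic goes to one fixed port" >&2; rc=1;; esac
  case "$c" in *'"forwardProtocol":true'*) ;; *)
    echo "forwardProtocol not set: tcp/udp mix is not preserved" >&2; rc=1;; esac
  return $rc
}

apply() {
  host=$(host_v1_json)
  check_host_json "$host" || return 1
  ziti edge create config hbb.host.v1 host.v1 "$host"
  ziti edge create config hbb.intercept.v1 intercept.v1 "$(intercept_v1_json hbb.ziti)"
  ziti edge create service hbb.svc --configs hbb.host.v1,hbb.intercept.v1
  ziti edge create service-policy hbb.bind Bind \
    --service-roles '@hbb.svc' --identity-roles '#hbb-servers'
  ziti edge create service-policy hbb.dial Dial \
    --service-roles '@hbb.svc' --identity-roles '#hbb-clients'
  ziti edge policy-advisor identities -q   # confirm the hosting identity may bind
  ziti edge list terminators               # listed once the hosting tunneler binds
}

if [ "${APPLY:-0}" = 1 ]; then apply; fi
```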