We have self-hosted zrok by following the tutorial exactly as described at Self-hosting guide for Docker | Zrok. We even set our wildcard subdomain correctly. We did not set up Caddy, as we do not want TLS. When we reach our deployed instance at http://zrok.metal.podiumpe.com:18080 it shows connection refused with the IP of the machine where zrok is deployed. When we ran docker compose logs zrok-frontend we saw the first few lines as:
INFO ziti/ziti/cmd/helpers.StandardErrorMessage: Connection error: Get https://ziti.metal.podiumpe.com:1280/.well-known/est/cacerts: dial tcp 172.27.0.2:1280: connect: connection refused
I don't know why it is looking for the https version of ziti. We did not set up any TLS. There is an issue with the tutorial. It is missing something.
Hi @sbansal793, welcome to the community and to OpenZiti. I took a quick look at the PR and it seems like you have gotten things working for yourself; that's great! I'm not sure what Ken had in mind with using 127.0.0.1 in that way, but I'm sure it was for a good reason. I'll loop in with him and one of us will take a look and comment on/approve the PR.
Thanks again for the PR, happy zrok'ing!
@sbansal793 Thanks for the suggestion to change the default listening interface from loopback to all.
You made the correct change to accept the risks of running zrok insecurely and publish zrok's API and frontend ports without TLS.
I thought it's best to let zrok's non-TLS servers listen only on loopback because I guessed users would be disappointed if the default was not secure.
What do you think of this change to set the insecure ports' listening interface with a variable ZROK_INSECURE_INTERFACE?
I made a PR here: clarify no-TLS option by qrkourier · Pull Request #628 · openziti/zrok · GitHub
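The loopback-versus-all-interfaces distinction discussed above is easy to audit on the host. The following is an added example, not zrok's or OpenZiti's code: it parses constructed `ss -ltn` style output and flags non-TLS listeners bound to anything other than loopback. The port-to-service map is an assumption for illustration.

```python
"""Audit which listening ports are bound to loopback only versus all
interfaces, and flag plaintext (non-TLS) ports reachable from outside.
Added example; the sample output and service map are constructed."""

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096       127.0.0.1:18080       0.0.0.0:*
LISTEN 0      4096         0.0.0.0:8080        0.0.0.0:*
LISTEN 0      4096           [::1]:1280           [::]:*
LISTEN 0      4096               *:443              *:*
"""

# Assumed mapping of port -> (service name, carries TLS?).
SERVICES = {
    18080: ("zrok API/frontend (plain HTTP)", False),
    8080: ("another plain-HTTP service", False),
    1280: ("ziti controller (HTTPS)", True),
    443: ("TLS listener", True),
}

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
ANY = {"0.0.0.0", "*", "[::]", "::"}


def parse_listeners(ss_output):
    """Return a list of (address, port) from `ss -ltn` style output."""
    listeners = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")  # handles [::1]:1280
        listeners.append((addr, int(port)))
    return listeners


def audit(ss_output, services=SERVICES):
    """Classify each listener's bind scope and flag exposed plaintext ports."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        name, tls = services.get(port, ("unknown service", False))
        scope = ("loopback-only" if addr in LOOPBACK
                 else "all-interfaces" if addr in ANY
                 else "specific-interface")
        findings.append({"port": port, "addr": addr, "scope": scope,
                         "service": name, "tls": tls,
                         "exposed_plaintext": scope != "loopback-only" and not tls})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SS_OUTPUT):
        flag = "EXPOSED PLAINTEXT" if f["exposed_plaintext"] else "ok"
        print(f"{f['port']:>6} {f['addr']:>10} {f['scope']:<18} {f['service']:<32} {flag}")
```

Run it against real `ss -ltn` output to confirm whether the non-TLS zrok ports are bound only to 127.0.0.1 or to every interface.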
@qrkourier That is a very good way to do it.
@qrkourier You would also need to update the tutorial for self-hosting.