I am running zrok inside docker. I followed this guide. I have nginx on this machine, so I can't use port 80. I chose another port, 8006. I modified some lines in the compose.yml file: replaced ${ZITI_CTRL_ADVERTISED_PORT} with 8006 on ports and expose under the ziti-quickstart service. Everything is working fine, like creating a user using the cli, accessing the frontend, enabling the environment in the client. But when I run zrok share public localhost:3000 it returns [ERROR]: error creating proxy backend (error listening: failed to listen: no apiSession, authentication attempt failed: Post "https://ziti.zrok.example.com:80/edge/client/v1/authenticate?method=cert": http: server gave HTTP response to HTTPS client). Maybe I misconfigured something, but I really have no clue what. And I followed this guide to add the nginx reverse proxy.
Welcome back to the forum, @sigoko7829. That's right, you can use any port number for any ziti or zrok server that's part of your Dockerized zrok instance.
For example, to use port 8006 for your ziti-controller, you must assign it in the .env file before the first run.
ZITI_CTRL_ADVERTISED_PORT=8006
It's all open and you're more than welcome to hack it, but if you replace the variable with the hard-coded value, then a few things will break.
It's because the variables from .env are inherited by the compose file and inherited by the Docker build, which influences the ziti and zrok configuration files inside the containers.
As for Nginx, you found the Nginx guide for Linux, and you mentioned you have Nginx running on the Docker host. Do you want to use that same Nginx instance on the Docker host as the TLS proxy for your zrok instance in Docker?
The guide you found for self-hosting zrok in Docker talks about using Caddy because it manages your wildcard certificate for you. Alternatively, you could use Nginx Proxy Manager, which can manage certificates as well.
For the ziti part, I removed the previous directory and created a new one, and ran the command curl https://get.openziti.io/zrok-instance/fetch.bash | bash, and my .env contains this:
ZROK_DNS_ZONE=zrok.example.com
ZROK_USER_EMAIL=me@example.com
ZROK_USER_PWD=zrokuserpw
ZITI_PWD=zitiadminpw
ZROK_ADMIN_TOKEN=zroktoken
ZITI_CTRL_ADVERTISED_PORT=8006
But after running docker compose up --build -d, the zrok-zrok-frontend and zrok-zrok-controller images/containers are not running (exited).
Thanks for sharing your process. I assume zrok isn't happy for some reason. What do those two containers' logs say the reason was?
Let's make sure you have the latest stable zrok image, too. If this triggers a download, then the new version will be used next time you "build" your compose project.
docker pull openziti/zrok:latest && docker run --rm openziti/zrok:latest version
For zrok-zrok-frontend, the last two lines are:
{"file":"github.com/openziti/ziti/ziti/cmd/helpers/helpers.go:130","func":"github.com/openziti/ziti/ziti/cmd/helpers.StandardErrorMessage","level":"info","msg":"Connection error: Get https://ziti.zrok.example.com:8006/.well-known/est/cacerts: dial tcp 172.19.0.2:8006: connect: connection refused","time":"2025-02-28T20:43:12.484Z"}
The connection to the server ziti.zrok.example.com:8006 was refused - did you specify the right host or port?
and the other one's log:
{"file":"/__w/zrok/zrok/controller/bootstrap.go:34","func":"github.com/openziti/zrok/controller.Bootstrap","level":"info","msg":"connecting to the ziti edge management api","time":"2025-02-28T20:44:13.387Z"}
panic: error connecting to the ziti edge management api: Get "https://ziti.zrok.example.com:8006/edge/management/v1/.well-known/est/cacerts": dial tcp 172.19.0.2:8006: connect: connection refused
Cool, thanks. I see that zrok is unable to connect to ziti because ziti is not listening at the expected address.
zrok is trying to connect to ziti at https://ziti.${ZROK_DNS_ZONE}:${ZITI_CTRL_ADVERTISED_PORT}, and the ziti container has an alias ziti.${ZROK_DNS_ZONE} that zrok uses to connect directly inside the Docker network.
This will show you if ziti is running and which ports are exposed inside the Docker network and which ports are published/forwarded to the Docker host.
docker compose ps ziti-quickstart
Here's the output:
zrok-ziti-quickstart-1 docker.io/openziti/ziti-cli:latest "bash -euc 'ZITI_CMD…" ziti-quickstart 32 minutes ago Up 9 seconds (healthy) 0.0.0.0:3022->3022/tcp, 0.0.0.0:8006->8006/tcp
I think the port forwarding is wrong. Shouldn't it be 8006 -> 80?
Those are OK published/forwarded ports if you want your ziti control plane on 8006 and ziti data on 3022. No, ziti's ports are published directly, not through the LB/reverse proxy like Nginx.
I think I've seen this before and never figured out precisely what was happening. The symptom I remember was the Docker network gets split somehow, and things can't connect internally. Try restarting everything and check if zrok can connect.
docker compose up --detach --build --force-recreate
docker compose logs zrok-controller
zrok-controller-1 | {"file":"/__w/zrok/zrok/controller/store/store.go:57","func":"github.com/openziti/zrok/controller/store.Open","level":"info","msg":"database connected","time":"2025-02-28T21:06:03.703Z"}
zrok-controller-1 | {"file":"/__w/zrok/zrok/controller/store/store.go:89","func":"github.com/openziti/zrok/controller/store.(*Store).migrate","level":"info","msg":"applied 0 migrations","time":"2025-02-28T21:06:03.705Z"}
zrok-controller-1 | {"file":"/__w/zrok/zrok/controller/bootstrap.go:34","func":"github.com/openziti/zrok/controller.Bootstrap","level":"info","msg":"connecting to the ziti edge management api","time":"2025-02-28T21:06:03.705Z"}
zrok-controller-1 | panic: error connecting to the ziti edge management api: Get "https://ziti.zrok.example.com:8006/edge/management/v1/.well-known/est/cacerts": dial tcp 172.19.0.2:8006: connect: connection refused
zrok-controller-1 |
zrok-controller-1 | goroutine 1 [running]:
zrok-controller-1 | main.(*adminBootstrap).run(0xc001810270, 0xc000839bb0?, {0xc0003c6260?, 0x0?, 0x0?})
zrok-controller-1 | /__w/zrok/zrok/cmd/zrok/adminBootstrap.go:40 +0xf6
zrok-controller-1 | github.com/spf13/cobra.(*Command).execute(0xc000478308, {0xc0003c6240, 0x2, 0x2})
zrok-controller-1 | /github/home/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:989 +0xa91
zrok-controller-1 | github.com/spf13/cobra.(*Command).ExecuteC(0x62d6320)
zrok-controller-1 | /github/home/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:1117 +0x3ff
zrok-controller-1 | github.com/spf13/cobra.(*Command).Execute(...)
zrok-controller-1 | /github/home/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:1041
zrok-controller-1 | main.main()
zrok-controller-1 | /__w/zrok/zrok/cmd/zrok/main.go:121 +0x1a
lol, I am sorry, I should research more and tell you more about what's going on rather than just copy-pasting errors.
zrok was able to look up the DNS name for ziti and got Docker network IP 172.19.0.2, but apparently that's not the right IP address because ziti is running (on another address) and listening on 8006/TCP because you checked with ps.
Before we get in deeper, what all did you need to change in the compose file?
Double-check that ziti and zrok containers have the same "network" in your compose file(s).
I don't know much about docker. compose.yml's ziti-quickstart and ziti-controller have the same lines:
networks:
  zrok-instance:
    aliases:
      - zrok.${ZROK_DNS_ZONE}
How do I know they are running on the same network?
Good stuff. They're both using the Docker network from the example named zrok-instance.
Does ziti have the IP zrok is trying to connect to?
docker compose ps --format='{{.Names}}' | xargs -I {} sh -c 'echo -n "{}: "; docker inspect -f "{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}" {}' | column -t
I guess yes:
zrok-ziti-quickstart-1: 172.19.0.2
zrok-zrok-controller-1:
zrok-zrok-frontend-1:
Does ziti's log look happy? It was running when you ran docker compose ps ziti-quickstart before. Is it still running constantly, not bouncing? Can you connect to ziti, even though zrok cannot for some reason?
curl -sSfk https://ziti.zrok.example.com:8006/edge/client/v1/version
should take you to the same place as this when it's run on the Docker host:
curl -sSfk https://127.0.0.1:8006/edge/client/v1/version
You can also try cURL'ing from the zrok container, which I expect gets the same "connection refused" error.
docker compose run --rm --entrypoint= --no-deps zrok-controller curl -sSfk https://ziti.zrok.example.com:8006/edge/client/v1/version
Using localhost it returned curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 127.0.0.1:8006, and for the domain curl says Couldn't connect to server.
At least that's consistent and probably means it's not a Docker network issue after all.
Maybe a firewall issue? But I checked with the firewall disabled.
Probably not firewall.
Is ziti complaining about something?
docker compose logs ziti-quickstart --follow
There is so much to consume; maybe you will find something useful.
ziti-quickstart-1 | [ 0.406] INFO ziti/controller/server.(*Controller).Run: starting edge
ziti-quickstart-1 | [ 0.406] INFO ziti/controller.(*Controller).Run.GoroutinesPoolMetricsConfigF.func1.1: {poolType=[pool.listener.ctrl] idleTime=[10s] maxQueueSize=[1] maxWorkers=[16] minWorkers=[1]} starting goroutine pool
ziti-quickstart-1 | [ 0.406] INFO channel/v3.(*UnderlayDispatcher).Run: started
ziti-quickstart-1 | [ 0.408] INFO ziti/controller/server.(*Controller).checkEdgeInitialized: edge initialized
ziti-quickstart-1 | [ 0.494] INFO xweb/v2.(*Server).Start: starting ApiConfig to listen and serve tls on 0.0.0.0:80 for server client-management with APIs: [edge-management edge-client fabric]
ziti-quickstart-1 | [ 0.495] INFO ziti/controller/network.(*Network).Run: started
ziti-quickstart-1 | timed out waiting for controller: https://ziti.zrok.example.com:8006
ziti-quickstart-1 | Environment left intact at: /home/ziggy/quickstart
ziti-quickstart-1 exited with code 0
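The last quoted log lines are the telling ones: ziti's xweb API server came up on 0.0.0.0:80, while the quickstart's readiness check (and, earlier in the thread, zrok) waited on https://ziti.zrok.example.com:8006, so every dial to :8006 inside the Docker network was refused. The shell script below is an added example, not code from the thread or from the zrok/ziti projects: it pulls the advertised port out of .env, the port ziti actually bound, and the port the quickstart waited for, from constructed copies of the lines quoted above, and reports any disagreement. The function names and the sample strings are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the zrok/ziti projects.
# Cross-checks three port values that the thread shows disagreeing:
#   1. ZITI_CTRL_ADVERTISED_PORT in .env (what zrok and the compose file expect)
#   2. the port ziti's xweb API server actually bound ("listen and serve tls on ...")
#   3. the port the quickstart readiness check waited for ("timed out waiting for controller: ...")

# Constructed sample of the .env from the thread (values are the thread's examples).
SAMPLE_ENV='ZROK_DNS_ZONE=zrok.example.com
ZITI_CTRL_ADVERTISED_PORT=8006'

# Constructed sample of the ziti-quickstart log lines quoted in the thread.
SAMPLE_LOG='ziti-quickstart-1 | [ 0.494] INFO xweb/v2.(*Server).Start: starting ApiConfig to listen and serve tls on 0.0.0.0:80 for server client-management with APIs: [edge-management edge-client fabric]
ziti-quickstart-1 | [ 0.495] INFO ziti/controller/network.(*Network).Run: started
ziti-quickstart-1 | timed out waiting for controller: https://ziti.zrok.example.com:8006'

# Port advertised in .env; empty if the variable is not set.
expected_port() {
  printf '%s\n' "$1" | sed -n 's/^ZITI_CTRL_ADVERTISED_PORT=//p' | head -n 1
}

# Port the controller's API listener really bound, from the xweb start line.
listen_port() {
  printf '%s\n' "$1" | sed -n 's/.*listen and serve tls on [^ ]*:\([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Port of the controller URL the readiness check timed out on; empty if it never timed out.
wait_port() {
  printf '%s\n' "$1" | sed -n 's/.*timed out waiting for controller: .*:\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Prints a verdict. Returns 0 when advertised and bound ports agree, 1 on a
# mismatch, 2 when either value could not be found in the input.
check_ctrl_port() {
  want=$(expected_port "$1")
  got=$(listen_port "$2")
  waited=$(wait_port "$2")
  if [ -z "$want" ] || [ -z "$got" ]; then
    echo "cannot check: advertised='$want' bound='$got'"
    return 2
  fi
  if [ "$want" = "$got" ]; then
    echo "ok: controller bound :$got, matching ZITI_CTRL_ADVERTISED_PORT"
    return 0
  fi
  echo "mismatch: .env advertises :$want but ziti bound :$got${waited:+ (quickstart waited on :$waited)}; dials to :$want inside the Docker network will be refused"
  return 1
}

# Against the thread's own lines this reports the mismatch (80 vs 8006).
# On the Docker host, feed it the real inputs instead:
#   check_ctrl_port "$(cat .env)" "$(docker compose logs ziti-quickstart)"
check_ctrl_port "$SAMPLE_ENV" "$SAMPLE_LOG" || :
```

When the check reports a mismatch, the port in .env and the port the controller configuration was generated with disagree, which is the breakage the earlier reply warned about when a value is hard-coded in compose.yml instead of set in .env before the first run.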