How to use ziti-edge-tunnel run-host?

./ziti-edge-tunnel run-host -i snowman.json
I am not 100% sure what it does.
I understand ziti-edge-tunnel run (similar to the desktop version) intercepts traffic and sends it to the overlay network.
ziti-edge-tunnel run-host shows it's connected and a service event (added) in the log.
My Ziti client is connected and intercepts the traffic, but it just disconnects (connection refused).
Say I have a port 80 HTTP server running on the host that I want to expose. How do I go about doing that?

Thank you in advance!

The run-host mode provides a subset of features: no Ziti DNS or forward proxy, only reverse proxy. It's a terminus for a Ziti service to the regular network. For example, you can use it to publish a localhost port with Ziti.

As such, it doesn't require any special privileges. It will bind/host any Ziti service that's authorized with a Bind Service Policy for the identity.

Ensure the services you authorize have a host config, e.g. host.v1. It tells the hosting tunneler where to send traffic exiting the Ziti service, i.e., the target address.

Coolness - I was using intercept.v1 to limit the scope to just port 80.
This would be great if I can expose the whole host.
I will play around with it.
What would the dialer part look like?

You would use a port range, 1-65535, or any range you like. :smiley: Oh, also set up the host side to forward the port.
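The exchange above (a wide dial-side port range, and a host side that forwards the intercepted port to the target) as an added worked example, not code from the OpenZiti project or from the thread. It builds the intercept.v1 and host.v1 documents for publishing a whole host through ziti-edge-tunnel run-host, checks that the two sides agree before anything is created, and prints the ziti CLI commands that wire them to a service and to Bind/Dial policies. The service name myhost, the identity names laptop and snowman, the intercept address myhost.ziti and the target 127.0.0.1 are illustrative assumptions; the config field names are the documented host.v1 / intercept.v1 ones.

```python
"""Generate and sanity-check a host.v1 + intercept.v1 pair for run-host.

Added example; not OpenZiti project code. Names (myhost, laptop, snowman,
myhost.ziti, 127.0.0.1) are assumptions made for illustration.
"""
import json

FULL_RANGE = {"low": 1, "high": 65535}


def host_v1(target_address, port_ranges=(FULL_RANGE,), protocols=("tcp", "udp")):
    """host.v1 tells the hosting tunneler where traffic leaving the service goes.

    forwardPort=True reuses whatever port the dialer intercepted, restricted to
    allowedPortRanges; forwardProtocol does the same for tcp/udp.
    """
    return {
        "address": target_address,          # reached from the hosting tunneler's network
        "forwardPort": True,
        "allowedPortRanges": list(port_ranges),
        "forwardProtocol": True,
        "allowedProtocols": list(protocols),
    }


def intercept_v1(addresses, port_ranges=(FULL_RANGE,), protocols=("tcp", "udp")):
    """intercept.v1 is the dialer side: which names/ports the client tunneler captures."""
    return {
        "protocols": list(protocols),
        "addresses": list(addresses),
        "portRanges": list(port_ranges),
    }


def _covered(rng, allowed):
    return any(a["low"] <= rng["low"] and rng["high"] <= a["high"] for a in allowed)


def check_pair(intercept, host):
    """Return a list of mismatches between dial side and host side (empty == consistent).

    A narrow host.v1 behind a wide intercept.v1 is the classic cause of connections
    that intercept fine but get refused at the far end.
    """
    problems = []
    if host.get("forwardPort"):
        allowed = host.get("allowedPortRanges", [])
        if not allowed:
            problems.append("host.v1: forwardPort requires allowedPortRanges")
        for rng in intercept["portRanges"]:
            if not _covered(rng, allowed):
                problems.append(
                    f"intercepted ports {rng['low']}-{rng['high']} are not in host.v1 allowedPortRanges")
    elif "port" not in host:
        problems.append("host.v1: set either port or forwardPort")
    if host.get("forwardProtocol"):
        allowed_protos = set(host.get("allowedProtocols", []))
        for proto in intercept["protocols"]:
            if proto not in allowed_protos:
                problems.append(f"protocol {proto} intercepted but not in host.v1 allowedProtocols")
    elif "protocol" not in host:
        problems.append("host.v1: set either protocol or forwardProtocol")
    return problems


def ziti_commands(service, intercept, host, dial_identity, host_identity):
    """The ziti CLI invocations that create the pair, the service and both policies."""
    host_cfg, icpt_cfg = f"{service}-host", f"{service}-intercept"
    return [
        f"ziti edge create config {host_cfg} host.v1 '{json.dumps(host)}'",
        f"ziti edge create config {icpt_cfg} intercept.v1 '{json.dumps(intercept)}'",
        f"ziti edge create service {service} --configs {host_cfg},{icpt_cfg}",
        # Bind policy: who may host the service (the run-host identity)
        f"ziti edge create service-policy {service}-bind Bind "
        f"--service-roles '@{service}' --identity-roles '@{host_identity}'",
        # Dial policy: who may intercept and dial it (the laptop)
        f"ziti edge create service-policy {service}-dial Dial "
        f"--service-roles '@{service}' --identity-roles '@{dial_identity}'",
    ]


if __name__ == "__main__":
    icpt = intercept_v1(["myhost.ziti"])            # whole host: every port, tcp and udp
    host = host_v1("127.0.0.1")                     # run-host forwards to its own loopback
    assert not check_pair(icpt, host)
    print("\n".join(ziti_commands("myhost", icpt, host, "laptop", "snowman")))
```

Run it once to get the five commands; after they have been applied, `ziti-edge-tunnel run-host -i snowman.json` on the target host hosts the service (it needs no privileges because it only dials 127.0.0.1), and the laptop running `ziti-edge-tunnel run` can reach `myhost.ziti` on any port the host actually listens on.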

Lesson learned for me.

I was tearing my hair out trying to see why this wasn't working for me.
Everything in ZAC looked good. I had a similar issue with the nginx-ziti module as well.
I was trying to use made-up names, nginix.ziti and myhost.ziti.
Those get resolved to a 100.64.0.4 address and the packets just get dropped.
If I use the IP of the host, then it auto-magically works.

clue 1:
curl -vvv http://myhost.ziti

  • Host ubee.ziti:80 was resolved.
  • IPv6: (none)
  • IPv4: 100.64.0.8
  • Trying 100.64.0.8:80...
  • Immediate connect fail for 100.64.0.8: Can't assign requested address
  • Failed to connect to ubee.ziti port 80 after 2 ms: Couldn't connect to server
  • Closing connection

Turns out to be Zscaler.

Both OpenZiti and Zscaler use 100.64.0.0/10.

Ziti by itself
netstat -rn |grep 100
100.64/10 link#20 UCS utun4
100.64.0.1 100.64.0.1 UH utun4
100.64.0.3 link#20 UHWIi utun4

Zscaler by itself
netstat -rn |grep 100
1 100.64.0.1 UGSc en0
2/7 100.64.0.1 UGSc en0
4/6 100.64.0.1 UGSc en0
8/5 100.64.0.1 UGSc en0

When I had Zscaler and Ziti:
netstat -rn |grep 100
100.64/16 100.64.0.1 UGSc en0 <-- culprit
100.64/10 link#21 UCS utun5
100.64.0.1 100.64.0.1 UH utun5
100.64.0.2 link#21 UHWIig utun5

Now I make sure Zscaler exits cleanly, and all the intercept rules work beautifully.
However, the part about intercepting by IP vs. by host is scar tissue that I won't soon forget.

You can configure the IP range used by the Ziti intercepting tunneler to ensure the two use discrete IP ranges. For example, if the other app always uses 100.64/10, you could configure Ziti to use any private IP range large enough to accommodate the number of concurrent Ziti services authorized for all your loaded identities.
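The collision above, and the advice to give the tunneler a range the other agent does not touch, as an added example that is not part of the thread or of the OpenZiti project. It parses the macOS `netstat -rn` lines posted earlier (the three tables below are copied from the post, with the "culprit" marker removed), expands netstat's abbreviated destinations, and reports any route that overlaps the tunneler's intercept range but is not on the tunneler's own utun interface; a second function picks a replacement range that overlaps nothing else on the box and is large enough for the number of services you expect. The candidate ranges and the service count are assumptions for illustration, as is treating a bare `1` as the classful 1.0.0.0/8.

```python
"""Detect routes that collide with ziti-edge-tunnel's intercept/DNS range.

Added example; not OpenZiti project code. Routing tables are copied from the
forum post; candidate replacement ranges are assumptions.
"""
import ipaddress

DEFAULT_ZITI_RANGE = ipaddress.ip_network("100.64.0.0/10")

# netstat -rn | grep 100, copied from the post (Ziti alone, Zscaler alone, both).
ZITI_ONLY = """
100.64/10 link#20 UCS utun4
100.64.0.1 100.64.0.1 UH utun4
100.64.0.3 link#20 UHWIi utun4
"""
ZSCALER_ONLY = """
1 100.64.0.1 UGSc en0
2/7 100.64.0.1 UGSc en0
4/6 100.64.0.1 UGSc en0
8/5 100.64.0.1 UGSc en0
"""
COMBINED = """
100.64/16 100.64.0.1 UGSc en0
100.64/10 link#21 UCS utun5
100.64.0.1 100.64.0.1 UH utun5
100.64.0.2 link#21 UHWIig utun5
"""


def parse_dest(dest):
    """Expand a macOS netstat destination to an ip_network.

    '100.64/16' -> 100.64.0.0/16, '2/7' -> 2.0.0.0/7, '100.64.0.1' -> /32 host route.
    A bare short form like '1' is assumed to be classful ('1' -> 1.0.0.0/8).
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:
        plen = "32" if len(octets) == 4 else str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)


def parse_routes(text):
    """Yield (destination network, gateway, flags, interface) per netstat line."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                      # header or truncated line
        dest, gateway, flags, iface = parts[:4]
        routes.append((parse_dest(dest), gateway, flags, iface))
    return routes


def colliding_routes(text, ziti_range=DEFAULT_ZITI_RANGE):
    """Routes that overlap the tunneler's range but belong to some other interface.

    The tunneler's own utun routes are expected and ignored; anything else
    inside the range steals packets destined for intercepted hostnames.
    """
    return [r for r in parse_routes(text)
            if r[0].overlaps(ziti_range) and not r[3].startswith("utun")]


def pick_range(text, candidates, min_services):
    """First candidate that overlaps no non-utun route and can address min_services hosts.

    Returns None when nothing fits; the utun routes are ignored because they will
    move with the tunneler once its range changes.
    """
    others = [r[0] for r in parse_routes(text) if not r[3].startswith("utun")]
    for cand in candidates:
        net = ipaddress.ip_network(cand)
        if net.num_addresses - 2 < min_services:   # rough: one address per service
            continue
        if any(net.overlaps(o) for o in others):
            continue
        return str(net)
    return None


if __name__ == "__main__":
    for name, table in (("ziti", ZITI_ONLY), ("zscaler", ZSCALER_ONLY), ("both", COMBINED)):
        print(name, [f"{d} via {gw} on {ifc}" for d, gw, _, ifc in colliding_routes(table)])
    print(pick_range(COMBINED, ["100.64.0.0/10", "10.123.0.0/16", "172.31.0.0/16"], 200))
```

Only the combined table trips the check, on exactly the `100.64/16 ... en0` line the post marked as the culprit; the Zscaler-only table is clean because its catch-all routes (1/8, 2/7, 4/6, 8/5) do not cover 100.64.0.0/10, even though their gateway 100.64.0.1 shows it also lives in CGNAT space. Recent ziti-edge-tunnel builds expose the tunneler's range as a `--dns-ip-range` option on `ziti-edge-tunnel run`; confirm the exact spelling with `ziti-edge-tunnel run --help` for your version, and note that run-host needs no such range because it does no DNS.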

thank you very much!

I have so much RFC1918 space; CGNAT space is perfect for these overlapping private ranges.
Damn you, Zscaler!

100% agree. I found that option but want to make sure I understand it better before I make changes.
I assume that IP range is locally significant to my laptop only?

Yes, the IPs returned from ziti-edge-tunnel's DNS server are only seen by local processes (unless you've gone out of your way to set up your laptop as a DNS server for other hosts on your network).

edit: clarification - unless you've set up other hosts on your network to use your laptop as a DNS server.