Is it possible to CNAME to the zrok share URL and also use letsencrypt to get TLS support?

Basically can this be done?

I'd like to hide the ZROK share URL and use my own domain.

For example go to NYC New Proposed Property Tax Calculator 2024 based on recent tax advisory commission proposal
This redirects to NYC New Proposed Property Tax Calculator 2024 based on recent tax advisory commission proposal

But I'd rather CNAME a subdomain such as appv2.tidalforce.org to propmarketing.share.zrok.io

and redirect to appv2.tidalforce.org

But I do not have TLS / letsencrypt set up for appv2.tidalforce.org

With the public frontend on zrok.io, it's not possible as that uses the Host header to route traffic to the correct share.

What you COULD do is pick up a cheap VPS or container hosting and run your own zrok access private, and put a CNAME in front of that. If you wanted TLS, stick the zrok access private behind an nginx or Caddy proxy with TLS configured.

Check out this thread:

@michael.quigley Thank you very much.

I thought so.

Therefore, I was trying to load the entire openziti and ZROK on a VPS using docker.

Are you saying that I only need a VPS, and install nginx/caddy, letsencrypt for TLS, and ZROK, and I can use the public-facing ZROK.io interface? I apologize for the question. Thanks.

Do I need letsencrypt at all, or does it appear that Caddy supports on-demand TLS?


If you wanted to use the service at zrok.io to be your OpenZiti and zrok infrastructure, you could install just zrok access private <your share token>, fronted by an nginx/Caddy reverse proxy and have your own custom domain with TLS today.

You don't need to self-host all of zrok and OpenZiti unless you want to.

So you would create a private share using zrok share private, and then your VPS would be your "frontend", accepting web requests from the internet. But the traffic between them would traverse the shared zrok instance at zrok.io.

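The "zrok.io hosted" layout described in the two replies above (the public frontend stays at zrok.io, a VPS runs `zrok access private` on loopback, and Caddy in front of it terminates TLS on your own hostname), written out as an added setup script. This is example code, not the zrok project's own or the thread authors'. Assumptions not in the thread: the share token `abcd1234` is a placeholder, `127.0.0.1:9191` is zrok's default access bind address, Caddy is installed as a systemd service reading `/etc/caddy/Caddyfile`, and DNS for the hostname already resolves to the VPS (an A record, or a CNAME to the VPS's own hostname).

```shell
#!/bin/sh
# Added example, not from the zrok project or the thread.
# VPS side of the "zrok.io hosted" model: zrok.io carries the traffic between
# the private share and this VPS; Caddy exposes it on your own domain with a
# Let's Encrypt certificate that Caddy obtains and renews by itself.
set -eu

DOMAIN="appv2.tidalforce.org"            # hostname you control (from the thread)
SHARE_TOKEN="${SHARE_TOKEN:-abcd1234}"   # placeholder; use the token printed by `zrok share private`
BIND="127.0.0.1:9191"                    # loopback only: the access endpoint is never exposed directly

# Render the Caddyfile for one hostname. Because the site address is a public
# hostname, Caddy requests a certificate from Let's Encrypt on first start and
# renews it automatically; no separate certbot step is needed.
render_caddyfile() {
  domain="$1"; bind="$2"
  cat <<EOF
$domain {
	# Plain HTTP to the local zrok access endpoint; TLS is terminated in Caddy.
	reverse_proxy $bind
	header {
		Strict-Transport-Security "max-age=31536000"
		-Server
	}
}
EOF
}

main() {
  # On the machine that runs the application (done once, not on the VPS):
  #   zrok enable <environment token from the zrok.io console>
  #   zrok share private --backend-mode proxy http://127.0.0.1:8080
  # The share command prints the share token that SHARE_TOKEN must hold.

  # On this VPS: enable its own zrok environment, then start an access process
  # that reaches the private share through zrok.io and listens on loopback.
  zrok enable "${VPS_ENV_TOKEN:?set to an environment token from the zrok.io console}"
  nohup zrok access private --headless --bind "$BIND" "$SHARE_TOKEN" \
    >/var/log/zrok-access.log 2>&1 &

  # Install the Caddy site, check the syntax, and reload without downtime.
  render_caddyfile "$DOMAIN" "$BIND" >/etc/caddy/Caddyfile
  caddy validate --config /etc/caddy/Caddyfile
  systemctl reload caddy
}

# Run the deployment only when executed as this script, so the functions can be sourced.
if [ "${0##*/}" = "setup-zrok-frontend.sh" ]; then
  main
fi
```

Keep `zrok access private` bound to loopback: anyone who can reach port 9191 directly would bypass Caddy, and with it TLS and whatever authentication you add there. Point your DNS record at the VPS, not at `*.share.zrok.io`, since the zrok.io frontend routes on the Host header and will not recognise your hostname.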

I'll try and put a picture of this model together next week, so it's clearer.


I've recently had success with both of these approaches:

  • Caddy (with TLS and oauth) reverse-proxying private shares on a VPS using my own domain
  • Self-hosted zrok+openziti using this guide using my own domain

Here are my mermaid diagrams.

zrok.io hosted

graph
D["DNS"]
R["Requester"]
subgraph VPS
	C["Caddy"]
end
A1["Private Endpoint 1"]
A2["Private Endpoint 2"]
note1>"Auth (google OAuth2)"]:::note 
note2>"zrok access private"]:::note 
note3>"zrok share private"]:::note
classDef note fill:#fff9c4
R -->|"*.mydomain.io"| D
D -->|"static\nIP address"| C
C --> A1
C --> A2
note1 -.- C
note2 -.- C
A1 & A2 -.- note3

Self-hosted

graph
D["DNS"]
R["Requester"]
subgraph VPS
	C["Caddy+zrok"]
end
A1["Private Endpoint 1"]
A2["Private Endpoint 2"]
note3>"zrok share public oauth"]:::note
note4>"Caddy configured for\neach public share"]:::note
classDef note fill:#fff9c4
R -->|"*.mydomain.io"| D
D -->|"static\nIP address"| C
A1 -->|"reserved public share + oauth"| C
A2 -->|"reserved public share + oauth"| C
note3 -.- A1
note3 -.- A2
note4 -.- C

I wrote the Linux and Docker self-hosting guides, and I recommend the Docker approach for administrative convenience, assuming you're comfortable with Docker Compose.

The Linux guide doesn't yet provide any packaging for system services, etc., but that's a feature of Docker. Additionally, it's easy to manage the configuration of the zrok instance and upgrade/downgrade zrok versions. The Linux guide mentions using Nginx and provides an example, but the Docker guide has a built-in option for Caddy, which can also manage your TLS certificate renewals. It's the best option for a tiny scale zrok instance IMO.

https://docs.zrok.io/docs/guides/self-hosting/docker/