Issue creating tunnel service doesn't work in GUI but does through command line

Clint - not sure if this is the GUI issue that you have or not, but I went on to extend the demo by tunneling my mythtv web app through Ziti. Should be easy enough as it is basically a copy of http.svc. So, I went and did it through the GUI - didn’t work. Did it through the command line and it works a treat.

So, what works:

ziti edge create config mythtv.intercept.v1 intercept.v1 '{"protocols":["tcp"],"addresses":["mythtv.ziti"], "portRanges":[{"low":80, "high":80}]}'
ziti edge create config mythtv.host.v1 host.v1 '{"protocol":"tcp", "address":"192.168.9.2", "port":80}'
ziti edge create service mythtv.svc --configs mythtv.intercept.v1,mythtv.host.v1
ziti edge create service-policy mythtv.policy.dial Dial --service-roles "@mythtv.svc" --identity-roles '#http-clients'
ziti edge create service-policy mythtv.policy.bind Bind --service-roles '@mythtv.svc' --identity-roles "@ziti-private-blue"

That gives me a GUI config as per these pictures

and I get the tunnel and it all works mint.

When I do the same configurations through the GUI I get what looks like encrypted traffic in the web server logs. Pictures of the config are as follows:

and I get this in the web logs:

192.168.9.253 - - [04/Jun/2022:10:21:27 +1200] "\xbff?\x7f\xaa\x07\xfe\xa8\xf7V\xba\xc2\xe0\xd2\xdf\xb6\x06\x14\xb4\xffb\x8d\xf2\xfe\x04\x13 \xfdZ\xbbt\xc9\xb5\x94\xc1\xef\xf5\xb5\x83\x05:#\x8b;\x88>.\x8f\x98V\xb8\\5=\x89yT\xe6\x99\xc9\xedF\xac\xff\xb3\xc0q_\x85<ZO\x03\xb1\xa0zP\xf7\x7ff\xf9\xd8i\x16\xf9\xd9P\x17\t\xb8\x94\x8d\xf4\xbe\x8c\xf3<\xb6\xf2\xce\xd68S{\\v\x8d\x12\xf5\xb7{\x950\x89\x19_2\x98(Ji\xa7\xe2R>a\xa6\xed\x9a'" 400 0 "-" "-"

192.168.9.253 is where the tunnel router is coming from, so that’s correct.

Any ideas? FYI - I have changed the connect timeout value up, as this is the only visual difference that I am seeing.

Also, here is a ‘feature’. If I go into Service Configurations > mythtv.intercept.v1, click into identity and type a #, I get returned to the login page. Do you get that?

Mmm, must be a bug in the UI. The only way to really verify would be to make the services and then output them as JSON and diff them.

I see the “encryption is required” in your screenshot. I thought perhaps that was not set to true at first, but that’s not the problem. The connect timeout was another thought I was going to ask about, but you covered that in a follow-up. I expect you didn’t modify the terminator; I expect it’s just an informational image. You shouldn’t have to modify that. There must be a subtle bug in the UI that’s not faithfully translating the JSON properly. We can look to reproduce that problem.

I can confirm when I enter a pound/hash into the identity field of the form when editing an existing intercept.v1 config I get logged out. I’ll file a bug for that too.

@jeremy.tellier - confirmed ZAC bug here: Forced logout when typing '#' into intercept.v1 · Issue #27 · openziti/ziti-console · GitHub

I can’t test it - but since you gave me the ziti CLI commands (thanks!) I can try to reproduce the config differences too. I’ll give that a shot.

What are the commands to output as JSON? Might be quicker?

ziti edge list services "limit none" -j
ziti edge list configs "limit none" -j

That’ll dump all services and all configs.

I wouldn’t expect the service-policies to be relevant since those are for authorizing the services for bind/dial.

I have them - just need to find a way to get them through to you. Performing the diff gives me these:

diff mythtv.configs.good mythtv.configs.bad
5,7d4
<                 "configs": {
<                     "href": "./services/cW9iWDYmBG/configs"
<                 },
9,18c6
<                     "href": "./services/cW9iWDYmBG"
<                 },
<                 "service-edge-router-policies": {
<                     "href": "./services/cW9iWDYmBG/service-edge-router-policies"
<                 },
<                 "service-policies": {
<                     "href": "./services/cW9iWDYmBG/service-policies"
<                 },
<                 "terminators": {
<                     "href": "./services/cW9iWDYmBG/terminators"
---
>                     "href": "./configs/-bBQqnGHZl"
21,22c9,10
<             "createdAt": "2022-06-03T10:07:27.491Z",
<             "id": "cW9iWDYmBG",
---
>             "createdAt": "2022-06-03T22:01:32.917Z",
>             "id": "-bBQqnGHZl",
24,38c12,29
<             "updatedAt": "2022-06-03T11:33:59.296Z",
<             "config": {},
<             "configs": [
<                 "3slM-DYmBG",
<                 "C6KiWyYmBG"
<             ],
<             "encryptionRequired": true,
<             "name": "http.svc",
<             "permissions": [
<                 "Bind",
<                 "Dial"
<             ],
<             "postureQueries": [],
<             "roleAttributes": null,
<             "terminatorStrategy": "smartrouting"
---
>             "updatedAt": "2022-06-03T22:01:32.917Z",
>             "configType": {
>                 "_links": {
>                     "self": {
>                         "href": "./config-types/NH5p4FpGR"
>                     }
>                 },
>                 "entity": "config-types",
>                 "id": "NH5p4FpGR",
>                 "name": "host.v1"
>             },
>             "configTypeId": "NH5p4FpGR",
>             "data": {
>                 "address": "192.168.9.2",
>                 "port": 80,
>                 "protocol": "tcp"
>             },
>             "name": "mythtv.host.v1"
42,44d32
<                 "configs": {
<                     "href": "./services/tPtnoIFSCl/configs"
<                 },
46,55c34,99
<                     "href": "./services/tPtnoIFSCl"
<                 },
<                 "service-edge-router-policies": {
<                     "href": "./services/tPtnoIFSCl/service-edge-router-policies"
<                 },
<                 "service-policies": {
<                     "href": "./services/tPtnoIFSCl/service-policies"
<                 },
<                 "terminators": {
<                     "href": "./services/tPtnoIFSCl/terminators"
---
>                     "href": "./configs/3slM-DYmBG"
>                 }
>             },
>             "createdAt": "2022-06-03T10:07:00.320Z",
>             "id": "3slM-DYmBG",
>             "tags": {},
>             "updatedAt": "2022-06-03T10:07:00.320Z",
>             "configType": {
>                 "_links": {
>                     "self": {
>                         "href": "./config-types/g7cIWbcGg"
>                     }
>                 },
>                 "entity": "config-types",
>                 "id": "g7cIWbcGg",
>                 "name": "intercept.v1"
>             },
>             "configTypeId": "g7cIWbcGg",
>             "data": {
>                 "addresses": [
>                     "http.ziti"
>                 ],
>                 "portRanges": [
>                     {
>                         "high": 80,
>                         "low": 80
>                     }
>                 ],
>                 "protocols": [
>                     "tcp"
>                 ]
>             },
>             "name": "http.intercept.v1"
>         },
>         {
>             "_links": {
>                 "self": {
>                     "href": "./configs/C6KiWyYmBG"
>                 }
>             },
>             "createdAt": "2022-06-03T10:07:21.938Z",
>             "id": "C6KiWyYmBG",
>             "tags": {},
>             "updatedAt": "2022-06-03T10:07:21.938Z",
>             "configType": {
>                 "_links": {
>                     "self": {
>                         "href": "./config-types/NH5p4FpGR"
>                     }
>                 },
>                 "entity": "config-types",
>                 "id": "NH5p4FpGR",
>                 "name": "host.v1"
>             },
>             "configTypeId": "NH5p4FpGR",
>             "data": {
>                 "address": "web-test-blue",
>                 "port": 8000,
>                 "protocol": "tcp"
>             },
>             "name": "http.host.v1"
>         },
>         {
>             "_links": {
>                 "self": {
>                     "href": "./configs/Ps1-RIFSZl"
58,59c102,103
<             "createdAt": "2022-06-03T23:12:58.434Z",
<             "id": "tPtnoIFSCl",
---
>             "createdAt": "2022-06-03T22:01:03.859Z",
>             "id": "Ps1-RIFSZl",
61,75c105,136
<             "updatedAt": "2022-06-03T23:12:58.434Z",
<             "config": {},
<             "configs": [
<                 "nuenQnFHZl",
<                 "rbtIonFSZl"
<             ],
<             "encryptionRequired": true,
<             "name": "mythtv.svc",
<             "permissions": [
<                 "Bind",
<                 "Dial"
<             ],
<             "postureQueries": [],
<             "roleAttributes": null,
<             "terminatorStrategy": "smartrouting"
---
>             "updatedAt": "2022-06-03T22:28:30.635Z",
>             "configType": {
>                 "_links": {
>                     "self": {
>                         "href": "./config-types/g7cIWbcGg"
>                     }
>                 },
>                 "entity": "config-types",
>                 "id": "g7cIWbcGg",
>                 "name": "intercept.v1"
>             },
>             "configTypeId": "g7cIWbcGg",
>             "data": {
>                 "addresses": [
>                     "mythtv.ziti"
>                 ],
>                 "dialOptions": {
>                     "connectTimeoutSeconds": 0,
>                     "identity": "http-client"
>                 },
>                 "portRanges": [
>                     {
>                         "high": 80,
>                         "low": 80
>                     }
>                 ],
>                 "protocols": [
>                     "tcp"
>                 ],
>                 "sourceIp": ""
>             },
>             "name": "mythtv.intercept.v1"
80,81d140
<             "name",
<             "terminatorStrategy",
86c145,146
<             "roleAttributes"
---
>             "name",
>             "type"
91c151
<             "totalCount": 2
---
>             "totalCount": 4
[kelvins@Server2 ~]$ diff mythtv.services.good mythtv.services.bad
43c43
<                     "href": "./services/tPtnoIFSCl/configs"
---
>                     "href": "./services/tz8XqIGSCl/configs"
46c46
<                     "href": "./services/tPtnoIFSCl"
---
>                     "href": "./services/tz8XqIGSCl"
49c49
<                     "href": "./services/tPtnoIFSCl/service-edge-router-policies"
---
>                     "href": "./services/tz8XqIGSCl/service-edge-router-policies"
52c52
<                     "href": "./services/tPtnoIFSCl/service-policies"
---
>                     "href": "./services/tz8XqIGSCl/service-policies"
55c55
<                     "href": "./services/tPtnoIFSCl/terminators"
---
>                     "href": "./services/tz8XqIGSCl/terminators"
58,59c58,59
<             "createdAt": "2022-06-03T23:12:58.434Z",
<             "id": "tPtnoIFSCl",
---
>             "createdAt": "2022-06-03T22:02:04.002Z",
>             "id": "tz8XqIGSCl",
61c61
<             "updatedAt": "2022-06-03T23:12:58.434Z",
---
>             "updatedAt": "2022-06-03T22:02:04.002Z",
64,65c64,65
<                 "nuenQnFHZl",
<                 "rbtIonFSZl"
---
>                 "-bBQqnGHZl",
>                 "Ps1-RIFSZl"
67c67
<             "encryptionRequired": true,
---
>             "encryptionRequired": false,

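Most of the good/bad diff above is noise from ids, hrefs and timestamps, and the one line that matters (encryptionRequired true vs false) is easy to miss. The following script is an added example, not code from the thread or from the OpenZiti project: it normalizes the two `-j` dumps, lists services whose encryptionRequired is not true, and reports only the semantic differences. It assumes the dumps use a top-level "data" list as the diff suggests; the sample records are constructed from the names and ids shown in the thread.

```python
import json
# Fields that differ between any two dumps even when nothing meaningful changed.
VOLATILE = {"_links", "id", "createdAt", "updatedAt", "tags", "configTypeId"}

def normalize(entity, config_names):
    """One service or config record minus volatile fields, config ids -> names."""
    out = {k: v for k, v in entity.items() if k not in VOLATILE}
    if "configType" in out:                       # config record
        out["configType"] = out["configType"]["name"]
    if "configs" in out:                          # service record
        out["configs"] = sorted(config_names.get(i, i) for i in out["configs"])
    return out

def load(services_json, configs_json):
    """Parse the two `-j` dumps (assumed envelope {"data": [...]}) into one dict by name."""
    configs = json.loads(configs_json)["data"]
    services = json.loads(services_json)["data"]
    names = {c["id"]: c["name"] for c in configs}
    return {e["name"]: normalize(e, names) for e in configs + services}

def unencrypted_services(normalized):
    """Service names (records carrying 'configs') whose encryptionRequired is not true."""
    return sorted(n for n, e in normalized.items()
                  if "configs" in e and e.get("encryptionRequired") is not True)

def semantic_diff(good, bad, path=""):
    """Dotted paths whose values differ between two normalized dicts."""
    out = []
    for key in sorted(set(good) | set(bad)):
        p = f"{path}.{key}" if path else key
        if key not in good or key not in bad:
            out.append(f"{p}: only in {'good' if key in good else 'bad'}")
        elif isinstance(good[key], dict) and isinstance(bad[key], dict):
            out.extend(semantic_diff(good[key], bad[key], p))
        elif good[key] != bad[key]:
            out.append(f"{p}: {good[key]!r} -> {bad[key]!r}")
    return out

# Constructed sample dumps shaped like the thread's good (CLI) and bad (GUI) output.
def _dump(*records): return json.dumps({"data": list(records)})
def _svc(sid, enc, cfgs): return {"id": sid, "name": "mythtv.svc", "encryptionRequired": enc, "configs": cfgs}
def _cfg(cid, name, ctype, data): return {"id": cid, "name": name, "configType": {"name": ctype}, "data": data}
_INTERCEPT = {"addresses": ["mythtv.ziti"], "protocols": ["tcp"], "portRanges": [{"low": 80, "high": 80}]}
_HOST = {"address": "192.168.9.2", "port": 80, "protocol": "tcp"}
GOOD_SERVICES = _dump(_svc("tPtnoIFSCl", True, ["nuenQnFHZl", "rbtIonFSZl"]))
GOOD_CONFIGS = _dump(_cfg("nuenQnFHZl", "mythtv.intercept.v1", "intercept.v1", _INTERCEPT),
                     _cfg("rbtIonFSZl", "mythtv.host.v1", "host.v1", _HOST))
BAD_SERVICES = _dump(_svc("tz8XqIGSCl", False, ["-bBQqnGHZl", "Ps1-RIFSZl"]))
BAD_CONFIGS = _dump(_cfg("Ps1-RIFSZl", "mythtv.intercept.v1", "intercept.v1",
                         {**_INTERCEPT, "dialOptions": {"connectTimeoutSeconds": 0, "identity": "http-client"}}),
                    _cfg("-bBQqnGHZl", "mythtv.host.v1", "host.v1", _HOST))
```

Run `semantic_diff(load(GOOD_SERVICES, GOOD_CONFIGS), load(BAD_SERVICES, BAD_CONFIGS))` to get just the two real differences: the GUI-added dialOptions block and the flipped encryptionRequired.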
I cannot change the encryption through the GUI.

Once made, I don’t think you can change it back. I was worried about the encryption though. I saw that it was defaulting to ‘off’ recently. You can just delete/remake the service.

Oh, one more fun thing - if you have any service policies that refer to the service by name, and you delete the service, you’ll have to remake those policies.

I’ll see if the ziti CLI allows the update of the encryption.

Yah - the ziti CLI allows you to change the encryption from OFF to ON:

ziti edge update service mythtv.svc.ui --encryption ON

@jeremy.tellier - also added: cannot update encryption once service is created · Issue #28 · openziti/ziti-console · GitHub

Thanks. Flipping the encryption through the console fixes the issue.


Just to round this out for someone else: I didn't need to recreate the policies through the GUI (if doing it all through the GUI)... just associate the new service name with them.

Right, that’s what I was trying to indicate. When you refer to the service directly using the @ symbol, if you delete the service you’ll need to either re-associate the service via an ‘update’, or recreate the policy if you prefer. All I wanted to highlight is that deleting the service will break the linkage to the policy if you use the @. Should you use attribute-based policies, this wouldn’t be necessary.