Hi there, I'm not very good with zrok, just started, I was hoping someone could help me with a problem.
So I'm running zrok on win11 and Zrock(arm64) on an Android phone through termux with a Ubuntu proot distro. I have a docker desktop container called openwebui on localhost:3000 that I want to access on my mobile phone and wanted to use the reserve private command in order to have access to it permanently. First I managed to make it work with: share private 3000 and a Zrock access share token if I remember well.
Everything was working, now when I tried with reserve: zrok reserve private 3000 --unique-name myopenwebui, it creates it locally on my win11 PC but when I try to access on my phone with zrok share reserved myopenwebui, I get an the following:
root@localhost:~# zrok --verbose share reserved myopenwebui
[ 0.761] INFO main.(*shareReservedCommand).run: sharing target: 'http://127.0.0.1:3000'
[ 0.762] INFO main.(*shareReservedCommand).run: using existing backend target: http://127.0.0.1:3000
[ 0.800] DEBUG sdk-golang/ziti.(*ContextImpl).authenticate: attempting to authenticate
[ 0.805] DEBUG sdk-golang/edge-apis.(*ClientTransportPoolRandom).SetActiveTransport: {key=[https://cc7da54f-8086-4ff9-b96d-6137124f6380.production.netfoundry.io:443/edge/client/v1]} setting active controller
[ 1.589] DEBUG sdk-golang/edge-apis.(*BaseClient[...]).ProcessControllers: no additional controllers reported, continuing with 1 default configured controller
[ 1.590] DEBUG sdk-golang/ziti.(*ContextImpl).refreshServices: checking if service updates available
[ 1.718] DEBUG sdk-golang/ziti.(*ContextImpl).refreshServices: refreshing services
[ 1.963] DEBUG sdk-golang/ziti.(*ContextImpl).processServiceUpdates: processing service updates with 0 services
[ERROR]: unable to create proxy backend handler (error listening: service 'myopenwebui' not found in ziti network)
It's working fine with the share private but not the reserve command, I don't know why, I looked across the forum and used some chat gpt to help, watch the tutorial, but I'm terrible at this, if anybody has any idea...
Thanks a lot
Hi @skye1, welcome to the community and to zrok (and OpenZiti/BrowZer)!
Are you sure you want a truly 'private' reserved share or would a 'public' share be ok? When you share a private share with zrok, you'll need another computer running zrok in order to access that share. Unfortunately, there is no zrok for Android, and because of that, you can't use a private share from a Windows device and access that share from an Android phone -- UNLESS -- your Android phone is on the same network as some other computer running the zrok access.
I dunno if that makes sense or not, but if it doesn't lemme know.
Thank you. What I find weird is that was able to make it work great with just a share private command between my PC and my phone (different network though), I was able to access my localhost 3000 on the docker container; but when using the reserve private it was not working, didnt find the env in openziti. Maybe it is a problem of support, could be the proot distro of Ubuntu 24.04 working on non rooted android is the problem, at least it works partially only with share private.
I wanted the reserve private to avoid doing the process everytime, also to be safe, and somehow automatize the process on my win 11 at startup, still figuring that out. Maybe there is another way ?
Thanks for taking the time to answer
I will try the reserve public command, though what about security ? Any other method to reinforce that, maybe reserve public is totally fine I don't know much about that.
A private share is DEFINITELY the most secure way of attaching. Howeverr, zrok offers other ways to add some security to your connection. zrok can enforce your browzer authenticate to and IdP: OAuth Public Frontend Configuration | Zrok or if that's too much you can also just add a simple user/password (basic auth) to your public endpoint.
Also, since it's a reserved share it'll be exceptionally hard for an attacker to discover the endpoint (not that that's 'security' mind you, but it helps reduce who will be able to find/attack your service).
You can also turn it on/off when you like so - it's up to you if public is "good enough"
I don't know your full use case so, definitely take my response with some "grains of salt", as one might say.
Then, in Android web browser, assuming the chroot shares a loopback interface, navigate to http://127.0.0.1:3000.
You're running Docker Desktop on the Open WebUI machine, so you also have the option to follow this Docker private share example. This gives you an always-on background service for your zrok private share command that auto-starts after a reboot.
One thing to note is that there is technically no difference between a reserved share and an ephemeral share, other than the lifespan of the allocated name. So if you ran into a difference between the two, the culprit is likely in your environment somewhere.
Reserved share names are tied to the environment they were created in. So if you run zrok reserve on one environment (zrok enable) and then try to share it from another environment, you will run into a "not found" error like that.
And technically an "environment" corresponds to a $HOME/.zrok folder... that's where the artifacts and configuration land when you zrok enable. So, if the $HOME/.zrok changes between your zrok reserve and zrok share reserved, you'll get a "not found" error like that.
Thank you all for your help. I think I gonna give up, I'm way over my head with this. I tried qrkourier command and I ended in a Zrock not found page on my mobile phone. I tried the reserve public with basic-auth but I had the same issue after login. So based on what Michael.quigley said, does it mean I should like copy paste my .Zrock folder from my win11 to my phone and it could work?
Assuming you were able to enable a zrok environment in Termux's chroot, then I'm guessing it doesn't share localhost with Android, so your mobile web browser can't "see" the zrok access frontend at http://127.0.0.1:3000. We can debug it together here if you want. Just let me know and we'll go step by step if you show me what you did and the terminal output. If it's impossible to paste the text transcript as a code block here, maybe using adb to log in to Termux, you could send screenshots.
Still, the easier way is a public share, which will work with any regular web browser. There's no need to install anything extra. All you need is a web browser to access a public share. You can secure a public share with a password or OAuth, e.g., Google login.
That would be great if you could help but i don't know very much about network/linux.
Well i installed zrok on the pc win 11 and android with termux ubuntu on proot-distro and enable the account using the same token given on my email adress, so now i see on the api.zrok.io my pc and android phone as two distinct environnement linked to my gmail. I entered the same command you provided.
On android:
zrok access private --headless --bind "127.0.0.1:3000" "myopenwebui"
So then i get this error in the termux terminal:
oot@localhost:~# zrok access private --headless --bind "127.0.0.1:3000" "myopenwebui"
[ 1.720] INFO main.(*accessPrivateCommand).run: allocated frontend 'rMs24k60nJIc'
[ 1.762] INFO main.(*accessPrivateCommand).run: access the zrok share at the following endpoint: http://127.0.0.1:3000
[ 38.118] INFO main.(*accessPrivateCommand).run: -> GET /
[ 38.775] ERROR zrok/endpoints/proxy.newServiceProxy.func3: error proxying: unable to dial service 'myopenwebui': dial failed: service 5o1zRADCiVhFbYmIrr7Kf has no terminators
[ 38.953] INFO main.(*accessPrivateCommand).run: -> GET /favicon.ico
[ 39.200] ERROR zrok/endpoints/proxy.newServiceProxy.func3: error proxying: unable to dial service 'myopenwebui': dial failed: service 5o1zRADCiVhFbYmIrr7Kf has no terminators
[ 39.726] INFO sdk-golang/ziti.(*ContextImpl).connectEdgeRouter.func1: connection to tls:8e55f926-faa1-4bdd-97fa-3a4338b408dc.production.netfoundry.io:443 already established, closing duplicate connection
[ 39.840] INFO sdk-golang/ziti.(*ContextImpl).connectEdgeRouter.func1: connection to tls:ed9935f5-5d9d-4898-a3cf-4a8a05b4e4a6.production.netfoundry.io:443 already established, closing duplicate connection.
So i tried like you mentionned a public share with --closed, oauth-provider and access grant limited to my email, it works fine, but there are some issue because openwebui(github) use some api to connect to some ai server, and so it doesnt work well, maybe i could add an exception somewhere in docker so it thinks its fine to use, but that would mean i would have to enter a specific share.zrok.io website eveytime, so not very pratical.
When i use a private share, everything works even the external api calls, and it's forwaded to port 9191 on my mobile phone, if it would be a reserve private it would be even better, so i wouldnt have to create a new share eveytime. I was trying to make a bash script to automatize capturing the token from the terminal, but it's harder that i thought to capture it, i kinda made it work and sent to me with a telegram bot, somehow the env doesnt disapear when i close the terminal and i have to manualy closed in the api.zrok.io console.
Thanks for reading if you had the courage. Any help would be greatly appreciated : )
it's just the private share that requires a zrok endpoint that runs 'access'.