Ngx_ziti_module still alive?

The last time it was updated was 2-3 years ago. Nothing wrong with that.
I just want to know if using nginx with the ziti module is considered an anti-pattern?
I see it as a quick way to expose the value of ziti without doing much heavy lifting.

The saying goes, don't look a gift horse in the mouth.
The burden of knowledge is a thing.
So far it's an awesome project, but for a newcomer who doesn't yet know what's up/down/left/right,
it's confusing when one thing works but another doesn't.
From reading Discourse, there seems to be a growing backlog of documentation needing updates.

This page, Tunneling to NGINX Upstreams | OpenZiti,
references:
docker pull docker.io/elblag91/ziti-nginx-ingress
Using default tag: latest
Error response from daemon: manifest for elblag91/ziti-nginx-ingress:latest not found: manifest unknown: manifest unknown

quick google -
docker pull elblag91/ziti-nginx-ingress:3.0.2
or
docker pull docker.io/elblag91/ziti-nginx-ingress:3.0.2

as the latest tag doesn't seem to be there.
More of an issue with container image tagging and not a documentation issue.

Hi @snowman,

It depends on what you're doing and how you're doing it. If you expose nginx to the internet and tunnel to a VM in the same virtual network in the same cloud, I suppose you could consider that an anti-pattern. However, if that target server was behind any other firewall, any other VPC, anywhere else in the world, then no, I wouldn't consider that to be an anti-pattern. One of the great things about OpenZiti is its firewall friendliness. No IPs to manage, pick it up and move the install whenever/wherever you want.

As for the project's status, we will often make something and then support it as demand appears. So if there's something broken, we generally will make every effort to fix it and get it back operational if someone wants to use it.

On the doc page you reference, I don't see a "pull" reference. It asks you to build the docker image.

Did you find the GitHub README? It's really good imo and might get you more what you're after? GitHub - openziti/ngx_ziti_module: An NGINX module that allows OpenZiti to front upstream servers

1 Like

Thank you Clint!

I am still trying to wrap my head around identities, service, policy.
edge tunnel vs router vs desktop edge.

simple use case -
mac osx using ziti desktop edge access public router
access a service running in a private "cloud" that's fronted by nginx-ziti-module.
I assume nginx-ziti-module is "SDK". However, if I don't expose any port, how does "service discovery" work in Ziti? There is DNS intercept but I am not understanding it.
No a-ha moment just yet.

I had a look at it. It's a bit out of date. I expect the instructions to work but I think we should probably decide as a project if we plan to support it longer term. If so, we should incorporate a newer SDK into that project. I'll poke the rest of the team and see where we stand on it...

It depends on your personal definition of service discovery. When you run a tunneler, the tunnelers will routinely contact the controller using a poll. When/if a service becomes available (or disappears) an event is fired in the C SDK, this event is processed by the tunneler software and the service is added/removed. Does that answer the question?

Just had my mind-blown moment with ziti 🙂

2 quotes come to mind:
"any sufficiently advanced technology is indistinguishable from magic" -
I come from cloudflared tunneling and their marketing of zero trust framing.
that's how I found ziti project. I want to do something similar to cloudflare but without a third party.

"All problems in computer science can be solved by another level of indirection"

Reading the word(s) vs seeing it work together.
intercept <-- I know what that word meant... oh that's what it meant.

deploy overlay network with controller, ZAC, edge router(public/private).

create user for my laptop.
create snowman using ziti cli or zac
get copy of snowman.jwt

download osx ziti desktop edge and install.
open snowman.jwt and enroll with the controller.
.jwt becomes .json (similar to pkcs12 but without the password)

.jwt has the controller URL baked in.

Will document the steps I take and share once it's cleaned up a bit.

2 Likes
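
As an added example (not from the thread or the OpenZiti project): one way to read the claims of an enrollment token such as snowman.jwt before enrolling, to confirm which controller it points at and whether it has expired. It assumes the controller URL is carried in the standard `iss` claim and the expiry in `exp`; the token, hostnames and function names are constructed for illustration, and the signature is not verified here.

```python
import base64
import json
import time
from urllib.parse import urlparse


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, as JWT segments are."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_enrollment_jwt(token: str, expected_host: str, now: float) -> dict:
    """Read the claims WITHOUT verifying the signature (inspection only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    claims = json.loads(b64url_decode(parts[1]))
    issuer = urlparse(claims.get("iss", ""))  # assumption: iss = controller URL
    return {
        "controller": claims.get("iss"),
        "https": issuer.scheme == "https",
        "host_matches": issuer.hostname == expected_host,
        "expired": claims.get("exp", 0) <= now,
        "identity": claims.get("sub"),
    }


def make_sample_token(iss: str, exp: int) -> str:
    """Build a CONSTRUCTED token with a dummy signature for the demo."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url_encode(
        json.dumps({"iss": iss, "sub": "snowman", "exp": exp}).encode())
    return f"{header}.{body}.{b64url_encode(b'not-a-real-signature')}"


if __name__ == "__main__":
    # Constructed sample; a real token would be read from the .jwt file.
    token = make_sample_token("https://ctrl.example.internal:1280", 2_000_000_000)
    print(inspect_enrollment_jwt(token, "ctrl.example.internal", time.time()))
```

A token whose host does not match the controller you deployed, or that has already expired, is a reason to reissue it rather than enroll.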

“Any sufficiently advanced technology is indistinguishable from magic” ... I used that exact quote while using Harry Potter analogies to explain my job to my daughter many years ago, which ended up in this blog - Demystifying Zero Trust Networking.

Also, "I want to do something similar to cloudflare but without a third party"; IMHO OpenZiti goes far far beyond what CF offers. That said, if you haven't already seen it, we created zrok - https://zrok.io/ - as an abstraction on top of Ziti, which could be useful for your goals.