No Controllers Available

Okay, now I see how it works.

Since I have my controller behind a NAT, I have only one interface to listen on. So I moved the mgmt/fabric API to a port which is not exposed to the WAN and is accessible only from specific addresses:

web:
  - name: client-management
    bindPoints:
      - interface: 0.0.0.0:48440 # Internet facing
        address: hidden
    identity:
      ca:          "pki/root/certs/root.cert"
      key:         "pki/intermediate/keys/server.key"
      server_cert: "pki/intermediate/certs/server.chain.pem"
      cert:        "pki/intermediate/certs/client.chain.pem"
    options:
      idleTimeout: 5000ms
      readTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: edge-client
        options: { }

  - name: zac-console
    bindPoints:
      # 0.0.0.0 listens on every interface; "LAN only" is enforced by the NAT/firewall, not by this line
      - interface: 0.0.0.0:48442  # Only LAN
        # a bindPoint takes a single address key; a second key is a YAML duplicate
        # (last value wins in lenient parsers, parse error in strict ones)
        # address: 192.168.X.X:48442
        address: console.ziti:443
    identity:
      ca:          "pki/root/certs/root.cert"
      key:         "pki/intermediate/keys/server.key"
      server_cert: "pki/intermediate/certs/server.chain.pem"
      cert:        "pki/intermediate/certs/client.chain.pem"
    options:
      idleTimeout: 5000ms
      readTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: zac
        options:
          location: /opt/openziti/share/console
          indexFile: index.html
      - binding: edge-management

  - name: mgmt-fabric
    bindPoints:
      # 0.0.0.0 listens on every interface; "LAN only" is enforced by the NAT/firewall, not by this line
      - interface: 0.0.0.0:48443  # Only LAN
        # address: 127.0.0.1:48443    # Local management (would be a duplicate key, see above)
        address: 192.168.X.X:48443    # Admin Network
    identity:
      ca:          "pki/root/certs/root.cert"
      key:         "pki/intermediate/keys/server.key"
      server_cert: "pki/intermediate/certs/server.chain.pem"
      cert:        "pki/intermediate/certs/client.chain.pem"
    options:
      idleTimeout: 5000ms
      readTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: edge-management
      - binding: fabric

Thanks to your advice I managed to restrict the edge-management and fabric endpoints to the LAN only.
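As an added check (example code written for this thread, not from the post above or from the OpenZiti project), the function below audits the parsed `web:` section of a controller config and flags management-plane APIs (edge-management, fabric) that listen on a wildcard interface or share a listener with edge-client. It takes the section as Python data (what `yaml.safe_load` returns) so it needs no extra library; `SAMPLE_WEB` is a constructed config mirroring the post, with the mgmt-fabric listener moved to a made-up LAN address and the 192.168.X.X placeholder filled in with an invented one.

```python
# Added example: audit an OpenZiti controller's `web:` section (already parsed,
# e.g. yaml.safe_load(open("ctrl.yml"))["web"]) for management APIs that are
# reachable on every interface. Not from the post or the OpenZiti project.
from typing import Dict, List

MANAGEMENT_BINDINGS = {"edge-management", "fabric"}   # must stay off the WAN
WILDCARD_HOSTS = {"", "0.0.0.0", "[::]"}              # "listen everywhere"


def listen_host(interface: str) -> str:
    """Strip the port from an interface spec such as '0.0.0.0:48443'."""
    return interface.rsplit(":", 1)[0] if ":" in interface else interface


def audit_web(web: List[Dict]) -> List[str]:
    """Return one finding per management API bound on a wildcard interface
    or sharing a listener with the client-facing edge-client API."""
    findings = []
    for server in web:
        name = server.get("name", "?")
        bindings = {api.get("binding") for api in server.get("apis", [])}
        mgmt = sorted(bindings & MANAGEMENT_BINDINGS)
        if not mgmt:
            continue
        for bp in server.get("bindPoints", []):
            iface = bp.get("interface", "")
            if listen_host(iface) in WILDCARD_HOSTS:
                findings.append(f"{name}: {mgmt} listen on {iface} (all interfaces); "
                                "LAN-only depends entirely on the NAT/firewall")
        if "edge-client" in bindings:
            findings.append(f"{name}: {mgmt} share a listener with edge-client")
    return findings


# Constructed sample mirroring the post; 192.168.10.5 is an invented LAN address.
SAMPLE_WEB = [
    {"name": "client-management",
     "bindPoints": [{"interface": "0.0.0.0:48440", "address": "ctrl.example.net:48440"}],
     "apis": [{"binding": "edge-client"}]},
    {"name": "zac-console",
     "bindPoints": [{"interface": "0.0.0.0:48442", "address": "console.ziti:443"}],
     "apis": [{"binding": "zac"}, {"binding": "edge-management"}]},
    {"name": "mgmt-fabric",   # bound to the LAN address instead of 0.0.0.0
     "bindPoints": [{"interface": "192.168.10.5:48443", "address": "192.168.10.5:48443"}],
     "apis": [{"binding": "edge-management"}, {"binding": "fabric"}]},
]

if __name__ == "__main__":
    for line in audit_web(SAMPLE_WEB) or ["no findings"]:
        print(line)
```

Run it against the real file with `audit_web(yaml.safe_load(open("ctrl.yml"))["web"])`; an empty list means every management API is bound to a specific address and is not mixed with the client API.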

Recently I covered using a router co-located with the controller to allow for exactly this, so that you can only access/manage/maintain the controller if you're ON the OpenZiti overlay itself, here: Making ZAC and management API accessible only through service

Yes, I read this post before sending mine; that is how I intended to manage Ziti too. For now I do not use the command line, but it can be useful for automation. Currently I am only managing through the ZAC over the Ziti network (console.ziti) and, as a backup if for some reason the Ziti network does not work, through the LAN.
