Obfuscating the ports on the QuickStart example

I am aware that you can use whichever ports you want for the services… allowing you to obfuscate the ports using ports 443 and 80.

I am not 100% sure how to set this up… and thought to check the following:

8441 (either 80 / 443)
8442 (either 80 / 443)
6262 (control plane)
10080 (control plane)

Does this make sense?

I am about to embark on this very journey. I want all client comms to be on 443 as this is most likely to be open. Ideally router to router as well. However, I want to use the least number of servers/public IPs. Looks like you need at least two IPs for 443 comms: one for the controller and one for the edge router. The other components can stay on standard ports because you will know when you set up and can then open firewall ports. That said, I want tunnellers behind customer firewalls to use 443 as it is always open, but not the other ports (use case is sending devices to client sites to allow remote connection to them).

1 Like

Makes perfect sense @markamind. Yes, you need 4 total ports open for the overlay network to be fully functional and robust. The easiest way to do this imo is to move away from the router provided by the quickstart and simply deploy your public router on a different VM. Then you have two port 80/443 combinations and you’ll be good to go.

It’s also a better practice to move the routers to separate machines for scaling purposes, once you’ve learned enough about OpenZiti to decide you want to deploy more of them.

1 Like

Oh, and if you did that, you could choose to keep that initially provisioned quickstart edge router if you want; just don’t have it form inbound links and it’ll be fine. You do that by disabling the link listener section in the config file, turning it into a private offload point. Then you could use it to access your controller’s dark APIs, provide SSH access instead of using the web ACL, etc.

1 Like

Got it… I have done that before… :slight_smile:

Ok… I have set up the remote edge router and am now ready to change the port numbers.

Just to confirm I have this correct… I change the ports as shown below.

Assumptions

  • the second compute has ports 80 and 443 open
  • The controller yaml file is reconfigured to set 80 as the control plane instead of port 6262

One small problem with this configuration that I am hitting is that there appears to be a service already using 443 on my second compute.

sudo lsof -i :443 

COMMAND       PID   USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
osms-agen 1518200   root   17u  IPv4 133711462      0t0  TCP instance-20220518-1244.subnet04151442.vcn04151442.oraclevcn.com:54582->140.204.42.145:https (CLOSE_WAIT)
runcomman 1518265 ocarun   15u  IPv4 137725209      0t0  TCP instance-20220518-1244.subnet04151442.vcn04151442.oraclevcn.com:60812->140.204.42.220:https (ESTABLISHED)

This causes the bind to fail as shown below when I start up the second public edge router.

error listening [edge] (listen tcp 0.0.0.0:443: bind: permission denied)

any tips?

I don’t have much idea what these services are doing on the Oracle Compute instance.
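Two different failures get mixed up when a listener will not come up on 443, and they need different fixes: `bind()` returns EADDRINUSE ("address already in use") when another socket is already listening on the port, but EACCES ("permission denied") when the port is below 1024 and the process is neither root nor granted CAP_NET_BIND_SERVICE. Note also that lsof rows of the form `local:54582->remote:https` are outbound connections to someone else's 443; only `(LISTEN)` rows on a local `:443` can block a bind. The script below is an added example, not code from this thread or from the OpenZiti project; it parses a constructed sample in the format of the `lsof -i :443` output above (hostnames and addresses are placeholders), then attempts a bind and names the reason it fails.

```python
"""Added example; not code from the thread or from the OpenZiti project.

Distinguish "port already has a listener" (EADDRINUSE) from "not allowed to
bind a privileged port" (EACCES) when a service fails to come up on 443.
"""
import errno
import socket
from typing import List, Tuple

# Constructed sample in the format of the `lsof -i :443` output posted above
# (hostnames and addresses are placeholders). Neither row is a listener: both
# are outbound connections whose *remote* port is https.
SAMPLE_LSOF = """\
COMMAND       PID   USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
osms-agen 1518200   root   17u  IPv4 133711462      0t0  TCP host.example:54582->198.51.100.10:https (CLOSE_WAIT)
runcomman 1518265 ocarun   15u  IPv4 137725209      0t0  TCP host.example:60812->198.51.100.20:https (ESTABLISHED)
"""

# Constructed row showing what a genuine local listener on 443 looks like.
SAMPLE_LISTENER_ROW = "ziti-rout 4242 root 12u IPv4 99999 0t0 TCP *:https (LISTEN)"

# lsof prints well-known ports by service name unless run with -P.
SERVICE_NAMES = {80: "http", 443: "https"}


def local_listeners(lsof_text: str, port: int) -> List[Tuple[str, int]]:
    """Return (command, pid) of rows that LISTEN on the given local port."""
    names = {str(port), SERVICE_NAMES.get(port, "")}
    try:
        names.add(socket.getservbyport(port))    # consult /etc/services too
    except OSError:
        pass
    hits = []
    for line in lsof_text.splitlines():
        f = line.split()
        # COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME STATE
        if len(f) < 10 or f[9] != "(LISTEN)":
            continue
        local_end = f[8].split("->")[0]          # listeners carry no "->remote"
        if local_end.rsplit(":", 1)[-1] in names:
            hits.append((f[0], int(f[1])))
    return hits


def classify_bind(port: int, host: str = "0.0.0.0") -> str:
    """Attempt a bind (no listen) and name the reason it fails."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return "ok"
    except PermissionError:                      # EACCES on a port < 1024
        return "privileged_port"                 # run as root or grant CAP_NET_BIND_SERVICE
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return "in_use"                      # someone already listens here
        return "error:%s" % errno.errorcode.get(e.errno, e.errno)
    finally:
        s.close()


def diagnose(lsof_text: str, port: int, host: str = "0.0.0.0") -> str:
    """Combine both views: who listens (from lsof) and what bind() says."""
    owners = local_listeners(lsof_text, port)
    if owners:
        return "in_use_by:" + ",".join("%s[%d]" % o for o in owners)
    return classify_bind(port, host)


def demo_in_use() -> str:
    """Occupy an ephemeral loopback port, then show bind() reporting in_use."""
    blocker = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        blocker.bind(("127.0.0.1", 0))
        blocker.listen(1)
        return classify_bind(blocker.getsockname()[1], "127.0.0.1")
    finally:
        blocker.close()


if __name__ == "__main__":
    print("listeners on 443 in sample:", local_listeners(SAMPLE_LSOF, 443))
    print("bind 0.0.0.0:443 ->", classify_bind(443))   # privileged_port unless root/capable
    print("bind an occupied port ->", demo_in_use())   # in_use
```

Run it as an unprivileged user and `classify_bind(443)` comes back `privileged_port`, which matches the `bind: permission denied` text of the router error above; a port with a real listener comes back `in_use` instead, and `diagnose()` names the owning process when lsof shows one.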

Looks right to me. You'll change the controller and router and don't forget the .env file if you still want to use that. You by no means need to keep using the .env file, but if you use any of the functions/aliases you'll want to change that too.

As for what blocks port 443, I don't know. You'll have to use that pid and Oracle docs to figure out what that process is and why.

1 Like

I have been looking around trying to find the ‘standard’ port numbers, and all the quickstarts etc. have port numbers that differ from each other, and I cannot seem to find a “These are the ports required, and by what” type page. The best I have found is here: Host OpenZiti Anywhere | OpenZiti.

So, I am wondering, for anyone else coming across this, until it is in the docs somewhere (that I probably haven’t seen) rather than in a particular quickstart, whether we should define what is actually required (default ports) for each type of component. Something like this:

|--------------|-------------|----------------------------------------------------|
| Default Port | Used By     | Function                                           |
|--------------|-------------|----------------------------------------------------|
|  1280        | Controller  | Clients connect to controller to get configuration |
|  6262        | Controller  | Edge routers connecting to controller for config   |
|  3022        | Edge Router | Client communication to edge router                |
| 10080        | Edge Router | Fabric routers to edge router use this port        |
|--------------|-------------|----------------------------------------------------|

So, if you did not use Fabric routers, then you could remove 10080 requirement. The other three are actually required.

Just my 2c worth.

1 Like
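The reason the thread ends up needing two public IPs follows directly from that table: every listener needs its own host:port, so a single host can offer at most one 443 and one 80, and the quickstart layout (controller and edge router on the same VM) cannot put both the client API and the edge listener on 443. The script below is an added example, not code from this thread or from the OpenZiti project. It takes the four default listeners from the table, applies a 443/80 override set, and reports the first clash; the host names, the "who connects" labels and the override set are illustrative assumptions drawn from the discussion, and it goes slightly beyond the table by also listing the outbound host:port pairs a tunneller behind a customer firewall needs.

```python
"""Added example; not the thread's or OpenZiti's own code.

Check a port plan against the four default listeners in the table above
before editing any YAML. Host names and labels are illustrative assumptions.
"""
from collections import defaultdict
from typing import Dict, Tuple

Listener = Tuple[str, str]          # (component, listener name)

# (default port, who initiates the connection, required even without fabric links)
DEFAULTS: Dict[Listener, Tuple[int, str, bool]] = {
    ("controller", "client-api"): (1280, "clients", True),
    ("controller", "ctrl-plane"): (6262, "edge routers", True),
    ("edge-router", "edge"):      (3022, "clients", True),
    ("edge-router", "link"):      (10080, "other routers", False),
}

# The thread's goal: listeners reachable from client sites on 443, the
# router/controller-side listeners on 80 (assumed override set).
PUBLIC_443_80 = {
    ("controller", "client-api"): 443,
    ("controller", "ctrl-plane"): 80,
    ("edge-router", "edge"):      443,
    ("edge-router", "link"):      80,
}

ONE_HOST = {k: "ziti-host-a" for k in DEFAULTS}      # quickstart: everything on one VM
TWO_HOSTS = {                                        # edge router moved to its own VM/IP
    ("controller", "client-api"): "ziti-host-a",
    ("controller", "ctrl-plane"): "ziti-host-a",
    ("edge-router", "edge"):      "ziti-host-b",
    ("edge-router", "link"):      "ziti-host-b",
}


def plan_ports(placements, overrides=None, fabric_links=True):
    """Map each host to {port: listener}; raise ValueError on the first clash.

    Two listeners cannot share host:port, so one 80/443 pair per public IP is
    the ceiling.  The link listener is skipped when fabric links are not used.
    """
    overrides = overrides or {}
    by_host: Dict[str, Dict[int, Listener]] = defaultdict(dict)
    for key, host in placements.items():
        default, _who, required = DEFAULTS[key]
        if not required and not fabric_links:
            continue                                 # 10080 only matters with fabric links
        port = overrides.get(key, default)
        if port in by_host[host]:
            raise ValueError("%s:%d wanted by %s and %s"
                             % (host, port, key, by_host[host][port]))
        by_host[host][port] = key
    return dict(by_host)


def check(placements, overrides=None, fabric_links=True):
    """Return (plan, None) on success or (None, error message) on a clash."""
    try:
        return plan_ports(placements, overrides, fabric_links), None
    except ValueError as e:
        return None, str(e)


def client_site_egress(plan):
    """Outbound host:port pairs a tunneller behind a customer firewall needs."""
    return {(host, port) for host, ports in plan.items()
            for port, key in ports.items() if DEFAULTS[key][1] == "clients"}


if __name__ == "__main__":
    print(check(ONE_HOST, PUBLIC_443_80)[1])          # clash on ziti-host-a:443
    plan, _ = check(TWO_HOSTS, PUBLIC_443_80)
    print(plan)
    print(sorted(client_site_egress(plan)))           # 443 on both hosts, nothing else
```

With the router on its own VM, a client site only needs outbound 443 to the two public IPs; the 80 listeners are only reached by the routers and controller, so those can be restricted to the deployment's own addresses in the cloud firewall.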

Great points.. which was one of the reasons why I posted this summary.. which I will be making a pull request on later today.

I do agree that 10080 is not required for a situation where you do not use the fabric links..

I will extend this summary to expand on this in more detail, as it will be required when you want to connect to hosts on a private subnet etc.

let me know if you have anything else that I should include :slight_smile:

Looks like it's an important service..

that being the case... are there other alternative port numbers you can recommend... for situations where port 80 or 443 is already in use?

For me, personally, I’d try to figure out how to move or disable that service. Every cloud provider is different in these ways. I’m not in a place where I could try it out on my own for a long while. Perhaps someone else will discover the way to placate Oracle cloud here.

1 Like

Hmmm. I thought the only quickstart that was dramatically different was the host it anywhere, which overrides only two of those four ports you listed.

Your summary is spot on though. The default ports, without overriding are as you listed. See

1 Like

Looking at that blog and assuming it is it, I would probably disable/remove the service. Annoying if that is what is taking up 443. I have just spun up an Ubuntu server in Oracle Cloud (for the controller) and don’t have that installed. If everything is being hosted in Oracle Cloud, then it would be OK to use that. However, if you have infrastructure elsewhere, then better to use your current patching regime instead, something like Ansible to configure/update the machine.

1 Like

Good insights.. I was using an Oracle Linux machine.. which has extra services added in :slight_smile: