Private router as default gateway for local network

Hello. I've been testing Openziti for a few months now and loving it for configuring my internal infrastructure! It's amazing!

I'm trying to create some topologies to test the environment. I wanted to know if it's possible to redirect all web traffic (ports 80 and 443) to a private router (acting as a gateway for my local network), which, in turn, forwards it to a public edge router. I'd like to know if this topology is viable and if anyone has a tutorial on how I can start this configuration.

Hi @barbosa, welcome to the community and to OpenZiti (and zrok and browzer)! We're pleased you're enjoying OpenZiti!

Have you found this section of the docs? "Use a Router as a Local Gateway | OpenZiti". I think it has some of the information you're looking for and might show you what you need.

What's not entirely clear to me from your question is if you're using an OpenZiti tunneler on the clients. Are they all running a tunneler?

Hi @TheLumberjack. Thanks for the response!

I'm not using a tunneler on the clients. In my case, I want all connections from the clients to be transparent, without any tunneler or SDK. I want to create a private router, and all HTTP/HTTPS traffic from the clients to any website goes through the private router -> public edge router. I consider the private router to be the gateway of my local network, and OpenZiti encrypts the traffic between the private router and the public edge router. The main point is how to do this for all HTTP/HTTPS traffic instead of for specific addresses like mysimpleservice.ziti. If the client wants to reach www.google.com, for example, it must pass through the private router, then the public edge router, with the latter acting as the gateway to the internet.

Is it possible?

Best regards,

Hmmm, I don't think that will be possible. I'm not well versed in HTTP proxies, but I don't believe we have support for acting like an HTTP proxy.

I'll ask around and see if anyone else knows more.

You can deploy a service like Squid on the public router, then publish this Squid service as proxy.ziti. Use iptables to forward traffic to the Squid port, with ACL controlled by Squid. I believe this can achieve the functionality you're looking for.
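As an added illustration of the Squid suggestion above (not code from the thread or from the OpenZiti project), this script renders the two pieces that suggestion relies on: the gateway-side iptables rules that send LAN web traffic to the published proxy, and the Squid ACL that decides who may use it. The interface, subnet, proxy address and port are assumptions passed in as environment variables; the functions only print, so the output can be reviewed before anything is applied. Two caveats the post does not cover: port 443 cannot be served by a plain Squid intercept port without TLS interception, so here it is only allowed via explicit proxy settings, and the DNAT must be checked against the private router's own intercept rules in a real deployment.

```shell
#!/bin/sh
# Added example, not from the thread. Renders (does not apply) the config for
# the "Squid on the public router, published as proxy.ziti" layout.
LAN_IF="${LAN_IF:-eth1}"                # assumed: gateway interface facing the LAN
LAN_NET="${LAN_NET:-192.168.10.0/24}"   # constructed sample LAN subnet
PROXY_IP="${PROXY_IP:-100.64.0.10}"     # assumed: address the private router gives proxy.ziti
PROXY_PORT="${PROXY_PORT:-3128}"        # Squid's default http_port

# Gateway (private router) side. Only plain HTTP is redirected; 443 is dropped
# unless the client already talks to the proxy port explicitly.
render_gateway_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp -m multiport --dports 80,443 -j DROP
EOF
}

# Squid side (public router host). The ACL is the policy: only the LAN may use
# the proxy, only towards 80/443, and the last http_access line is an explicit deny.
render_squid_acl() {
  cat <<EOF
http_port $PROXY_PORT intercept
acl localnet src $LAN_NET
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
EOF
}

# Small self-checks a reviewer can run before copying anything to a router.
count_gateway_rules() { render_gateway_rules | wc -l | tr -d ' '; }
last_access_rule() { render_squid_acl | grep '^http_access' | tail -n 1; }
```

Run it with `LAN_IF`, `LAN_NET` and `PROXY_IP` set for your site and read the rendered lines before applying them on the respective hosts.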

Indeed, my explanation sounds like a proxy.
On the other hand, I'm trying to test some topologies, and if I'm successful, I'll come back here too.
Thank you!

Thank you, @toadzhou! I can try it too. I believe that Squid is a good idea.
