Public share not working

I'm trying to test out zrok to see if it will do what I need.

For testing purposes I have a zrok ephemeral public share running on my server that routes the proxy backend to my local reverse proxy. I'm using one of my custom domain names with a CNAME record to point to the ephemeral share domain, and I'm routing port 8920 for the test. When I try to open it in a browser, it brings up a blank page that spins forever, zrok reports traffic, and my reverse proxy never gets any connection.

My Setup

I have a working reverse proxy that does TLS termination of a few different publicly valid domains running on my local server. I have rules to allow port 8920 as an alternative to port 443 for these domains. I've set up split DNS on my home network so I'm able to confirm that I can navigate to these domains on either port 443 or 8920 while within my network using the real domain name, and I can reach the service.

For outside my local network, my current solution is a cloud hosted VPS running WireGuard that my local system connects to. The VPS has firewall rules to masquerade-route incoming traffic on port 443 or 8920 to the same port at the other end of the WireGuard tunnel. I create public DNS A records for my custom domains that point to the VPS public IP address, so resolution of my domain names routes to the VPS and then to the server on my local network. This is tested and confirmed working.

The pathway looks like this:

client browser --> DNS lookup --> VPS --wireguard--> local server --> reverse proxy (TLS termination) --> my web app

What I'm testing

What I'm trying to do now is set up zrok on my local server with a proxy backend and a public share. Eventually I'd reserve a name in zrok and then set up a CNAME record for my custom domain name to point to the zrok public share URL, but for now I just used an ephemeral public share.

This would attempt to make the pathway:

client browser --> DNS lookup --> zrok public share endpoint --zrok--> zrok on local server --> local reverse proxy --> my web app

So I run:
zrok share public --backend-mode proxy --insecure https://localhost:8920

Alternatively, I run:
zrok share public --backend-mode proxy https://mydomain.com:8920 (zrok is within my local network, so a DNS lookup for mydomain.com will give the local LAN IP address).

Both seem to run ok according to the zrok TUI, and I see traffic in the zrok metrics when I navigate to my custom domain on port 8920 from outside my local network, but my reverse proxy logs don't indicate that any of the zrok traffic reached it. Just to verify it, doing curl https://mydomain.com:8920 from within my local network does register in the reverse proxy logs, as does https://localhost:8920 (the latter with an error in the logs because no proxied domain was specified in the original client request).

1 Like

You can somewhat customize the share domain with zrok reserve public --unique-name, and DNS aliases won't work at all with zrok share domains because the HTTP request must contain the share domain to properly route to the backend. zrok parses the host header to identify the correct backend.

One option is to point your custom DNS at your VPS and run zrok access there to listen on a TCP proxy port that's bound to a particular zrok private share running somewhere else, like behind your firewall.

The next option would be running your own dedicated zrok instance which is totally doable even on a lightweight VPS. That would give you a zrok frontend that uses your own domain name.

Let me know which way you want to go or if a more specific example would be helpful for that direction.

Welcome to the community!

1 Like
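The Host-header point in the reply above, as an added example (a simplified model written for this page, not zrok's own code): a CNAME only changes where the browser connects, while the Host header still carries the custom domain, so a frontend that routes on the share name in Host finds no match. The zone `shares.example.net`, the share tokens and the backend names are constructed placeholders.

```python
from typing import Optional

# Simplified model of Host-header routing at a shared public frontend.
# FRONTEND_ZONE and the share table are constructed placeholders.
FRONTEND_ZONE = "shares.example.net"
ACTIVE_SHARES = {"abc123token": "backend-A", "myreserved": "backend-B"}


def host_from_request(raw: bytes) -> Optional[str]:
    """Return the normalised Host header of a raw HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:           # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            name_part, colon, port = host.rpartition(":")
            if colon and port.isdigit():          # drop an explicit port
                host = name_part
            return host.rstrip(".")               # drop a trailing root dot
    return None


def route(raw: bytes) -> Optional[str]:
    """Pick a backend from the share token in the Host header, or None."""
    host = host_from_request(raw)
    suffix = "." + FRONTEND_ZONE
    if host is None or not host.endswith(suffix):
        return None                   # Host is not under the frontend's zone
    token = host[: -len(suffix)]
    return ACTIVE_SHARES.get(token)   # None when no such share exists


# Constructed requests: both reach the same frontend IP, only Host differs.
DIRECT = b"GET / HTTP/1.1\r\nHost: abc123token.shares.example.net\r\n\r\n"
VIA_CNAME = b"GET / HTTP/1.1\r\nHost: mydomain.com:8920\r\n\r\n"

if __name__ == "__main__":
    print("direct    ->", route(DIRECT))
    print("via CNAME ->", route(VIA_CNAME))
```
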

Ah thanks for the clarification and the quick reply. I hadn't seen anything about the low-level particulars like that in the sparse zrok documentation. It certainly makes sense from a technological perspective, I just hadn't thought of it.

I'm glad a focus is being placed on the ephemeral simple sharing, the tools so far are excellent and extremely easy for that.

1 Like

For sure, and thanks for any more notes you might have about docs, UX, etc.

I've also worked on self-hosting options for zrok: Linux package, Docker, and Kubernetes. I'm happy to help with those if you want full custom DNS.

The other option I mentioned was running zrok access private {token} --headless --bind 0.0.0.0:443 on your VPS, for example, which would open the default HTTPS port as a raw TCP proxy for whatever zrok private share on your VPS's public IP.

1 Like