Routing to the web server

Hi @himeose. I don’t have a video yet but I wanted to follow up. I think this is what you’re doing, and I did it in my own lab:

To accomplish this, here’s exactly what I did:

Prerequisites:

  1. Provisioned two VMs in a single AWS VPC
  2. Ran the quickstart on one VM and verified it works as expected
  3. Ran the docker container crccheck/hello-world and exposed it on port 80 (this is the web server that shows the docker whale):

     docker run --rm --name web-test -p 80:8000 crccheck/hello-world

Enable “private.web” access

  1. obtain a docker env file and the simplified compose file in whatever folder you like:

     curl -sO https://raw.githubusercontent.com/openziti/ziti/release-next/quickstart/docker/.env
     curl -s https://raw.githubusercontent.com/openziti/ziti/release-next/quickstart/docker/simplified-docker-compose.yml > docker-compose.yml
    
  2. update the .env file to look similar to this. Hopefully obvious: replace advertised.address with your externally accessible address, e.g. ‘ec2-3-134-108-218.us-east-2.compute.amazonaws.com’.

     # OpenZiti Variables
     ZITI_IMAGE=openziti/quickstart
     ZITI_VERSION=latest
    
     # The duration of the enrollment period (in minutes), default if not set
     # shown - 7days
     ZITI_EDGE_IDENTITY_ENROLLMENT_DURATION=10080
     ZITI_EDGE_ROUTER_ENROLLMENT_DURATION=10080
    
     # controller address/port information
     ZITI_CONTROLLER_RAWNAME=ziti-controller
     ZITI_CONTROLLER_HOSTNAME=ec2-3-134-108-218.us-east-2.compute.amazonaws.com
     ZITI_CTRL_PORT=8440
    
     ZITI_EDGE_CONTROLLER_RAWNAME=ziti-edge-controller
     ZITI_EDGE_CONTROLLER_HOSTNAME=ec2-3-134-108-218.us-east-2.compute.amazonaws.com
     ZITI_EDGE_CONTROLLER_PORT=8441
     #ZITI_EDGE_CONTROLLER_IP_OVERRIDE=172.17.0.1
    
     # router address/port information
     ZITI_EDGE_ROUTER_RAWNAME=ec2-3-134-108-218.us-east-2.compute.amazonaws.com
     ZITI_EDGE_ROUTER_PORT=8442
     #ZITI_EDGE_ROUTER_IP_OVERRIDE=172.17.0.1
    
  3. start docker - IMPORTANT: notice I used -p openziti to start docker. That produces a predictable name used in step 5 below. Make sure you either understand what the -p flag is doing here, or just run it exactly as shown! 🙂

     # this removes EVERYTHING:
     docker-compose -p openziti down -v
     # start docker here
     docker-compose -p openziti up
    
  4. optional: if needed, get the latest ziti binaries and have them added to your path

     source /dev/stdin <<< "$(wget -qO- https://get.openziti.io/quick/ziti-cli-functions.sh)"; getZiti "yes"
    
  5. set up a file to source to make it easy to log in to the environment. This pulls information from the container and makes a “docker.env” file that you can source and use to ziti login

     docker exec openziti_ziti-controller_1 grep 'export ZITI_EDGE_CTRL_ADVERTISED' /persistent/ziti.env > docker.env
     docker exec openziti_ziti-controller_1 grep 'export ZITI_USER' /persistent/ziti.env >> docker.env
     docker exec openziti_ziti-controller_1 grep 'export ZITI_PWD' /persistent/ziti.env >> docker.env
     source docker.env
    
     ziti edge login $ZITI_EDGE_CTRL_ADVERTISED -u $ZITI_USER -p $ZITI_PWD -y
    
  6. Configure the OpenZiti overlay for the private web service and identity. (notice I used MY private web server's IP, 172.31.50.50)

     service="private.web"
     private_web_server_ip=172.31.50.50
     ziti edge create config "${service}.intercept.v1" intercept.v1 '{"protocols":["tcp"],"addresses":["'${service}'"], "portRanges":[{"low":80, "high":80}]}'
     ziti edge create config "${service}.host.v1" host.v1 '{"protocol":"tcp", "address":"'${private_web_server_ip}'","port":80}'
     ziti edge create service ${service} --configs "${service}.intercept.v1","${service}.host.v1"
     ziti edge create service-policy "${service}.bind" Bind --service-roles "@${service}" --identity-roles "#${service}.binders"
     ziti edge create service-policy "${service}.dial" Dial --service-roles "@${service}" --identity-roles "#${service}.dialers"
    
     ## authorize dialers...
     ziti edge create identity user awsdockerclint -a "${service}.dialers" -o awsdockerclint.jwt
    
  7. authorize the router identity to bind the service. Notice I used the name of MY edge router here (ec2-3-134-108-218.us-east-2.compute.amazonaws.com) - you have to replace it with yours:

     ziti edge update identity ec2-3-134-108-218.us-east-2.compute.amazonaws.com -a "${service}.binders"
    

I’ll make a video demoing all this in a bit
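As an added example that is not part of the post above (and not OpenZiti's own tooling): the step 6 commands splice shell variables into single-quoted JSON, which works for a plain name like private.web but breaks silently on odd input, and nothing stops a typo from pointing the host.v1 config at a public address. The script below validates the service name, server IP (must be RFC 1918, since the router reaches the web server over the VPC) and port, builds the two config JSON documents with printf, and prints the same five ziti edge create commands as a dry run you can review and then pipe to bash. The ziti CLI syntax is taken from the post; the helper names and the validation rules are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: validate the inputs for a private
# web service and emit the same "ziti edge create ..." commands as step 6 as a
# reviewable dry run. Nothing here talks to a controller; pipe the output to
# bash after checking it.
set -euo pipefail

# Dotted-quad IPv4 check; every octet must be 0-255.
is_ipv4() {
  local octet
  [[ "$1" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

# RFC 1918 check: the host.v1 address is what the edge router forwards to, so it
# should be the server's private VPC address, never a public one.
is_rfc1918() {
  is_ipv4 "$1" || return 1
  if   [[ "$1" =~ ^10\. ]];                         then return 0
  elif [[ "$1" =~ ^192\.168\. ]];                   then return 0
  elif [[ "$1" =~ ^172\.(1[6-9]|2[0-9]|3[01])\. ]]; then return 0
  fi
  return 1
}

# TCP port in 1-65535 (10# forces decimal so "080" is not read as octal).
is_port() {
  [[ "$1" =~ ^[0-9]{1,5}$ ]] && (( 10#$1 >= 1 && 10#$1 <= 65535 ))
}

# intercept.v1: which name and port the client-side tunneler captures.
# printf builds the JSON instead of splicing variables into a quoted literal.
intercept_config() {  # service port
  printf '{"protocols":["tcp"],"addresses":["%s"],"portRanges":[{"low":%d,"high":%d}]}' "$1" "$2" "$2"
}

# host.v1: where the hosting identity (the edge router) connects on the server side.
host_config() {  # ip port
  printf '{"protocol":"tcp","address":"%s","port":%d}' "$1" "$2"
}

# Print the five commands from step 6 for a validated service/ip/port triple.
service_plan() {  # service server_ip port
  local service="$1" ip="$2" port="$3"
  [[ "$service" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "bad service name: $service" >&2; return 1; }
  is_rfc1918 "$ip" || { echo "server address must be a private IPv4 address: $ip" >&2; return 1; }
  is_port "$port"  || { echo "bad port: $port" >&2; return 1; }
  cat <<EOF
ziti edge create config '${service}.intercept.v1' intercept.v1 '$(intercept_config "$service" "$port")'
ziti edge create config '${service}.host.v1' host.v1 '$(host_config "$ip" "$port")'
ziti edge create service '${service}' --configs '${service}.intercept.v1,${service}.host.v1'
ziti edge create service-policy '${service}.bind' Bind --service-roles '@${service}' --identity-roles '#${service}.binders'
ziti edge create service-policy '${service}.dial' Dial --service-roles '@${service}' --identity-roles '#${service}.dialers'
EOF
}

# Stand-alone demo with the values from the post (private.web on 172.31.50.50:80).
service_plan private.web 172.31.50.50 80
```

Run it once to read the plan, then `service_plan private.web 172.31.50.50 80 | bash` after `source docker.env` and `ziti edge login` from step 5. Keeping the host.v1 config at one private address and one port is what limits what a dialer of this service can reach through the router; widening it to a CIDR or port range should be a deliberate change, not a typo.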