Securing ZAC and management

justin-lo · August 23, 2024, 5:39pm

Right now after going through the standard Linux deployment tweaking a few settings my /zac page is publicly accessible, everything on the controller is listening on the same port (443)

I'm pretty sure that's not the right way to have this setup right?

My (shortened) controller config:
ctrl:
fqdn:443
0.0.0.0:443
edge:
fqdn:443
web:
0.0.0.0:443
fqdn:443
apis:
-edge-manaagement
-edge-client
-fabric
-zac

Would the fix be to add another web section and move zac and mgt to it?

web2:
0.0.0.0:444 (don't expose this port publicly)
apis:
-edge-management
-zac

TheLumberjack · August 23, 2024, 5:41pm

it's a fine way to set it up sure.... If you want, removing the management port from the internet (and subsequently removing your zac from the internet) is a great way to do it.

What you have shown, is the recommended way to go about it now-a-days, yes!

You'd likely want to make a router near the controller and service that lets you access the ZAC after you do that too.

apinohixcorp · August 25, 2024, 8:11pm

I was also confused about this, I'm trying to follow the example at Example Enabling BrowZer | OpenZiti

with the idea that we were going to be securing the Zac Console, but following the instructions and halfway through the ZAC console was publicly available on my controller host port at the /zac/login endpoint. I was so confused thinking surely we'll move it during the demo and expose it only through BrowZer, but the demo didn't cover that. I would like to do that, is there a setting in the binding that we use to move it to a different port?

The binding section in my .yaml config near edge-management is set up per the demo:

     - binding: zac
        options:
          location: ./zac
          indexFile: index.html

TheLumberjack · August 25, 2024, 9:03pm

Hi @apinohixcorp, I can understand why you're confused. In the last year, we have started to transition to deploying the ZAC along with the controller using the mechanism you are highlighting here. The video and guide were recorded using the "node-based" ZAC, which was the prior version of the ZAC. We probably need to update that video, and subsequently update that page with a refreshed version of how to do this.

I didn't go through it all, but you should be able to replicate what that page will have you do. You'll need to substitute the management port instead of the specified offload_port=1408 and you'll need to specify "scheme": "https", in the targetArray.

I'll prepare to go through this page live on Ziti TV this coming Friday. If you don't get it working before then and you're interested, you can watch live at 11 AM ET this coming Friday.

apinohixcorp · August 25, 2024, 11:42pm

Awesome, you can bet I'll be there live on Friday! I'll definitely see if I can sort it out on my own ahead of that. Thank you for your prompt responses, I'm very excited about OpenZiti and impressed with all your work!

TheLumberjack · August 26, 2024, 1:01pm

Just made a forum post with the link, but it's here as well. See you Friday: https://www.youtube.com/watch?v=L2ctuKOlAR4

Topic		Replies	Views
Best practices of securing controller (and ZAC) Ziti Overlay	23	700	March 8, 2023
ZAC On different host than the controller General Questions	7	361	July 18, 2023
Dark ZAC with Management API on Localhost 18441 Ziti Administration Console	3	287	August 9, 2022
Questions from a newbie about my planned setup	19	109	October 28, 2024
Controller client and management apis Building/Development	2	427	June 24, 2022

Securing ZAC and management

Related Topics