Securing ZAC and management

Right now, after going through the standard Linux deployment and tweaking a few settings, my /zac page is publicly accessible; everything on the controller is listening on the same port (443).

I'm pretty sure that's not the right way to have this set up, right?

My (shortened) controller config:
    ctrl:
      fqdn:443
      0.0.0.0:443
    edge:
      fqdn:443
    web:
      0.0.0.0:443
      fqdn:443
      apis:
        - edge-management
        - edge-client
        - fabric
        - zac

Would the fix be to add another web section and move zac and the management API to it?

    web2:
      0.0.0.0:444   # don't expose this port publicly
      apis:
        - edge-management
        - zac

It's a fine way to set it up, sure. If you want, removing the management port from the internet (and consequently removing your ZAC from the internet) is a great way to do it.

What you have shown is the recommended way to go about it nowadays, yes! :slight_smile:

You'd likely want to make a router near the controller and a service that lets you access the ZAC after you do that, too.

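A fuller version of the split described above, written as an added example rather than taken from the thread or from the OpenZiti docs. In the controller schema `web` is a list of listeners, so the second listener is a second entry under `web` instead of a new top-level key like `web2`; hostnames, ports and the `./zac` path are placeholders, and the identity, enrollment and options blocks a real config carries are left out for brevity.

```yaml
# Added example config: public client API on 443, management API and ZAC on
# a second listener that is bound to an internal address and never published.
ctrl:
  listener: tls:0.0.0.0:443          # router-facing control channel, unchanged

edge:
  api:
    address: ctrl.example.com:443    # address advertised to clients (placeholder)

web:
  - name: public                     # internet-facing listener
    bindPoints:
      - interface: 0.0.0.0:443
        address: ctrl.example.com:443
    apis:
      - binding: edge-client         # only the client API is reachable here

  - name: management                 # management listener: keep off the internet
    bindPoints:
      - interface: 127.0.0.1:444     # loopback or an internal interface; also firewall it
        address: ctrl.example.com:444
    apis:
      - binding: fabric              # fabric API is a management API, so it goes here (my choice)
      - binding: edge-management
      - binding: zac                 # ZAC now rides on the management listener only
        options:
          location: ./zac
          indexFile: index.html
```

After restarting the controller, confirm from outside the network that port 444 and /zac/ are unreachable while `ziti edge login ctrl.example.com:444` still works from the inside; `ziti edge login` against port 443 should now fail, since the management API is no longer there.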

I was also confused about this. I'm trying to follow the example at "Example Enabling BrowZer | OpenZiti" with the idea that we were going to be securing the ZAC console, but following the instructions, halfway through the ZAC console was publicly available on my controller host port at the /zac/login endpoint. I was so confused, thinking surely we'd move it during the demo and expose it only through BrowZer, but the demo didn't cover that. I would like to do that; is there a setting in the binding that we use to move it to a different port?

The binding section in my .yaml config near edge-management is set up per the demo:

    - binding: zac
      options:
        location: ./zac
        indexFile: index.html

Hi @apinohixcorp, I can understand why you're confused. In the last year, we have started to transition to deploying the ZAC along with the controller using the mechanism you are highlighting here. The video and guide were recorded using the "node-based" ZAC, which was the prior version of the ZAC. We probably need to update that video, and subsequently update that page with a refreshed version of how to do this.

I didn't go through it all, but you should be able to replicate what that page will have you do. You'll need to substitute the management port for the specified offload_port=1408, and you'll need to specify "scheme": "https" in the targetArray.

I'll prepare to go through this page live on Ziti TV this coming Friday. If you don't get it working before then and you're interested, you can watch live at 11 AM ET this coming Friday.


Awesome, you can bet I'll be there live on Friday! I'll definitely see if I can sort it out on my own ahead of that. Thank you for your prompt responses, I'm very excited about OpenZiti and impressed with all your work!

Just made a forum post with the link, but it's here as well. See you Friday: https://www.youtube.com/watch?v=L2ctuKOlAR4