If I'm not mistaken there is only one port for auth identities and for applying changes/manipulations. I think it'll be more secure to hide the administrative part and zitify it.
Or maybe there is a way to limit API calls for changes from untrusted networks?
I was thinking the same.... as I started to work through how to set up an edge router on a remote server.
What I understand is that you need to modify the controller YAML file.. so that the auth can only be done on the controller.. you do this by modifying the listener.
@TheLumberjack has provided some great insights in the following page.. that I am still working through
My understanding is that once you do this.. you will only be able to log into the controller from the controller as localhost.
Creating a ziti host to manage the auth controller API
Is this possible.. I don't really know.. but I would definitely like to know.
The reason is.. when you want to create a new public edge router.... it's best to log into the controller to make the YAML file.. create the edge router identity.. and enroll the identity on the remote server.
However.. all of this requires that the controller can be remotely accessed.
So.. if you make the login on the controller.. only accessible to the localhost of the controller.. this would no longer be possible.
Hence.. I am trying to work out a way to manage this in a production instance.. so that you can implement a new edge router.. without having to shut down / turn on the controller to open up access and then remove it again.. after the edge router has been deployed.
Keen to discuss and learn more about this for sure.
This can be done with something like the following in the web section of the controller YAML:

web:
  # Public listener: only the client-facing and health-check APIs are served here
  - name: client-management
    bindPoints:
      - interface: 0.0.0.0:443
        address: "public ip of router:443"
    options: { }
    apis:
      - binding: health-checks
        options: { }
      - binding: edge-client
        options: { }
  # Management listener: bound to loopback only, so state-changing APIs are not reachable remotely
  - name: edge-management
    bindPoints:
      - interface: 127.0.0.1:8443
        address: 127.0.0.1:8443
    options: { }
    apis:
      - binding: fabric
        options: { }
      - binding: edge-management
        options: { }

where the management (change) APIs can only be reached on 127.0.0.1:8443.
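Both the question of limiting the change APIs to trusted networks and the split-listener YAML above come down to one property: no listener that serves the `edge-management` or `fabric` binding may have a bind point outside loopback. The following is an added example (not code from OpenZiti or from anyone in this thread) of a check for that property over a parsed controller config. The config dicts are constructed to mirror the posted YAML and are assumed to be the shape `yaml.safe_load()` would return; the hostname `ctrl.example.invalid` and the grouping of bindings into "management" are assumptions for the example.

```python
"""Flag management APIs of an OpenZiti controller 'web' config that are bound off loopback.

Added example, not OpenZiti project code. The config dicts are constructed to mirror
the YAML in the thread and assumed to match what yaml.safe_load() would produce.
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumption for this example: these bindings can change controller state,
# so they belong on a loopback-only listener.
MANAGEMENT_BINDINGS = {"edge-management", "fabric"}


def parse_interface(value: str) -> Tuple[str, int]:
    """Split 'host:port' into (host, port); accepts IPv4, bracketed IPv6 and hostnames."""
    host, sep, port = value.rpartition(":")
    if not sep:
        raise ValueError(f"no port in interface {value!r}")
    return host.strip("[]"), int(port)


def is_loopback_only(host: str) -> bool:
    """True only for a literal loopback address.

    Wildcards ('', 0.0.0.0, ::) bind every interface, and a hostname cannot be
    proven loopback without resolving it, so both are treated as exposed.
    """
    if host in ("", "0.0.0.0", "::"):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def management_exposure(config: Dict) -> List[str]:
    """Return one finding per bind point that serves a management API off loopback."""
    findings = []
    for listener in config.get("web", []):
        bindings = {api.get("binding") for api in listener.get("apis", [])}
        exposed = sorted(bindings & MANAGEMENT_BINDINGS)
        if not exposed:
            continue
        for bind_point in listener.get("bindPoints", []):
            host, port = parse_interface(bind_point["interface"])
            if not is_loopback_only(host):
                findings.append(
                    f"listener {listener['name']!r} serves {exposed} on {host}:{port}"
                )
    return findings


# Constructed: every API on one public bind point (the layout the thread wants to move away from).
ALL_ON_ONE_PORT = {
    "web": [
        {
            "name": "client-management",
            "bindPoints": [{"interface": "0.0.0.0:443", "address": "ctrl.example.invalid:443"}],
            "apis": [
                {"binding": b, "options": {}}
                for b in ("health-checks", "edge-client", "fabric", "edge-management")
            ],
        }
    ]
}

# Constructed to mirror the split layout posted above.
SPLIT_LISTENERS = {
    "web": [
        {
            "name": "client-management",
            "bindPoints": [{"interface": "0.0.0.0:443", "address": "ctrl.example.invalid:443"}],
            "apis": [{"binding": "health-checks", "options": {}},
                     {"binding": "edge-client", "options": {}}],
        },
        {
            "name": "edge-management",
            "bindPoints": [{"interface": "127.0.0.1:8443", "address": "127.0.0.1:8443"}],
            "apis": [{"binding": "fabric", "options": {}},
                     {"binding": "edge-management", "options": {}}],
        },
    ]
}

if __name__ == "__main__":
    for label, cfg in (("all-on-one-port", ALL_ON_ONE_PORT), ("split", SPLIT_LISTENERS)):
        print(label, management_exposure(cfg) or "OK: management APIs are loopback-only")
```

Run against a real controller by loading the YAML with `yaml.safe_load()` and passing the result to `management_exposure`; an empty list means every change API is confined to loopback, which is exactly the state the split config above is meant to produce.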