Simple usage question about zrok

The pricing page for zrok states that the free tier is limited to 10GB of traffic per day.

Is this what applies if we use the easy method? Sharing HTTP Servers | Zrok

To get around this limitation:

  1. We can self host, probably with the docker-compose setup.
  2. (not scalable) switch to another zrok account?

I think until I learn how to establish the former, if I want to share my software and data resources with family, colleagues and friends in a low-friction way I could resort to option 2 a little bit if I happen to overrun the 10GB in a day bandwidth use?

I have been reading about the Ziti based projects and it seems exciting but also sounds in many ways a bit too good to be true.

It seems like there is no shortage of detailed information going around, which is great since overcommunication is valuable, but I think what is lacking are really focused instructions and walkthroughs for the simple common use cases. I can see several of these in a few places but the main problem is not enough clarity around things like when would we want to use zrok frontdoor (or what frontdoor even is) as opposed to other things. I think I started to understand how browZer can, once integrated into a client app, provide powerful abilities interfacing with very complex enterprise systems in a more modern secure way but there are for example no FAQ writeups that help us to explain whether browZer is relevant or not when it comes to me wanting to share a web app running on my dev machine.

Hi @unphased, welcome to the community and to zrok (and OpenZiti and BrowZer)!

I don't think our T&C's prevent people from making ancillary accounts. They probably should, but it's pretty hard to enforce... :) So you could do that. Self-hosting is certainly the best workaround if you aren't interested in paying NetFoundry for zrok.io. Hopefully we'll make that price attractive enough to most people where they'll want to sign up not just to support the project, but also because it's "just worth it"! :)

Our most precious resource is time. We try our best to prioritize the things that will help the most people and we are constantly trying to balance all the asks from everywhere, while still providing as great of an overall experience as we can. Recently, there's been a renewed focus and attention put on making those sorts of use cases -- or as I (we?) like to call them "recipes" (staying with the whole food/pasta motif). I expect that I'll be cranking out many of those recipes in the coming months but there are always competing needs and priorities.

But - your voice (and the community's voice) helps us prioritize! If there are specific guides you found lacking that would have been really helpful, let us know! It takes a fair bit of time to make quality documentation so it might start here as a discourse post but knowing what people are looking for, really helps us make the most out of our most precious commodity.

Thanks for joining, it IS too good to be true! Help us spread the word. When enough people have found the project, we're sure to get other helpful people writing blogs and just generally helping overall. Until then, hit us up here in discourse and we'll get you sorted as fast as we can.


An example of an issue I have now is I can see the instructions for sharing http servers is simple, just run zrok share public with the local server endpoint.

But since I like docker, I'm looking then at the Docker public share page: Docker Compose Public Share | Zrok

It starts out with

Goal
Publicly share a Docker Compose service with a separate zrok environment and a permanent zrok share URL.

I don't get what this means. It's a starting point for me to build an app in a docker compose setup to help me control network access with docker networking? I don't want to think about those kinds of specifics right now.

I know enough about docker to know that if I want a container to be able to access network services on the rest of the host I have to give the container access. So I guess that's what this is mostly about, to let me control those details. That's cool, but the language of "a separate zrok environment" doesn't mean anything to me yet. What is meant by "separate"?

So far from what I'm gleaning (my current need is to share a web app I'm building, from my personal linux machine, with my colleagues, in a secure enough way but without waiting on an entire outdated/convoluted IT/devops process to get me a new environment) I should basically just go grab the zrok executable and get up and running without worrying about docker.

This simplified Docker example might be closer to what you're after: Getting Started with Docker | Zrok

By "separate environment," I was trying to express that zrok running in Docker can either mount the user's ~/.zrok or create one in a Docker volume.

Oh, and there's a Linux systemd service zrok-share.service that can help with keeping either a public or private share "backend" always running, described here: zrok frontdoor | Zrok

Short version:

curl -sSLf https://get.openziti.io/install.bash \
| sudo bash -s zrok-share

Then, configure /opt/openziti/etc/zrok/zrok-share.env

Then start the service and monitor logs or zrok console.

Thanks so much.

Getting a zrok account set up and logged in with the zrok executable on linux has been a breeze. But now I have HTTPS related troubles. I'm using a simple nginx config on my machine in order to deliver the application to the browser with HTTP/2, which requires the use of HTTPS and I am using a simple self-signed key cert for that configured with nginx. I furthermore also have a websocket as part of my app.

Maybe I can expect difficulties with these details and will see if I can just get things running off HTTP1.1.

Maybe you need to say zrok share ... --insecure. You can switch out of the TUI with --headless --verbose to see what the share backend is saying.

It definitely works out of the box when I bypass nginx and point zrok at my express webserver. I will try those things, thank you.

It seems I get The plain HTTP request was sent to HTTPS port from nginx. That would be when I target localhost:443. If I target port 80 instead a browser will not even connect since nginx simply redirects from port 80 to "localhost:443" which will leave a blank browser page.

Are these the right pieces of your system? Which direction do the arrows connect in which order?

link to live collaborative drawing: Excalidraw | Hand-drawn look & feel • Collaborative • Secure

I have updated the diagram.

I enable HTTP/2 for the application as it unlocks the user's browser from limiting concurrent requests to 6 per domain.

Meanwhile I am unblocked as the above only serves to degrade achievable app performance but it'd be interesting to know how my off the beaten path app might interface with zrok.

To clarify:

Seems the breakdown is somewhere in the arrow going from zrok to nginx. nginx is clearly reporting it has received a request from zrok in HTTP format when it needs to see HTTPS protocol happening over port 443.

I'll mention in passing I looked into HTTP/3 as its adoption is also rapidly growing across the net (and some of my cross domain requests in my app already use it) but nginx didn't make it easy for me to test HTTP/3. So that is a backburner item.

I made progress. Things may be working perfectly now, I just had to change my zrok launch command to use a https://localhost:443 url. Silly me. Network tab confirms HTTP/2 functionality.

Nice. Good to know we can do HTTP/2 end-to-end. Is it a public or private zrok share?

Here's what http package - net/http - Go Packages says about HTTP/2.

HTTP/2 support is only enabled if the Listener returns [*tls.Conn] connections and they were configured with "h2" in the TLS Config.NextProtos.
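
The net/http behaviour quoted above, as an added example that is not part of the original thread and is not zrok's code: a throwaway local test server shows that the same client ends up on HTTP/2 only when the listener speaks TLS and offers "h2" via ALPN. The function name `negotiatedProto` and the test server are assumptions made for this illustration; the client trusts the server's self-signed certificate explicitly rather than disabling verification.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// negotiatedProto starts a throwaway local server (constructed for this
// example) and returns the HTTP version one GET request ended up using.
// useTLS picks an HTTPS listener; offerH2 decides whether the server lists
// "h2" in tls.Config.NextProtos (ALPN).
func negotiatedProto(useTLS, offerH2 bool) (string, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") }))
	if useTLS {
		srv.EnableHTTP2 = offerH2 // httptest sets NextProtos to h2 or http/1.1
		srv.StartTLS()
	} else {
		srv.Start()
	}
	defer srv.Close()

	tr := &http.Transport{ForceAttemptHTTP2: true} // client always offers h2
	if useTLS {
		// Trust exactly the server's self-signed certificate instead of
		// turning verification off.
		pool := x509.NewCertPool()
		pool.AddCert(srv.Certificate())
		tr.TLSClientConfig = &tls.Config{RootCAs: pool}
	}
	defer tr.CloseIdleConnections()

	resp, err := (&http.Client{Transport: tr}).Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body) // drain so the connection can be reused/closed
	return resp.Proto, nil
}

func main() {
	for _, c := range []struct{ useTLS, offerH2 bool }{{true, true}, {true, false}, {false, false}} {
		p, err := negotiatedProto(c.useTLS, c.offerH2)
		fmt.Printf("tls=%v h2-offered=%v -> %s (err=%v)\n", c.useTLS, c.offerH2, p, err)
	}
}
```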

final diagram:

diagram source: Excalidraw | Hand-drawn look & feel • Collaborative • Secure

It's a public zrok share.

So far working like a charm.

I do not know why the metrics seem not to be capturing the data volume. I have probably fired off over a thousand 100kB+ fetches already.

In the console you'll find a metrics tab at each level: account, environment, share.

Are they all showing zero activity, or does that narrow it down to where the gap seems to be?

They are reporting around 6MB which is a lot less than what I've sent through the system so far.