Hello, my setup is as follows; I'll try to explain the meaning of everything as best as I can:

I have the classic setup ZitiEdgeController (with ZitiEdgeInitController) / ZitiEdgeRouter / ZitiConsole.

My goal with this is to have a couple of servers running Docker containers of various services and use OpenZiti as a way to easily and securely connect between them. Additionally, my plan is to use a Caddy instance on each server to handle HTTPS requests so I don't get warnings about self-signed certs and stuff like that.
In the above setup, the Holy Trinity of OpenZiti (Controller/Router/Console) is running in its own network, called `ziti`. Then I have another network called `caddy` where there is a simple `whoami` container (which is basically a simple Nginx that returns a static HTML page) and a Caddy reverse proxy container. This Caddy container is also connected to the `ziti` network. This is done this way so I can reverse proxy the ZitiConsole container too.
The Caddy container is set up in such a way that it gets certificates by doing DNS challenges (I hope I'm using the correct terminology) against Cloudflare. I have a domain `my.domain.com` and I've given Caddy a special token to perform these DNS ACME challenges so it can get certificates. The Caddy container is exposing ports 80 and 443 to the localhost.
I also have 2 containers: Ziti Host and Ziti Tun. Ziti Host is being used to, well, host services. Since I have Caddy on this machine I've created a config to host a service called `caddy` on ports 80 and 443 that intercepts URLs matching `*.mymachine.my.domain.com`. ZitiTun for now is not being used, but if I deploy a container that needs to contact another machine in my Ziti network I'll need it.
This is done so I can type `https://ziti.mymachine.my.domain.com` on my desktop; then the request is captured by the Ziti Edge Desktop app on Windows, redirected through MyMachine, arrives at the ZitiHost container, is then redirected to port 443 on localhost of MyMachine, is captured by Caddy, Caddy then does its magic with the certificate stuff, and makes the redirection to the Ziti Console container. I can also type `https://whoami.mymachine.my.domain.com` and the same will apply, but Caddy will redirect it at the last step to the other container.
All of this is currently working nicely. I can access all services with HTTPS with no warnings whatsoever.

However, when I reach, for example, `https://ziti.mymachine.my.domain.com`, the answer is painfully slow. I'm talking about 60 seconds to load the login page. Once that's done it's all cached and it works well, but anything new is really slow. I've also deployed other services to test (Syncthing, for example) and it's equally slow to access the UI.

So my question is: how can I debug and/or troubleshoot what might be causing this issue? Perhaps it's not even OpenZiti's fault, but I don't know what else it could be.
I'll leave my `docker-compose.yml` and `.env` files here in case that helps, but they might be a bit complex, idk.
docker-compose.yml
```yaml
# Sections prefixed by x- are not parsed by Docker Compose. This section is used to reuse common
# sections related to the Caddy container (see below)
x-common-caddy: &common-caddy
  caddy.tls.protocols: "tls1.3" #### This is optional. Default is tls1.2
  caddy.tls.dns: "cloudflare ${CLOUDFLARE_API_TOKEN}"

services:
  ziti-controller:
    image: "${ZITI_IMAGE}:${ZITI_VERSION}"
    ports:
      - ${ZITI_EDGE_CONTROLLER_PORT:-1280}:${ZITI_EDGE_CONTROLLER_PORT:-1280}
      - ${ZITI_CTRL_PORT:-6262}:${ZITI_CTRL_PORT:-6262}
    environment:
      - ZITI_EDGE_IDENTITY_ENROLLMENT_DURATION=${ZITI_EDGE_IDENTITY_ENROLLMENT_DURATION}
      - ZITI_EDGE_ROUTER_ENROLLMENT_DURATION=${ZITI_EDGE_ROUTER_ENROLLMENT_DURATION}
    env_file:
      - $MAIN_DIR/.env
    networks:
      ziti:
        aliases:
          - ziti-edge-controller
    volumes:
      - ziti-fs:/persistent
    entrypoint:
      - "/var/openziti/scripts/run-controller.sh"
    # Simple healthcheck to check open ports. This is just to make the startup a little bit more "step by step"
    healthcheck:
      test: ["CMD", "bash", "-c", "lsof -i -P -n | grep -q 'TCP.*:6262' && lsof -i -P -n | grep -q 'TCP.*:1280'"]
      interval: 10s
      timeout: 5s
      retries: 10

  ziti-controller-init-container:
    image: "${ZITI_IMAGE}:${ZITI_VERSION}"
    depends_on:
      ziti-controller:
        condition: service_healthy
    environment:
      - ZITI_CONTROLLER_RAWNAME="${ZITI_CONTROLLER_RAWNAME}"
      - ZITI_EDGE_CONTROLLER_RAWNAME="${ZITI_EDGE_CONTROLLER_RAWNAME}"
    env_file:
      - $MAIN_DIR/.env
    networks:
      ziti:
        aliases:
          - ziti-edge-controller-init-container
    volumes:
      - ziti-fs:/persistent
    entrypoint:
      - "/var/openziti/scripts/run-with-ziti-cli.sh"
    command:
      - "/var/openziti/scripts/access-control.sh"

  ziti-edge-router:
    image: "${ZITI_IMAGE}:${ZITI_VERSION}"
    depends_on:
      ziti-controller:
        condition: service_healthy
      ziti-controller-init-container:
        condition: service_completed_successfully
    environment:
      - ZITI_CONTROLLER_RAWNAME="${ZITI_CONTROLLER_RAWNAME}"
      - ZITI_EDGE_CONTROLLER_RAWNAME="${ZITI_EDGE_CONTROLLER_RAWNAME}"
      - ZITI_EDGE_ROUTER_RAWNAME=${ZITI_EDGE_ROUTER_RAWNAME:-ziti-edge-router}
      - ZITI_EDGE_ROUTER_ROLES=public
    env_file:
      - $MAIN_DIR/.env
    ports:
      - ${ZITI_EDGE_ROUTER_PORT:-3022}:${ZITI_EDGE_ROUTER_PORT:-3022}
    networks:
      - ziti
    volumes:
      - ziti-fs:/persistent
    entrypoint: /bin/bash
    command: "/var/openziti/scripts/run-router.sh edge"
    # Simple healthcheck to check open ports. This is just to make the startup a little bit more "step by step"
    healthcheck:
      test: ["CMD", "bash", "-c", "lsof -i -P -n | grep -q 'TCP.*:3022'"]
      interval: 10s
      timeout: 5s
      retries: 10

  ziti-console:
    image: openziti/zac:2.6.9
    depends_on:
      ziti-controller:
        condition: service_healthy
      ziti-controller-init-container:
        condition: service_completed_successfully
      ziti-edge-router:
        condition: service_healthy
    working_dir: /usr/src/app
    environment:
      - ZAC_SERVER_CERT_CHAIN=/persistent/pki/${ZITI_EDGE_CONTROLLER_HOSTNAME:-ziti-controller}-intermediate/certs/${ZITI_EDGE_CONTROLLER_HOSTNAME:-ziti-controller}-server.cert
      - ZAC_SERVER_KEY=/persistent/pki/${ZITI_EDGE_CONTROLLER_HOSTNAME:-ziti-controller}-intermediate/keys/${ZITI_EDGE_CONTROLLER_HOSTNAME:-ziti-controller}-server.key
      - PORTTLS=8443
    env_file:
      - $MAIN_DIR/.env
    # Labels are used by the caddy container to know where the upstreams are and what URL to use
    labels:
      <<: *common-caddy
      caddy: "ziti.${MACHINE_HOSTNAME}"
      caddy.reverse_proxy: "{{upstreams https 8443}}"
      caddy.reverse_proxy.transport: http
      # tls_insecure_skip_verify had to be used to prevent errors with HTTPS and Caddy
      # (Caddy does not verify ZAC's self-signed server cert on the internal ziti network)
      caddy.reverse_proxy.transport.tls_insecure_skip_verify:
    ports:
      # Port 8443 is not exposed, only through Caddy
      - 1408:1408
    networks:
      - ziti
    volumes:
      - ziti-fs:/persistent

  # This container will fail on first 'docker compose up -d' because you can't get the ZITI_ENROLL_TOKEN until you generate it
  # Once you have the enroll token, add it to .env then run again docker compose up -d
  ziti-host:
    image: openziti/ziti-host:0.21.0
    depends_on:
      ziti-controller:
        condition: service_healthy
      ziti-edge-router:
        condition: service_healthy
    restart: unless-stopped
    network_mode: "host"
    volumes:
      - ziti-identity:/ziti-edge-tunnel
    environment:
      - ZITI_IDENTITY_BASENAME=${ZITI_IDENTITY_BASENAME}
      - ZITI_ENROLL_TOKEN=${ZITI_ENROLL_TOKEN}

  # This container will fail on first 'docker compose up -d' because you can't get the ZITI_ENROLL_TOKEN until you generate it
  # Once you have the enroll token, add it to .env then run again docker compose up -d
  ziti-tun:
    image: openziti/ziti-edge-tunnel
    depends_on:
      ziti-controller:
        condition: service_healthy
      ziti-edge-router:
        condition: service_healthy
      ziti-host:
        condition: service_started
    restart: unless-stopped
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - ziti-identity:/ziti-edge-tunnel
      - /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket
    environment:
      - ZITI_IDENTITY_BASENAME=${ZITI_IDENTITY_BASENAME}
      - PFXLOG_NO_JSON=true # suppress JSON logging
    network_mode: "host"
    privileged: true

  caddy:
    image: homeall/caddy-reverse-proxy-cloudflare:latest
    depends_on:
      ziti-host:
        condition: service_started
    restart: unless-stopped
    environment:
      TZ: 'Europe/Madrid'
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - caddy_data:/data
    ports:
      - 80:80
      - 443:443
    networks:
      caddy:
      ziti:
    labels:
      caddy.email: ${CLOUDFLARE_EMAIL}

  whoami:
    image: "nginxdemos/hello"
    depends_on:
      caddy:
        condition: service_started
    restart: unless-stopped
    networks:
      caddy:
    labels:
      <<: *common-caddy
      caddy: "whoami.${MACHINE_HOSTNAME}"
      caddy.reverse_proxy: "{{upstreams 80}}"

networks:
  ziti:
  caddy:

volumes:
  ziti-fs:
  caddy_data:
  ziti-identity:
```
.env
```dotenv
# Generic
MAIN_DIR=/home/ubuntu/yourdirectorywherethesefilesare
MACHINE_HOSTNAME=mymachine.mydomain.com
MACHINE_IP=1.2.3.4

# Caddy SSL
CLOUDFLARE_EMAIL=youremail@email.com
CLOUDFLARE_API_TOKEN=YOURCLOUDFLARETOKEN

# OpenZiti Variables
ZITI_IMAGE=openziti/quickstart
ZITI_VERSION=0.27.9

# The duration of the enrollment period (in minutes), default if not set
# shown - 7days
ZITI_EDGE_IDENTITY_ENROLLMENT_DURATION=10080
ZITI_EDGE_ROUTER_ENROLLMENT_DURATION=10080

# controller address/port information
ZITI_CONTROLLER_RAWNAME=ziti-controller
ZITI_CONTROLLER_HOSTNAME="${MACHINE_HOSTNAME}"
#ZITI_CTRL_PORT=8440
ZITI_EDGE_CONTROLLER_RAWNAME=ziti-edge-controller
ZITI_EDGE_CONTROLLER_HOSTNAME="${MACHINE_HOSTNAME}"
ZITI_EDGE_CONTROLLER_IP_OVERRIDE="${MACHINE_IP}"
#ZITI_EDGE_CONTROLLER_PORT=8441

# router address/port information
ZITI_EDGE_ROUTER_RAWNAME="${MACHINE_HOSTNAME}"
ZITI_EDGE_ROUTER_IP_OVERRIDE="${MACHINE_IP}"
#ZITI_EDGE_ROUTER_PORT=8442

# Ziti Host
ZITI_IDENTITY_BASENAME=mymachine
ZITI_ENROLL_TOKEN=
```
Thanks in advance!
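An added troubleshooting script for the question above (example code, not part of the original post and not OpenZiti or Caddy project code): it times the same request from successive vantage points along the chain described in the post (ZAC directly on its published port 1408, Caddy on the host's loopback with the public name pinned to 127.0.0.1, and finally the Ziti-intercepted name from the desktop) and uses curl's timing variables to name the phase that eats the time. It assumes curl and awk are available, the hostname and ports from the post, and that the script is run on MyMachine for the first two steps and on the Windows desktop (where curl is also available) for the last one.

```shell
#!/bin/sh
# Added example (not from the post above): locate the 60-second delay by timing
# the same URL from successive points on the path
#   Ziti Desktop Edge -> ziti fabric -> ziti-host on MyMachine -> Caddy :443 -> container
# Assumes curl and awk; hostnames/ports are the ones from the post (assumption).

# curl timing variables, each in seconds since the request started.
CURL_FMT='dns=%{time_namelookup} connect=%{time_connect} tls=%{time_appconnect} ttfb=%{time_starttransfer} total=%{time_total}\n'

# Print one timing line for URL; extra arguments go to curl (e.g. --resolve to
# pin a name to an address, -k to skip verifying a self-signed upstream cert).
time_url() {
  url=$1; shift
  curl -s -o /dev/null -w "$CURL_FMT" "$@" "$url"
}

# Turn a timing line into per-phase durations and name the slowest phase.
#   dns:      name lookup (on the desktop this is the Ziti DNS intercept)
#   tcp:      TCP handshake (on the desktop: the tunnel to ziti-host)
#   tls:      TLS handshake with Caddy, 0 for plain http://
#   server:   handshake to first byte, i.e. Caddy plus its upstream
#   transfer: remaining body download
slowest_phase() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++) { split($i, kv, "="); t[kv[1]] = kv[2] + 0 }
    if (t["tls"] < t["connect"]) t["tls"] = t["connect"]   # no TLS phase on http://
    d["dns"]      = t["dns"]
    d["tcp"]      = t["connect"] - t["dns"]
    d["tls"]      = t["tls"]     - t["connect"]
    d["server"]   = t["ttfb"]    - t["tls"]
    d["transfer"] = t["total"]   - t["ttfb"]
    best = ""; max = -1
    for (k in d) if (d[k] > max) { max = d[k]; best = k }
    printf "%s %.3f\n", best, max
  }'
}

# Time a URL and print "<label>: <slowest phase> <seconds>".
report() {
  label=$1; url=$2; shift 2
  line=$(time_url "$url" "$@") || { echo "$label: curl failed"; return 1; }
  echo "$label: $(slowest_phase "$line")"
}

# Walk the chain from the inside out. Steps 1 and 2 run on MyMachine; step 3
# runs on the desktop, where the name is intercepted by Ziti.
walk_chain() {
  host=ziti.mymachine.my.domain.com
  # 1. ZAC straight from the host via its published plain-http port (bypasses Ziti and Caddy)
  report "zac-direct"  "http://127.0.0.1:1408/"
  # 2. Caddy on loopback, same vhost and certificate as the real request, Ziti bypassed
  report "caddy-local" "https://$host/" --resolve "$host:443:127.0.0.1"
  # 3. the intercepted name exactly as the browser sees it
  report "via-ziti"    "https://$host/"
}

if [ "${1:-}" = "walk" ]; then walk_chain; fi
```

Run it as `sh timing.sh walk`. If `zac-direct` and `caddy-local` come back in well under a second and only `via-ziti` is slow, the time is spent on the Ziti side (desktop DNS interception, the ziti-host intercept, or the fabric) and `docker compose logs ziti-host` plus the Ziti Desktop Edge log are the place to look; a slow `dns` phase on the desktop points at name resolution of the intercepted wildcard rather than the tunnel. If `caddy-local` is already slow with `server` as the slowest phase, the delay is between Caddy and its upstream, and `docker compose logs caddy` will show what Caddy was doing during those seconds. The `--resolve` pin in step 2 matters: it keeps the SNI and certificate identical to the real request, so a difference between steps 2 and 3 can only come from the Ziti path.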