Tunneler vs. Router+Tunneler as Reverse Proxy

If I wanted to configure a Ziti reverse proxy to front one or more applications, as far as I understand, I could either configure a straight-up tunneler (ziti-edge-tunnel) or configure a router with a tunneler. Could you please speak to:

  1. What factors should go into picking one or the other option?
  2. Are there any security or ops implications associated with these choices I should be aware of?

That's correct! Either would work for many scenarios.

Here's a comparison table for those two options: Tunnel Comparison · Issue #383 · openziti/ziti-doc · GitHub

It's more a matter of capabilities and resources than security, unless you're determined to use an HSM/TPM.

For example, orchestrating the router is slightly more complex, but affords a more robust connection to the Ziti overlay.

If you think of any more contrasts for that table then I'll add them. My goal with the issue was to keep track and possibly write a doc that assists with the same choice you're considering.

Other options include:

  • Use the already zitified Caddy Server as your reverse proxy: Put some Ziti in your Caddy
  • Embed one of the OpenZiti SDKs directly to your existing apps if possible. If this is an option we can point you in the right direction based on the language your app is written in

Thank you, that table is very useful! The router-based tunneler definitely seems more robust. I understand ziti-edge-tunnel allows loading multiple identities, which is useful when a single ziti-edge-tunnel is reverse-proxying multiple apps (each app having its own identity).

Is it similarly possible to load multiple identities in a router-based tunneler, one for each app that's being proxied? How'd I go about configuring that?

I also have a related question: how does a reverse proxy know what type of bind connection it should make on behalf of an app? host.v1 config will tell the proxy which app it should deliver incoming payloads to, but if we're relying on the proxy to auto-create terminators as necessary, how does the proxy know, say, whether it should bind a udp connection vs. a tcp connection? Perhaps it uses the same protocol for the bind connection that's specified in host.v1 config??

I would not personally characterize ziti-router as "more robust". Although both ziti-router and ziti-edge-tunnel have significant overlaps, they also try to solve different problems. It's not a straightforward question to answer. While that table @qrkourier cites is mostly accurate, I don't think it is a full and complete picture of the kinds of questions you end up wanting to answer. For me, I'll use a tunneler-router when I want a piece of the overlay AT that location. I'll use ziti-edge-tunnel when I don't want that sort of functionality. ziti-edge-tunnel is, imo, akin to something that would run on one machine. All the Ziti Desktop Edge clients (for Windows/MacOS/Linux) rely on ziti-edge-tunnel... So really, it does kinda depend.

ziti-router only has a single identity - the 'router' identity, so no.

You actually control this. The host.v1 config has an option, forwardProtocol. If you enable that, whatever protocol comes in is what goes out. If you set it to 'tcp', well, then only 'tcp' will go out. forwardProtocol and protocols are mutually exclusive. You can either specify the protocol, or allow whatever protocol was intercepted to be egressed. If you know you're intercepting tcp, then it's a tiny bit simpler to simply specify tcp offload. If you can receive either, well, you'll need to 'forwardProtocol'. There are also "forwardAddress" and "forwardPort".
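
The host.v1 choice described in the last reply, as an added example that is not part of the thread and is not OpenZiti code: a simplified Python model of how a hosting tunneler could map an intercepted connection to its egress target, rejecting configs that mix a fixed value with its forward option. The `allowedProtocols`, `allowedAddresses` and `allowedPortRanges` allow-lists are assumed from the host.v1 schema and do not appear in the thread; the sample configs and function names are constructed.

```python
import ipaddress

# Constructed sample host.v1 configs (not taken from the thread).
FIXED_TCP = {"protocol": "tcp", "address": "127.0.0.1", "port": 8080}
FORWARDING = {
    "forwardProtocol": True, "allowedProtocols": ["tcp", "udp"],
    "address": "10.0.0.5",
    "forwardPort": True, "allowedPortRanges": [{"low": 5000, "high": 5010}],
}

def _pick(cfg, fixed, forward, allowed, intercepted, permits):
    """Return the egress value for one dimension (protocol, address or port)."""
    if fixed in cfg and cfg.get(forward):
        raise ValueError(f"{fixed} and {forward} are mutually exclusive")
    if fixed in cfg:
        return cfg[fixed]  # fixed value: whatever was intercepted is ignored
    if not cfg.get(forward):
        raise ValueError(f"set either {fixed} or {forward}")
    if not cfg.get(allowed):
        raise ValueError(f"{forward} requires a non-empty {allowed}")
    if not any(permits(rule, intercepted) for rule in cfg[allowed]):
        raise PermissionError(f"{intercepted!r} not permitted by {allowed}")
    return intercepted  # forwarded value, already checked against the allow-list

def _addr_ok(rule, addr):
    """IP/CIDR containment; hostnames match exactly (a simplification)."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(rule, strict=False)
    except ValueError:
        return rule.lower() == str(addr).lower()

def resolve_egress(cfg, proto, addr, port):
    """Map an intercepted (proto, addr, port) to what the hosting side dials."""
    return (
        _pick(cfg, "protocol", "forwardProtocol", "allowedProtocols", proto,
              lambda rule, p: rule == p),
        _pick(cfg, "address", "forwardAddress", "allowedAddresses", addr, _addr_ok),
        _pick(cfg, "port", "forwardPort", "allowedPortRanges", port,
              lambda rule, p: rule["low"] <= p <= rule["high"]),
    )
```

With `FIXED_TCP` every intercepted connection egresses as tcp to 127.0.0.1:8080, while `FORWARDING` keeps the intercepted protocol and port only when the allow-lists permit them.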