Just make sure it's not the build that steals all my bank account info j/k of course!
Woohoo! This build worked like a charm!
Hoping the new iOS build will come out soon as well!
Good night, and thanks again for all the help!
I changed the controller ports 8441 and 8440 to use only 8441, and it restarts without any issues. However, when I changed the router ports (8442, 8447) and the endpoint port (8440) all to 8441, the system fails to start.
Does single-port mode mean only needing to open a single port on the firewall, or did I misunderstand the configuration requirements?
It referred to one port per component. The controller needs one port, the router needs one port.
Also, when you update the router, make sure you change the controller address port to 8441 (or whichever port you choose).
So on a host running both components, you'll need two open ports. If the host runs one component, only one port would be necessary to open in the firewall.
Do you mean to consolidate all controller ports into one, such as merging ports 8441 and 8440 into port 443, while merging the router ports 8442, 8447, and 10800 into another port, like 8443? I noticed that HAProxy seems to allow combining both controller and router into a single port, but this requires knowing the TPKT header information for each protocol.
Yes. Often it makes sense to have the controller APIs (control plane/api plane) on port 443 (or 8441 from the quickstart), whereas the router (link plane and the edge plane) can run on port 80. 80 and 443 are "more generally allowed" through firewalls.
And of course, if you prefer to keep with the quickstart-style ports, that's fine too. Or any port you choose.
Could you please provide the TPKT information or protocol identifiers for each component (such as Controller ports 8440 and 8441, and Router ports 8442, 8447, and 10800) so that I can correctly configure ACL matching rules in HAProxy? Or should I capture this data through packet inspection? In HAProxy, I need to use a rule like acl is_edge req.payload(0,3) -m bin <tpkt_identifier>. Thank you for your assistance!
For example, SSH port multiplexing may require identifying the TPKT header, with SSH being recognized by 535348 and RDP by 030000.
I don't know if we'll ever add it to be honest. But this is a feature request, and is veering away from the topic at hand. I'd ask you to start a new thread for that.
I'd recommend you go a different route and use SNI instead. This is similar to how our Kubernetes installs work as well. You could assign two different hostnames: ctrl.your.domain and router.your.domain, but with port 443 listening, and then use SNI to determine where to redirect the traffic. This actually sounds like fun and might make for a good Ziti TV. If you get HAProxy working with passthrough TLS, maybe put up some instructions on a GitHub gist for me to follow?
See ssl_fc_sni in the HAProxy version 1.8.30 Configuration Manual, and also Route SSH Connections with HAProxy (In-Depth Configuration).
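As an added example (not from this thread or from the OpenZiti project), here is an HAProxy TLS-passthrough frontend that does the SNI split suggested above. It assumes HAProxy owns port 443 on the same host as a controller listening on 8441 and a router edge listener on 8442, and that clients connect by the hostnames ctrl.your.domain and router.your.domain so their ClientHello carries that SNI. For passthrough the raw-ClientHello fetch req.ssl_sni is used, since ssl_fc_sni is only populated when HAProxy terminates TLS itself.

```haproxy
# Added example, not project configuration. Assumed layout: HAProxy on :443,
# controller on 127.0.0.1:8441, router edge listener on 127.0.0.1:8442.
global
    log stdout format raw local0

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    # Ziti sessions are long-lived; do not idle them out after the default.
    timeout client  1h
    timeout server  1h

frontend ziti_tls_passthrough
    bind *:443
    mode tcp
    # Buffer the first bytes until the TLS ClientHello (hello type 1) is seen,
    # otherwise SNI is not yet available when the routing decision is made.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Drop anything that is not TLS for one of the two expected names instead
    # of forwarding unknown traffic to either component.
    tcp-request content reject unless { req.ssl_sni -i ctrl.your.domain } || { req.ssl_sni -i router.your.domain }
    # Route on the SNI read from the unterminated ClientHello. The TLS session
    # itself is passed through, so each component still presents its own cert.
    use_backend ziti_controller if { req.ssl_sni -i ctrl.your.domain }
    use_backend ziti_router     if { req.ssl_sni -i router.your.domain }

backend ziti_controller
    mode tcp
    server ctrl 127.0.0.1:8441

backend ziti_router
    mode tcp
    server router 127.0.0.1:8442
```

For this to work end to end, the controller and router must advertise ctrl.your.domain:443 and router.your.domain:443 respectively in their own configuration, so clients dial the names HAProxy matches on rather than the internal ports.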