Where to begin with openziti?

To really understand this, I would encourage you to spend some time to walk through the examples in GitHub.

Here is a simple https server that has been zitified.

The key is to replace

	if err := http.ListenAndServe(":8090", nil); err != nil {
		panic(err)
	}

With

	if err := http.Serve(createZitiListener(), nil); err != nil {
		panic(err)
	}

What this means is that it's not using the normal way of marshalling traffic… and instead… using the “ziti” SDK.

Here is the code for the ZitiListener

package main

import (
	"fmt"
	"net"
	"os"
	"time"

	"github.com/openziti/sdk-golang/ziti"
	"github.com/openziti/sdk-golang/ziti/config"
)

// createZitiListener loads an enrolled identity (os.Args[1]) and binds the
// named service (os.Args[2]) on the overlay, returning it as an ordinary
// net.Listener so http.Serve can use it unchanged.
func createZitiListener() net.Listener {
	cfg, err := config.NewFromFile(os.Args[1])
	if err != nil {
		panic(err)
	}
	options := ziti.ListenOptions{
		ConnectTimeout: 5 * time.Minute,
	}
	listener, err := ziti.NewContextWithConfig(cfg).ListenWithOptions(os.Args[2], &options)
	if err != nil {
		fmt.Printf("Error binding service %+v\n", err)
		panic(err)
	}
	return listener
}

I would encourage you to walk through the SDK in more detail as it's all open source. If you do… you will find links to TLS and other data layer methods.

There are also other things I am finding that happen between the controller and the browser… still not 100% sure yet… but with the demo I did… there is something going on for the interceptor to work… it's just that you don't see it when you call the method.

Hope that helps :slight_smile:

1 Like
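The point of the post above (swap the TCP listener for one the overlay hands you, and the HTTP code does not change) can be seen without a controller at all. The following is an added, stand-alone Go example written for this thread, not code from the OpenZiti SDK or its example repo: memListener is a constructed in-memory net.Listener standing in for the ziti listener, and helloHandler and serveAndFetch are hypothetical names. The service never opens a TCP port; the only connections that reach http.Serve are the ones the listener chooses to deliver, which is exactly the role the SDK plays with the real overlay.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"sync"
)

// memListener is a constructed stand-in for the overlay listener. It owns no
// socket; a connection exists only when something is handed in through Dial,
// the way the ziti SDK hands an authorized overlay session to the service.
type memListener struct {
	conns chan net.Conn
	once  sync.Once
	done  chan struct{}
}

func newMemListener() *memListener {
	return &memListener{conns: make(chan net.Conn), done: make(chan struct{})}
}

// Accept blocks until a connection is delivered or the listener is closed.
func (l *memListener) Accept() (net.Conn, error) {
	select {
	case c := <-l.conns:
		return c, nil
	case <-l.done:
		return nil, errors.New("listener closed")
	}
}

func (l *memListener) Close() error {
	l.once.Do(func() { close(l.done) })
	return nil
}

// Addr is a name, not an IP:port; there is nothing here to port-scan.
func (l *memListener) Addr() net.Addr { return memAddr("overlay-service") }

type memAddr string

func (a memAddr) Network() string { return "mem" }
func (a memAddr) String() string  { return string(a) }

// Dial creates an in-memory pipe and hands the server end to Accept.
func (l *memListener) Dial(ctx context.Context) (net.Conn, error) {
	client, server := net.Pipe()
	select {
	case l.conns <- server:
		return client, nil
	case <-l.done:
		client.Close()
		server.Close()
		return nil, errors.New("listener closed")
	case <-ctx.Done():
		client.Close()
		server.Close()
		return nil, ctx.Err()
	}
}

// helloHandler is the unchanged application code: it cannot tell which
// transport delivered the request.
func helloHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "hello from %s", r.Host)
}

// serveAndFetch calls http.Serve on the custom listener, as the zitified
// server does, then fetches one page through it and returns the body.
func serveAndFetch() (string, error) {
	ln := newMemListener()
	defer ln.Close()

	mux := http.NewServeMux()
	mux.HandleFunc("/", helloHandler)
	go http.Serve(ln, mux) // same call as the zitified server, different listener

	// The client's dialer ignores the host:port and asks the listener instead,
	// so no DNS lookup or TCP connection happens anywhere.
	client := &http.Client{Transport: &http.Transport{
		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
			return ln.Dial(ctx)
		},
	}}
	resp, err := client.Get("http://private.http.discourse.ziti/")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	body, err := serveAndFetch()
	if err != nil {
		panic(err)
	}
	fmt.Println(body)
}
```

Run it and the handler answers even though `ss -ltn` shows no listening socket for it; whoever controls the listener controls who can reach the service, which is what "listening on the overlay" buys you.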

I personally wouldn’t consider OpenZiti on layer 2 of the OSI model. Realistically, OpenZiti probably operates somewhere after layer 4 (TCP/IP) and before layer 7 (application). OpenZiti is an ‘overlay’ network. It’s a different way of thinking for sure.

Tunneling apps, though, do interact with layer 3/4 (TCP, IP, ports etc.). Tunneling apps are a step along the OpenZiti journey. Most people start here because it's usually just easier for new learners to get going for that reason.

Once you start ‘getting’ OpenZiti and want to start making your own apps - then you get the SDKs and stop thinking IP:port and start “listening on the overlay” instead.

@bottles - I’m travelling today but I want to make you successful. When I get home, I’m happy to make some sort of demonstration video taking it from start to finish if that’d be useful? You’re using AWS right? I’ll make an “eth0.ziti” demo showing exactly the steps.

3 Likes

That is a much better explanation :slight_smile:

1 Like

Wow. That will be very cool. :smiley:

Hi, I have installed the golang application today and it works as expected. Now at least I have one thing that became successful. :blush:

3 Likes

I uploaded a demo video for you with two services. One is the eth0.me demo, the other is a private http server example.

Here’s the video:

Here are the exact commands I copied and pasted - you’ll need to change the IP referenced. I had my totally private VPC ssh/http server running at 172.31.50.50.

# On AWS machine - make the `aws.private.id` identity and enroll it
ziti edge create identity device aws.private.id -o aws.private.id.jwt
ziti edge enroll aws.private.id.jwt

# start the tunneler on the aws/private linux machine
sudo ./ziti-edge-tunnel run -i ./aws.private.id.json 

# On 'local/linux' machine - make the `private.client.id`
ziti edge create identity device private.client.id -o private.client.id.jwt
ziti edge enroll private.client.id.jwt

# start the tunneler on the local linux machine
sudo ./ziti-edge-tunnel run -i private.client.id.json 

# ssh to aws machine and make the overlay objects for eth0
zitiLogin
ziti edge create config 'eth0.host.v1' host.v1 '{"protocol":"tcp", "address":"eth0.me","port":80}'
ziti edge create config 'eth0.intercept.v1' intercept.v1 '{"protocols":["tcp"],"addresses":["eth0.discourse.ziti"], "portRanges":[{"low":80, "high":80}]}'
ziti edge create service 'eth0' --configs 'eth0.intercept.v1','eth0.host.v1'
ziti edge create service-policy 'eth0.binding' Bind --service-roles '@eth0' --identity-roles '@aws.private.id'
ziti edge create service-policy 'eth0.dialing' Dial --service-roles '@eth0' --identity-roles '@private.client.id'

# now define private access to the http server
ziti edge create config 'private.http.host.v1' host.v1 '{"protocol":"tcp", "address":"172.31.50.50","port":80}'
ziti edge create config 'private.http.intercept.v1' intercept.v1 '{"protocols":["tcp"],"addresses":["private.http.discourse.ziti"], "portRanges":[{"low":80, "high":80}]}'
ziti edge create service 'private.http' --configs 'private.http.intercept.v1','private.http.host.v1'
ziti edge create service-policy 'private.http.binding' Bind --service-roles '@private.http' --identity-roles '@aws.private.id'
ziti edge create service-policy 'private.http.dialing' Dial --service-roles '@private.http' --identity-roles '@private.client.id'

# ssh to the aws machine, then ssh to the private http server and start python
ssh 172.31.50.50
# this will start python's SimpleHTTPServer and allow you to exit the ssh session
sudo nohup python -m SimpleHTTPServer 80 > ~/http.log &

# back on local local issue curl and get some results...
curl eth0.discourse.ziti
18.188.201.183

# now curl to the private http server and make sure it works...
curl private.http.discourse.ziti

# now try chrome....
http://private.http.discourse.ziti/

# cleanup after yourself when done (if you like)

ziti edge delete config eth0.host.v1
ziti edge delete config eth0.intercept.v1
ziti edge delete service eth0
ziti edge delete service-policy eth0.binding
ziti edge delete service-policy eth0.dialing

ziti edge delete config private.http.host.v1
ziti edge delete config private.http.intercept.v1
ziti edge delete service private.http
ziti edge delete service-policy private.http.binding
ziti edge delete service-policy private.http.dialing

ziti edge delete identity aws.private.id
ziti edge delete identity private.client.id

1 Like
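A quick consistency check over the objects those commands create, for when a service is defined but `curl` just hangs. This is an added Go example written for this thread, not an OpenZiti tool; Overlay, Lint and DemoOverlay are constructed names. It only models the `@name` role selectors used above and the tunneler-to-tunneler pattern of this thread (one identity hosts the service, another intercepts it), so it treats a service without both a host.v1 and an intercept.v1 config, or without both a Bind and a Dial policy, as a problem. DemoOverlay mirrors the private.http objects from the commands with their JSON bodies pasted as-is.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed in-memory model of the objects the ziti CLI commands above
// create. Only the "@name" role selector form used in those commands is modelled.
type Config struct{ Name, Type, Body string }
type Policy struct {
	Name, Type                  string // "Bind" or "Dial"
	ServiceRoles, IdentityRoles []string
}
type Overlay struct {
	Identities []string
	Configs    []Config
	Services   map[string][]string // service name -> config names
	Policies   []Policy
}

// interceptV1 is the shape of the intercept.v1 body used in the commands.
type interceptV1 struct {
	Addresses  []string `json:"addresses"`
	PortRanges []struct {
		Low  int `json:"low"`
		High int `json:"high"`
	} `json:"portRanges"`
}

// Lint cross-checks the declared objects for the tunneler-to-tunneler pattern:
// each service needs a host.v1 and an intercept.v1 config plus a Bind and a
// Dial policy, and every identity a policy names must exist. Empty = consistent.
func Lint(o Overlay) []string {
	var out []string
	ids := map[string]bool{}
	for _, id := range o.Identities {
		ids[id] = true
	}
	cfgType := map[string]string{}
	for _, c := range o.Configs {
		cfgType[c.Name] = c.Type
		if c.Type != "intercept.v1" {
			continue
		}
		var i interceptV1
		if err := json.Unmarshal([]byte(c.Body), &i); err != nil || len(i.Addresses) == 0 {
			out = append(out, "config "+c.Name+": invalid intercept.v1 body")
		}
		for _, r := range i.PortRanges {
			if r.Low < 1 || r.High > 65535 || r.Low > r.High {
				out = append(out, fmt.Sprintf("config %s: bad port range %d-%d", c.Name, r.Low, r.High))
			}
		}
	}
	count := map[string]int{} // keys "Bind/<service>" and "Dial/<service>"
	for _, p := range o.Policies {
		for _, r := range p.IdentityRoles {
			if len(r) > 1 && r[0] == '@' && !ids[r[1:]] {
				out = append(out, "policy "+p.Name+": unknown identity "+r[1:])
			}
		}
		for _, r := range p.ServiceRoles {
			if len(r) > 1 && r[0] == '@' {
				count[p.Type+"/"+r[1:]]++
			}
		}
	}
	for svc, cfgs := range o.Services {
		has := map[string]bool{}
		for _, c := range cfgs {
			has[cfgType[c]] = true
		}
		if !has["host.v1"] || !has["intercept.v1"] {
			out = append(out, "service "+svc+": needs a host.v1 and an intercept.v1 config")
		}
		for _, t := range []string{"Bind", "Dial"} {
			if count[t+"/"+svc] == 0 {
				out = append(out, "service "+svc+": no "+t+" policy, so it cannot be used")
			}
		}
	}
	return out
}

// DemoOverlay mirrors the private.http objects created by the commands above.
func DemoOverlay() Overlay {
	return Overlay{
		Identities: []string{"aws.private.id", "private.client.id"},
		Configs: []Config{
			{"private.http.host.v1", "host.v1", `{"protocol":"tcp", "address":"172.31.50.50","port":80}`},
			{"private.http.intercept.v1", "intercept.v1", `{"protocols":["tcp"],"addresses":["private.http.discourse.ziti"], "portRanges":[{"low":80, "high":80}]}`},
		},
		Services: map[string][]string{
			"private.http": {"private.http.intercept.v1", "private.http.host.v1"},
		},
		Policies: []Policy{
			{"private.http.binding", "Bind", []string{"@private.http"}, []string{"@aws.private.id"}},
			{"private.http.dialing", "Dial", []string{"@private.http"}, []string{"@private.client.id"}},
		},
	}
}
```

Dropping the Dial policy, or misspelling an identity in `--identity-roles`, produces a finding instead of a silent hang, and a typo in a port range is caught before the controller accepts the config.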

Hi dovholuknf,

That’s great. Thanks so much for letting me know that ziti can work on aws too. I think what I was doing wrong is I started a tunnel on the internal http server machine and you seem to have installed it on the server that is running ziti-router & ziti-controller. I have currently destroyed the environment but I will certainly try this again once I have time.

1 Like

Keep going… it's worth the time :slight_smile:

When I first started… I rebuilt the environment many times… it helps you understand how the installation works :slight_smile:

You absolutely CAN do this. You just need to make sure the private machine can reach the edge router's 'advertised' address so it can connect to the OpenZiti overlay. Technically, if you put the edge router into the same VPC - well, you don't need to run ziti-edge-tunnel in your VPC. ziti-edge-tunnel is similar to a router - but not 'exactly' the same. Read up on the doc site about the differences between "tunnelers" and "routers".

Yep, I am reading more about how the tunnel is working. Is it using the point-to-point tunneling protocol (pptp) [1]?

I can see that the way it creates the tunnel in linux [2] is much like pptp.

[1] Universal TUN/TAP driver
[2] ziti-tunnel-sdk-c/tun.c at a33f53370bcca942fe20a6d488c4a55c00b88ca2 · openziti/ziti-tunnel-sdk-c · GitHub