ZAC ports confusion

Hello!

I'm very new to OpenZiti, I did the Host OpenZiti Anywhere installation and everything worked, except the port of ZAC.

There is a point that mentions that ZAC will be accessible on port 8443:
8443/tcp: Ziti Admin Console (ZAC) [optional]

But mine is only accessible this way --> www.my.exemple.com:8441/zac/

Is there a reason why ZAC has the same port as the edge controller providing client sessions?
Or is it a confusion of mine? Port 8443 doesn't seem to be used in my case, is that normal?

Also, is there an environment variable for the port that is missing from the Host Anywhere documentation?

Thanks in advance!

Hi @SpicyTann, welcome to the community and to OpenZiti!

Yes. Recently, the ZAC was converted from explicitly a node-based app to a SPA. This allowed us to support hosting the ZAC on the same port as the management API. If you update the controller's config file and provide the binding: zac stanzas, your controller will provide the ZAC.

That's just a doc artifact/issue. It needs a bit of changes. You can use the port you used for the controller's api.

From the current "host it anywhere" quickstart. That is documented just before "Run expressInstall":

export ZITI_CTRL_EDGE_ADVERTISED_PORT=8441

If you use that port, your ZAC will be at https://${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS}:${ZITI_CTRL_EDGE_ADVERTISED_PORT}/zac

Hope that helps


Thank you very much for the information!

I was also wondering: doesn't it cause some security problems, since if someone types https://${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS}:${ZITI_CTRL_EDGE_ADVERTISED_PORT} without the /zac/, the API page comes up?

It's no security issue, no. There are two main APIs the controller supports. One is the "client" API and it provides an unauthenticated endpoint that provides "versions" (like you saw).

There is also the 'management' API, which is what modifies the controller and always requires authentication. You can optionally decide to host the zac and management API on different ports if you wish, or as one recent Discourse post shows, you can use OpenZiti to control access to the zac and the management API for a strong security posture.

Have a look at Making ZAC and management API accessible only through service when you're ready to try that 🙂

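The split mentioned in the reply above (management API and ZAC on a different port from the client API) could look like the following `web` section of the controller config. This is an added example, not part of the original thread or the project's own config; the listener names, the hostname `ctrl.example.com`, the loopback bind, the use of port 8443 for the second listener, and the ZAC file path are all assumptions.

```yaml
# Controller config, "web" section only (illustrative; values are placeholders).
web:
  # Listener 1: what enrolled clients and routers need to reach.
  # Only the client API is bound here; its version endpoint is the
  # unauthenticated page seen when browsing to the bare host:port.
  - name: client-api              # hypothetical listener name
    bindPoints:
      - interface: 0.0.0.0:8441
        address: ctrl.example.com:8441   # placeholder advertised address
    apis:
      - binding: edge-client

  # Listener 2: everything that can change the controller, plus the console.
  # Bound to loopback here (assumption) so it is reachable only from the
  # host itself or through a tunnel/OpenZiti service that terminates locally.
  - name: management-api          # hypothetical listener name
    bindPoints:
      - interface: 127.0.0.1:8443
        # The listener's server certificate must be valid for this name.
        address: localhost:8443
    apis:
      - binding: edge-management
      - binding: fabric
      # Serves the ZAC single-page app at /zac on this listener.
      - binding: zac
        options:
          location: /path/to/zac/static/files   # placeholder path
          indexFile: index.html
```

After restarting the controller with a layout like this, the console would be served only at `/zac` on the second listener, while the public port would answer only client API requests.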

That is very interesting, I'll take a look at it. Thank you very much for the fast support!