Hi there,
sooner or later it had to happen I need to connect a ziti host (yes, using containers) via a corporate proxy. I thought it could "just work" ootb so I added the following to my deployment created by the ziti-host helm chart manually:
- env:
  - name: ZITI_IDENTITY_BASENAME
    value: ziti-edge-ziti-host-identity
  - name: http_proxy
    value: http://my-awesome-proxy:3128
  - name: https_proxy
    value: http://my-awesome-proxy:3128
  - name: no_proxy
    value: 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
Unfortunately, it doesn't ....
8)[ 236.342] ERROR ziti-sdk:ziti_ctrl.c:154 ctrl_resp_cb() ctrl[client.sdn.my.company] request failed: -113(host is unreachable)
I have of course also tried http_proxy and https_proxy in capital letters, but that didn't work either.
Any tips for me?
Thanks
Hi Christian! Would those proxies support the CONNECT method? I know that's implemented in Ziti Router, and I don't believe it's implemented for ziti-edge-tunnel, which you're using in that ziti-host Helm chart.
I found this mention of CONNECT support in the changelog for the main Ziti project where the Router code lives: https://github.com/openziti/ziti/blob/release-next/CHANGELOG.md#http-connect-proxy-support
I'll check on egress proxy support for ziti-edge-tunnel too, but it may be necessary to host the service with a Ziti Router if that's the only component that can use a CONNECT proxy.
To accomplish that with the Router you would install the openziti/ziti-router chart. Ensure you enable the router's built-in tunneler when you create the Router in the Ziti management API, CLI, or console.
The Router chart has a default tunnel mode of "host," which has the same behaviors as the hosting mode of ziti-edge-tunnel that's used by the ziti-host chart.
When you create the Router with tunneler enabled, you'll see a system-created Ziti Identity too with type "Router." This is the new Router's built-in tunneler. Assign bind privilege to that Ziti Identity in your Bind Service Policy.
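Since the answer above hinges on whether the corporate proxy accepts CONNECT, here is a small probe to check that before redesigning the deployment. This is an added example, not part of the thread and not OpenZiti code; the proxy name, the controller name and the controller port 443 are placeholders/assumptions, and the two sample replies are constructed.

```python
"""Check whether an HTTP proxy will tunnel (CONNECT) to a given host:port,
e.g. the Ziti controller the tunneler talks to. Added example, not OpenZiti
code; proxy and controller names are placeholders."""
import socket
from typing import Tuple


def build_connect_request(target_host: str, target_port: int) -> bytes:
    """Raw HTTP/1.1 CONNECT request a client sends to a forward proxy.
    After a 2xx reply the proxy relays bytes blindly, so the TLS session
    between tunneler and controller stays end-to-end (no interception)."""
    authority = f"{target_host}:{target_port}"
    return (
        f"CONNECT {authority} HTTP/1.1\r\n"
        f"Host: {authority}\r\n"
        "Proxy-Connection: keep-alive\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_response(raw: bytes) -> Tuple[int, str]:
    """Parse the proxy's status line into (status_code, reason).
    Raises ValueError when the reply is not an HTTP status line."""
    head = raw.partition(b"\r\n\r\n")[0]
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def connect_allowed(raw: bytes) -> bool:
    """True when the proxy agreed to open the tunnel (any 2xx)."""
    return 200 <= parse_connect_response(raw)[0] < 300


def probe_proxy(proxy_host: str, proxy_port: int,
                target_host: str, target_port: int,
                timeout: float = 5.0) -> Tuple[int, str]:
    """Live check against a real proxy: send CONNECT and return its status.
    A 403/405/501 means the proxy will not tunnel to that destination
    (policy, or no CONNECT support), so even a CONNECT-capable client such
    as the Router could not reach the controller through it."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect_request(target_host, target_port))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_connect_response(buf)


# Constructed sample replies, in the shape a proxy sends them.
SAMPLE_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
SAMPLE_DENIED = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_DENIED):
        verdict = "tunnel ok" if connect_allowed(sample) else "tunnel refused"
        print(parse_connect_response(sample), verdict)
    # Against a real proxy (placeholder names; controller port 443 is an assumption):
    # print(probe_proxy("my-awesome-proxy", 3128, "client.sdn.my.company", 443))
```

Run `probe_proxy()` from a host on the corporate network against the controller's edge address; a 2xx means the proxy will tunnel and the Router route is viable, anything else means the proxy policy itself has to change first.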
Hi @qrkourier, long time no hear
Actually, I believe corporate proxy support in ziti-edge-tunnel would be very beneficial for any kind of enterprise network setup.
And yes, of course, I'm talking about the CONNECT method, not about supporting TLS interception or anything like that, just plain proxying.
Hi @ChristianAnton
ziti-edge-tunnel doesn't have the capability to use proxies, but we've needed to work around this issue for demos. We were able to use third-party software called proxychains to get this functional. This is not recommended for production, but it does work. We haven't tried this in a container but imagine it would also work.
In order to do this with a container, you'd need to build a custom version of the ziti-edge-tunnel container (or a custom container in general) and add something like proxychains alongside ziti-edge-tunnel. If you did so, you could use it to capture the outbound traffic and forward it through the proxy.
Here are the steps we followed NOT using a container; this would need to be adapted to a container version:

Proxy Chains setup (install & basic setup):
1. sudo apt install proxychains4
2. vi /etc/proxychains4.conf
3. Add a proxy config like (protocol/proxy address/port):
   http 172.18.102.231 3128
4. Add an exception for the local networks (or any other networks you need), example:
   localnet 172.18.102.0/255.255.255.0
5. Uncomment:
   localnet 127.0.0.0/255.0.0.0

ZET changes (startup needs to be altered to use proxychains):
1. Edit the service file /opt/openziti/share/ziti-edge-tunnel.service
2. Add "proxychains " to the front of both ExecStartPre & ExecStart
3. Reload the daemon: sudo systemctl daemon-reload
Hope that helps until ziti-edge-tunnel has that functionality added.
Note to others following these instructions: I found it necessary to modify the systemd service unit to have an absolute filesystem path to the proxychains4 executable. I'd installed it with Linuxbrew, so my paths were like this.
ExecStartPre=/home/linuxbrew/.linuxbrew/bin/proxychains4 /opt/openziti/bin/ziti-edge-tunnel.sh
ExecStart=/home/linuxbrew/.linuxbrew/bin/proxychains4 /opt/openziti/bin/ziti-edge-tunnel run --verbose=${ZITI_VERBOSE} --dns-ip-range=${ZITI_DNS_IP_RANGE} --identity-dir=${ZITI_IDENTITY_DIR}
Don't forget to load the changes!
sudo systemctl daemon-reload
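Putting the two posts above together, here is a generator for the proxychains config and the systemd change, with a check for the absolute-path pitfall just described. This is an added example, not part of the thread and not OpenZiti or proxychains code. It assumes proxychains-ng's `localnet network/netmask` syntax as used in the posts, uses the proxy address and unit paths from the posts as placeholders, and uses a systemd drop-in override instead of editing the shipped unit file (my choice, not the poster's).

```python
"""Render and sanity-check the proxychains workaround from this thread:
/etc/proxychains4.conf plus a systemd drop-in that prefixes the
ziti-edge-tunnel Exec lines with proxychains4. Added example, not OpenZiti
or proxychains code; proxy address, networks and binary path are
placeholders taken from the posts or constructed."""
import ipaddress
import shutil
from typing import Iterable, List


def cidr_to_localnet(net_spec: str) -> str:
    """proxychains-ng 'localnet' takes network/netmask (as in the posts), while
    no_proxy-style lists use CIDR. Accepts either and always emits netmask
    form, e.g. 10.0.0.0/8 -> 10.0.0.0/255.0.0.0."""
    net = ipaddress.ip_network(net_spec, strict=False)
    return f"{net.network_address}/{net.netmask}"


def render_proxychains_conf(proxy_host: str, proxy_port: int,
                            localnets: Iterable[str]) -> str:
    """Single-hop strict chain through one HTTP (CONNECT) proxy. Each localnet
    line exempts a range so loopback and site-local connections bypass the
    corporate proxy instead of being sent to it."""
    lines = ["strict_chain", "quiet_mode",
             "tcp_connect_time_out 8000", "tcp_read_time_out 15000", ""]
    lines += [f"localnet {cidr_to_localnet(n)}" for n in localnets]
    lines += ["", "[ProxyList]", f"http {proxy_host} {proxy_port}", ""]
    return "\n".join(lines)


def render_systemd_override(proxychains_bin: str,
                            exec_start_pre: str, exec_start: str) -> str:
    """Drop-in for /etc/systemd/system/ziti-edge-tunnel.service.d/override.conf.
    The empty ExecStartPre= / ExecStart= lines reset the unit's own command
    lists before the prefixed commands are added, so the shipped unit file
    stays untouched (an alternative to editing it in place)."""
    return "\n".join([
        "[Service]",
        "ExecStartPre=",
        f"ExecStartPre={proxychains_bin} {exec_start_pre}",
        "ExecStart=",
        f"ExecStart={proxychains_bin} {exec_start}",
        "",
    ])


def find_relative_exec(unit_text: str) -> List[str]:
    """Return Exec* lines whose command is not an absolute path. systemd does
    not search $PATH for Exec* commands (older releases reject a relative
    command outright), which is why the Linuxbrew path had to be spelled out."""
    bad = []
    for line in unit_text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or not key.strip().startswith("Exec"):
            continue
        value = value.strip()
        if not value:            # bare "ExecStart=" is a reset, not a command
            continue
        cmd = value.split()[0].lstrip("-@:+!")   # drop systemd exec-prefix flags
        if not cmd.startswith("/"):
            bad.append(line)
    return bad


def resolve_proxychains() -> str:
    """Absolute path of proxychains4 on this host, or a placeholder if absent."""
    return shutil.which("proxychains4") or "/usr/bin/proxychains4"


if __name__ == "__main__":
    # Proxy from the proxychains post; ranges from the no_proxy list in the first post.
    print(render_proxychains_conf("172.18.102.231", 3128,
          ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]))
    override = render_systemd_override(
        resolve_proxychains(),
        "/opt/openziti/bin/ziti-edge-tunnel.sh",
        "/opt/openziti/bin/ziti-edge-tunnel run --verbose=${ZITI_VERBOSE} "
        "--dns-ip-range=${ZITI_DNS_IP_RANGE} --identity-dir=${ZITI_IDENTITY_DIR}")
    print(override)
    print("relative Exec lines:", find_relative_exec(override))
```

Write the first output to /etc/proxychains4.conf and the second to /etc/systemd/system/ziti-edge-tunnel.service.d/override.conf, make sure `find_relative_exec()` reports nothing, then run `sudo systemctl daemon-reload` and restart the unit.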