Not the end of the road, no, but you'd "probably" want to use zrok for that since this is exactly what zrok accomplishes. It allows you to make a public URL that takes you to a private resource. Quick demo I did for a different discourse post that shows it in action. It's built on top of OpenZiti but not quite "integrated" fully with OpenZiti just yet. There are backlog items to allow zrok to play more tightly with OpenZiti but it gives you the idea... It's basically pretty close to the same thing as the reverse proxy you already have set up, kinda mostly.... I dunno if that will add confusion to your learning, it might! But maybe it'll just click with you... The big difference is you could keep your proxy in the DMZ and STILL keep inbound firewall rules closed. You don't have to have an inbound 'hole' in the firewall to allow the proxy to send data to the target service... Maybe a couple of diagrams help
...
Classic approach (inbound hole from DMZ to private service)
"DMZ" established, hole in firewall forwarding traffic to proxy. Hole in "private network" firewall allowing traffic in from DMZ to specified apps
zrok 'proxy' (no inbound firewall holes)
"DMZ" established, hole in firewall forwarding traffic to zrok front end. NO Hole in "private network" firewall allowing traffic in from DMZ to specified apps. zrok attaches outbound to edge router
You should be able to accomplish this with zrok v0.4 (not 0.3). You'll also have to have one instance of zrok running per service (right now, another backlog item to do 'n' services per zrok instance exists)
BrowZer
BrowZer definitely changes the equation, but I'm not sure if it'd run on a Roku... Here you have no proxy, no zrok frontend but instead BrowZer is able to communicate to the 'public' edge router (I'm intentionally leaving out some BrowZer bits for simplicity's sake). Here though, anything running a simple web browser should be able to access web content without the need to install client-side software.
I think I answered this by now? I hope? If not, lemme know... So "yes and no"...
Yes you can do this too! @NicFragale does exactly this on his home network if you have the right kind of router...
Nic, did you write that up somewhere? This is also exactly what that video I showed before can do. We'd refer to that as "zero trust network access" meaning, you still trust the local network to a decent extent.
Hopefully this helps


