I am trying to deploy OpenZiti in a production environment. The idea is to use an OpenZiti Tunneler (as a reverse proxy) so I can access private apps that only the tunneler can access.
Currently, I have 80 users using it, but the app is not closing sessions as it should, and I have to reboot the tunnelers constantly. Right now I am load-balancing traffic between 4 tunnelers and I am rebooting them almost every day.
More information can be found here: Tunneler stop working
In order to fix this I am trying to deploy the tunneler on Windows instead of Linux; however, I cannot make it work.
I have 2 identities:
ziti edge create identity device Tunneler_6 -a server_test -o Tunneler_6.jwt
ziti edge create identity device Laptop -a networks -o Laptop.jwt
Then I configured the following on the controller:
ziti edge create config vault.host host.v1 '{"protocol":"tcp", "address":"myapp.com", "port":'443'}'
ziti edge create config vault.intercept intercept.v1 '{"protocols":["tcp"],"addresses":["myapp.com"], "portRanges":[{"low":'443', "high":'443'}, {"low":'80', "high":'80'}]}'
ziti edge create service vault.service --configs "vault.host,vault.intercept"
ziti edge delete service-policy vault.bind
ziti edge create service-policy vault.bind Bind --service-roles '@vault.service' --identity-roles '#server_test'
ziti edge create service-policy vault.dial Dial --service-roles '@vault.service' --identity-roles '#networks'
I then created a Windows VM on AWS, installed Windows Ziti Edge, and added the “Tunneler_6” identity.
And on my laptop (MacOS), I added the “Laptop” identity.
I can see both services on both devices but I cannot access “myapp.com” from my laptop.
I thought it could be a Firewall issue so I disabled the Windows firewall and I am allowing all traffic in the AWS security group. However, it is still failing.
As part of my troubleshooting, I tried using the IP of “myapp.com” instead of the URL.
Let’s assume that the DNS record for myapp.com is 9.9.9.9 so I configured this service instead:
ziti edge create config vault2.host host.v1 '{"protocol":"tcp", "address":"9.9.9.9","port":'443'}'
ziti edge create config vault2.intercept intercept.v1 '{"protocols":["tcp"],"addresses":["9.9.9.9"], "portRanges":[{"low":'443', "high":'443'}]}'
ziti edge create service vault2.service --configs "vault2.host,vault2.intercept"
ziti edge create service-policy vault2.bind Bind --service-roles '@vault2.service' --identity-roles '#server_test'
ziti edge create service-policy vault2.dial Dial --service-roles '@vault2.service' --identity-roles '#networks'
And then I deleted the old “vault” service.
Now, when I open a browser on my laptop and go to https://9.9.9.9 it works. That means that the issue has to be DNS since when I use the IP instead of the URL it works fine.
Any idea what it could be?
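A small consistency check over the two service definitions in the post, added here as an illustration; it is not part of the question and not OpenZiti project code. It loads the host.v1 and intercept.v1 JSON exactly as the shell passes it to the controller (the inner '443' quotes only close and reopen the single-quoted string, so the controller receives plain numbers), then reports where the intercept side asks for something the host side cannot deliver, and where resolution depends on a tunneler's DNS. The fields `forwardPort`, `allowedPortRanges` and `allowedProtocols` are handled as host.v1 fields as I recall the schema; treat that part as an assumption.

```python
import ipaddress
import json

# Constructed from the commands in the post: the JSON the controller actually stores.
VAULT_HOST = json.loads('{"protocol":"tcp", "address":"myapp.com", "port":443}')
VAULT_INTERCEPT = json.loads(
    '{"protocols":["tcp"],"addresses":["myapp.com"],'
    ' "portRanges":[{"low":443, "high":443}, {"low":80, "high":80}]}'
)
VAULT2_HOST = json.loads('{"protocol":"tcp", "address":"9.9.9.9","port":443}')
VAULT2_INTERCEPT = json.loads(
    '{"protocols":["tcp"],"addresses":["9.9.9.9"], "portRanges":[{"low":443, "high":443}]}'
)


def _range_ports(ranges):
    """Expand [{"low": n, "high": m}, ...] into a set of individual ports."""
    ports = set()
    for r in ranges:
        ports.update(range(int(r["low"]), int(r["high"]) + 1))
    return ports


def _is_ip_literal(addr):
    """True for an IPv4/IPv6 literal, False for a hostname that needs DNS."""
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def check_service(host, intercept):
    """Compare a host.v1 config with its intercept.v1 config.

    Returns {"errors": [...], "notes": [...]}.  Errors are mismatches the
    hosting tunneler cannot satisfy; notes flag where name resolution
    happens (intercept hostnames are resolved by the dialing tunneler's
    resolver, host hostnames by the hosting tunneler's OS resolver).
    """
    errors, notes = [], []

    # Protocols: a fixed "protocol", or (assumed schema) an allowedProtocols list.
    host_protos = {host["protocol"]} if "protocol" in host else set(host.get("allowedProtocols", []))
    for proto in intercept.get("protocols", []):
        if proto not in host_protos:
            errors.append(f"intercept protocol {proto} is not served by the host config")

    # Ports: a fixed "port" is dialed for every intercepted port, whatever it was.
    wanted = _range_ports(intercept.get("portRanges", []))
    if "port" in host:
        fixed = int(host["port"])
        for p in sorted(wanted - {fixed}):
            errors.append(f"intercepted port {p} will be forwarded to fixed host port {fixed}")
    elif host.get("forwardPort"):  # assumed schema: forward the intercepted port as-is
        allowed = _range_ports(host.get("allowedPortRanges", []))
        for p in sorted(wanted - allowed):
            errors.append(f"intercepted port {p} is outside the host's allowedPortRanges")
    else:
        errors.append("host config has neither a fixed port nor forwardPort")

    # DNS dependencies on each side.
    for addr in intercept.get("addresses", []):
        if not _is_ip_literal(addr):
            notes.append(f"intercept of {addr} relies on the dialing tunneler's DNS resolver")
    if "address" in host and not _is_ip_literal(host["address"]):
        notes.append(f"host dials {host['address']} via the hosting tunneler's OS resolver")

    return {"errors": errors, "notes": notes}


if __name__ == "__main__":
    for name, h, i in (("vault", VAULT_HOST, VAULT_INTERCEPT),
                       ("vault2", VAULT2_HOST, VAULT2_INTERCEPT)):
        result = check_service(h, i)
        print(name, json.dumps(result, indent=2))
```

Run against the post's definitions, the `vault` service gets one error (port 80 is intercepted but always dialed to 443) and two DNS notes, while `vault2`, built purely from the IP literal, gets neither; that matches the observation that the IP-based service works and narrows the remaining question to which resolver answers for myapp.com on each side.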