I went through all the steps, start to finish, of enabling zrok on a Let's Encrypt-enabled OpenZiti deployment. As usual, here's a walkthrough video along with every command I ran.
YouTube Video:
Commands
Prerequisites
- purchase/provision a wildcard DNS entry and verify it resolves
- obtain a keypair from Let's Encrypt, for example: sudo certbot certonly -d '*.clint.demo.openziti.org' --manual --preferred-challenges dns
- follow the OpenZiti alternative server certs guide:
  - controller config, address fields
  - controller config, web.identity section key/server_cert
  - router config, add alt_server_certs
  - sudo systemctl restart ziti-controller
  - sudo systemctl restart ziti-router
 
Run as root
zrok currently expects to find $HOME/.zrok, and the systemd units below run as root, so everything here is done from a root shell.
If you don't want to run as root, keep that in mind and adjust the paths and the User= lines accordingly.
sudo -i
establish a bunch of variables. I put these into root's .bashrc.
ZITI_USER, ZITI_PWD and ZITI_EDGE_CONTROLLER_PORT, which are used further down, are assumed to already be set by the OpenZiti quickstart environment. ZROK_ADMIN_TOKEN is the secret that grants admin access to the zrok controller API, so replace the placeholder value below with a long random one.
export ZROK_ROOT=$HOME/.zrok
export PATH=$PATH:$ZROK_ROOT/bin
export ZROK_CTRL_PORT=18444
export ZROK_FRONTEND_PORT=8080
export ZROK_NGINX_PORT=8445
export ZROK_ZITI_CTRL_WILDCARD=clint.demo.openziti.org
export ZROK_API_ADDRESS="api.${ZROK_ZITI_CTRL_WILDCARD}"
export ZROK_API_ENDPOINT=http://localhost:${ZROK_CTRL_PORT}
export ZROK_ADMIN_TOKEN=my_zrok_admin_token
Nginx
install nginx
sudo apt install nginx -y
back up the existing config file if you want
sudo mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig
create a new "zrok-only" config file for nginx
sudo tee /etc/nginx/nginx.conf > /dev/null << HERE
events {
}
http {
  server {
      listen              ${ZROK_NGINX_PORT} ssl;
      server_name         ${ZROK_API_ADDRESS};
      ssl_certificate     /etc/letsencrypt/live/${ZROK_ZITI_CTRL_WILDCARD}/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/${ZROK_ZITI_CTRL_WILDCARD}/privkey.pem;
      ssl_protocols       TLSv1.2;
      ssl_ciphers         HIGH:!aNULL:!MD5;
      location / {
        proxy_pass      http://127.0.0.1:${ZROK_CTRL_PORT};
        error_log       /var/log/nginx/zrok-controller.log;
      }
  }
  server {
      listen              ${ZROK_NGINX_PORT} ssl;
      server_name         *.${ZROK_ZITI_CTRL_WILDCARD};
      ssl_certificate     /etc/letsencrypt/live/${ZROK_ZITI_CTRL_WILDCARD}/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/${ZROK_ZITI_CTRL_WILDCARD}/privkey.pem;
      ssl_protocols       TLSv1.2;
      ssl_ciphers         HIGH:!aNULL:!MD5;
      location / {
        proxy_pass       http://127.0.0.1:${ZROK_FRONTEND_PORT};
        proxy_set_header Host \$host;
        error_log        /var/log/nginx/zrok-frontend.log;
        proxy_busy_buffers_size   512k;
        proxy_buffers    4 512k;
        proxy_buffer_size   256k;
      }
  }
}
HERE
sudo nginx -t
sudo systemctl restart nginx
LetsEncrypt work
append the Let's Encrypt certificate chain to the quickstart's CA bundle so the ziti CLI trusts the controller's new server certificate (the path below includes the quickstart host's directory, ip-172-31-11-231 in my case; use your own):
cat /etc/letsencrypt/live/${ZROK_ZITI_CTRL_WILDCARD}/fullchain.pem >> $HOME/.ziti/quickstart/ip-172-31-11-231/pki/cas.pem
sudo systemctl restart ziti-controller
echo "verify the controller works properly using the browser and navigating to"
echo ""
echo "  https://ctrl.${ZROK_ZITI_CTRL_WILDCARD}:${ZITI_EDGE_CONTROLLER_PORT}"
echo ""
Logging into ziti
use this command to log in to ziti:
export ZITI_EDGE_CTRL_ADVERTISED_HOST_PORT=ctrl.${ZROK_ZITI_CTRL_WILDCARD}:${ZITI_EDGE_CONTROLLER_PORT}
ziti edge login ${ZITI_EDGE_CTRL_ADVERTISED_HOST_PORT} -u $ZITI_USER -p $ZITI_PWD -y
Prep for zrok
mkdir -p $ZROK_ROOT/bin
cd $ZROK_ROOT/bin
wget https://github.com/openziti/zrok/releases/download/v0.3.1/zrok_0.3.1_linux_amd64.tar.gz
tar zxvf zrok_0.3.1_linux_amd64.tar.gz
write ctrl.yml from the variables. It will contain the admin secret and the ziti admin password, so keep it readable by root only:
cat > $ZROK_ROOT/ctrl.yml << HERE
v:                  2
admin:
  secrets:
    -               $ZROK_ADMIN_TOKEN
endpoint:
  host:             0.0.0.0
  port:             $ZROK_CTRL_PORT
store:
  path:             zrok.db
  type:             sqlite3
ziti:
  api_endpoint:     "https://${ZITI_EDGE_CTRL_ADVERTISED_HOST_PORT}"
  username:         "${ZITI_USER}"
  password:         "${ZITI_PWD}"
HERE
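Before rendering ctrl.yml, a pre-flight check is worth having: the unquoted heredocs in this walkthrough expand any unset variable (ZITI_USER, ZITI_PWD, ZITI_EDGE_CTRL_ADVERTISED_HOST_PORT) to an empty string without complaint, and the Let's Encrypt wildcard and the nginx server_name only cover names exactly one label under clint.demo.openziti.org. The script below is an added example, not code from this post or from the zrok project; its functions (wildcard_covers, require_vars, check_names, render_ctrl_yml, preflight) are hypothetical helpers written for this page. It renders the same ctrl.yml keys as above with two deliberate differences: the controller binds to 127.0.0.1 instead of 0.0.0.0, since nginx proxies to loopback anyway, and the file is created with mode 0600 because it holds the admin secret and the ziti password.

```shell
#!/usr/bin/env bash
# Added example for this walkthrough (not from the original post or the zrok
# project). All functions here are hypothetical helpers; the ctrl.yml keys
# rendered at the bottom are the ones used in the walkthrough.

# wildcard_covers PATTERN NAME
# Returns 0 when a wildcard certificate name such as '*.clint.demo.openziti.org'
# covers NAME under the usual TLS hostname rules (RFC 6125): '*' matches
# exactly one DNS label, so the bare apex and deeper subdomains are not covered.
wildcard_covers() {
    local pattern name suffix prefix
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        '*.'*) ;;
        *) [ "$pattern" = "$name" ]; return ;;   # no wildcard: exact match only
    esac
    suffix=${pattern#\*.}                 # clint.demo.openziti.org
    prefix=${name%".$suffix"}             # labels left of ".suffix"
    [ "$prefix" != "$name" ] || return 1  # NAME does not end in ".suffix"
    [ -n "$prefix" ] || return 1
    case "$prefix" in
        *.*) return 1 ;;                  # two or more labels: not covered
    esac
    return 0
}

# require_vars VAR...
# Fails and names every variable that is unset or empty, so a heredoc is never
# rendered with blanks where a username, password or port should be.
require_vars() {
    local v val missing=""
    for v in "$@"; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || missing="$missing $v"
    done
    [ -z "$missing" ] && return 0
    printf 'missing required variables:%s\n' "$missing" >&2
    return 1
}

# check_names WILDCARD_BASE NAME...
# Verifies every NAME is served by the *.WILDCARD_BASE certificate and the
# nginx server_name before anything is pointed at it.
check_names() {
    local base=$1 n rc=0
    shift
    for n in "$@"; do
        if wildcard_covers "*.$base" "$n"; then
            printf 'covered by *.%s: %s\n' "$base" "$n"
        else
            printf 'NOT covered by *.%s: %s\n' "$base" "$n" >&2
            rc=1
        fi
    done
    return $rc
}

# render_ctrl_yml OUTFILE
# Writes the walkthrough's ctrl.yml only after its inputs are checked, bound to
# loopback (nginx proxies to 127.0.0.1, so the plaintext API need not listen on
# every interface), and with mode 0600 because the file carries the zrok admin
# secret and the ziti admin password.
render_ctrl_yml() {
    local out=$1
    require_vars ZROK_ADMIN_TOKEN ZROK_CTRL_PORT \
        ZITI_EDGE_CTRL_ADVERTISED_HOST_PORT ZITI_USER ZITI_PWD || return 1
    (
        umask 077
        cat > "$out" <<EOF
v:                  2
admin:
  secrets:
    -               $ZROK_ADMIN_TOKEN
endpoint:
  host:             127.0.0.1
  port:             $ZROK_CTRL_PORT
store:
  path:             zrok.db
  type:             sqlite3
ziti:
  api_endpoint:     "https://${ZITI_EDGE_CTRL_ADVERTISED_HOST_PORT}"
  username:         "${ZITI_USER}"
  password:         "${ZITI_PWD}"
EOF
    ) && chmod 600 "$out"
}

# preflight OUTFILE
# Runs every check, then renders ctrl.yml only if all of them pass.
preflight() {
    require_vars ZROK_ZITI_CTRL_WILDCARD ZROK_API_ADDRESS \
        ZITI_EDGE_CTRL_ADVERTISED_HOST_PORT || return 1
    check_names "$ZROK_ZITI_CTRL_WILDCARD" "$ZROK_API_ADDRESS" \
        "${ZITI_EDGE_CTRL_ADVERTISED_HOST_PORT%%:*}" || return 1
    render_ctrl_yml "$1"
}
```

Source the file in the root shell once the variables are set and run `preflight "$ZROK_ROOT/ctrl.yml"`; it refuses to write anything if a variable is blank or if api.clint.demo.openziti.org or the ctrl hostname falls outside the wildcard, and otherwise leaves a root-only ctrl.yml ready for the bootstrap step.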
bootstrap zrok
zrok admin bootstrap $ZROK_ROOT/ctrl.yml
ZROK_FRONTEND_TOKEN
the bootstrap output logs the identity token for the public frontend; find it and set the variable (the value below is from this run, yours will differ):
ZROK_FRONTEND_TOKEN="j.mUrwBGrp"
zrok controller service
sudo tee /etc/systemd/system/zrok-controller.service > /dev/null << HERE
[Unit]
Description=zrok-controller
After=network.target
[Service]
User=root
WorkingDirectory=$ZROK_ROOT
ExecStart="$ZROK_ROOT/bin/zrok" controller "$ZROK_ROOT/ctrl.yml"
Restart=always
RestartSec=2
LimitNOFILE=65535
[Install]
WantedBy=multi-user.target
HERE
sudo systemctl daemon-reload
sudo systemctl enable --now zrok-controller
create the public frontend ({token} is a literal placeholder that zrok replaces with each share's token, so leave it unexpanded):
zrok admin create frontend ${ZROK_FRONTEND_TOKEN} public https://{token}.${ZROK_ZITI_CTRL_WILDCARD}:${ZROK_NGINX_PORT}
frontend config file
cat > $ZROK_ROOT/http-frontend.yml << HERE
host_match: ${ZROK_ZITI_CTRL_WILDCARD}
address: 0.0.0.0:${ZROK_FRONTEND_PORT}
HERE
sudo tee /etc/systemd/system/zrok-frontend.service > /dev/null << HERE
[Unit]
Description=zrok-frontend
After=network.target
[Service]
User=root
WorkingDirectory=$ZROK_ROOT
ExecStart="$ZROK_ROOT/bin/zrok" access public "$ZROK_ROOT/http-frontend.yml"
Restart=always
RestartSec=2
LimitNOFILE=65535
[Install]
WantedBy=multi-user.target
HERE
sudo systemctl daemon-reload
sudo systemctl enable --now zrok-frontend
Do an invite
zrok invite
(enter your email and submit)
use journalctl to get the registration token:
journalctl -fu zrok-controller
set the token and echo the registration URL:
export ZROK_REGISTRATION_TOKEN="UrxepUAxiEyk"
echo "To finish the invitation, direct your browser to:"
echo ""
echo "    https://${ZROK_API_ADDRESS}:${ZROK_NGINX_PORT}/register/${ZROK_REGISTRATION_TOKEN}"
echo ""
'enable' zrok
get your enable token from the zrok web UI after registering and use it to enable a shell environment somewhere; these echo lines print the steps to run there:
ZROK_ENABLE_TOKEN="UIFZ3NeMvFiU"
echo "in a target environment:"
echo "  - disable zrok if needed:"
echo "    zrok disable"
echo ""
echo "  - set the zrok apiEndpoint using the following:"
echo "    zrok config set apiEndpoint https://${ZROK_API_ADDRESS}:${ZROK_NGINX_PORT}"
echo ""
echo "  - enable the zrok env:"
echo "    zrok enable ${ZROK_ENABLE_TOKEN}"
I hope that shows you all the steps, and is clear/easy to follow
