Zrok Self Host with dynamic IP and ClouDNS

Hi Ken, could you please upload the experimental version again? My ISP allowed me to open those ports.

curl -sSf https://get.openziti.io/zrok-instance/fetch.bash | ZROK_REPO_ZIP=https://github.com/openziti/zrok/archive/refs/heads/docker-instance-set-caddy-port.zip bash

Congrats! No need for the experimental version I referenced. Now, the official version of zrok supports setting the Caddy port to something other than 443. It'll use 443 if you don't set it.

Hi everyone!

Service ports

ZROK_CTRL_PORT=18080
ZROK_FRONTEND_PORT=8080
ZROK_OAUTH_PORT=8081
ZITI_CTRL_ADVERTISED_PORT=80
ZITI_ROUTER_PORT=3022

Do these ports have to be open on the router? Or only the:

ZITI_CTRL_ADVERTISED_PORT
CADDY_HTTPS_PORT
ZITI_ROUTER_PORT

Thanks for answering

I assume you're following the zrok self-hosting guide for Docker: Self-hosting guide for Docker | zrok

You must publish these secure ports mentioned in the guide. These are "secure ports" because they terminate TLS, and so they must be "open" a.k.a. "published" to the web.

  • ZITI_CTRL_ADVERTISED_PORT - Ziti controller's TLS server
  • ZITI_ROUTER_PORT - Ziti router's TLS server
  • CADDY_HTTPS_PORT or TRAEFIK_HTTPS_PORT - a proxy for the insecure ports (default 443)

You should not publish these insecure ports. zrok controller and zrok frontend listen on these ports locally, and they must be published with a TLS proxy like Caddy or Traefik for security.

  • ZROK_CTRL_PORT
  • ZROK_FRONTEND_PORT
  • ZROK_OAUTH_PORT
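One way to check a router's port forwards against the split described in the answer above, as an added example that is not part of the original thread or the zrok project. The helper names `parse_env` and `audit` and the forwarded-port list are constructed for illustration; the variable names, the sample port values and the 443 default come from the thread.

```python
# Added example: compare a zrok Docker .env with the ports forwarded on the router.
SECURE = ("ZITI_CTRL_ADVERTISED_PORT", "ZITI_ROUTER_PORT")   # terminate TLS
PROXY = ("CADDY_HTTPS_PORT", "TRAEFIK_HTTPS_PORT")           # TLS proxy port
INSECURE = ("ZROK_CTRL_PORT", "ZROK_FRONTEND_PORT", "ZROK_OAUTH_PORT")
DEFAULT_PROXY_PORT = 443  # per the thread: used when the proxy port is not set

# Port values quoted in the thread; no proxy port is set, so 443 applies.
SAMPLE_ENV = """\
# Service ports
ZROK_CTRL_PORT=18080
ZROK_FRONTEND_PORT=8080
ZROK_OAUTH_PORT=8081
ZITI_CTRL_ADVERTISED_PORT=80
ZITI_ROUTER_PORT=3022
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks, comments and empty values."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip().strip("\"'")
        if value:
            env[key.strip()] = value
    return env

def audit(env_text, forwarded):
    """Hypothetical helper: classify router forwards against the .env."""
    env, fwd = parse_env(env_text), set(forwarded)
    proxy = next((n for n in PROXY if n in env), PROXY[0])
    must = {n: int(env[n]) for n in SECURE if n in env}
    must[proxy] = int(env.get(proxy, DEFAULT_PROXY_PORT))
    never = {n: int(env[n]) for n in INSECURE if n in env}
    return {
        "unset": [n for n in SECURE if n not in env],
        "missing": [f"{n}={p}" for n, p in must.items() if p not in fwd],
        "exposed": [f"{n}={p}" for n, p in never.items() if p in fwd],
        "unexpected": sorted(fwd - set(must.values()) - set(never.values())),
    }

if __name__ == "__main__":
    # Constructed router forward list: 8080 is forwarded by mistake, 443 is not.
    for kind, items in audit(SAMPLE_ENV, [80, 3022, 8080]).items():
        print(f"{kind}: {items}")
```

Anything listed under `exposed` is a plaintext zrok listener reachable from the web, and anything under `missing` is a TLS port that clients will not be able to reach.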