Idea / feature request: Cloudflare as reverse proxy for Ziti Console, Controller and Routers #1257

Open
qdrddr opened this issue Aug 22, 2023 · 7 comments

Comments

@qdrddr

qdrddr commented Aug 22, 2023

Suppose Ziti is intended to be publicly available on the internet. In that case, some services must be exposed to the public internet and have public DNS records added. Therefore, sensitive and vital Ziti components are discoverable to everyone and are open to DDoS and hacks.

To limit this malicious activity, please consider tuning Ziti Console, Controller, and Routers themselves to be hidden behind an asynchronous reverse proxy such as Cloudflare. Cloudflare provides a DNS server and a reverse proxy functionality alongside proper security functionality such as DDoS protection and IP Whitelisting using Cloudflare's Zone-level Web Application Firewall (WAF) and Configured IP Custom Lists.

These pieces of Cloudflare's functionality: CA Signed Certificate, DDoS protection & WAF IP Whitelisting, are free for everyone and can be highly efficient in protecting Ziti Console, Controller, and Routers from malicious activity.

PS. Ziti Console works behind Cloudflare reverse proxy perfectly well and is listed here as an example to illustrate the need better. Therefore, only Controller and Routers must be fine-tuned to work over HTTPS behind an asynchronous proxy such as Cloudflare.

@philipleonardgriffiths

philipleonardgriffiths commented Aug 24, 2023

Thank you for posting these issues - it's obvious you put a lot of effort into this, and we really appreciate it. Would you be open to having a meeting to discuss further? It's possible you misunderstood some features around how Ziti works as we have not documented it well enough.

@smilindave26
Member

@philipleonardgriffiths what do you think @qdrddr misunderstood in this issue? Did you mean to post this on a different one?

@philipleonardgriffiths

philipleonardgriffiths commented Aug 24, 2023

@smilindave26, I think it's best to chat over a call on it.

@qdrddr
Author

qdrddr commented Aug 24, 2023

sure

@philipleonardgriffiths

@qdrddr, cool. I don't know of a way to DM you on GH. Can you email me at philip.griffiths@netfoundry.io? We can agree a slot directly on mail.

@qdrddr
Author

qdrddr commented Aug 25, 2023

@philipleonardgriffiths done

@philipleonardgriffiths

philipleonardgriffiths commented Aug 25, 2023

@qdrddr Thanks. I will loop in @mikegorman-nf too.

plorenz added a commit that referenced this issue Sep 28, 2023
update CODEOWNERS to sig-core and update MM notifications