Idea / feature request: Cloudflare as reverse proxy for Ziti Console, Controller and Routers #1257
Comments
Thank you for posting these issues - it's obvious you put a lot of effort into this, and we really appreciate it. Would you be open to having a meeting to discuss further? It's possible you misunderstood some features around how Ziti works as we have not documented it well enough.
@philipleonardgriffiths what do you think @qdrddr misunderstood in this issue? Did you mean to post this on a different one?
@smilindave26, I think it's best to chat over a call on it.
sure
@qdrddr, cool. I don't know of a way to DM you on GH. Can you email me at philip.griffiths@netfoundry.io? We can agree a slot directly on mail.
@qdrddr Thanks. I will loop in @mikegorman-nf too.
update CODEOWNERS to sig-core and update MM notifications
Suppose Ziti is intended to be publicly available on the internet. In that case, some services must be exposed to the public internet and add DNS public records. Therefore, sensitive and vital Ziti components are discoverable to everyone and are open for DDoS and hacks.
To limit this malicious activity, please consider tuning Ziti Console, Controller, and Routers themselves to be hidden behind an asynchronous reverse proxy such as Cloudflare. Cloudflare provides a DNS server and a reverse proxy functionality alongside proper security functionality such as DDoS protection and IP Whitelisting using Cloudflare's Zone-level Web Application Firewall (WAF) and Configured IP Custom Lists.
These pieces of Cloudflare's functionality: CA Signed Certificate, DDoS protection & WAF IP Whitelisting, are free for everyone and can be highly efficient in protecting Ziti Console, Controller, and Routers from malicious activity.
PS. Ziti Console works behind Cloudflare reverse proxy perfectly well and is listed here as an example to illustrate the need better. Therefore only Controller and Routers must be fine-tuned to work over HTTPS behind an asynchronous proxy such as Cloudflare.