Open qdrddr opened 1 year ago
Thank you for posting these issues - it's obvious you put a lot of effort into this, and we really appreciate it. Would you be open to having a meeting to discuss further? It's possible you misunderstood some features around how Ziti works as we have not documented it well enough.
@philipleonardgriffiths what do you think @qdrddr misunderstood in this issue? Did you mean to post this on a different one?
@smilindave26, I think it's best to chat over a call on it.
sure
@qdrddr, cool. I don't know of a way to DM you on GH. Can you email me at philip.griffiths@netfoundry.io. We can agree a slot directly on mail.
@philipleonardgriffiths done
@qdrddr Thanks. I will loop in @mikegorman-nf too.
Suppose Ziti is intended to be publicly available on the internet. In that case, some services must be exposed to the public internet and public DNS records must be added. Therefore, sensitive and vital Ziti components are discoverable to everyone and are open for DDoS and hacks.
To limit this malicious activity, please consider tuning Ziti Console, Controller, and Routers themselves to be hidden behind an asynchronous reverse proxy such as Cloudflare. Cloudflare provides a DNS server and a reverse proxy functionality alongside proper security functionality such as DDoS protection and IP Whitelisting using Cloudflare's Zone-level Web Application Firewall (WAF) and Configured IP Custom Lists.
These pieces of Cloudflare's functionality: CA Signed Certificate, DDoS protection & WAF IP Whitelisting, are free for everyone and can be highly efficient in protecting Ziti Console, Controller, and Routers from malicious activity.
PS. Ziti Console works behind Cloudflare reverse proxy perfectly well and is listed here as an example to illustrate the need better. Therefore only Controller and Routers must be fine-tuned to work over HTTPS behind an asynchronous proxy such as Cloudflare.
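An added audit example (not from the issue or the Ziti project) for the exposure the request describes: given the public hostnames of the console, controller and routers, it checks whether each DNS answer falls inside the fronting proxy's edge ranges (origin hidden) or points straight at the origin (exposed). The hostnames, proxy ranges and DNS answers are constructed sample data; it only verifies where DNS points and does not check whether the proxy actually forwards the non-HTTP ports the controller and routers listen on.

```python
"""Audit which Ziti-facing hostnames resolve to a reverse proxy and which expose the origin."""
import ipaddress
import socket

# Hypothetical hostnames for the three components named in the issue.
ENDPOINTS = {
    "ziti-console.example.com": "console",
    "ziti-controller.example.com": "controller",
    "ziti-router1.example.com": "router",
}

# Constructed stand-in for the proxy provider's published edge IP ranges.
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed DNS answers so the example runs offline; use resolve_live() in practice.
SAMPLE_DNS = {
    "ziti-console.example.com": ["198.51.100.10"],          # only proxy edge IPs
    "ziti-controller.example.com": ["192.0.2.15"],          # origin IP published directly
    "ziti-router1.example.com": ["192.0.2.16", "203.0.113.7"],  # mixed: one record bypasses the proxy
}


def resolve_live(hostname):
    """Resolve A records with the system resolver (swap in for SAMPLE_DNS.get on a real deployment)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)})


def is_proxied(ip, ranges=PROXY_RANGES):
    """True when the address lies inside one of the proxy's edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def audit(endpoints=ENDPOINTS, resolver=SAMPLE_DNS.get, ranges=PROXY_RANGES):
    """Map each hostname to 'hidden', 'exposed' (any record bypasses the proxy) or 'unresolved'."""
    report = {}
    for host in endpoints:
        ips = resolver(host) or []
        if not ips:
            report[host] = "unresolved"
            continue
        leaked = [ip for ip in ips if not is_proxied(ip, ranges)]
        report[host] = "exposed" if leaked else "hidden"
    return report


if __name__ == "__main__":
    for host, state in audit().items():
        print(f"{ENDPOINTS[host]:<10} {host:<32} {state}")
```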