openziti / ziti

The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti
https://openziti.io
Apache License 2.0

Idea / feature request: Cloudflare as reverse proxy for Ziti Console, Controller and Routers #1257

Open qdrddr opened 1 year ago

qdrddr commented 1 year ago

Suppose Ziti is intended to be publicly available on the internet. In that case, some services must be exposed to the public internet and public DNS records added. Therefore, sensitive and vital Ziti components are discoverable to everyone and are open for DDoS and hacks.

To limit this malicious activity, please consider tuning Ziti Console, Controller, and Routers themselves to be hidden behind an asynchronous reverse proxy such as Cloudflare. Cloudflare provides a DNS server and a reverse proxy functionality alongside proper security functionality such as DDoS protection and IP Whitelisting using Cloudflare's Zone-level Web Application Firewall (WAF) and Configured IP Custom Lists.

These pieces of Cloudflare's functionality: CA Signed Certificate, DDoS protection & WAF IP Whitelisting, are free for everyone and can be highly efficient in protecting Ziti Console, Controller, and Routers from malicious activity.

PS. Ziti Console works behind Cloudflare reverse proxy perfectly well and is listed here as an example to illustrate the need better. Therefore only Controller and Routers must be fine-tuned to work over HTTPS behind an asynchronous proxy such as Cloudflare.

philipleonardgriffiths commented 1 year ago

Thank you for posting these issues - it's obvious you put a lot of effort into this, and we really appreciate it. Would you be open to having a meeting to discuss further? It's possible you misunderstood some features around how Ziti works as we have not documented it well enough.

smilindave26 commented 1 year ago

@philipleonardgriffiths what do you think @qdrddr misunderstood in this issue? Did you mean to post this on a different one?

philipleonardgriffiths commented 1 year ago

@smilindave26, I think it's best to chat over a call on it.

qdrddr commented 1 year ago

sure

philipleonardgriffiths commented 1 year ago

@qdrddr, cool. I don't know of a way to DM you on GH. Can you email me at philip.griffiths@netfoundry.io? We can agree a slot directly on mail.

qdrddr commented 1 year ago

@philipleonardgriffiths done

philipleonardgriffiths commented 1 year ago

@qdrddr Thanks. I will loop in @mikegorman-nf too.