Introduction
Enterprise network and security operations teams are becoming increasingly reluctant to make changes to network or security gateways such as firewalls, for reasons including risk aversion, impact on regulatory compliance, lack of resources and complexity. This delays the deployment of a NetFoundry Cloud edge such as a Ziti Edge Tunneler (ZET) in the LAN behind the firewall. At times the deployment itself is not feasible because strict policies do not allow changes to outbound rules (NetFoundry Cloud does not require any inbound ports or IPs to be opened). The alternative approach taken by enterprises is to deploy the Ziti Edge Tunneler behind a proxy. Proxies are typically configured with an allow-all outbound policy, or it is relatively easy to change the proxy policy to allow the DNS names / IPs of the NetFoundry Cloud controller and public fabric routers. NetFoundry has introduced support for Ziti Edge Tunnelers to work behind proxies. Only HTTP proxies with basic authentication are currently supported. Should you have any questions or feedback on this article, reach us at customer.success@netfoundry.io.
Architecture diagram of a Ziti Edge Tunneler deployed behind a proxy
The diagram above represents a Ziti Edge Tunneler deployed behind a network proxy. The Ziti Edge Tunneler can communicate with another router or endpoint in the network to initiate or receive traffic.
In this article, our goals are to:
1. Understand how to deploy and register a ZET behind a proxy
2. Access a demo app ("hello world") over a NetFoundry network from a ZET deployed behind a proxy
3. Verify that control plane and data plane traffic flows via the proxy server
Configure Proxy on the Ziti Edge Tunneler VM
Set up the environment variables to route traffic through the proxy:
echo 'export HTTP_PROXY="http://192.168.0.142:3128"' | sudo tee -a /etc/environment
echo 'export NO_PROXY="127.0.0.1,localhost"' | sudo tee -a /etc/environment
source /etc/environment
Verify the proxy settings:
echo $HTTP_PROXY
echo $NO_PROXY
Expected output:
http://192.168.0.142:3128
127.0.0.1,localhost
Configure Ziti Edge Tunneler to Use the Proxy
Modify the systemd service file so that the Ziti Edge Tunneler always uses the proxy.
Edit the Ziti Edge Tunnel service file:
sudo nano /usr/lib/systemd/system/ziti-edge-tunnel.service
Modify the ExecStart line to include the -x option for the proxy:
[Unit]
Description=Ziti Edge Tunnel
After=network-online.target
[Service]
Type=simple
# default values
Environment="ZITI_IDENTITY_DIR=/opt/openziti/etc/identities" "ZITI_DNS_IP_RANGE=100.64.0.1/10" "ZITI_VERBOSE=2"
# optional override values
EnvironmentFile=-/opt/openziti/etc/ziti-edge-tunnel.env
User=ziti
UMask=0007
AmbientCapabilities=CAP_NET_ADMIN
ExecStartPre=/opt/openziti/bin/ziti-edge-tunnel.sh
ExecStart=/opt/openziti/bin/ziti-edge-tunnel run --verbose=${ZITI_VERBOSE} --dns-ip-range=${ZITI_DNS_IP_RANGE} --identity-dir=${ZITI_IDENTITY_DIR} -x http://192.168.0.142:3128
Restart=always
RestartSec=3
[Install]
WantedBy=multi-user.target
Save the file, then reload systemd and restart the Ziti Edge Tunneler service:
sudo systemctl daemon-reload
sudo systemctl restart ziti-edge-tunnel
Verify Traffic Flow via Proxy
1. Control / data plane traffic
Type | IP | Domain name
Controller | 43.204.159.212 | 62a2d8fa-6ed4-4ca9-a939-db058b6696c3.production.netfoundry.io
Hosted Edge Router 1 | 13.201.219.135 | 30619224-1f9a-4505-baa2-8df083f3696b.production.netfoundry.io
Hosted Edge Router 2 | 52.187.40.189 | 863cccc4-92fc-4889-bcab-926fd40ce0c7.production.netfoundry.io
sudo tcpdump -i eth0 src 192.168.0.142 and port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:17:30.293738 IP ip-192-168-0-142.56246 > ec2-43-204-159-212.ap-south-1.compute.amazonaws.com.https: Flags [P.], seq 6249:6647, ack 22230, win 443, options [nop,nop,TS val 3187037390 ecr 1162323513], length 398
10:17:30.329223 IP ip-192-168-0-142.40622 > ec2-13-201-219-135.ap-south-1.compute.amazonaws.com.https: Flags [.], ack 5190, win 452, options [nop,nop,TS val 3595200897 ecr 3121852100], length 0
10:17:30.359651 IP ip-192-168-0-142.48980 > 52.187.40.189.https: Flags [P.], seq 3160:3351, ack 5190, win 452, options [nop,nop,TS val 941782227 ecr 1720843997], length 191
10:17:30.359676 IP ip-192-168-0-142.40622 > ec2-13-201-219-135.ap-south-1.compute.amazonaws.com.https: Flags [P.], seq 3161:3352, ack 5190, win 452, options [nop,nop,TS val 3595200927 ecr 3121852100], length 191
10:17:30.359784 IP ip-192-168-0-142.56246 > ec2-43-204-159-212.ap-south-1.compute.amazonaws.com.https: Flags [F.], seq 6647, ack 23240, win 443, options [nop,nop,TS val 3187037456 ecr 1162323579], length 0
10:17:30.361509 IP ip-192-168-0-142.48980 > 52.187.40.189.https: Flags [.], ack 5268, win 452, options [nop,nop,TS val 941782229 ecr 1720844256], length 0
10:17:30.421064 IP ip-192-168-0-142.56246 > ec2-43-204-159-212.ap-south-1.compute.amazonaws.com.https: Flags [R], seq 1232631380, win 0, length 0
10:17:30.421096 IP ip-192-168-0-142.56246 > ec2-43-204-159-212.ap-south-1.compute.amazonaws.com.https: Flags [R], seq 1232631380, win 0, length 0
10:17:30.421816 IP ip-192-168-0-142.40622 > ec2-13-201-219-135.ap-south-1.compute.amazonaws.com.https: Flags [.], ack 5268, win 452, options [nop,nop,TS val 3595200989 ecr 3121852237], length 0
sudo tail -f /var/log/squid/access.log | grep -E '43\.204\.159\.212|13\.201\.219\.135|52\.187\.40\.189'
1741340907.783 345 192.168.0.67 TCP_TUNNEL/200 10634 CONNECT 62a2d8fa-6ed4-4ca9-a939-db058b6696c3.production.netfoundry.io:443 - HIER_DIRECT/43.204.159.212 -
1741340908.501 1056003 192.168.0.67 TCP_TUNNEL/200 6703 CONNECT 30619224-1f9a-4505-baa2-8df083f3696b.production.netfoundry.io:443 - HIER_DIRECT/13.201.219.135 -
1741340908.501 1056003 192.168.0.67 TCP_TUNNEL/200 100051 CONNECT 863cccc4-92fc-4889-bcab-926fd40ce0c7.production.netfoundry.io:443 - HIER_DIRECT/52.187.40.189 -
1741340909.546 945 192.168.0.67 TCP_TUNNEL/200 23275 CONNECT 62a2d8fa-6ed4-4ca9-a939-db058b6696c3.production.netfoundry.io:443 - HIER_DIRECT/43.204.159.212 -
2. Ziti service traffic
sudo tcpdump -i eth0 src 192.168.0.67 and port 3128
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:54:20.905844 IP 192.168.0.67.38770 > ip-192-168-0-142.3128: Flags [S], seq 3377088859, win 62727, options [mss 8961,sackOK,TS val 69322415 ecr 0,nop,wscale 7], length 0
09:54:20.906532 IP 192.168.0.67.38770 > ip-192-168-0-142.3128: Flags [.], ack 2651128910, win 491, options [nop,nop,TS val 69322416 ecr 3477389367], length 0
09:54:20.906532 IP 192.168.0.67.38770 > ip-192-168-0-142.3128: Flags [P.], seq 0:189, ack 1, win 491, options [nop,nop,TS val 69322416 ecr 3477389367], length 189
09:54:20.970154 IP 192.168.0.67.38770 > ip-192-168-0-142.3128: Flags [.], ack 40, win 491, options [nop,nop,TS val 69322480 ecr 3477389431], length 0
09:54:20.970375 IP 192.168.0.67.38770 > ip-192-168-0-142.3128: Flags [P.], seq 189:573, ack 40, win 491, options [nop,nop,TS val 69322480 ecr 3477389431], length 384
09:54:21.044948 IP 192.168.0.67.38770 > ip-192-168-0-142.3128: Flags [P.], seq 573:3224, ack 5684, win 582, options [nop,nop,TS val 69322554 ecr 3477389505], length 2651
09:54:21.045461 IP 192.168.0.67.38770 > ip-192-168-0-142.3128: Flags [P.], seq 3224:3500, ack 5684, win 582, options [nop,nop,TS val 69322554 ecr 3477389505], length 276
09:54:21.109237 IP 192.168.0.67.38770 > ip-192-168-0-142.3128: Flags [.], ack 9282, win 608, options [nop,nop,TS val 69322619 ecr 3477389570], length 0
09:54:21.109471 IP 192.168.0.67.38770 > ip-192-168-0-142.3128: Flags [P.], seq 3500:3807, ack 9282, win 608, options [nop,nop,TS val 69322619 ecr 3477389570], length 307
09:54:21.175331 IP 192.168.0.67.38770 > ip-192-168-0-142.3128: Flags [P.], seq 3807:4102, ack 10240, win 608, options [nop,nop,TS val 69322684 ecr 3477389636], length 295
09:54:21.240595 IP 192.168.0.67.38770 > ip-192-168-0-142.3128: Flags [F.], seq 4102, ack 10634, win 608, options [nop,nop,TS val 69322749 ecr 3477389701], length 0
09:54:21.241320 IP 192.168.0.67.38770 > ip-192-168-0-142.3128: Flags [.], ack 10635, win 608, options [nop,nop,TS val 69322751 ecr 3477389702], length 0
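The two checks above (the Squid access.log entries for the controller and edge routers, and the tunneler-side capture that should show only flows to the proxy on port 3128) can be automated for a longer capture. The following Python script is an added example, not part of the original article or of the ziti-edge-tunnel project: it confirms that every endpoint in the table was reached through a successful CONNECT tunnel to its expected IP, and reports any flow from the tunneler that did not go to the proxy. The sample log lines are constructed in the format of the captures above, with the tunneler, proxy and endpoint addresses taken from the article; the denied CONNECT and the direct-to-443 flow are constructed to show what a failure looks like.

```python
import re

# Constructed sample data in the format of the page's captures (not the page's
# own logs). Last Squid line: a constructed policy denial. Last tcpdump line: a
# constructed direct-to-443 flow that a correctly proxied tunneler never emits.
SQUID_LOG = """\
1741340907.783 345 192.168.0.67 TCP_TUNNEL/200 10634 CONNECT 62a2d8fa-6ed4-4ca9-a939-db058b6696c3.production.netfoundry.io:443 - HIER_DIRECT/43.204.159.212 -
1741340908.501 1056003 192.168.0.67 TCP_TUNNEL/200 6703 CONNECT 30619224-1f9a-4505-baa2-8df083f3696b.production.netfoundry.io:443 - HIER_DIRECT/13.201.219.135 -
1741340910.002 12 192.168.0.67 TCP_DENIED/403 3912 CONNECT 863cccc4-92fc-4889-bcab-926fd40ce0c7.production.netfoundry.io:443 - HIER_NONE/- text/html
"""
TCPDUMP = """\
09:54:20.905844 IP 192.168.0.67.38770 > ip-192-168-0-142.3128: Flags [S], seq 3377088859, win 62727, length 0
09:54:20.970375 IP 192.168.0.67.38770 > ip-192-168-0-142.3128: Flags [P.], seq 189:573, ack 40, win 491, length 384
09:54:22.100000 IP 192.168.0.67.51000 > ec2-43-204-159-212.ap-south-1.compute.amazonaws.com.https: Flags [S], seq 1, win 64240, length 0
"""

# Table from the article: the NetFoundry endpoints the tunneler must reach.
EXPECTED = {
    "62a2d8fa-6ed4-4ca9-a939-db058b6696c3.production.netfoundry.io": "43.204.159.212",
    "30619224-1f9a-4505-baa2-8df083f3696b.production.netfoundry.io": "13.201.219.135",
    "863cccc4-92fc-4889-bcab-926fd40ce0c7.production.netfoundry.io": "52.187.40.189",
}
FLOW_RE = re.compile(r"^\S+ IP (\S+) > (\S+): Flags")


def proxied_connects(squid_log, client):
    """Map FQDN -> (HTTP status, origin IP) for CONNECT requests from client."""
    seen = {}
    for f in (line.split() for line in squid_log.splitlines()):
        if len(f) >= 9 and f[2] == client and f[5] == "CONNECT":
            status = f[3].split("/")[1]     # TCP_TUNNEL/200 -> "200"
            origin = f[8].split("/")[1]     # HIER_DIRECT/43.204.159.212 -> IP
            seen[f[6].rsplit(":", 1)[0]] = (status, origin)
    return seen


def missing_tunnels(squid_log, client, expected=EXPECTED):
    """FQDNs without a 200 CONNECT tunnel from client to the expected origin IP."""
    got = proxied_connects(squid_log, client)
    return sorted(h for h, ip in expected.items() if got.get(h) != ("200", ip))


def proxy_bypass(tcpdump, tunneler, proxy_host, proxy_port="3128"):
    """Count tunneler flows to anything but proxy_host:proxy_port (proxy bypass)."""
    leaks = {}
    for m in filter(None, map(FLOW_RE.match, tcpdump.splitlines())):
        src_host = m.group(1).rpartition(".")[0]        # tcpdump: host.port
        dst_host, _, dst_port = m.group(2).rpartition(".")
        if src_host == tunneler and (dst_host, dst_port) != (proxy_host, proxy_port):
            leaks[(dst_host, dst_port)] = leaks.get((dst_host, dst_port), 0) + 1
    return leaks
```

For the bypass check, capture with only `src <tunneler>` (without `and port 3128`) so that flows around the proxy are visible, and pass proxy_host exactly as tcpdump prints it (the reverse-resolved name as above, or the bare IP when capturing with -n).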
The Hello World service is accessible over Ziti through the proxy:
ubuntu@ip-192-168-0-67:~$ curl http://hello.kube
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Congratulations!</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="Hello World">
<link rel="shortcut icon" href="/icons/favicon.ico">
<link rel="apple-touch-icon" sizes="57x57" href="/icons/apple-icon-57x57.png"/>
<link rel="apple-touch-icon" sizes="60x60" href="/icons/apple-icon-60x60.png"/>
<link rel="apple-touch-icon" sizes="72x72" href="/icons/apple-icon-72x72.png"/>
<link rel="apple-touch-icon" sizes="76x76" href="/icons/apple-icon-76x76.png"/>
<link rel="apple-touch-icon" sizes="114x114" href="/icons/assets/icons/apple-icon-114x114.png"/>
<link rel="apple-touch-icon" sizes="120x120" href="/icons/apple-icon-120x120.png"/>
<link rel="apple-touch-icon" sizes="144x144" href="/icons/icons/apple-icon-144x144.png"/>
<link rel="apple-touch-icon" sizes="152x152" href="/icons/apple-icon-152x152.png"/>
<link rel="apple-touch-icon" sizes="180x180" href="/icons/apple-icon-180x180.png"/>
<link rel="icon" type="image/png" sizes="192x192" href="icons/android-icon-192x192.png"/>
<link rel="icon" type="image/png" sizes="32x32" href="</icons/favicon-32x32.png"/>
<link rel="icon" type="image/png" sizes="96x96" href="</icons/favicon-96x96.png"/>
<link rel="icon" type="image/png" sizes="16x16" href="</icons/favicon-16x16.png"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="msapplication-TileImage" content="</assets/icons/ms-icon-144x144.png"/>
<link href="css/bootstrap.css" rel="stylesheet" type="text/css" media="all" />
<link href="css/theme.css" rel="stylesheet" type="text/css" media="all" />
<link href="https://fonts.googleapis.com/css?family=Open+Sans:200,300,400,400i,500,600,700%7CMerriweather:300,300i" rel="stylesheet">
</head>
<body class=" ">
<a id="start"></a>
<div class="nav-container ">
<nav class="bar bar-4 bar--transparent bar--absolute" data-fixed-at="200">
<div class="container">
<div class="row">
<div class="col-md-1 col-md-offset-0 col-sm-2 col-sm-offset-0 col-xs-4 col-xs-offset-4">
<div class="bar__module">
<a href="http://www.netfoundry.io">
<img class="logo logo-dark" alt="logo" src="img/logo-dark.png" />
<img class="logo logo-light" alt="logo" src="img/logo-light.png" />
</a>
</div>
<!--end module-->
</div>
</div>
<!--end of row-->
</div>
<!--end of container-->
</nav>
<!--end bar-->
</div>
<div class="main-container">
<section class="imagebg height-100 text-center" data-gradient-bg="#9beb04,#27bffc,#27bffc,#fa1e4d,#ed58be">
<div class="background-image-holder">
<img alt="background" src="img/city.jpg" />
</div>
<div class="container pos-vertical-center">
<div class="row">
<div class="col-sm-9">
<img alt="Image" src="img/headline.png" />
<div class="col-sm-12">
<div class="typed-headline" style="margin-bottom: 30px;">
<span class="h2 inline-block">Congratulations, You just reached a secure app!</span><br>
<span class="h1 inline-block typed-text typed-text--cursor color--white" data-typed-strings="That Was Easy, This is only the Beginning, Awesome Sauce, Way Cool, Let's Roll, Blast Off"></span>
</div>
<p class="lead">
Your digital transformation is just around the corner. We can help you unleash your networks potential while gaining productivity and internet fluidity.
</p>
<a class="btn btn--primary type--uppercase" href="http://www.netfoundry.io">
<span class="btn__text">
LEARN MORE
</span>
</a>
</div>
</div>
<!--end of row-->
</div>
<!--end of container-->
</div>
</section>
</div>
<!--<div class="loader"></div>-->
<script src="js/jquery-3.1.1.min.js"></script>
<script src="js/typed.min.js"></script>
<script src="js/granim.min.js"></script>
<script src="js/smooth-scroll.min.js"></script>
<script src="js/scripts.js"></script>
</body>
</html>
ubuntu@ip-192-168-0-67:~$