Config Examples
Options commented out with a `#` are generated by the template but not used for the described deployment. The router IP address is used in the private router examples, whereas the DNS name is used in the public router example. This is only to illustrate that either form can be used for any deployment type.
- Private Router w/ Edge
- Private Router w/ Edge & Tunneler
- Public Router w/ Edge
Private Router w/ Edge

This is a network-side, dial-only router with edge. It does not listen for connections from other routers. Set the environment variables to match this type of deployment, and run the command shown.

```bash
ZITI_CTRL_EDGE_ADVERTISED_ADDRESS=controller01.zitinetwork.example.org
ZITI_CTRL_LISTENER_PORT=80
ZITI_ROUTER_ADVERTISED_HOST="192.168.10.11"
ZITI_EDGE_ROUTER_IP_OVERRIDE="192.168.10.11"
ZITI_EDGE_ROUTER_PORT=443
ROUTER_NAME=$ZITI_ROUTER_ADVERTISED_HOST
ZITI_ROUTER_IDENTITY_CERT="~/.ziti/config/certs/${ROUTER_NAME}.cert"
ZITI_ROUTER_IDENTITY_SERVER_CERT="~/.ziti/config/certs/${ROUTER_NAME}.server.chain.cert"
ZITI_ROUTER_IDENTITY_KEY="~/.ziti/config/certs/${ROUTER_NAME}.key"
ZITI_ROUTER_IDENTITY_CA="~/.ziti/config/certs/${ROUTER_NAME}.cas"
./ziti create config router edge --routerName $ROUTER_NAME \
  --output $ROUTER_NAME.yaml \
  --tunnelerMode none \
  --private
```
Generated Configuration
```yaml
v: 3

identity:
  cert: "~/.ziti/config/certs/192.168.10.11.cert"
  server_cert: "~/.ziti/config/certs/192.168.10.11.server.chain.cert"
  key: "~/.ziti/config/certs/192.168.10.11.key"
  ca: "~/.ziti/config/certs/192.168.10.11.cas"

ctrl:
  endpoint: tls:controller01.zitinetwork.example.org:80

link:
  dialers:
    - binding: transport
#  listeners:
#    - binding: transport
#      bind: tls:0.0.0.0:10080
#      advertise: tls:192.168.10.11:10080
#      options:
#        outQueueSize: 4

listeners:
# bindings of edge and tunnel requires an "edge" section below
  - binding: edge
    address: tls:0.0.0.0:443
    options:
      advertise: 192.168.10.11:443
      connectTimeoutMs: 1000
      getSessionTimeout: 60
#  - binding: tunnel
#    options:
#      mode: host #tproxy|host

edge:
  csr:
    country: US
    province: NC
    locality: Charlotte
    organization: NetFoundry
    organizationalUnit: Ziti
    sans:
      dns:
        - Windows-Workstation
        - localhost
      ip:
        - "127.0.0.1"
        - "192.168.10.11"

#transport:
#  ws:
#    writeTimeout: 10
#    readTimeout: 5
#    idleTimeout: 5
#    pongTimeout: 60
#    pingInterval: 54
#    handshakeTimeout: 10
#    readBufferSize: 4096
#    writeBufferSize: 4096
#    enableCompression: true
#    server_cert: ~/.ziti/config/certs/192.168.10.11.server.chain.cert
#    key: ~/.ziti/config/certs/192.168.10.11.key

forwarder:
  latencyProbeInterval: 10
  xgressDialQueueLength: 1000
  xgressDialWorkerCount: 128
  linkDialQueueLength: 1000
  linkDialWorkerCount: 32
```
Private Router w/ Edge & Tunneler

This is a network-side, dial-only router with edge and tunneler (i.e. gateway mode). It does not listen for connections from other routers. Set the environment variables to match this type of deployment, and run the command shown.

```bash
ZITI_CTRL_EDGE_ADVERTISED_ADDRESS=controller01.zitinetwork.example.org
ZITI_CTRL_LISTENER_PORT=80
ZITI_ROUTER_ADVERTISED_HOST="192.168.10.11"
ZITI_EDGE_ROUTER_IP_OVERRIDE="192.168.10.11"
ZITI_EDGE_ROUTER_PORT=443
ROUTER_NAME=$ZITI_ROUTER_ADVERTISED_HOST
ZITI_ROUTER_IDENTITY_CERT="~/.ziti/config/certs/${ROUTER_NAME}.cert"
ZITI_ROUTER_IDENTITY_SERVER_CERT="~/.ziti/config/certs/${ROUTER_NAME}.server.chain.cert"
ZITI_ROUTER_IDENTITY_KEY="~/.ziti/config/certs/${ROUTER_NAME}.key"
ZITI_ROUTER_IDENTITY_CA="~/.ziti/config/certs/${ROUTER_NAME}.cas"
./ziti create config router edge --routerName $ROUTER_NAME \
  --output $ROUTER_NAME.yaml \
  --tunnelerMode tproxy \
  --lanInterface eth0 \
  --private
```
Generated Configuration
```yaml
v: 3

identity:
  cert: "~/.ziti/config/certs/192.168.10.11.cert"
  server_cert: "~/.ziti/config/certs/192.168.10.11.server.chain.cert"
  key: "~/.ziti/config/certs/192.168.10.11.key"
  ca: "~/.ziti/config/certs/192.168.10.11.cas"

ctrl:
  endpoint: tls:controller01.zitinetwork.example.org:80

link:
  dialers:
    - binding: transport
#  listeners:
#    - binding: transport
#      bind: tls:0.0.0.0:10080
#      advertise: tls:192.168.10.11:10080
#      options:
#        outQueueSize: 4

listeners:
# bindings of edge and tunnel requires an "edge" section below
  - binding: edge
    address: tls:0.0.0.0:443
    options:
      advertise: 192.168.10.11:443
      connectTimeoutMs: 1000
      getSessionTimeout: 60
  - binding: tunnel
    options:
      mode: tproxy #tproxy|host
      resolver: udp://192.168.10.11:53
      lanIf: eth0

edge:
  csr:
    country: US
    province: NC
    locality: Charlotte
    organization: NetFoundry
    organizationalUnit: Ziti
    sans:
      dns:
        - Windows-Workstation
        - localhost
      ip:
        - "127.0.0.1"
        - "192.168.10.11"

#transport:
#  ws:
#    writeTimeout: 10
#    readTimeout: 5
#    idleTimeout: 5
#    pongTimeout: 60
#    pingInterval: 54
#    handshakeTimeout: 10
#    readBufferSize: 4096
#    writeBufferSize: 4096
#    enableCompression: true
#    server_cert: ~/.ziti/config/certs/192.168.10.11.server.chain.cert
#    key: ~/.ziti/config/certs/192.168.10.11.key

forwarder:
  latencyProbeInterval: 10
  xgressDialQueueLength: 1000
  xgressDialWorkerCount: 128
  linkDialQueueLength: 1000
  linkDialWorkerCount: 32
```
Public Router w/ Edge

This is a network-side router with edge that both dials and listens. It listens for connections from other routers, so the host firewall needs to be opened to allow those connections through. In this example code, the listen ports are 80 and 443. Set the environment variables to match this type of deployment, and run the command shown.

```bash
ZITI_CTRL_EDGE_ADVERTISED_ADDRESS=controller01.zitinetwork.example.org
ZITI_CTRL_LISTENER_PORT=80
ZITI_EDGE_ROUTER_NAME=router01.zitinetwork.example.org
ZITI_EDGE_ROUTER_PORT=443
ROUTER_NAME=$ZITI_EDGE_ROUTER_NAME
ZITI_ROUTER_IDENTITY_CERT="~/.ziti/config/certs/${ROUTER_NAME}.cert"
ZITI_ROUTER_IDENTITY_SERVER_CERT="~/.ziti/config/certs/${ROUTER_NAME}.server.chain.cert"
ZITI_ROUTER_IDENTITY_KEY="~/.ziti/config/certs/${ROUTER_NAME}.key"
ZITI_ROUTER_IDENTITY_CA="~/.ziti/config/certs/${ROUTER_NAME}.cas"
./ziti create config router edge --routerName $ROUTER_NAME \
  --output $ROUTER_NAME.yaml \
  --tunnelerMode none
```
Generated Configuration
```yaml
v: 3

identity:
  cert: "~/.ziti/config/certs/router01.zitinetwork.example.org.cert"
  server_cert: "~/.ziti/config/certs/router01.zitinetwork.example.org.server.chain.cert"
  key: "~/.ziti/config/certs/router01.zitinetwork.example.org.key"
  ca: "~/.ziti/config/certs/router01.zitinetwork.example.org.cas"

ctrl:
  endpoint: tls:controller01.zitinetwork.example.org:80

link:
  dialers:
    - binding: transport
  listeners:
    - binding: transport
      bind: tls:0.0.0.0:10080
      advertise: tls:router01.zitinetwork.example.org:10080
      options:
        outQueueSize: 4

listeners:
# bindings of edge and tunnel requires an "edge" section below
  - binding: edge
    address: tls:0.0.0.0:443
    options:
      advertise: router01.zitinetwork.example.org:443
      connectTimeoutMs: 1000
      getSessionTimeout: 60
#  - binding: tunnel
#    options:
#      mode: host #tproxy|host

edge:
  csr:
    country: US
    province: NC
    locality: Charlotte
    organization: NetFoundry
    organizationalUnit: Ziti
    sans:
      dns:
        - router01.zitinetwork.example.org
        - localhost
      ip:
        - "127.0.0.1"

#transport:
#  ws:
#    writeTimeout: 10
#    readTimeout: 5
#    idleTimeout: 5
#    pongTimeout: 60
#    pingInterval: 54
#    handshakeTimeout: 10
#    readBufferSize: 4096
#    writeBufferSize: 4096
#    enableCompression: true
#    server_cert: ~/.ziti/config/certs/router01.zitinetwork.example.org.server.chain.cert
#    key: ~/.ziti/config/certs/router01.zitinetwork.example.org.key

forwarder:
  latencyProbeInterval: 10
  xgressDialQueueLength: 1000
  xgressDialWorkerCount: 128
  linkDialQueueLength: 1000
  linkDialWorkerCount: 32
```
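The three generated configs differ in which ports the router binds and which it only dials, and the firewall rules for a public router should be derived from the `link.listeners` and edge `listeners` sections rather than guessed. The following audit script is an added example, not OpenZiti project code: it takes the dict that `yaml.safe_load()` returns for a router YAML (loading the file is left to the caller), checks that a private router declares no link listeners, that edge/tunnel bindings have an `edge` section, and that the advertised edge host appears in `csr.sans`, and lists the inbound ports to open versus the controller endpoint that is dialed outbound. `PUBLIC_ROUTER` is that dict for this page's public router config, written out inline so the script runs offline.

```python
# Added example, not OpenZiti project code: audit a parsed router config and
# derive the inbound ports the host firewall must allow. Input is the dict that
# yaml.safe_load() returns for the generated router YAML.

def parse_addr(addr):
    """'tls:0.0.0.0:10080' or '192.168.10.11:443' -> (host, port)."""
    parts = addr.split(":")
    return parts[-2], int(parts[-1])

def audit_router(cfg, private):
    """Return inbound ports to open, outbound dial targets, and findings."""
    findings, inbound = [], set()
    link_listeners = cfg.get("link", {}).get("listeners") or []
    for ln in link_listeners:                      # router-to-router links
        inbound.add(parse_addr(ln["bind"])[1])
    if private and link_listeners:
        findings.append("private router must not declare link.listeners")
    if not private and not link_listeners:
        findings.append("public router has no link.listeners; peers cannot dial it")
    sans = cfg.get("edge", {}).get("csr", {}).get("sans", {})
    san_names = set(sans.get("dns", [])) | set(sans.get("ip", []))
    for ln in cfg.get("listeners") or []:           # edge / tunnel bindings
        if ln["binding"] in ("edge", "tunnel") and "edge" not in cfg:
            findings.append(f"{ln['binding']} binding requires an 'edge' section")
        if ln["binding"] == "edge":
            inbound.add(parse_addr(ln["address"])[1])
            adv_host, _ = parse_addr(ln["options"]["advertise"])
            if adv_host not in san_names:          # SDKs verify the cert SANs
                findings.append(f"advertised host {adv_host} missing from csr.sans")
    # The controller endpoint is dialed outbound; it needs no inbound rule.
    outbound = [parse_addr(cfg["ctrl"]["endpoint"])]
    return {"inbound": sorted(inbound), "outbound": outbound, "findings": findings}

# Constructed from the public router config on this page (non-security keys omitted).
PUBLIC_ROUTER = {
    "ctrl": {"endpoint": "tls:controller01.zitinetwork.example.org:80"},
    "link": {"dialers": [{"binding": "transport"}],
             "listeners": [{"binding": "transport", "bind": "tls:0.0.0.0:10080",
                            "advertise": "tls:router01.zitinetwork.example.org:10080"}]},
    "listeners": [{"binding": "edge", "address": "tls:0.0.0.0:443",
                   "options": {"advertise": "router01.zitinetwork.example.org:443"}}],
    "edge": {"csr": {"sans": {"dns": ["router01.zitinetwork.example.org", "localhost"],
                              "ip": ["127.0.0.1"]}}},
}

if __name__ == "__main__":
    print(audit_router(PUBLIC_ROUTER, private=False))
```

Run against the public config it reports inbound ports 443 and 10080 and the controller as the only outbound target; feeding it one of the private configs with `private=True` passes, while a private config that had link listeners uncommented is flagged.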