version: "3.9" x-base-service: &base-service image: netfoundry/ziti-tunnel:latest # https://hub.docker.com/r/netfoundry/ziti-tunnel/tags?page=1&ordering=last_updated volumes: - .:/netfoundry # mount current dir (relative to Compose file) with identity config file environment: - NF_REG_NAME # NF_REG_NAME=AcmeIdentity docker-compose up ziti-host - NF_REG_TOKEN # NF_REG_NAME=AcmeIdentity NF_REG_TOKEN=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbSI6Im90dCIsImV4cCI6MTY1MzE2NzcwOCwiaXNzIjoiaHR0cHM6Ly81MGEyMDc4Zi01MGQyLTRhZTAtYWI4Ny0wYTdjMjM1OWVjOTYucHJvZHVjdGlvbi5uZXRmb3VuZHJ5LmlvOjQ0MyIsImp0aSI6IjFiMjJkMzc2LTMzMWItNDMxNS1iZTFiLWJkOTUzYThiYWM4ZiIsInN1YiI6InRGLnZnLjdwM1kifQ.TWbk3-kjBRKwQCXMoD93sXtyQhZOMZ1iJzV73Sqft-cEOkV2kjbA4TBRwl0nuLPCdJqkhPl9Yc1WG7YaYWYXV4ghE1Hk0Gta_HlpWdNjNlB1cVrzMyxaoCXhaX5xqGnwDuqfOK7q6DItuNsKouM2G6KKZvhGOacax6TvP-sunsxFz6AdYQJizNBoL5fJ14r1_O6yczGd5GSd8x9-eP5rNMQuRdUtiu69b-rEu1gO2SXVTrADTD5p8sP9khbT_eQzIDD9jgagXoJJvOKTVdsUAWS7YKfk1On0BpxNvv30bQ6eAkliwU7GTXDR2IPW-blZYt1Wtf3sgeuTDCCtVO_7gjSn7WM7YJqpsB72V-43Xz8I7LCDa0u48baSmmpPDUSphIBDa_nksPZk8jfwx4pHoHYbSbD4r47Af_9P-JUQRT8hzNuvktG56kmcqVCfEZHT-4xgK0Lvxxp4mzqdcNyCB0VwC6kdk7OlxwqmftDWrJhNuxKMy2MtyTjG0mwHxt4P0y_fZo1ZYJZU5AzvxrE9OLTjsQ4nV5NliJ3Qxaw_taCaIWxn98BeiHfAiIc3EL7bWGjAfXz-XWvWG8-AcCmK-cxIj7Pvj0U7lIWH7bVcRmVVc0fQnXdACkeQe7ixWr4IopV5YJ607zm6Qk_am_MrERla6xyXblvroWIITN2aEUk docker-compose up ziti-host - PFXLOG_NO_JSON=true # suppress JSON logging network_mode: host # use the Docker host's network, not the Docker bridge x-iptables-capabilities: &iptables-capabilities cap_add: - NET_ADMIN # iptables filter - NET_RAW # iptables mangle services: ziti-tproxy: # iptables transparent interceptor with DNS <<: *base-service <<: *iptables-capabilities dns: # optionally, override DNS inherited from Docker host - 127.0.0.1 # this first NS must match the built-in nameserver's bind address, - 1.1.1.1 # and a recursive NS is also needed e.g. 8.8.8.8 command: - tproxy #- --resolver=udp://127.1.2.3:53 # override nameserver bind address (always 53/udp); default is 127.0.0.1 #- --dnsSvcIpRange=100.64.64.0/18 # override the IP range used for DNS intercepts; default is 100.64/10 ziti-tproxy-ip: # iptables transparent interceptor without DNS <<: *base-service <<: *iptables-capabilities command: - tproxy - --resolver none #- --dnsSvcIpRange=100.64.64.0/18 # override the IP range used for DNS intercepts; default is 100.64/10 ziti-test: # docker-compose exec ziti-test bash <<: *base-service <<: *iptables-capabilities entrypoint: ["sh", "-c", "while true; do sleep infinity; done"] ziti-host: # terminate a service for a server that's reachable by the host network <<: *base-service command: host ziti-bridge: # terminate a service for a server that's reachable by this Docker network (default mode is "bridge") <<: *base-service network_mode: bridge command: host ziti-proxy: # bind a named service to a container TCP port, optionally forward host TCP port to container <<: *base-service ports: - "8888:8888" # optionally forward host ports to container ports listening as TCP proxy network_mode: bridge command: - proxy - '"my example service":8888' # example named service and container port to bind as TCP proxy