  • Language
    Go
  • License
    Apache License 2.0
  • Created almost 5 years ago
  • Updated over 1 year ago

Repository Details

The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application-embedded, programmable network.

OpenZiti

OpenZiti represents the next generation of secure, open-source networking for your applications. OpenZiti has several components.

What is OpenZiti?

  • The OpenZiti fabric provides a scalable, pluggable networking mesh with built-in smart routing
  • The OpenZiti edge components provide a secure, Zero Trust entry point into your network
  • The OpenZiti SDKs allow you to integrate OpenZiti directly into your applications
  • The OpenZiti tunnelers and proxies allow existing applications and networks to take advantage of an OpenZiti deployment

Security Features

  • Zero Trust and Application Segmentation
  • Dark Services and Routers
  • End to end encryption

Performance and Reliability

  • A scalable mesh fabric with smart routing
  • Support for load balancing services for both horizontal scale and failover setups

Developer Focus

Easy Management

Let's break some of these buzzwords down.

Zero Trust/Application Segmentation

Many networking security solutions act like a wall around an internal network. Once you are through the wall, you have access to everything inside. Zero trust solutions enforce not just access to a network, but access to individual applications within that network.

Every client in an OpenZiti system must have an identity with provisioned certificates. The certificates are used to establish secure communications channels as well as for authentication and authorization of the associated identity. Whenever the client attempts to access a network application, OpenZiti will first ensure that the identity has access to the application. If access is revoked, open network connections will be closed.

This model enables OpenZiti systems to provide access to multiple applications while ensuring that clients only get access to those applications to which they have been granted access.

In addition to requiring certificate-based authentication for clients, OpenZiti uses certificates to authorize communication between OpenZiti components.
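
A minimal Go model of the rule described in this section, added here as an illustration and not taken from OpenZiti's code: access is checked per identity and per service at dial time, and revoking a grant closes connections that are already open. `Overlay`, `Dial`, `SetAccess` and the identity and service names are hypothetical, and `net.Pipe` stands in for an overlay connection.

```go
package main

import (
	"fmt"
	"net"
	"sync"
)

type grant struct{ identity, service string } // one identity, one service

type Overlay struct { // toy policy point (hypothetical, not an OpenZiti API)
	mu      sync.Mutex
	allowed map[grant]bool       // current policy; absent means denied
	open    map[grant][]net.Conn // live connections opened under each grant
}

func NewOverlay() *Overlay { return &Overlay{allowed: map[grant]bool{}, open: map[grant][]net.Conn{}} }

// Dial authorizes the identity for this one service before any connection exists.
func (o *Overlay) Dial(identity, service string) (client, server net.Conn, err error) {
	o.mu.Lock()
	defer o.mu.Unlock()
	g := grant{identity, service}
	if !o.allowed[g] {
		return nil, nil, fmt.Errorf("%s is not authorized for %s", identity, service)
	}
	client, server = net.Pipe() // in-memory stand-in for an overlay circuit
	o.open[g] = append(o.open[g], client, server)
	return client, server, nil
}

// SetAccess grants or revokes; revoking also closes connections already open.
func (o *Overlay) SetAccess(identity, service string, allowed bool) {
	o.mu.Lock()
	defer o.mu.Unlock()
	g := grant{identity, service}
	o.allowed[g] = allowed
	if allowed {
		return
	}
	for _, c := range o.open[g] {
		c.Close()
	}
	delete(o.open, g)
}

func main() {
	o := NewOverlay()
	fmt.Println(o.Dial("alice", "hr-db")) // constructed names; no grant, so denied
}
```

A grant for one service gives no reach to any other, which is the difference from the "wall around the network" model at the top of this section.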

Dark Services and Routers

There are various levels of accessibility a network application/service can have.

  1. Many network services are available to the world. The service then relies on authentication and authorization policies to prevent unwanted access.
  2. Firewalls can be used to limit access to specific IPs or IP ranges. This increases security at the cost of flexibility. Adding users can be complicated and users may not be able to easily switch devices or access the service remotely.
  3. Services can be put behind a VPN or made only accessible to an internal network, but there are some downsides to this approach.
    1. If you can access the VPN or internal network for any reason, all services in that VPN become more vulnerable to you.
    2. VPNs are not usually appropriate for external customers or users.
    3. For end users, VPNs add an extra step that needs to be done each time they want to access the service.
  4. Services can be made dark, meaning they do not have any ports open for anyone to even try to connect to.

Making something dark can be done in a few ways, but the way it's generally handled in OpenZiti is that services reach out and establish one or more connections to the OpenZiti network fabric. Clients coming into the fabric can then reach the service through these connections after being authenticated and authorized.

OpenZiti routers, which make up the fabric, can also be dark. Routers located in private networks will usually be made dark. These routers will reach out of the private network to talk to the controller and to make connections to join the network fabric mesh. This allows the services and routers in your private networks to make only outbound connections, so no holes have to be opened for inbound traffic.

Services can be completely dark if they are implemented with an OpenZiti SDK. If this is not possible, an OpenZiti tunneler or proxy can be colocated with the service. The service then only needs to allow connections from the local machine or network, depending on how close you colocate the proxy to the service.

End to End Encryption

If you take advantage of OpenZiti's developer SDKs and embed OpenZiti in your client and server applications, your traffic can be configured to be seamlessly encrypted from the client application to server application. If you prefer to use tunnelers or proxy applications, the traffic can be encrypted for you from machine to machine or private network to private network. Various combinations of the above are also supported.

End-to-end encryption means that even if systems between the client and server are compromised, your traffic cannot be decrypted or tampered with.


Getting started with OpenZiti

If you are looking to jump right in feet first, you can follow along with one of our up-and-running quickstart guides. These guides are designed to get an overlay network running quickly and allow you to run it all locally, use Docker, or host it anywhere.

This environment is perfect for evaluators to get to know OpenZiti and the capabilities it offers. The environment was not designed for large-scale deployment or for long-term usage. If you are looking for a managed service to help you run a truly global, scalable network, browse over to the NetFoundry website to learn more.

Build from Source

Please refer to the local development tutorial for build instructions.


Adopters

Interested to see what companies are using OpenZiti? Check out the list of projects and companies using OpenZiti here. Interested in adding your project to the list? Add an issue to GitHub or, better yet, feel free to add a pull request! Instructions for getting your project added are included on the adopters list.


Support

We have a very active Discourse forum. Join the conversation! Help others if you can. If you want to ask a question or just check it out, cruise on over to the OpenZiti Discourse forum. We love getting questions, jump in!


Contributing

The OpenZiti project welcomes contributions including, but not limited to, code, documentation and bug reports.

OpenZiti was developed and open sourced by NetFoundry, Inc. NetFoundry continues to fund and contribute to OpenZiti.
