zrok

Request an invitation to use the public zrok service (run this first)

$ zrok invite

$ zrok enable [your_token]

$ zrok share public [http://localhost:8080]

$ zrok share private [http://localhost:3000]

$ zrok access private [share_token]

$ zrok share public --backend-mode web [path/to/directory]

$ zrok status

zrok [global-options] command [command-options] [arguments]

--zrok-url
    Specifies the URL of the zrok controller. Defaults to 'https://api.zrok.io'.

--api-key
    Provides the API key for authentication with the zrok controller.

--verbose
    Enables verbose logging output for detailed operation insights.

--output
    Sets the output format (e.g., 'json') for command results.

--insecure
    Allows insecure SSL connections when connecting to the zrok controller (use with caution).

(Subcommand-specific options)
    Many zrok commands (e.g., 'share', 'access', 'reserve') have their own specific options. For example, the 'share' command includes options like '--unique-name', '--backend-mode', and '--auth-scheme' to configure the sharing behavior.

zrok is an open-source command-line tool that enables secure, private, and programmable sharing of local services and resources, leveraging the underlying OpenZiti zero-trust network platform. It allows users to expose local web servers, SSH, databases, or any TCP service to the internet without requiring firewall modifications, port forwarding, or VPNs.

The tool supports various sharing modes, including public, private (password-protected), and reserved shares for persistent endpoints. It emphasizes security by establishing an outbound-only connection to the zrok service, making the exposed service invisible on the public internet until accessed via the designated zrok URL. This zero-trust approach ensures that only authorized users or services can access the shared resource, significantly enhancing security for development, demonstrations, or internal tool exposure.

zrok requires an active zrok controller and frontend service, either hosted by OpenZiti (zrok.io) or self-hosted. Network performance and reliability depend on the underlying OpenZiti network and the specific zrok service infrastructure. Security of shared services relies heavily on proper configuration, especially for public shares using authentication schemes. Users should be mindful of exposing sensitive services and properly configure access controls.

zrok offers several modes for sharing:
Public Shares: Accessible via a unique URL. Can be protected with basic authentication.
Private Shares: Require a zrok 'access' command to establish a secure client-side connection.
Reserved Shares: Provide a persistent, unchanging zrok URL, ideal for services that need a stable endpoint.
Backend Proxy Shares: Used for internal service mesh integration, providing a programmatic way for services to access other services securely.

At its core, zrok leverages the OpenZiti overlay network. When you share a service with zrok, it initiates an outbound-only connection to the zrok infrastructure, which is built on OpenZiti. This creates a secure, dark network path for your service, making it inaccessible from the public internet unless explicitly routed through the zrok and OpenZiti fabric, enforcing zero-trust principles.

zrok was developed by OpenZiti (a project by NetFoundry) and first introduced in late 2022 / early 2023. It was designed to provide a secure and flexible way to share services, building upon the foundational zero-trust networking principles of the OpenZiti platform. Its development aimed to offer a more secure and programmable alternative to traditional port-forwarding or basic tunnel services.

ngrok(1), localtunnel(1), ssh(1) -R, openziti(1)