Docker Private Share
Goal
Privately share a Docker Compose service with a separate zrok environment and a permanent zrok share token.
Overview
With zrok, you can privately share a service that's running in Docker. You need a zrok private share running somewhere that it can reach the service you're sharing, and a zrok private access running somewhere else where you want to use the private share. Together, the private share and private access form a private point-to-point tunnel.
Here's a short article with an overview of private sharing with zrok.
Walkthrough Video
How it Works
The Docker Compose project uses your zrok account token to reserve a private share token and keep sharing the backend target.
When the project runs it will:
- enable a zrok environment unless
/mnt/.zrok/environment.json
exists in thezrok_env
volume - reserve a private share token for the service unless
/mnt/.zrok/reserved.json
exists - start sharing the target specified in the
ZROK_TARGET
environment variable
Before You Begin
To follow this guide you will need Docker.
If you have installed Docker Desktop on macOS or Windows then you are all set.
Begin Sharing Privately with zrok in Docker
First, let's create the private share.
-
Make a folder on your computer to use as a Docker Compose project for your zrok private share.
-
In your terminal, change directory to your newly-created project folder.
-
Download the zrok-private-share Docker Compose project file into your new project folder and make sure it's named
compose.yml
. -
Copy your zrok environment token from the zrok web console to your clipboard and paste it in a file named
.env
in the same folder like this:# file name ".env"
ZROK_ENABLE_TOKEN="8UL9-48rN0ua" -
If you are self-hosting zrok then it's important to set your API endpoint URL too. If you're using the hosted zrok service then you can skip this step.
# file name ".env"
ZROK_API_ENDPOINT="https://zrok.example.com" -
Run your Compose project to start sharing the built-in demo web server:
docker compose up
-
Read the private share token from the output. One of the last lines is like this:
zrok-private-share-1 | zrok access private wr3hpf2z5fiy
Keep track of this token so you can use it in your zrok private access project.
Access the Private Share
Now that we have a private share we can access it with the zrok command or by running a separate Docker Compose project.
-
Make a folder on your computer to use as a Docker Compose project for your zrok private access.
-
In your terminal, change directory to your newly-created project folder.
-
Download the zrok-private-access Docker Compose project file into your new project folder and make sure it's named
compose.yml
. -
Copy your zrok environment token from the zrok web console to your clipboard and paste it in a file named
.env
in the same folder like this:# file name ".env"
ZROK_ENABLE_TOKEN="8UL9-48rN0ua" -
Now copy the zrok private access token from the zrok private share project's output to your clipboard and paste it in the same file named
.env
here in your private share project folder like this:# file name ".env"
ZROK_ENABLE_TOKEN="8UL9-48rN0ua"
ZROK_ACCESS_TOKEN="wr3hpf2z5fiy" -
Run your Compose project to start accessing the private share:
docker compose up zrok-private-access
-
Now your zrok private access proxy is ready on http://127.0.0.1:9191. You can visit the demo web server in your browser.
Closed Permission Mode
Normally, you need only the share token to access a private share. You can further restrict access with "closed" permission mode.
You must set the permission mode before you reserve the share.
Only your own account can access the private share.
ZROK_PERMISSION_MODE="closed"
Grant access to additional zrok accounts.
ZROK_ACCESS_GRANTS="bob@example.com alice@example.org"
You can adjust the access grants by running the CLI inside the zrok-share
container.
docker compose exec zrok-share zrok modify ${ZROK_UNIQUE_NAME} --remove-access-grant bob@example.com
Going Further with Private Access
-
Try changing the demo web server used in the private share project. One alternative demo server is provided:
httpbin
. -
Try accessing the private share from inside a container running in the private access project. One demo client is provided:
demo-client
. You can run it like this.docker compose up demo-client
-
You'll see in the terminal output that the demo-client container is getting a response from the private share indicating the source IP of the request from the perspective of the demo server:
httpbin
that's running in the private share project.
Cleaning Up
Run the "down" command in both Compose projects to destroy them when you're all done. This will stop the running containers and delete zrok environments' storage volumes. Then delete the selected zrok environment by clicking "Actions" in the web console.
docker compose down --remove-orphans --volumes