The EagleSafe ZTB Reverse Proxy lets you expose internal services running on peers or behind network resources to the public internet. TLS termination, optional authentication, and access restrictions are handled automatically — without opening ports or configuring firewalls on your internal machines.
Note: This feature is currently in beta. In EagleSafe's self-hosted deployment, the reverse proxy requires Traefik as the external reverse proxy in front of the management server — it is the only supported option because it provides TLS passthrough, which is required for this feature to function correctly.
How it works
When you create a reverse proxy service, a public domain with an automatic TLS certificate is provisioned. Incoming traffic to that domain is received at the proxy, then forwarded through the encrypted ZTB tunnel to the target peer or network resource. The target service only needs to be reachable within your ZTB network — no public IP address or open ports are required on the backend.
Service modes
| Mode | Layer | Description |
|---|---|---|
| HTTP | L7 | TLS terminated at the proxy, HTTP forwarding to the backend. Supports path-based routing, host header forwarding, redirect rewriting, and browser-based authentication (SSO, password, PIN). |
| TCP | L4 | Raw TCP relay on a dedicated port. No application-layer inspection. |
| UDP | L4 | UDP relay with session tracking. Sessions are reaped after an idle timeout. |
| TLS | L4 | SNI-based routing with TLS passthrough. The encrypted connection is forwarded to the backend without termination. |
L4 services (TCP, UDP, TLS) do not support browser-based authentication. Use access restrictions (IP CIDR, country) to protect them.
Targets
A target defines where proxied traffic is sent within your ZTB network. Supported types:
- Peer — a device running the ZTB agent directly.
- Host — a network resource identified by IP address.
- Domain — a network resource identified by domain name.
- Subnet — a network resource within a CIDR range; specify the exact IP within the range.
HTTP services support path-based routing across multiple targets. L4 services forward all traffic to the configured target port.
Authentication (HTTP services only)
| Method | Description |
|---|---|
| SSO | Authenticate via your Identity Provider (OIDC). Optionally restrict to specific user groups. |
| Password | Protect with a shared password. |
| PIN Code | Protect with a numeric PIN. |
| Header Authentication | Require a specific header value (API key, Bearer token, Basic auth). For machine-to-machine access. |
| Access Restrictions | Restrict by IP CIDR range or country. Applies to all service modes. Evaluated before authentication. |
Multiple authentication methods can be enabled simultaneously — users pick one. If no authentication is configured, the service is publicly accessible to anyone who knows the URL.
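The evaluation order described above, as an added example (not EagleSafe's own code): access restrictions are checked first, a service with no method configured is public, and any one enabled method is enough. The `ServicePolicy` model, its field names and the sample API key are constructed for this illustration.

```python
from __future__ import annotations
import hmac
import ipaddress
from dataclasses import dataclass, field

@dataclass
class ServicePolicy:
    """Hypothetical model of one service's Access Control and Authentication tabs."""
    allowed_cidrs: list[str] = field(default_factory=list)      # empty = no IP restriction
    allowed_countries: list[str] = field(default_factory=list)  # empty = no country restriction
    sso_enabled: bool = False
    sso_groups: list[str] = field(default_factory=list)         # empty = any IdP user
    password: str | None = None
    pin: str | None = None
    header_auth: dict[str, str] = field(default_factory=dict)   # header name -> expected value

    def auth_enabled(self) -> bool:
        return bool(self.sso_enabled or self.password or self.pin or self.header_auth)

def evaluate(policy: ServicePolicy, client_ip: str, country: str,
             headers: dict[str, str], session: dict) -> tuple[str, str]:
    """Return (decision, reason). Access restrictions run first; only then may
    any single enabled authentication method grant access."""
    ip = ipaddress.ip_address(client_ip)
    if policy.allowed_cidrs and not any(
            ip in ipaddress.ip_network(c, strict=False) for c in policy.allowed_cidrs):
        return "deny", "ip_not_in_allowed_cidr"
    if policy.allowed_countries and country not in policy.allowed_countries:
        return "deny", "country_not_allowed"
    if not policy.auth_enabled():
        return "allow", "public_no_auth"  # anyone who knows the URL gets through
    # Machine-to-machine: header value is compared in constant time.
    for name, expected in policy.header_auth.items():
        if hmac.compare_digest(headers.get(name, ""), expected):
            return "allow", "header"
    # Browser-based methods: the user picks whichever enabled one they like.
    if policy.sso_enabled and session.get("sso_user"):
        if not policy.sso_groups or set(session.get("sso_groups", [])) & set(policy.sso_groups):
            return "allow", "sso"
    if policy.password and hmac.compare_digest(session.get("password", ""), policy.password):
        return "allow", "password"
    if policy.pin and hmac.compare_digest(session.get("pin", ""), policy.pin):
        return "allow", "pin"
    return "deny", "authentication_required"

# Constructed sample policy: German clients only, then SSO group "devops" or an API key.
POLICY = ServicePolicy(allowed_countries=["DE"], sso_enabled=True, sso_groups=["devops"],
                       header_auth={"X-API-Key": "constructed-example-key"})
```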
Service statuses
| Status | Meaning |
|---|---|
| pending | Service is being provisioned. |
| certificate_pending | TLS certificate is being issued. |
| active | Service is live and routing traffic. |
| tunnel_not_created | The proxy has not yet established a tunnel to the target. |
| certificate_failed | TLS certificate issuance failed. Verify that port 443 is publicly reachable and the domain resolves correctly. |
| error | Generic error. Check service configuration and target availability. |
Create a reverse proxy service
- Go to Reverse Proxy → Services and click Add Service.
- Select the service mode (HTTP, TCP, UDP, or TLS).
- Enter a subdomain and select the base domain.
- Click Add Target, select the target type and the peer or network resource.
- For HTTP services, set the protocol (HTTP/HTTPS) and port. Optionally set a path for path-based routing.
- Switch to the Authentication tab and configure the desired authentication method.
- Switch to the Access Control tab to restrict by IP or country if needed.
- Switch to the Settings tab for advanced options (Pass Host Header, Rewrite Redirects for HTTP; PROXY Protocol for TCP/TLS).
- Click Add Service. Monitor the status until it shows active.
Path-based routing
HTTP services with multiple targets support path-based routing. Assign a unique path prefix to each target to route different URL paths to different backends:
| Path | Target |
|---|---|
| / | Main web application (port 3000) |
| /api | API service (port 8080) |
| /docs | Documentation server (port 80) |
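An added example (not EagleSafe's implementation) of how the table above resolves: the enabled target with the longest matching prefix wins, prefixes match on whole path segments, and dot segments are collapsed before matching so the prefix is chosen from the path the backend will actually see. The `Target` dataclass, the `enabled` flag and the segment-boundary rule are this example's assumptions.

```python
from __future__ import annotations
import posixpath
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Target:
    path: str             # path prefix as configured on the target
    port: int             # backend port
    enabled: bool = True  # a disabled target is skipped, not deleted

# Constructed targets mirroring the table above.
TARGETS = [Target("/", 3000), Target("/api", 8080), Target("/docs", 80)]

def normalize_prefix(prefix: str) -> str:
    """'/api/', '/api' and 'api' denote the same prefix; '/' is the catch-all."""
    return "/" + prefix.strip("/")

def normalize_path(request_target: str) -> str:
    """Strip query/fragment and collapse '.' and '..' segments before matching,
    so '/docs/../api/x' is routed as '/api/x' rather than by its raw prefix."""
    path = urlsplit(request_target).path or "/"
    return posixpath.normpath(path)

def prefix_matches(prefix: str, path: str) -> bool:
    # Match whole segments: '/api' covers '/api' and '/api/...', but not '/apiary'.
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")

def route(targets: list[Target], request_target: str) -> Target | None:
    """Return the enabled target with the longest matching prefix (most specific wins)."""
    path = normalize_path(request_target)
    best, best_len = None, -1
    for t in targets:
        if not t.enabled:
            continue
        p = normalize_prefix(t.path)
        if prefix_matches(p, path) and len(p) > best_len:
            best, best_len = t, len(p)
    return best
```

Without a "/" target, a request that matches no prefix gets no backend, so keep the catch-all unless every path is meant to be covered explicitly.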
Integration with Networks
If you have already configured Networks with resources and routing peers, you can expose a resource directly from the Networks page by clicking Expose Service on any resource. This opens the reverse proxy creation modal with that resource pre-populated as a target.
Managing services
- Edit: click on a service in the list to modify its configuration.
- Enable/Disable: use the toggle to pause a service without deleting it.
- Delete: permanently removes the service, its domain, and TLS certificate. Cannot be undone.
- Targets: add, remove, or individually enable/disable targets within a service.