Skip to main content
Version: 2.0

Private Shares

zrok was built to share and access digital resources. A private share allows a resource to be accessed on another user's system as if it were local to them. Privately shared resources can only be accessed by another zrok user who has the details of your unique share. You are in control of who can access your private shares by sharing the share token.

Peer-to-peer private resource sharing is one of the things that makes zrok unique.

zrok also provides public sharing of resources with non-zrok users. Public resource sharing is limited to only resources that can be accessed over HTTP or HTTPS. private sharing works with all of the resources types that zrok supports.

Here's how private sharing works:

Peer to Peer

zrok_public_share

private shares are accessed using the zrok access command, and require the accessing user to have a zrok enable-d account on the same service instance where the share was created.

The private share is identified by a share token. The accessing user will use the share token, along with the zrok access command to create a local endpoint on their system, which lets them use the shared resource as if it were local to their system.

zrok does not require you to open any firewall ports or otherwise compromise the security of your local system; there is never an attack surface open to the public internet. As soon as you terminate the zrok share process, you immediately terminate any possible access to your shared resource.

The shared resource can be a development web server to share with friends and colleagues, a webhook from a server running in the cloud which has zrok running and has been instructed to access the private resource. zrok can also share files, websites, and low-level TCP and UDP network connections using the tunnel backend. What matters is that the access to the shared resource is not done in a public way, and can only be accessed by other zrok users that have access to your share token.

The peer-to-peer capabilities of zrok are an important property of the underlying OpenZiti network that zrok uses to provide connectivity between users and resources.

Creating private shares is easy and is accomplished using the zrok share private command. Run zrok share private to see the usage output and to further learn how to use the command.

v2.0 persistent private shares

In zrok v2.0, you can create persistent private shares using the --share-token flag:

zrok share private localhost:8080 --share-token my-api

This creates a private share with a custom vanity token that persists across share restarts. When using the zrok agent, shares with --share-token automatically restart after abnormal exit or agent restart. See reserved names and namespaces for more details.

Private Backend Modes

The default backend mode is proxy which targets an HTTP URL that must be reachable by the backend.

proxy example
zrok share private 80
  • proxy mode forwards requests received by the frontend to the target server (more)
  • web mode serves a target folder as a file index web page (more)
  • drive mode serves a target folder with WebDAV (guide)
  • caddy mode runs the built-in Caddy server with the targeted Caddyfile (example)
  • tcpTunnel, udpTunnel modes forward the data payload to the target server (more)
  • socks mode provides a SOCKS5 dynamic proxy on the private access bind port that tunnels TCP payloads to the share backend where they are forwarded to their destinations (blog)
  • vpn mode provides a network layer tunnel between the private access and the share backend (guide)