ZAP 2.16 Docker on Kubernetes + Istio: Unable to access UI and remote scan fails with Connection refused

Amulya Malla

Nov 14, 2025, 7:05:17 AM
to ZAP User Group

Description:
We are deploying ZAP 2.16 as a Docker container on Kubernetes behind Istio. While the pod is running, we are unable to access the ZAP UI via Istio Ingress, and remote scans fail with a Connection refused error.

Environment:

ZAP version: 2.16
Deployment: Docker container in Kubernetes
Ingress: Istio Gateway with TLS termination
ZAP mode: Daemon (zap.sh -daemon -host 0.0.0.0 -port 8080
-config hud.enabled=false
-config api.disablekey=true
-config api.addrs.addr.name=.*
-config api.addrs.addr.scheme=https
-config api.addrs.addr.port=443
-api.addrs.addr.regex=true
-config callhome.disable=true
-config api.cors.enabled=true
-config api.cors.allowOrigin=*

Target URL for API calls: https://zap-nonprod.mydomain.com/

Browser → Istio Ingress (TLS termination) → ZAP (receives HTTP traffic)

Observed Behavior / Logs:
92 [ZAP-daemon] INFO org.zaproxy.addon.network.ExtensionNetwork - ZAP is now listening on 0.0.0.0:8080 ... Connect to http://zap-nonprod.mydomain.com:80 [...] failed: Connection refused
ZAP is listening on 0.0.0.0:8080 inside the pod.
Internal ZAP client tries to connect to port 80 (not exposed).
UI access via Istio Ingress fails, likely due to port mismatch or missing Istio routing to port 8080.

Zap Log:
logs-from-dop-zap-service-in-dop-zap-service-57df76666c-nc64k.log

Vitor Rodrigues

Nov 14, 2025, 7:23:47 AM
to ZAP User Group
I faced a similar issue when deploying ZAP on K8s. As far as I remember, ZAP rejects requests that use an unknown ZAP hostname, meaning any hostname that the application isn’t explicitly configured to accept. I solved this by adding the following setting during ZAP startup:

` -config network.localServers.aliases.alias.name=your_pod_domain_name`

Hope this helps!

Amulya Malla

Nov 17, 2025, 1:11:12 AM
to ZAP User Group
Made the changes, but it didn't work. What I observed is that, post TLS termination at the upstream layer, ZAP identifies the incoming request as HTTP and by default creates a socket with HTTP (socket://zap-nonprod.mydomain.com:80), resulting in connection refused, since the firewall blocked port 80 outbound (organizational restriction).

PFS

33633 [ZAP-daemon] INFO org.zaproxy.addon.network.ExtensionNetwork - ZAP is now listening on 0.0.0.0:8080

# Successful request internally from an internal pod running in a different namespace (HTTP)
72607 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest http://dop-zap-service.dop-system:8080/JSON/core/view/version/

# From browser - via Ingress
81331 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.addon.network.internal.client.BaseHttpSender - Sending GET http://zap-nonprod.mydomain.com/JSON/core/view/version/
81358 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.zap.extension.httpsessions.HttpSessionsSite - No session tokens for: zap-nonprod.mydomain.com:80
81362 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.addon.network.internal.client.BaseHttpSender - Sending message to: http://zap-nonprod.mydomain.com/JSON/core/view/version/
81373 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.addon.network.internal.client.ZapProxySelector - Selected proxies for socket://zap-nonprod.mydomain.com:80 [DIRECT]
81375 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache - An I/O error occurred while sending the request:
org.apache.hc.client5.http.HttpHostConnectException: Connect to http://zap-nonprod.mydomain.com:80 [zap-nonprod.mydomain.com/10.236.170.7] failed: Connection refused

@psiinon - Please suggest, TIA
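One way to confirm from a ZAP debug log which requests the API served and which ZAP sent back out over HTTP, using log lines quoted in this thread as constructed sample input. This is an added example, not part of the original posts and not ZAP tooling; the function name `classify`, the `ingress_hosts` parameter and the finding fields are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: ZAP debug lines quoted in the thread above.
SAMPLE_LOG = """\
72607 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest http://dop-zap-service.dop-system:8080/JSON/core/view/version/
81331 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.addon.network.internal.client.BaseHttpSender - Sending GET http://zap-nonprod.mydomain.com/JSON/core/view/version/
81362 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.addon.network.internal.client.BaseHttpSender - Sending message to: http://zap-nonprod.mydomain.com/JSON/core/view/version/
81375 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache - An I/O error occurred while sending the request:
org.apache.hc.client5.http.HttpHostConnectException: Connect to http://zap-nonprod.mydomain.com:80 [zap-nonprod.mydomain.com/10.236.170.7] failed: Connection refused
"""

# "<ms> [thread] LEVEL logger - message"
LINE = re.compile(r"^(\d+) \[([^\]]+)\] (\w+)\s+(\S+) - (.*)$")
API_HIT = re.compile(r"^handleApiRequest (\S+)")
SENT = re.compile(r"^Sending [A-Z]+ (\S+)")  # "Sending GET ...", not "Sending message to:"
REFUSED = re.compile(r"Connect to (\S+) \[.*\] failed: (.+)$")

def classify(log_text, ingress_hosts):
    """Return one finding per request: served by the API, or forwarded outbound."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            # Continuation line (exception text): attach a connect failure
            # to the most recent forwarded request.
            r = REFUSED.search(raw)
            if r and findings and findings[-1]["outcome"] == "forwarded":
                findings[-1]["dialed"] = r.group(1)
                findings[-1]["error"] = r.group(2)
            continue
        logger, msg = m.group(4), m.group(5)
        if logger.endswith(".api.API") and (a := API_HIT.match(msg)):
            findings.append({"outcome": "api", "url": a.group(1)})
        elif logger.endswith(".BaseHttpSender") and (s := SENT.match(msg)):
            host = urlsplit(s.group(1)).hostname
            # self_loop: ZAP dialed the same name clients use to reach ZAP.
            findings.append({"outcome": "forwarded", "url": s.group(1),
                             "self_loop": host in ingress_hosts})
    return findings

if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG, {"zap-nonprod.mydomain.com"}):
        print(finding)
```

A `forwarded` finding with `self_loop` set marks a request that arrived under the ingress hostname and was sent out again instead of reaching `handleApiRequest`, which is the pattern in the browser-via-Ingress log lines above.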