ZAP 2.16 Docker on Kubernetes + Istio: Unable to access UI and remote scan fails with Connection refused


Amulya Malla

Nov 14, 2025, 7:05:17 AM
to ZAP User Group

Description:
We are deploying ZAP 2.16 as a Docker container on Kubernetes behind Istio. While the pod is running, we are unable to access the ZAP UI via Istio Ingress, and remote scans fail with a Connection refused error.

Environment:

ZAP version: 2.16
Deployment: Docker container in Kubernetes
Ingress: Istio Gateway with TLS termination
ZAP mode: Daemon (zap.sh -daemon -host 0.0.0.0 -port 8080
-config hud.enabled=false
-config api.disablekey=true
-config api.addrs.addr.name=.*
-config api.addrs.addr.scheme=https
-config api.addrs.addr.port=443
-api.addrs.addr.regex=true
-config callhome.disable=true
-config api.cors.enabled=true
-config api.cors.allowOrigin=*)

Target URL for API calls: https://zap-nonprod.mydomain.com/

Browser → Istio Ingress (TLS termination) → ZAP (receives HTTP traffic)

Observed Behavior / Logs:
92 [ZAP-daemon] INFO org.zaproxy.addon.network.ExtensionNetwork - ZAP is now listening on 0.0.0.0:8080 ... Connect to http://zap-nonprod.mydomain.com:80 [...] failed: Connection refused
ZAP is listening on 0.0.0.0:8080 inside the pod.
Internal ZAP client tries to connect to port 80 (not exposed).
UI access via Istio Ingress fails, likely due to port mismatch or missing Istio routing to port 8080.

Zap Log:
logs-from-dop-zap-service-in-dop-zap-service-57df76666c-nc64k.log

Vitor Rodrigues

Nov 14, 2025, 7:23:47 AM
to ZAP User Group
I faced a similar issue when deploying ZAP on K8s. As far as I remember, ZAP rejects requests that use an unknown ZAP hostname, meaning any hostname that the application isn’t explicitly configured to accept. I solved this by adding the following setting during ZAP startup:

` -config network.localServers.aliases.alias.name=your_pod_domain_name`

Hope this helps!

Amulya Malla

Nov 17, 2025, 1:11:12 AM
to ZAP User Group
Made the changes but it didn't work. What I observed is that, after TLS termination at the upstream layer, ZAP identifies the incoming request as HTTP and by default creates a socket with HTTP (socket://zap-nonprod.mydomain.com:80), resulting in connection refused since the firewall blocked port 80 outbound (organizational restriction).

PFS

33633 [ZAP-daemon] INFO org.zaproxy.addon.network.ExtensionNetwork - ZAP is now listening on 0.0.0.0:8080

# Successful request internally from an internal pod running in a different namespace (HTTP)
72607 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest http://dop-zap-service.dop-system:8080/JSON/core/view/version/

# From browser - via Ingress
81331 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.addon.network.internal.client.BaseHttpSender - Sending GET http://zap-nonprod.mydomain.com/JSON/core/view/version/
81358 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.zap.extension.httpsessions.HttpSessionsSite - No session tokens for: zap-nonprod.mydomain.com:80
81362 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.addon.network.internal.client.BaseHttpSender - Sending message to: http://zap-nonprod.mydomain.com/JSON/core/view/version/
81373 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.addon.network.internal.client.ZapProxySelector - Selected proxies for socket://zap-nonprod.mydomain.com:80 [DIRECT]
81375 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache - An I/O error occurred while sending the request:
org.apache.hc.client5.http.HttpHostConnectException: Connect to http://zap-nonprod.mydomain.com:80 [zap-nonprod.mydomain.com/10.236.170.7] failed: Connection refused

@psiinon - Please suggest, TIA

thc202

Nov 21, 2025, 12:19:45 PM
to zaprox...@googlegroups.com
Hi,

On 14/11/2025 12:21, Vitor Rodrigues wrote:
> I faced a similar issue when deploying ZAP on K8s. As far as I remember,
> ZAP rejects requests that use an unknown ZAP hostname, meaning any hostname
> that the application isn’t explicitly configured to accept.

To be clear ZAP is forwarding the request not rejecting it, as it does
know that the address is itself.

Best regards.

thc202

Nov 21, 2025, 12:25:25 PM
to zaprox...@googlegroups.com
Hi,

If you need ZAP to handle more than one domain you should add them both,
e.g.:
-config network.localServers.aliases(0).alias.name=dop-zap-service.dop-system
-config network.localServers.aliases(1).alias.name=zap-nonprod.mydomain.com

Best regards.
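
Added example, not part of any post in this thread: a small triage script for a ZAP DEBUG log that separates hostnames whose API requests were served (`API - handleApiRequest`) from hostnames whose API-path requests were sent out again by `BaseHttpSender`, as in the log excerpt above. The second group lists the names to check against the alias setting discussed in the replies. The sample log is constructed from the lines quoted in the thread; the function names and the set of API path prefixes other than `/JSON/` are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, assembled from the DEBUG lines quoted in the thread.
SAMPLE_LOG = """\
72607 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.zap.extension.api.API - handleApiRequest http://dop-zap-service.dop-system:8080/JSON/core/view/version/
81331 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.addon.network.internal.client.BaseHttpSender - Sending GET http://zap-nonprod.mydomain.com/JSON/core/view/version/
81362 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.addon.network.internal.client.BaseHttpSender - Sending message to: http://zap-nonprod.mydomain.com/JSON/core/view/version/
81375 [ZAP-IO-Server-1-1] DEBUG org.zaproxy.addon.network.internal.client.apachev5.HttpSenderApache - An I/O error occurred while sending the request:
org.apache.hc.client5.http.HttpHostConnectException: Connect to http://zap-nonprod.mydomain.com:80 [zap-nonprod.mydomain.com/10.236.170.7] failed: Connection refused
"""

# Request served by ZAP's own API handler.
HANDLED = re.compile(r"\bAPI - handleApiRequest (\S+)")
# Request sent out by ZAP's HTTP client (method in upper case, then the URL).
FORWARDED = re.compile(r"\bBaseHttpSender - Sending [A-Z]+ (\S+)")
# ZAP API path prefixes; the thread only shows /JSON/, the rest are assumed.
API_PATH = re.compile(r"^/(JSON|XML|HTML|OTHER|UI)(/|$)")


def classify(log_text):
    """Return (handled_hosts, forwarded_hosts) for API URLs seen in the log."""
    handled, forwarded = set(), set()
    for line in log_text.splitlines():
        if m := HANDLED.search(line):
            handled.add(urlsplit(m.group(1)).hostname)
        elif m := FORWARDED.search(line):
            url = urlsplit(m.group(1))
            # Ordinary proxied traffic is expected; only API paths are suspect.
            if API_PATH.match(url.path):
                forwarded.add(url.hostname)
    return handled, forwarded


def hosts_forwarded_not_served(log_text):
    """Hostnames that carried API paths but were never served by the API."""
    handled, forwarded = classify(log_text)
    return sorted(forwarded - handled)


if __name__ == "__main__":
    for host in hosts_forwarded_not_served(SAMPLE_LOG):
        print(f"API request for {host} was forwarded, not served")
```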