mirror of https://code.forgejo.org/infrastructure/documentation synced 2024-11-28 13:21:11 +00:00

ssh port forwarding via nginx stream for code.forgejo.org

Fixes: #6
Earl Warren 2024-09-17 08:50:20 +02:00
parent f77193590b
commit 5b4570e204
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00


@ -558,23 +558,38 @@ iface enp5s0 inet6 static
down ip -6 addr del 2a01:4f9:3081:51ec::102/64 dev enp5s0 down ip -6 addr del 2a01:4f9:3081:51ec::102/64 dev enp5s0
# END code.forgejo.org # END code.forgejo.org
``` ```
For port forwarding to work, the LXC host must not bind them. For instance the ssh server configuration at `/etc/ssh/sshd_config` should not bind all IP but only a specific one.
```
Port 22
AddressFamily inet
ListenAddress 65.21.67.73
#ListenAddress ::
```
#### Port forwarding #### Port forwarding
Forwarding a port to an LXC container can be done with `/home/debian/code.nftables` for Forwarding a port to an LXC container can be done with [nginx streeam](https://nginx.org/en/docs/stream/ngx_stream_core_module.html) for the public IP of code.forgejo.org (65.21.67.71 & 2a01:4f9:3081:51ec::102) to the private IP (10.6.83.195) of the `code` LXC container in `/etc/nginx/modules-enabled/ssh.conf`:
the public IP of code.forgejo.org (65.21.67.71) to the private IP of the `code` LXC container:
``` ```
add table ip code; stream {
flush table ip code;
add chain ip code prerouting {
type nat hook prerouting priority 0;
policy accept;
ip daddr 65.21.67.71 tcp dport { ssh } dnat to 10.6.83.195;
};
```
with `nft -f /root/code.nftables`. # code.forgejo.org ip's
upstream codessh {
least_conn;
server 10.6.83.195:22;
}
# code.forgejo.org definition
server {
listen 65.21.67.71:22; # the port to listen on this server
listen [2a01:4f9:3081:51ec::102]:22;
proxy_pass codessh; # forward traffic to this upstream group
proxy_timeout 3s;
proxy_connect_timeout 3s;
}
}
```
#### 302 redirects #### 302 redirects
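Review bot: `proxy_timeout 3s;` in the new `/etc/nginx/modules-enabled/ssh.conf` server block is an idle timeout, not a connect timeout: the nginx stream module closes the proxied connection when no bytes flow in either direction for that long, so a git push or clone that pauses for a few seconds while the server packs objects, or any interactive ssh session, will be cut off. Keep `proxy_connect_timeout 3s;` as is, but leave `proxy_timeout` at its default (10m) or set it comfortably above sshd's keepalive interval. Two smaller points on the prose in the same hunk: the link text reads `nginx streeam` (typo), and since nginx now terminates the TCP connection, sshd and Forgejo inside the `code` container see the LXC host's internal address as the client IP rather than the real peer, which affects logs and any IP-based banning; that deserves a sentence in the doc. It would also help to say explicitly that the old `code.nftables` dnat rule for `65.21.67.71` port 22 has to be flushed on the host, otherwise the nftables rule and the nginx `listen 65.21.67.71:22;` both claim the same traffic.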