1
0
Fork 0
mirror of https://code.forgejo.org/infrastructure/documentation synced 2024-12-22 12:53:53 +00:00

Merge pull request 'ssh port forwarding via nginx stream for code.forgejo.org' (#7) from earl-warren/documentation:wip-forwarding into main

Reviewed-on: https://code.forgejo.org/infrastructure/documentation/pulls/7
This commit is contained in:
earl-warren 2024-09-17 09:41:35 +00:00
commit 891af11fd5

View file

@ -558,23 +558,38 @@ iface enp5s0 inet6 static
down ip -6 addr del 2a01:4f9:3081:51ec::102/64 dev enp5s0
# END code.forgejo.org
```
For port forwarding to work, the LXC host must not bind them. For instance the ssh server configuration at `/etc/ssh/sshd_config` should not bind all IP but only a specific one.
```
Port 22
AddressFamily inet
ListenAddress 65.21.67.73
#ListenAddress ::
```
#### Port forwarding
Forwarding a port to an LXC container can be done with `/home/debian/code.nftables` for
the public IP of code.forgejo.org (65.21.67.71) to the private IP of the `code` LXC container:
Forwarding a port to an LXC container can be done with [nginx streeam](https://nginx.org/en/docs/stream/ngx_stream_core_module.html) for the public IP of code.forgejo.org (65.21.67.71 & 2a01:4f9:3081:51ec::102) to the private IP (10.6.83.195) of the `code` LXC container in `/etc/nginx/modules-enabled/ssh.conf`:
```
add table ip code;
flush table ip code;
add chain ip code prerouting {
type nat hook prerouting priority 0;
policy accept;
ip daddr 65.21.67.71 tcp dport { ssh } dnat to 10.6.83.195;
};
```
stream {
with `nft -f /root/code.nftables`.
# code.forgejo.org ip's
upstream codessh {
least_conn;
server 10.6.83.195:22;
}
# code.forgejo.org definition
server {
listen 65.21.67.71:22; # the port to listen on this server
listen [2a01:4f9:3081:51ec::102]:22;
proxy_pass codessh; # forward traffic to this upstream group
proxy_timeout 3s;
proxy_connect_timeout 3s;
}
}
```
#### 302 redirects