mirror of
https://code.forgejo.org/infrastructure/documentation
synced 2024-11-21 19:11:11 +00:00
Merge pull request 'ssh port forwarding via nginx stream for code.forgejo.org' (#7) from earl-warren/documentation:wip-forwarding into main
Reviewed-on: https://code.forgejo.org/infrastructure/documentation/pulls/7
commit 891af11fd5
Changed file: README.md (37)
@ -558,23 +558,38 @@ iface enp5s0 inet6 static
down ip -6 addr del 2a01:4f9:3081:51ec::102/64 dev enp5s0
# END code.forgejo.org
```
For port forwarding to work, the LXC host must not bind them. For instance the ssh server configuration at `/etc/ssh/sshd_config` should not bind all IP but only a specific one.
```
Port 22
AddressFamily inet
ListenAddress 65.21.67.73
#ListenAddress ::
```
#### Port forwarding
Forwarding a port to an LXC container can be done with `/home/debian/code.nftables` for
the public IP of code.forgejo.org (65.21.67.71) to the private IP of the `code` LXC container:
Forwarding a port to an LXC container can be done with [nginx streeam](https://nginx.org/en/docs/stream/ngx_stream_core_module.html) for the public IP of code.forgejo.org (65.21.67.71 & 2a01:4f9:3081:51ec::102) to the private IP (10.6.83.195) of the `code` LXC container in `/etc/nginx/modules-enabled/ssh.conf`:
```
add table ip code;
flush table ip code;
add chain ip code prerouting {
type nat hook prerouting priority 0;
policy accept;
ip daddr 65.21.67.71 tcp dport { ssh } dnat to 10.6.83.195;
};
```
stream {
with `nft -f /root/code.nftables`.
# code.forgejo.org ip's
upstream codessh {
least_conn;
server 10.6.83.195:22;
}
# code.forgejo.org definition
server {
listen 65.21.67.71:22; # the port to listen on this server
listen [2a01:4f9:3081:51ec::102]:22;
proxy_pass codessh; # forward traffic to this upstream group
proxy_timeout 3s;
proxy_connect_timeout 3s;
}
}
```
#### 302 redirects
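Review bot: `proxy_timeout 3s;` in the new `server` block of `/etc/nginx/modules-enabled/ssh.conf` is an inactivity timeout, not a connect timeout: the nginx stream module closes the connection whenever no data crosses it in either direction for that long (the default is 10m), so any SSH session or `git` transfer that stays silent for more than 3 seconds, for example while the server packs objects for a large fetch, will be cut. Raise it substantially or drop it and keep only `proxy_connect_timeout 3s;`. Two further points on the same hunk: the removed nftables `dnat` rule delivered the client's real source address to the container, whereas the nginx stream proxy opens its own TCP connection to `10.6.83.195:22`, so sshd and Forgejo inside the `code` container now log the proxy's address instead of the client IP and any IP-based rate limiting or banning there stops working; the README should state this (or document IP transparency via `proxy_bind $remote_addr transparent;`, which additionally requires the container to route return traffic through the host). Finally, `streeam` in the link text and `ip's` in the `# code.forgejo.org ip's` comment are typos.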