From 5b4570e20414d7f6bf16dbe30bdb65151ac0021e Mon Sep 17 00:00:00 2001 From: Earl Warren Date: Tue, 17 Sep 2024 08:50:20 +0200 Subject: [PATCH] ssh port forwarding via nginx stream for code.forgejo.org Fixes: #6 --- README.md | 37 ++++++++++++++++++++++++++----------- 1 file changed, 26 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 0b99cb6..533b570 100644 --- a/README.md +++ b/README.md @@ -558,23 +558,38 @@ iface enp5s0 inet6 static down ip -6 addr del 2a01:4f9:3081:51ec::102/64 dev enp5s0 # END code.forgejo.org ``` +For port forwarding to work, the LXC host must not bind them. For instance the ssh server configuration at `/etc/ssh/sshd_config` should not bind all IP but only a specific one. + +``` +Port 22 +AddressFamily inet +ListenAddress 65.21.67.73 +#ListenAddress :: +``` #### Port forwarding -Forwarding a port to an LXC container can be done with `/home/debian/code.nftables` for -the public IP of code.forgejo.org (65.21.67.71) to the private IP of the `code` LXC container: +Forwarding a port to an LXC container can be done with [nginx streeam](https://nginx.org/en/docs/stream/ngx_stream_core_module.html) for the public IP of code.forgejo.org (65.21.67.71 & 2a01:4f9:3081:51ec::102) to the private IP (10.6.83.195) of the `code` LXC container in `/etc/nginx/modules-enabled/ssh.conf`: ``` -add table ip code; -flush table ip code; -add chain ip code prerouting { - type nat hook prerouting priority 0; - policy accept; - ip daddr 65.21.67.71 tcp dport { ssh } dnat to 10.6.83.195; -}; -``` +stream { -with `nft -f /root/code.nftables`. + # code.forgejo.org ip's + upstream codessh { + least_conn; + server 10.6.83.195:22; + } + + # code.forgejo.org definition + server { + listen 65.21.67.71:22; # the port to listen on this server + listen [2a01:4f9:3081:51ec::102]:22; + proxy_pass codessh; # forward traffic to this upstream group + proxy_timeout 3s; + proxy_connect_timeout 3s; + } +} +``` #### 302 redirects
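Review bot: the nginx `stream` block documented here proxies TCP port 22 without `proxy_bind $remote_addr transparent;` or PROXY protocol, so the `code` container's sshd will see nginx's own address as the client source rather than the real remote IP; the README should state this, since it affects sshd logs, fail2ban-style rate limiting and any IP-based allow/deny rules inside the container. Two smaller points in the same hunk: `proxy_timeout 3s;` closes the connection after 3 seconds without data in either direction, which is tight for git-over-ssh sessions where the server may pause while packing objects, so the chosen value deserves a comment or a larger default; and the prose has a typo (`nginx streeam`) and an unclear referent in "the LXC host must not bind them" (say "the forwarded ports"). The sentence about `sshd_config` could also note that `ListenAddress` must exclude 65.21.67.71 and the IPv6 address the stream server listens on, not only "bind a specific one".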