Merge pull request 'ssh port forwarding via nginx stream for code.forgejo.org' (#7) from earl-warren/documentation:wip-forwarding into main

Reviewed-on: https://code.forgejo.org/infrastructure/documentation/pulls/7

README.md

@@ -558,23 +558,38 @@ iface enp5s0 inet6 static
   down ip -6 addr del 2a01:4f9:3081:51ec::102/64 dev enp5s0
   # END code.forgejo.org
 ```
+For port forwarding to work, the LXC host must not bind them. For instance the ssh server configuration at `/etc/ssh/sshd_config` should not bind all IP but only a specific one.
+
+```
+Port 22
+AddressFamily inet
+ListenAddress 65.21.67.73
+#ListenAddress ::
+```
 
 #### Port forwarding
 
-Forwarding a port to an LXC container can be done with `/home/debian/code.nftables` for
+Forwarding a port to an LXC container can be done with [nginx streeam](https://nginx.org/en/docs/stream/ngx_stream_core_module.html) for the public IP of code.forgejo.org (65.21.67.71 & 2a01:4f9:3081:51ec::102) to the private IP (10.6.83.195) of the `code` LXC container in `/etc/nginx/modules-enabled/ssh.conf`:
-the public IP of code.forgejo.org (65.21.67.71) to the private IP of the `code` LXC container:
 
 ```
-add table ip code;
+stream {
-flush table ip code;
-add chain ip code prerouting {
-  type nat hook prerouting priority 0;
-  policy accept;
-  ip daddr 65.21.67.71 tcp dport { ssh } dnat to 10.6.83.195;
-};
-```
 
-with `nft -f /root/code.nftables`.
+  # code.forgejo.org ip's
+  upstream codessh {
+    least_conn;
+    server 10.6.83.195:22;
+  }
+
+  # code.forgejo.org definition
+  server {
+    listen 65.21.67.71:22; # the port to listen on this server
+    listen [2a01:4f9:3081:51ec::102]:22;
+    proxy_pass codessh; # forward traffic to this upstream group
+    proxy_timeout 3s;
+    proxy_connect_timeout 3s;
+  }
+}
+```
 
 #### 302 redirects