Merge pull request 'ssh port forwarding via nginx stream for code.forgejo.org' (#7) from earl-warren/documentation:wip-forwarding into main

Reviewed-on: https://code.forgejo.org/infrastructure/documentation/pulls/7
2024-11-22 03:21:10 +00:00 · 2024-09-17 09:41:35 +00:00 · 2024-09-17 09:41:35 +00:00 · 891af11fd5
parent f77193590b 5b4570e204
commit 891af11fd5
1 changed files with 26 additions and 11 deletions
--- a/README.md
+++ b/README.md
@ -558,23 +558,38 @@ iface enp5s0 inet6 static
  down ip -6 addr del 2a01:4f9:3081:51ec::102/64 dev enp5s0
  # END code.forgejo.org
 ```
+For port forwarding to work, the LXC host must not bind them. For instance the ssh server configuration at `/etc/ssh/sshd_config` should not bind all IP but only a specific one.
+
+```
+Port 22
+AddressFamily inet
+ListenAddress 65.21.67.73
+#ListenAddress ::
+```

 #### Port forwarding

-Forwarding a port to an LXC container can be done with `/home/debian/code.nftables` for
-the public IP of code.forgejo.org (65.21.67.71) to the private IP of the `code` LXC container:
+Forwarding a port to an LXC container can be done with [nginx streeam](https://nginx.org/en/docs/stream/ngx_stream_core_module.html) for the public IP of code.forgejo.org (65.21.67.71 & 2a01:4f9:3081:51ec::102) to the private IP (10.6.83.195) of the `code` LXC container in `/etc/nginx/modules-enabled/ssh.conf`:

 ```
-add table ip code;
-flush table ip code;
-add chain ip code prerouting {
-  type nat hook prerouting priority 0;
-  policy accept;
-  ip daddr 65.21.67.71 tcp dport { ssh } dnat to 10.6.83.195;
-};
-```
+stream {

-with `nft -f /root/code.nftables`.
+  # code.forgejo.org ip's
+  upstream codessh {
+    least_conn;
+    server 10.6.83.195:22;
+  }
+
+  # code.forgejo.org definition
+  server {
+    listen 65.21.67.71:22; # the port to listen on this server
+    listen [2a01:4f9:3081:51ec::102]:22;
+    proxy_pass codessh; # forward traffic to this upstream group
+    proxy_timeout 3s;
+    proxy_connect_timeout 3s;
+  }
+}
+```

 #### 302 redirects