How to steer public traffic to a jail

How to steer public traffic to a jail

Ernie Luzar
I have 4 registered domain names, one for each jail. How do I get [ALL]
public traffic to a domain name directed to the desired jail?
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"

Re: How to steer public traffic to a jail

Carsten Bäcker-2
Hi,

you may want to have a look into reverse proxying, e.g. using nginx on
your jail-host.
Really basic example:

    http {
        server {
            listen 80;
            server_name your.1st.domain.com;
            location / {
                proxy_pass http://127.0.1.2;
            }
        }
        server {
            listen 80;
            server_name your.2nd.domain.com;
            location / {
                proxy_pass http://127.0.1.3;
            }
        }
    }

Good luck!
Carsten


On 14.08.2020 at 14:08, Ernie Luzar wrote:
> I have 4 registered domain names, one for each jail. How do I get
> [ALL] public traffic to a domain name directed to the desired jail?


Re: How to steer public traffic to a jail

Ernie Luzar
Carsten Bäcker wrote:

> Hi,
>
> you may want to have a look into reverse proxying, e.g. using nginx on
> your jail-host.
> Really basic example:
>
>     http {
>         server {
>             listen 80;
>             server_name your.1st.domain.com;
>             location / {
>                 proxy_pass http://127.0.1.2;
>             }
>         }
>         server {
>             listen 80;
>             server_name your.2nd.domain.com;
>             location / {
>                 proxy_pass http://127.0.1.3;
>             }
>         }
>     }
>

This looks interesting.

When does nginx see the packet, before the firewall or after the
firewall passes it through?

Employing this concept, each unique domain name is the element used to
target the jail's private IP address.

Would need a server clause for each port number/domain name targeting
each jail.

This would work for port 21, 22, 23, 25

Re: How to steer public traffic to a jail

Steve O'Hara-Smith
On Fri, 14 Aug 2020 10:58:03 -0400
Ernie Luzar <[hidden email]> wrote:

> Carsten Bäcker wrote:
> > Hi,
> >
> > you may want to have a look into reverse proxying, e.g. using nginx on
> > your jail-host.
> > Really basic example:
> >
> >     http {
> >         server {
> >             listen 80;
> >             server_name your.1st.domain.com;
> >             location / {
> >                 proxy_pass http://127.0.1.2;
> >             }
> >         }
> >         server {
> >             listen 80;
> >             server_name your.2nd.domain.com;
> >             location / {
> >                 proxy_pass http://127.0.1.3;
> >             }
> >         }
> >     }
> >
>
> This looks interesting.

        Think again - this is HTTP proxying only. It's great for that but
useless for anything else. I use a similar mechanism to serve multiple
domains from one http server.

> Employing this concept, each unique domain name is the element used to
> target the jail's private IP address.

        Yes but it only works because there is an HTTP header with the
hostname in it and nginx knows how to read HTTP.

> Would need a server clause for each port number/domain name targeting
> each jail.
>
> This would work for port 21, 22, 23, 25

        No, only 80 and then only if the protocol is HTTP and if the clients
send the necessary HTTP header (I haven't seen one that didn't in decades).

--
Steve O'Hara-Smith <[hidden email]>
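
Added example (not part of the original thread and not nginx's own code): a sketch of the name-based dispatch discussed above, showing that a jail can be chosen only when the client's first bytes carry a hostname. The hostnames and 127.0.1.x addresses follow the nginx example in the thread; the function names and the sample client bytes are constructed for illustration.

```python
# Hostname -> jail address, as in the thread's nginx example.
ROUTES = {
    "your.1st.domain.com": "127.0.1.2",
    "your.2nd.domain.com": "127.0.1.3",
}

HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ")

# Constructed samples of what a client sends first on a new connection.
HTTP_REQ = b"GET / HTTP/1.1\r\nHost: your.2nd.domain.com\r\nUser-Agent: x\r\n\r\n"
HTTP_UNKNOWN = b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"
SSH_HELLO = b"SSH-2.0-OpenSSH_8.1\r\n"    # software version only, no hostname
SMTP_HELLO = b"EHLO client.example\r\n"   # names the client, not the target


def host_from_http(first_bytes: bytes):
    """Return the lower-cased Host header value, or None if not HTTP/absent."""
    if not first_bytes.startswith(HTTP_METHODS):
        return None
    head = first_bytes.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if host.startswith("["):              # IPv6 literal: leave as is
                return host
            return host.partition(":")[0]         # drop an optional :port
    return None


def pick_jail(first_bytes: bytes, routes=ROUTES):
    """Jail address for this connection, or None when no name is available."""
    host = host_from_http(first_bytes)
    return routes.get(host) if host else None


if __name__ == "__main__":
    for label, data in [("http", HTTP_REQ), ("http, unknown host", HTTP_UNKNOWN),
                        ("ssh", SSH_HELLO), ("smtp", SMTP_HELLO)]:
        print(f"{label:20} -> {pick_jail(data)}")
```

This sketch refuses a request whose Host matches no entry. nginx instead hands such a request to the default server for that listen port, which is the first server block unless one is marked default_server.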

Re: How to steer public traffic to a jail

Carsten Bäcker-2
Hi,

nginx will only see packets that passed the firewall, so you need to
allow incoming traffic to port(s) 80, 443 to wherever your
reverse-proxy is running.
Domain-Names are HTTP-specific. No ssh, nor telnet or ftp know anything
about that.
Personally I wouldn't even think about using telnet or ftp. :-)

If you need ssh-access to the jails you may use (public) ports other
than 22 and forward them to the corresponding jail. This will -
additionally - allow sftp.

Regards
Carsten





Re: How to steer public traffic to a jail

Carsten Bäcker-2
On 14.08.2020 at 19:47, Carsten Bäcker wrote:
> Domain-Names are HTTP-specific. No ssh, nor telnet or ftp know anything
> about that.
Hmm. Forget about that...
It's basically an issue related to firewall / port-forwarding.