Date: Fri, 14 Aug 2020 19:47:30 +0200
From: Carsten Bäcker <carbaecker@gmx.de>
To: Steve O'Hara-Smith <steve@sohara.org>, Ernie Luzar <luzar722@gmail.com>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>, "freebsd-jail@freebsd.org" <freebsd-jail@freebsd.org>
Subject: Re: How to steer public traffic to a jail
Message-ID: <c8b05103-49cb-c3ab-9178-0530cff4b35b@gmx.de>
In-Reply-To: <20200814161726.972dcb71499c7129fe672836@sohara.org>
References: <5F367EA9.20809@gmail.com> <8984b35b-7c48-32ee-5bd0-e29c9439c890@gmx.de> <5F36A67B.1040408@gmail.com> <20200814161726.972dcb71499c7129fe672836@sohara.org>

Hi,

nginx will only see packets that passed the firewall, so you need to
allow incoming traffic to port(s) 80, 443 to wherever your
reverse-proxy is running.

Domain-Names are HTTP-specific. Neither ssh nor telnet nor ftp knows
anything about that.
Personally I wouldn't even think about using telnet or ftp. :-)

If you need ssh-access to the jails you may use (public) ports other
than 22 and forward them to the corresponding jail. This will -
additionally - allow sftp.

Regards
Carsten

On 14.08.2020 at 17:17, Steve O'Hara-Smith wrote:
> On Fri, 14 Aug 2020 10:58:03 -0400
> Ernie Luzar <luzar722@gmail.com> wrote:
>
>> Carsten Bäcker wrote:
>>> Hi,
>>>
>>> you may want to have a look into reverse proxying, e.g. using nginx on
>>> your jail-host.
>>> Really basic example:
>>>
>>> http {
>>>     server {
>>>         listen 80;
>>>         server_name your.1st.domain.com;
>>>         location = / {
>>>             proxy_pass http://127.0.1.2;
>>>         }
>>>     }
>>>     server {
>>>         listen 80;
>>>         server_name your.2nd.domain.com;
>>>         location / {
>>>             proxy_pass http://127.0.1.3;
>>>         }
>>>     }
>>> }
>>>
>> This looks interesting.
> Think again - this is HTTP proxying only. It's great for that but
> useless for anything else. I use a similar mechanism to serve multiple
> domains from one http server.
>
>> Employing this concept each unique domain name is the element used to
>> target the jail's private ip address.
> Yes but it only works because there is an HTTP header with the
> hostname in it and nginx knows how to read HTTP.
>
>> Would need a server clause for each port number/domain name targeting
>> each jail.
>>
>> This would work for port 21, 22, 23, 25
> No, only 80 and then only if the protocol is HTTP and if the clients
> send the necessary HTTP header (I haven't seen one that didn't in decades).
>
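The routing decision discussed in this thread, as an added example that is not part of the original messages: name-based routing needs a Host header in the client's first bytes, while an SSH client only sends an identification string, so it can be steered by port alone. The function names, the public ports 2201/2202 and the sample byte strings are constructed for illustration; the backend addresses are the ones from the quoted nginx example.

```python
# Added illustration, not code from the thread.
# Backend addresses are taken from the quoted nginx example.
BACKENDS = {
    "your.1st.domain.com": "127.0.1.2",
    "your.2nd.domain.com": "127.0.1.3",
}
# Hypothetical public ports forwarded to each jail's sshd (assumption).
PORT_FORWARDS = {2201: ("127.0.1.2", 22), 2202: ("127.0.1.3", 22)}

# Constructed sample inputs: first bytes sent by an HTTP and an SSH client.
HTTP_REQ = b"GET / HTTP/1.1\r\nhost: Your.2nd.Domain.com:80\r\nAccept: */*\r\n\r\n"
SSH_HELLO = b"SSH-2.0-ExampleClient_1.0\r\n"


def strip_port(host):
    """Drop a trailing ':port' but leave names and bracketed IPv6 literals alone."""
    name, sep, port = host.rpartition(":")
    return name if sep and port.isdigit() else host


def http_host(first_bytes):
    """Return the lower-cased Host header value, or None if there is none."""
    head = first_bytes.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    # Anything that is not "METHOD target HTTP/x.y" is not an HTTP request.
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":  # header names are case-insensitive
            return strip_port(value.strip().decode("ascii", "replace").lower())
    return None


def route(listen_port, first_bytes):
    """Pick a jail by Host header on port 80, by listening port otherwise."""
    if listen_port == 80:
        host = http_host(first_bytes)
        return (BACKENDS[host], 80) if host in BACKENDS else None
    # No host name exists in the protocol, so the port is the only selector.
    return PORT_FORWARDS.get(listen_port)
```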