From: Steve O'Hara-Smith
To: Ernie Luzar
Cc: Carsten Bäcker, "freebsd-questions@freebsd.org", "freebsd-jail@freebsd.org"
Subject: Re: How to steer public traffic to a jail
Date: Fri, 14 Aug 2020 16:17:26 +0100

On Fri, 14 Aug 2020 10:58:03 -0400
Ernie Luzar wrote:

> Carsten Bäcker wrote:
> > Hi,
> >
> > you may want to have a look into reverse proxying, e.g. using nginx on
> > your jail-host.
> > Really basic example:
> >
> > http {
> >     server {
> >         listen 80;
> >         server_name your.1st.domain.com;
> >         location / {
> >             proxy_pass http://127.0.1.2;
> >         }
> >     }
> >     server {
> >         listen 80;
> >         server_name your.2nd.domain.com;
> >         location / {
> >             proxy_pass http://127.0.1.3;
> >         }
> >     }
> > }
> >
>
> This looks interesting.

Think again - this is HTTP proxying only. It's great for that but
useless for anything else. I use a similar mechanism to serve multiple
domains from one HTTP server.

> Employing this concept each unique domain name is the element used to
> target the jail's private IP address.

Yes, but it only works because there is an HTTP header with the
hostname in it and nginx knows how to read HTTP.

> Would need a server clause for each port number/domain name targeting
> each jail.
>
> This would work for port 21, 22, 23, 25

No, only 80 and then only if the protocol is HTTP and if the clients
send the necessary HTTP header (I haven't seen one that didn't in
decades).

-- 
Steve O'Hara-Smith
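
Added example, not part of the original thread: a small Python model of the name-based selection discussed above, showing that the jail can only be chosen when the client's first bytes are an HTTP request carrying a Host header. The function name `route`, the `BACKENDS` map (addresses taken from the quoted nginx example) and the sample byte strings are constructed for illustration.

```python
# Added illustration: how a reverse proxy picks a backend by hostname.
# BACKENDS mirrors the two server blocks in the quoted nginx example.
BACKENDS = {
    "your.1st.domain.com": "127.0.1.2",
    "your.2nd.domain.com": "127.0.1.3",
}
METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}

# Constructed samples of what a client sends first on each kind of connection.
HTTP_1ST = b"GET / HTTP/1.1\r\nHost: your.1st.domain.com\r\n\r\n"
HTTP_2ND = b"GET /index.html HTTP/1.1\r\nhost: YOUR.2ND.DOMAIN.COM:80\r\n\r\n"
HTTP_NO_HOST = b"GET / HTTP/1.0\r\n\r\n"       # old-style request, no Host
SSH_CLIENT = b"SSH-2.0-OpenSSH_8.3\r\n"        # port 22: version banner only
SMTP_CLIENT = b"EHLO mail.example.org\r\n"     # port 25: names the sender, not the target
FTP_CLIENT = b"USER anonymous\r\n"             # port 21: no hostname at all


def route(first_bytes: bytes):
    """Return the jail address selected by the Host header, or None.

    None means the bytes give the proxy no hostname to choose a jail with.
    """
    head, _, _ = first_bytes.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    # An HTTP request line has the form "METHOD target HTTP/x.y".
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            bare, colon, port = host.rpartition(":")
            if colon and port.isdigit():       # drop an explicit ":port"
                host = bare
            return BACKENDS.get(host)
    return None                                # HTTP, but no Host header


if __name__ == "__main__":
    for label, data in [("http 1st", HTTP_1ST), ("http 2nd", HTTP_2ND),
                        ("http no host", HTTP_NO_HOST), ("ssh", SSH_CLIENT),
                        ("smtp", SMTP_CLIENT), ("ftp", FTP_CLIENT)]:
        print(f"{label:13} -> {route(data)}")
```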