Multiple jails, one public IP address, no NAT

Posted 2019-08-10 19:49

Question:

My question is pretty simple. I have scoured the web and cannot discern from what I have read how to implement the following. My question is simple. Is the following possible, and can someone point me to a thorough article discussing this? I am new to networking.

I run a FreeBSD 11.1-RELEASE dedicated server. I have built several jails, two of which will run Apache 24 / php72. I have multiple domain names pointing to the same public IP address. I want to forward all port 80 and 443 traffic to www.mydomain.com to one jailed web server, and all port 80 and 443 traffic to dev.mydomain.com to another jailed web server. I do NOT want to have to specify a different port in my web query to be routed to the dev server (why bother with different domain names then??), so that rules out NAT port redirection.

Based on everything I have read, it looks like I need to implement a reverse proxy. I did some research and haproxy looked like the best (of the big 4) based on my needs. However, the documentation on how to configure haproxy for something other than load balancing sucks. Period.

Am I on the right track?

I plan to implement with ipfw on the host system because I will have separate jails handling database implementation and am trying to stay as in line with PCI/PII as possible (abstracting and separating services (www, dns, db) and environments (dev, qa, and prd)).

Thank you in advance for saving measurable amounts of the time I have left on this planet.

Answer 1:

If you have a dedicated server, high are the chances that you have an IPv6 /64 segment. That could simplify a lot of things, since you could totally forget about NAT.

You could indeed use a CDN, something like Cloudflare, so that you could also be available to handle IPv4 requests; this makes a win-win scenario.

Now, in case you don't have IPv6 and just have an IPv4 on the main host, I would suggest PF, for example, taken from fabrik.red:

> cat /etc/pf.conf
ext_if = "em0"
set skip on lo
scrub in all
nat on $ext_if from lo1:network to any -> ($ext_if)
pass all

Later, on the main host, you could use HAProxy and use your jails as backends. You can do the same with Nginx, but personally, for this case, I prefer HAProxy.

You could indeed do this on cloud providers like AWS; for example, check this flow:

The beauty of FreeBSD and the jails is the network stack; you can totally forget about NAT or port forwarding.

If in the attached picture the instance used is a t2.large, it can handle up to 36 IPs by using 3 interfaces; the IPs are assigned/requested via DHCP, and once defined you just need to use them per jail. I used the fabrik.red image for this, since it allows ZFS on root and therefore you can have a very tiny instance (8 GB disk) easily handling >30 jails. This depends on each use case, but I hope it can give you some ideas.

Answer 2:

Yes, you will need a reverse proxy that forwards the requests to the jails on the host-internal LAN.

My suggestion is to use pf instead of ipfw (unless you are very familiar with ipfw), as the learning curve is less steep.

Instead of haproxy, you can use e.g. nginx, see nginx reverse proxy multiple backends for details.
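Both answers describe the same design: one proxy on the host's public address that picks a jail by the requested hostname, so the jails themselves never need a public IP or a non-standard port. The configuration below is an added example of that design for HAProxy (the proxy Answer 1 prefers; Answer 2's nginx equivalent is the same routing expressed as server blocks), not code from the thread or from any of the projects named. The jail addresses 10.0.0.10 (www) and 10.0.0.20 (dev) on the cloned loopback interface, the domain names and the chroot path are assumptions for illustration. Port 80 is routed on the HTTP Host header; port 443 is passed through in TCP mode and routed on the TLS SNI name, so each jail keeps its own certificate and private key and the host proxy never holds plaintext or key material. Requests for a hostname that matches neither site are refused instead of falling through to either jail.

```haproxy
# Added example (not from the original thread). Assumed layout:
#   www.mydomain.com -> jail at 10.0.0.10 on lo1
#   dev.mydomain.com -> jail at 10.0.0.20 on lo1
# Apache in each jail listens only on its 10.0.0.x address, never on the
# public interface, so the proxy is the only reachable entry point.
global
    log /var/run/log local0
    maxconn 2000
    user  nobody
    group nogroup
    chroot /var/haproxy        # assumed path; the proxy drops into it after start
    daemon

defaults
    log     global
    option  dontlognull
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80: route on the Host header, refuse names that are not ours.
frontend http_in
    bind *:80
    mode http
    option httplog
    acl host_www hdr(host) -i www.mydomain.com
    acl host_dev hdr(host) -i dev.mydomain.com
    # Raw-IP requests and scanner traffic get a 403 rather than a jail.
    http-request deny if !host_www !host_dev
    use_backend jail_www if host_www
    use_backend jail_dev if host_dev

# Port 443: TCP passthrough routed on the SNI name in the ClientHello.
# TLS terminates inside the jail, so certificates and keys stay there.
frontend https_in
    bind *:443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    # Drop anything that does not present a TLS ClientHello within the delay.
    tcp-request content reject if !{ req.ssl_hello_type 1 }
    acl sni_www req.ssl_sni -i www.mydomain.com
    acl sni_dev req.ssl_sni -i dev.mydomain.com
    # Unknown or missing SNI: close the connection, no default backend.
    tcp-request content reject if !sni_www !sni_dev
    use_backend jail_www_tls if sni_www
    use_backend jail_dev_tls if sni_dev

backend jail_www
    mode http
    option forwardfor          # X-Forwarded-For so Apache logs the real client
    server www 10.0.0.10:80 check

backend jail_dev
    mode http
    option forwardfor
    server dev 10.0.0.20:80 check

backend jail_www_tls
    mode tcp
    server www 10.0.0.10:443 check

backend jail_dev_tls
    mode tcp
    server dev 10.0.0.20:443 check
```

Validate the file with `haproxy -c -f /usr/local/etc/haproxy.conf` before enabling the service in rc.conf. Because the jails sit on 10.0.0.0/24 behind lo1, the packet filter on the host only has to admit TCP 80 and 443 to the public address; the jail addresses are not routable from outside regardless of the filter, and the Answer 1 pf.conf above already gives the jails outbound NAT for their own updates.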