I'm running a single NGINX proxy container (with proxy_protocol=true) alongside multiple web containers, which is working beautifully. The only problem, however, is that when using proxy protocol the firewall inside the proxy container doesn't work, because it's not getting the real user's IP; the exception is nginx, which gets it via the reverse proxy.

Now, I wish to change the proxy protocol to NAT to get the firewall to work. But that breaks nginx instantly, which I assume is because I have to write an iptables rule to properly forward stuff. Is there anyone who can help me with this?

And, I'm using UFW for those who are curious. I only have 1 IP address, and currently running the default profile:

description: Default LXD profile
devices:
  eth0:
    name: eth0
    network: lxdbr0
    type: nic

The nginx proxy container already has a static IP address.

If you need any additional information feel free to ask.

Why don't you set up the firewall in the host instead of in the container?

I guess you set up a proxy device to forward the HTTP and HTTPS ports to the container with something like this:

lxc config device add nginx myport80 proxy listen=tcp:yourpublicip:80 proxy_protocol=true connect=tcp:127.0.0.1:80

If you want to do the same using iptables you could use this command:

iptables -t nat -A PREROUTING -d yourpublicip -p tcp --dport 80 -j DNAT --to-destination nginxcontainerip

Remember to delete the proxy device. You can save that command in a script which is run at boot, or make it permanent using iptables-save (https://www.thomas-krenn.com/en/wiki/Saving_Iptables_Firewall_Rules_Permanently). You can also use some firewall script like arno-iptables-firewall.
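The following script is an added example, not part of the answer above or of LXD's own tooling. It generates the host-side rules that replace the proxy device: the DNAT rule from the answer, plus an explicit FORWARD accept so a restrictive forward policy (UFW defaults to dropping forwarded traffic) does not silently discard the redirected connections. The addresses are RFC 5737/RFC 1918 placeholders, the bridge name lxdbr0 is taken from the profile in the question, and the FORWARD rule and the conntrack match are my additions (LXD usually installs its own FORWARD accepts for a managed bridge, so the extra rule is a safety net, not a requirement stated on the page). Run it with no arguments to print the rules for review, or with `apply` to pipe them into a shell as root.

```shell
#!/bin/sh
# Added example: build the iptables rules that let a host DNAT public TCP ports
# to an LXD container, so the client's real source IP reaches the container's
# firewall. All addresses are placeholders; override them via the environment.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"      # host public IP (placeholder, RFC 5737)
CONTAINER_IP="${CONTAINER_IP:-10.0.3.20}"   # nginx container's static IP (placeholder)
BRIDGE="${BRIDGE:-lxdbr0}"                  # LXD bridge from the question's profile

# Dotted-quad sanity check: a typo here would otherwise become a NAT rule that
# forwards the public port to the wrong machine.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Rules for one TCP port: the DNAT (this is what replaces the proxy device),
# followed by a FORWARD accept restricted to that port and the bridge, so a
# default-DROP forward policy does not eat the redirected traffic.
rules_for_port() {
  port=$1
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
  printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$PUBLIC_IP" "$port" "$CONTAINER_IP" "$port"
  printf 'iptables -A FORWARD -d %s -o %s -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
    "$CONTAINER_IP" "$BRIDGE" "$port"
}

# Emit the complete rule set for the given ports (default: HTTP and HTTPS).
generate_rules() {
  is_ipv4 "$PUBLIC_IP" && is_ipv4 "$CONTAINER_IP" || { echo "bad IP address" >&2; return 1; }
  [ $# -eq 0 ] && set -- 80 443
  for p in "$@"; do
    rules_for_port "$p" || return 1
  done
}

# "apply" feeds the rules to a shell (run as root); any other arguments are
# treated as a port list to print; no arguments prints the default set.
case "${1:-}" in
  apply) shift; generate_rules "$@" | sh -e ;;
  "")    [ -n "${NO_MAIN:-}" ] || generate_rules ;;
  *)     generate_rules "$@" ;;
esac
```

The printed rules are plain `iptables` invocations, so they can be pasted into the boot script or applied once and captured with `iptables-save` exactly as the answer describes. Because the DNAT happens before routing on the host, the container sees the client's real source address, which is the property the in-container firewall needs.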
