I am trying to run couple of freebsd jails for my web server and application server, which is running node.js
I have one network card (igb0) with a custom loopback interface (lo666) for which i have created 3 aliases, here is part of my /etc/rc.conf
dumpdev="AUTO"
zfs_enable="YES"
sshd_enable="YES"
local_unbound_enable=yes
ifconfig_igb0="inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255"
# Custom loopback interface
cloned_interfaces="lo666"
ifconfig_lo666_alias0="inet 10.6.6.6 netmask 255.255.255.255"
ifconfig_lo666_alias1="inet 10.6.6.7 netmask 255.255.255.255"
ifconfig_lo666_alias2="inet 10.6.6.8 netmask 255.255.255.255"
# Default router
defaultrouter="192.168.1.254"
on my /etc/pf.conf i have this
### Interfaces ###
ExtIf ="igb0"
IntIf ="lo666"
### Hosts ###
IP_PUB ="192.168.1.1"
IP_JAIL = "{10.6.6.6, 10.6.6.7, 10.6.6.8}"
IP_JAIL_WWW = "10.6.6.6"
IP_JAIL_DBS = "10.6.6.7"
IP_JAIL_APP = "10.6.6.8"
NET_JAIL="10.6.6.0/24"
### Ports ###
PORT_WWW="{80,443}"
PORT_NODE="{1337,8080}"
scrub in all
# nat all jail traffic
nat pass on $ExtIf from $NET_JAIL to any -> $IP_PUB
# WWW
rdr pass on $ExtIf proto tcp from any to $IP_PUB port $PORT_WWW -> $IP_JAIL_WWW
rdr pass on $IntIf proto tcp from any to $IP_JAIL_WWW port $PORT_NODE -> $IP_JAIL_APP
so running
# pfctl -sn
nat pass on igb0 inet from 10.6.6.0/24 to any -> 192.168.1.1
rdr pass on igb0 inet proto tcp from any to 192.168.1.1 port = http -> 10.6.6.6
rdr pass on igb0 inet proto tcp from any to 192.168.1.1 port = https -> 10.6.6.6
rdr pass on lo666 inet proto tcp from any to 10.6.6.6 port = 1337 -> 10.6.6.8
rdr pass on lo666 inet proto tcp from any to 10.6.6.6 port = 8080 -> 10.6.6.8
so from the the WWW jail i can
root@www:/ # curl http://10.6.6.8:1337
Hello World
and also from the APP jail i can see the nginx home page
root@app:/# curl http://10.6.6.6
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
...
</html>
so, why do i get a 502 Bad Gateway, error when i try to access this through the browser? here is my nginx.conf
server {
server_name web.domain.tld;
location / {
# For Read Requests
proxy_pass http://10.6.6.8:1370;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
this is what i get in my nginx error log
2014/05/23 13:14:44 [error] 92876#0: *1 kevent() reported that connect() failed (61: Connection refused) while connecting to upstream, client: 192.168.1.10, server: web.domain.tld, request: "GET /favicon.ico HTTP/1.1", upstream: "http://10.6.6.8:1370/favicon.ico", host: "web.domain.tld"
maybe i am overcomplicating it and what i wanted to achieve is to block port 1337 to external users.
any advice much appreciated.
