
At the moment I take care of a network for a company which has different subdomains all pointing at the same IP address for different purposes. We have example.com for their website and gitlab.example.com for their Gitlab instance.
Currently we want to move the Gitlab instance to a different server on the same network. For the Web-UI of Gitlab we use nginx as a reverse proxy to the other server's IP and to manage the SSL certificates and the host.
But now we have the problem that we can't establish an SSH connection to this other server, because the WAN port is forwarded to the webserver and not to the new gitlab-server, and we need this port pointing to the webserver. But also because of the number of projects we have, we can't change the port. (We have no time to reconfigure all these projects in git.)

Is there a possibility to let the webserver act like a relay for the gitlab-server? So that every connection to gitlab.example.com is forwarded to this specific server?

Thanks for your help!!

1 Answer

A simple answer would be the following:

  1. Change the command and control SSH port for the non-gitlab server to be 2222 so there's no port collision
  2. Install HA Proxy and set up a L4 (TCP, not HTTP) listener at port 22
  3. Set the backend of the HA Proxy pool to be the gitlab server, port 22

This will redirect all SSH (port 22) traffic from the external server to the internal server.

This can also be accomplished with DNAT/SNATing via IPTables, but it's much more complex than the above solution. An untested example is here:

    # The relay must route packets for this to work (net.ipv4.ip_forward=1) and the FORWARD chain must allow the traffic.
    # Rewrite the destination of inbound port-22 traffic to the gitlab server.
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 22 -j DNAT --to <gitlabIP>:22
    iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to <gitlabIP>:22
    # Source-NAT the forwarded packets so the gitlab server's replies come back through the relay.
    iptables -t nat -A POSTROUTING -p tcp -d <gitlabIP> --dport 22 -j MASQUERADE

Brennen Smith
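The three steps of the answer as a script, added here as an example and not the answerer's code: it assumes a Debian-style relay host with root access and a constructed GitLab address of 10.0.0.20, and it moves the relay's own sshd to 2222 and verifies that port answers before HAProxy takes port 22, so the admin is not locked out.

```shell
#!/bin/sh
# Added example. Assumptions: Debian-style paths, root privileges,
# GitLab server at 10.0.0.20 (constructed sample address).
set -eu

GITLAB_IP="${GITLAB_IP:-10.0.0.20}"   # constructed sample address
ADMIN_SSH_PORT=2222                    # new sshd port on the relay host

# Step 2/3: render an L4 (TCP) HAProxy config that listens on 22 and
# forwards every connection to the GitLab server's sshd on 22.
render_haproxy_cfg() {
    gitlab_ip="$1"
    cat <<EOF
global
    log /dev/log local0
defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client 1h
    timeout server 1h
frontend ssh_in
    bind *:22
    default_backend gitlab_ssh
backend gitlab_ssh
    # OpenSSH does not speak PROXY protocol, so GitLab's sshd will log the
    # relay's address as the client; HAProxy's tcplog keeps the real source.
    server gitlab ${gitlab_ip}:22 check
EOF
}

# Step 1: move the relay host's own sshd off port 22 (idempotent).
move_sshd_port() {
    cfg="$1"; port="$2"
    if grep -Eq "^Port[[:space:]]+${port}$" "$cfg"; then return 0; fi
    sed -i -E 's/^#?Port[[:space:]]+[0-9]+$/Port '"$port"'/' "$cfg"
    grep -Eq "^Port[[:space:]]+${port}$" "$cfg" || echo "Port ${port}" >> "$cfg"
}

main() {
    move_sshd_port /etc/ssh/sshd_config "$ADMIN_SSH_PORT"
    sshd -t && systemctl reload ssh
    # Do not bind HAProxy to 22 until the admin port is listening.
    ss -ltn "sport = :${ADMIN_SSH_PORT}" | grep -q LISTEN
    render_haproxy_cfg "$GITLAB_IP" > /etc/haproxy/haproxy.cfg
    haproxy -c -f /etc/haproxy/haproxy.cfg
    systemctl restart haproxy
}
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run with `--apply` on the relay host; without it the script only defines the functions, so the config can be rendered and inspected first.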