[SOLVED] Route http/https to caddy container

Sesame3881

New Member
Apr 18, 2024
Hi,

I am stuck configuring routing in Proxmox. Ports 80 and 443 are closed on the host. I don't know how to route those ports to a container which is a Caddy reverse proxy. I have only one public IP address, so I followed this section (masquerading): https://pve.proxmox.com/wiki/Network_Configuration#sysadmin_network_masquerading


Here is my /etc/network/interfaces:
Bash:
auto lo
iface lo inet loopback

auto enp1s0
#real IP address
iface enp1s0 inet static
        address  51.158.146.34/24
        gateway  51.158.146.1

auto vmbr0
#private sub network
iface vmbr0 inet static
        address  10.10.10.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up   iptables -t nat -A PREROUTING -i enp1s0 -p tcp --dport 443 -j DNAT --to 10.10.10.100:443
        post-up   iptables -t nat -A PREROUTING -i enp1s0 -p tcp --dport 80 -j DNAT --to 10.10.10.100:80
        post-down iptables -t nat -D PREROUTING -i enp1s0 -p tcp --dport 443 -j DNAT --to 10.10.10.100:443
        post-down iptables -t nat -D PREROUTING -i enp1s0 -p tcp --dport 80 -j DNAT --to 10.10.10.100:80

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE

I have disabled pve-firewall, but I still have iptables.

Here are the iptables rules:
Bash:
:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:10.10.10.100:443
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:10.10.10.100:80

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  10.10.10.0/24        anywhere

nmap says it's still closed:

Bash:
nmap localhost -p 443,80
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-18 09:39 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
Other addresses for localhost (not scanned): ::1

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

I don't understand why those ports are closed even though iptables says they are open?

Thanks in advance for your help and explanation !
If you do nmap on localhost then it's likely going over the loopback interface, and not enp1s0.
 
Ooh, you're right! I did another test from another server.

I realised that Caddy wasn't running inside the container. Now it says the port is open.

But now the masquerading isn't working anymore. From the Caddy container, I can't ping google.com, for example. I have another container with no internet access anymore.
 
My bad. There is a mistake in the iptables rule:

Code:
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE

My interface isn't eno1, but enp1s0.

Now it works well.

Thank you very much for your help !
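The root cause above was a MASQUERADE rule naming an interface (eno1) that does not exist on the host, so outbound NAT silently never matched. As an added example (not code from this thread or from Proxmox), here is a small POSIX sh check that reads an ifupdown-style /etc/network/interfaces and flags any post-up/post-down iptables rule whose -i/-o interface is not declared by an iface stanza in the same file; the sample config it writes is constructed to reproduce the thread's typo, with documentation-range addresses in place of the real public IP.

```shell
#!/bin/sh
# Added example, not code from the thread: flag iptables post-up/post-down
# rules in an ifupdown config whose -i/-o interface is not declared in that
# same file. This catches the eno1-vs-enp1s0 mistake that broke masquerading.

# Print undeclared interface names (space separated); return 1 if any found.
check_iface_refs() {
    cfg="$1"
    declared=$(awk '$1 == "iface" { print $2 }' "$cfg" | sort -u)
    # interface names that follow -i or -o in iptables post-up/post-down lines
    referenced=$(grep -E '^[[:space:]]*post-(up|down)[[:space:]]+iptables' "$cfg" \
        | grep -oE '(^|[[:space:]])-[io][[:space:]]+[A-Za-z0-9_.:-]+' \
        | awk '{ print $2 }' | sort -u)
    missing=""
    for name in $referenced; do
        printf '%s\n' "$declared" | grep -qx -- "$name" || missing="$missing $name"
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Write a constructed config reproducing the thread's mistake to the path in $1.
# Pass "fixed" as $2 to write the corrected version (enp1s0 on every rule).
write_sample_config() {
    out_if=eno1
    [ "$2" = "fixed" ] && out_if=enp1s0
    cat > "$1" <<EOF
auto lo
iface lo inet loopback

auto enp1s0
iface enp1s0 inet static
        address  192.0.2.10/24
        gateway  192.0.2.1

auto vmbr0
iface vmbr0 inet static
        address  10.10.10.1/24
        bridge-ports none
        post-up   iptables -t nat -A PREROUTING -i enp1s0 -p tcp --dport 443 -j DNAT --to 10.10.10.100:443
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o $out_if -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o $out_if -j MASQUERADE
EOF
}
```

Run `check_iface_refs /etc/network/interfaces` on a real host before `ifreload`; a non-empty result means a rule will never match traffic on the interface you intended.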