[SOLVED] Route http/https to caddy container

[Sesame3881]

Hi,

I am stuck in configuring routing in proxmox. The 80 and 443 ports are closed on the host. I don't know how to route those ports to a container which is a caddy reverse proxy ? I have only one public IP adresse so i follow this section (masquerading) : https://pve.proxmox.com/wiki/Network_Configuration#sysadmin_network_masquerading


Here my /etc/network/interfaces

auto lo
iface lo inet loopback

auto enp1s0
#real IP address
iface enp1s0 inet static
        address  51.158.146.34/24
        gateway  51.158.146.1

auto vmbr0
#private sub network
iface vmbr0 inet static
        address  10.10.10.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up   iptables -t nat -A PREROUTING -i enp1s0 -p tcp --dport 443 -j DNAT --to 10.10.10.100:443
        post-up   iptables -t nat -A PREROUTING -i enp1s0 -p tcp --dport 80 -j DNAT --to 10.10.10.100:80
        post-down iptables -t nat -D PREROUTING -i enp1s0 -p tcp --dport 443 -j DNAT --to 10.10.10.100:443
        post-down iptables -t nat -D PREROUTING -i enp1s0 -p tcp --dport 80 -j DNAT --to 10.10.10.100:80

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE

I have disabled pve-firewal, but syle have iptables

Here iptables rules :

:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:10.10.10.100:443
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:10.10.10.100:80

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  10.10.10.0/24        anywhere

nmap say its stil closed :

nmap localhost -p 443,80
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-18 09:39 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
Other addresses for localhost (not scanned): ::1

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

I don't understand why thoses port are close even if iptables say its open ?

Thanks in advance for your help and explanation !

 

[fabian]

if you do nmap on localhost than it's likely going over the loopback interface, and not enp1s0..

 

[Sesame3881]

Hooooo you right ! I did other test from another server.

I realise that caddy wasn't running inside the container. Now it say the port is open.

But now the masquerading isn't working any more. From caddy container, i can't ping google.com for exemple. I have another container with no internet access any more.

 

[Sesame3881]

My bad. There is mistak in iptables rule :

        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE

My interface isn't eno1, but enp1s0.

Now its works well.

Thank you very much for your help !