On Tue, Nov 26, 2024 at 08:13:49AM +0100, prx wrote:
> * Mike Larkin <mlar...@nested.page> le [25-11-2024 08:44:05 -0800]:
> > On Mon, Nov 25, 2024 at 11:37:33AM +0100, prx wrote:
> > > Hi,
> > > I can't figure out how to assign a domain name to a client vm.
> > > What I need to do is to redirect traffic on the appropriate vm according
> > > to the domain name.
> > >
> > > i.e.
> > >
> > >                                  +--MY SERVER VM'S--+
> > >                                  |                  |
> > >          -------> foo.tld ------->       foo        |
> > > INTERNET -------> bar.tld ------->       bar        |
> > >          -------> els.tld ------->       els        |
> > >                                  |                  |
> > >                                  +------------------+
> > >
> > > So far, I have this not-working setup:
> > >
> > > /etc/vm.conf:
> > > ```
> > > # something like in FAQ
> > > switch "my_switch" {
> > >     interface veb0
> > > }
> > >
> > > vm "foo" {
> > >     memory 512M
> > >     disable
> > >     disk /var/vms/foo.qcow2
> > >     owner me
> > >     interface { switch "my_switch" }
> > > }
> > > ```
> > >
> > > As specified in FAQ, I added veb0 and vport0 interfaces:
> > > ```
> > > # cat << END > /etc/hostname.vport0
> > > inet 10.0.0.1 255.255.255.0
> > > up
> > > END
> > > # cat << END > /etc/hostname.veb0
> > > add vport0
> > > up
> > > END
> > > # sh /etc/netstart vport0
> > > ```
> > >
> > > My vm has the address 10.0.0.2 and can ping its gateway 10.0.0.1.
> > >
> > > ip forwarding is enabled:
> > >
> > > /etc/sysctl.conf:
> > > ```
> > > net.inet.ip.forwarding=1
> > > ```
> > >
> > > Now I'm trying to use a binat-to rule in pf.conf, but I must miss
> > > something here:
> > >
> > > ```
> > > int_if = "vport0"
> > > ext_if = "egress"
> > >
> > > match on $ext_if from 10.0.0.2 to any binat-to foo.tld
> > >
> > > match out on $int_if from any to 10.0.0.2 \
> > >     received-on $ext_if nat-to $int_if
> > >
> > > pass on $int_if
> > > pass on $ext_if
> > > ```
> > >
> > > Do you have any advice to realize such task, maybe in a more clever way?
> > >
> > > Regards.
> > > prx
> > >
> >
> > I do something like this locally for 3 VMs that serve http/https. I use
> > relayd on an ingress VM which terminates TLS (and has the certificates for
> > the hidden domains), and forwards the traffic to the VMs behind the ingress.
> >
> > Is this what you want to do, or are you looking for something
> > non-http/non-https?
>
> Hi,
>
> Thank you for the answers.
>
> Actually, I was aware of relayd and how to do this for http.
> I'm looking for something generic: redirect all requests for a domain into a
> VM. SSH, SMTP, HTTP, whatever.
> My ISP gives me only one IP, so I guess I'm stuck here.
>
> Regards.
>
For HTTP you have relayd, as you already know.

For SSH I'd set up an SSH bastion and use ProxyJump [1]. You can also use
HAProxy and SNI, using SSH's ProxyCommand [2].

For SMTP you can do something similar with an MTA that collects mail from
your public address, and then forwards it internally to the MTA of each
domain, and does the reverse for outgoing mail. In fact, this is the only
setup I think that will work for outgoing mail, because your
"domain-specific" MTAs will each have their hostname, it almost certainly
won't match the reverse DNS entry for your public IP, and the destination
MTAs might not like that.

IMAP/POP3 can also work, using e.g. Dovecot as a proxy.

But if you want this for generic services, all I can think of would be
something like the HAProxy SSH/SNI example above but for a SOCKS proxy, but
in all honesty I don't even know if it's feasible. And even if it is, it
surely isn't practical.

[1] https://goteleport.com/blog/ssh-bastion-host/
[2] https://www.haproxy.com/blog/route-ssh-connections-with-haproxy

Disclaimer: haven't tested any of the stuff in these links, take them as
examples/proofs of concept

--
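As an added illustration of the relayd approach both replies refer to (this is not configuration posted by anyone in the thread), here is a constructed /etc/relayd.conf for the ingress host. It does what a binat-to rule cannot with a single public address: the name the client asked for is only visible inside the connection (the TLS SNI extension and the HTTP Host header), so the relay terminates TLS with the matching certificate and forwards by Host header. Assumed values: foo.tld lives on 10.0.0.2 (from the thread), bar.tld on 10.0.0.3 (constructed), the public address is the placeholder 203.0.113.10, and the certificates are installed under /etc/ssl as relayd expects.

```conf
# Constructed example /etc/relayd.conf for the ingress host (not from the
# thread). Each domain is routed to its own VM behind vport0.
# Assumptions: foo.tld -> 10.0.0.2, bar.tld -> 10.0.0.3 (constructed),
# public address 203.0.113.10 (placeholder), VMs serve plain HTTP on port 80.

ext_addr = "203.0.113.10"

# One table per backend VM.
table <foo> { 10.0.0.2 }
table <bar> { 10.0.0.3 }

http protocol "ingress" {
	# The VMs only ever see 10.0.0.1 as the peer; pass the real client
	# address and scheme along so their logs and redirects stay correct.
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header set "X-Forwarded-Proto" value "https"

	# Default deny: a request whose Host header matches no domain below is
	# refused instead of being handed to whichever backend comes first.
	block request

	# Host-header routing; the last matching pass/block rule decides.
	pass request header "Host" value "foo.tld" forward to <foo>
	pass request header "Host" value "bar.tld" forward to <bar>

	# One keypair per domain, selected by SNI. relayd loads them from
	# /etc/ssl/<name>.crt and /etc/ssl/private/<name>.key.
	tls keypair "foo.tld"
	tls keypair "bar.tld"
}

relay "https_ingress" {
	listen on $ext_addr port 443 tls
	protocol "ingress"
	# Every table used in a forward-to rule above must also be listed here.
	forward to <foo> port 80 check http "/" code 200
	forward to <bar> port 80 check http "/" code 200
}
```

Check the file with `relayd -n` before enabling it. pf on the ingress host still needs to pass inbound TCP 443 on egress and nat-to the 10.0.0.0/24 VMs for their outbound traffic; the binat-to line from the original pf.conf is not needed for this. Adding a third domain is one more table, one more pass rule, one more keypair and one more forward-to line.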