Let there be this setup:
Code:
                     ┌──────────────┐     ┌─────────────────┐     ┌───────┐
                     │   Gateway    │     │ Physical Server │     │ Jail  │
"Internet" ──────────┤              ├─────┤                 ├─────┤       │
                     │ HAproxy & pf │     │  FreeBSD 13.0   │     │ Gitea │
                     └──────────────┘     └─────────────────┘     └───────┘
So there's a physical server (running FreeBSD 13.0-RELEASE) with a jail hosting www/gitea. The gitea web UI can be accessed "from the internet". Cloning git repositories via HTTP(S) works.
Now I would like to setup repository access via SSH. However, I'm not exactly sure how to achieve that.
The physical server hosts multiple different jails, each hosting another instance of www/gitea. From the physical host, the gitea jails are listening for incoming SSH connections on <jail_ip>:2222. I would like to be able to access my repositories via the default SSH port (22):
Code:
git clone ssh://git@git.my.domain/user/repo.git
Therefore, my gateway (also running FreeBSD 13.0-RELEASE with pf and net/haproxy) would need to forward incoming connections on port 22 to the correct jail IP (and redirect the port from 22 to 2222).
How would I go about achieving this?
Some of my thoughts:
- Redirect SSH via pf on the gateway. However, I would need to do this by inspecting the host information (i.e. requests on port 22 to git.my.domain need to be redirect to 192.168.1.50:2222 while requests on port 22 to git.another.domain need to be redirected to 192.168.1.51:2222). Does pf have any mechanism to allow this?
- Create a TCP frontend binding to port 22 in HAproxy and hopefully be able to create ACLs based on the header information (is that even possible?)
- I have to make sure that I can still SSH into the gateway itself. I assume that I would achieve that by changing the default port from 22 to something else.
- Drop this forwarding from 22 non-sense and just have each gitea jail listen on an individual port (2222, 2223, 2224, ...) and live with the fact that git clone URLs have a non-default port.
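The following gateway pf.conf fragment is an added example and is not part of the original post. It shows the one way the "port 22 for every domain" setup can work on FreeBSD 13: SSH carries no hostname in the handshake (no SNI, no Host header), so neither a pf rule nor an HAProxy TCP frontend can pick a jail by domain name, and the rules have to key on the public destination address instead, one public IP per Gitea instance. The interface names, the 203.0.113.x addresses and the gateway admin port 2200 are assumptions; the jail addresses and port 2222 are the ones from the post.

```pf
# Added example, not from the original post: gateway /etc/pf.conf fragment.
# Each Gitea domain resolves to its own public IP on the gateway (assumed),
# because an incoming SSH connection reveals only the destination address,
# never the name the client typed.
ext_if   = "vtnet0"           # internet-facing interface (assumed)
int_if   = "vtnet1"           # LAN interface towards the jail host (assumed)
ip_git_a = "203.0.113.10"     # A record of git.my.domain      (assumed)
ip_git_b = "203.0.113.11"     # A record of git.another.domain (assumed)
jail_a   = "192.168.1.50"     # Gitea jail serving git.my.domain
jail_b   = "192.168.1.51"     # Gitea jail serving git.another.domain
admin_ssh_port = "2200"       # gateway's own sshd, moved off 22 (Port 2200 in sshd_config)

# Translation rules must precede filter rules on FreeBSD's pf.
# "rdr pass" also creates the matching pass rule, so the forwarded
# connections need no separate "pass in". Keying on the destination
# address is what keeps git.my.domain and git.another.domain apart.
rdr pass on $ext_if inet proto tcp from any to $ip_git_a port 22 -> $jail_a port 2222
rdr pass on $ext_if inet proto tcp from any to $ip_git_b port 22 -> $jail_b port 2222

# Default deny on the outside; only the rdr'ed SSH and admin SSH get in.
block in on $ext_if

# Admin access to the gateway itself, only on the moved port, so port 22
# on the public addresses is free to be redirected above.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $admin_ssh_port

# Forwarded connections leave towards the LAN. Replies must come back
# through this gateway (it has to be the jail host's default route),
# otherwise the redirected sessions break with asymmetric routing.
pass out on $int_if inet proto tcp from any to { $jail_a, $jail_b } port 2222
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and move the gateway's sshd to the new port (and confirm you can reach it) before the rdr rules go live, or the next admin session is redirected into a jail. Clients connecting to `git.my.domain:22` receive the jail's SSH host key, not the gateway's, so that is the key they will pin. In each jail's Gitea `app.ini` the `[server]` keys `SSH_DOMAIN`, `SSH_PORT = 22` and `SSH_LISTEN_PORT = 2222` should match this layout so the web UI advertises the clone URL that actually works. With only a single public IP none of this is possible, and the fourth option from the post (one distinct port per jail) is the one that remains; the non-default port can then be hidden from users with a `Host git.another.domain` / `Port 2223` stanza in the client's `~/.ssh/config`.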