Solved Jail traffic question

Hello,

I have the following /etc/pf.conf at the moment to work with sysutils/ezjail
Code:
ext_if="xn0"
jail_if="lo1"

IP_PUB="238.96.3.4"
IP_JAIL_WWW="10.8.20.10"

NET_JAIL="10.8.20.0/24"

PORT_WWW="{80,443}"

scrub in all

# nat all jail traffic
nat pass on $ext_if from $NET_JAIL to any -> $IP_PUB

# WWW
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_WWW -> $IP_JAIL_WWW

# demo only, passing all traffic
pass out
pass in
My question is: when I create my second jail, do I need to add it to my /etc/pf.conf file, as IP_JAIL_WWW2="10.8.20.11"?
Do I even need IP_JAIL_WWW="10.8.20.10" ?

Thank you
 
Do you actually want to be able to serve websites from both jails?

At the moment you have NAT set up, with JAIL_WWW on a private IP address. All web traffic to your real IP address is forwarded to that jail. So any packets destined for your real address on port 80 or 443 go straight to the first jail.

If you set up a second jail, you can't forward port 80 or 443 to both. You'll either need to use different port numbers, which is fairly ugly for web hosting, or get a second public IP address.

Edit: If you only have one public IP, and really need to have multiple websites run by separate private jails, you could look at running something like haproxy on the main host.
 
Hi usdmatt
I will have about 6 web domains. Each domain will reside inside its own sysutils/ezjail jail.
The plan is to use JAIL_WWW to act as my reverse proxy to redirect traffic to wwwjail1, wwwjail2, etc.

Hope this is more clear
 
Unless pf(4) can do something clever, I suspect you'll need to run a proper reverse proxy in the main host. The proxy will need to look at the website being requested and route the request to the relevant jail.

This page seems to show a method of configuring haproxy to pass requests to different back end servers (jails in your case) depending on the hostname.
http://seanmcgary.com/posts/haproxy---route-by-domain-name

SSL may be an issue, although looking at this code from serverfault, it could be pretty straightforward:
Code:
frontend ft_test
    mode http
    bind 0.0.0.0:443 ssl crt /certs/haproxy1.pem crt /certs/haproxy2.pem
    use_backend bk_cert1 if { ssl_fc_sni my.example.com } # content switching based on SNI
    use_backend bk_cert2 if { ssl_fc_sni my.example.org } # content switching based on SNI
You pass all the certificates for the websites on the bind line (or even just a directory containing them all), and it will use the correct cert based on the name requested by the user. It's then passing the request to the correct backend using the certificate name requested.
 
Thank you for your advice.
I am using www/hiawatha web server so my proxy will also be done using www/hiawatha.
It is true that I didn't realise that the reverse proxy cannot be hosted in a jail.
So to go back to my firewall setup, if the reverse-proxy is on the host, how do I redirect the HTTP/HTTPS to the reverse-proxy?
 
You should be able to host the proxy in a jail if you want to. I just suggested the simplest set up of the proxy listening on the real IP on the host, and the websites all in jails.

For a jailed proxy, you could just run pf(4) as you have it, with 80/443 forwarded to JAIL_WWW. That would need to be the jail running the proxy. You shouldn't need to add entries to your PF config for any of the other jails.

I've no idea on configuring www/hiawatha. You'll have to look for documentation/examples, or see if someone else responds.
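As an added example (not the original poster's file, and not something shipped by sysutils/ezjail), here is a complete /etc/pf.conf for the layout settled on in this reply: the reverse proxy runs in the 10.8.20.10 jail, the individual web jails sit behind it on lo1, and pf only ever needs to know the proxy jail's address. It keeps the interface names and addresses from the original post; the extra jail addresses (10.8.20.11, 10.8.20.12) and the ssh rule for the host are constructed for illustration. The "demo only" pass-everything rules from the original are replaced with a default deny so that only the proxy jail is reachable from outside.

```pf
# Added example, not the thread author's /etc/pf.conf.
# Layout: reverse-proxy jail at 10.8.20.10 receives all 80/443 traffic and
# forwards it to the web jails (10.8.20.11, 10.8.20.12 - constructed) itself.
ext_if="xn0"
jail_if="lo1"

IP_PUB="238.96.3.4"
IP_JAIL_PROXY="10.8.20.10"        # the only jail pf must know by address

NET_JAIL="10.8.20.0/24"
PORT_WWW="{ 80, 443 }"

set skip on lo0                   # local traffic between jail aliases
scrub in all

# Outbound NAT for every jail: adding a new web jail needs no extra line.
nat pass on $ext_if from $NET_JAIL to any -> $IP_PUB

# Only the proxy jail is exposed. "rdr pass" lets the redirected packets
# through without consulting the filter rules below.
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_WWW -> $IP_JAIL_PROXY

# Default deny inbound (replaces the demo "pass in"); log what gets dropped.
block in log all
pass out keep state

# Host administration (assumed: ssh to the host's public address).
pass in on $ext_if proto tcp from any to $IP_PUB port 22 keep state

# Proxy jail talking to the web jails on the jail network.
pass on $jail_if inet from $NET_JAIL to $NET_JAIL keep state
```

Because the web jails are never the target of an rdr rule, they are only reachable through the proxy jail; check the result with pfctl -sr and pfctl -sn after loading, and watch the pflog0 interface (tcpdump -n -e -ttt -i pflog0) to see what the default-deny rule is dropping.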
 
For a jailed proxy, you could just run pf(4) as you have it, with 80/443 forwarded to JAIL_WWW. That would need to be the jail running the proxy. You shouldn't need to add entries to your PF config for any of the other jails.

I've got all my websites up and running now behind my jailed proxy.

Thank you.
 