PF redirect http traffic for own domain to a jail

Hi,

I cannot use my public domain (pkg.mydomain.com) for my poudriere from inside a jail.

To simplify my configuration:

1. Jail 'A' http/https with the virtual host pkg.domain.com
IP: 192.168.0.2

2. Jail 'B' with IP 192.168.0.10. To use my poudriere I have setup this:

/usr/local/etc/pkg/repos/pkg.conf
Code:
pkg: {
  url: "pkg+https://pkg.domain.com/packages",
  mirror_type: "srv",
  enabled: yes
}

3. PF configuration:
Code:
#INTERFACES
ext_if="bce0"
int_if = "tap0"
jailnet = $int_if:network
WWW="192.168.0.2"

# NAT
nat on $ext_if from $jailnet to any -> ($ext_if)

# Redirect any packets requesting port (web) 80 or 443 to jail www
rdr pass on $ext_if inet proto tcp to port http -> $WWW port http
rdr pass on $ext_if inet proto tcp to port https -> $WWW port https

Everything works except my poudriere. ext_if is the interface with my public IP, of course.

In Jail B:
Code:
$ pkg upgrade                                                      
*Updating pkg repository catalogue...
pkg: https://pkg.domain.com/packages/meta.txz: Protocol not supported
repository pkg has no meta file, using default settings
pkg: https://pkg.domain.com/packages/packagesite.txz: Protocol not supported
Unable to update repository pkg

Code:
$ telnet pkg.domain.com 80                                               
Trying IP_PUB...
telnet: connect to address IP_PUB: Connection refused

Of course, another domain works, and from my computer it works too.

If I set this in Jail B:
/etc/hosts
Code:
192.168.0.2 pkg.domain.com

Code:
$ pkg upgrade                                                     
Updating pkg repository catalogue...
[webtools] Fetching meta.txz: 100%    260 B   0.3kB/s    00:01   
[webtools] Fetching packagesite.txz: 100%   50 KiB  51.0kB/s    00:01   
Processing entries: 100%
pkg repository update completed. 185 packages processed.
o/

How can I resolve this issue with PF? I think I missed a rule or something? Without using /etc/hosts. I am not especially good at networking, so it is hard to create the right rule...

Thank you in advance all.
 
Does this also happen from the outside (i.e. WAN)? Without the /etc/hosts entry.

From the outside (I think you mean, for example, from my local computer?), yes, it works.
telnet pkg.domain.com 80
Trying IP_PUB...
Connected to domain.com.
Escape character is '^]'.
 
You cannot connect to your external address because that would mean the packet will have to go out ext_if and then come back in to hit the redirection rule. This is never going to work. The packet never leaves the machine, so the redirection rule is never hit and therefore the redirection never happens.

The only way to solve it is to connect to the internal address instead of the external address, which you're already doing by adding the internal address to the hosts file.
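PF's own documentation covers this "reflection" case with a redirect placed on the internal interface, where the jail's packet actually enters pf. The following is an added example, not from this thread and not tested on the poster's setup; it assumes IP_PUB is a placeholder for the host's public address, that Jail B's packets to IP_PUB enter the host on tap0, and that the filter rules on $int_if (not shown in the thread) allow the traffic.

```pf
# Added example (hypothetical): hairpin / reflection rules for clients on the
# jail network that connect to the host's public address. IP_PUB is a
# placeholder for the real external address. Packets from Jail B to IP_PUB
# never cross $ext_if, so the existing "rdr on $ext_if" rules cannot see them.
ext_if="bce0"
int_if="tap0"
jailnet=$int_if:network
WWW="192.168.0.2"
ext_addr="IP_PUB"

# Redirect jail traffic aimed at the public address to the www jail.
# No port in the target: the original port (80 or 443) is kept.
rdr pass on $int_if inet proto tcp from $jailnet to $ext_addr port { http, https } -> $WWW

# Source-NAT the redirected connections to the host's internal address so that
# Jail A's replies come back through the host, where the pf state lives,
# instead of going straight to Jail B and being dropped as out-of-state.
nat on $int_if inet proto tcp from $jailnet to $WWW port { http, https } -> ($int_if)
```

With these rules, the web server in Jail A logs every jail-originated request as coming from the host's tap0 address rather than from Jail B, which matters if you rely on client addresses in access logs or ACLs.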
 
OK, that is what I thought. Thank you for confirming.

:)
 