PF Two nginx instances running; eliminate one with PF?

I've a FreeBSD box, nginx running as a proxy, forwarding HTTP/HTTPS requests to the nginx instance in the Jail, running on 10.0.0.3 within the OS.

So, that practically means two nginx instances running on the server.

I wonder if I could forward the 80/443 port requests DIRECTLY to the nginx in Jail (from external public IP to the local IP of the Jail), by using PF..

Any clue?

Thanks.
 
Yes you could. However, having a dedicated proxy is usually desired in order to keep things easy to extend, scale & maintain. Personally, I like to use net/haproxy for this job. Jails are cheap and so is running a proxy.

A while ago I wrote a small guide on how to "properly" host stuff with/on FreeBSD. Maybe you'll find this helpful: https://blog.insane.engineer/post/freebsd_simple_hosting/

Edit: Seems like you should already be aware of the guide - sorry https://forums.freebsd.org/threads/about-nginx-https-ssl-certs-in-jails.83830/
 
That was an old topic/post of mine, I was aware of the answers, thank you.

I'd still wish to learn the PF way..
 
For pf, you just add appropriate rdr rules, e.g. I have these:
Code:
rdr on $ext_if inet proto tcp from any to ($ext_if) port www -> $wwwhost
rdr on $ext_if inet proto tcp from any to ($ext_if) port https -> $wwwhost

That's because my reverse proxy lives in a jail itself 😉 I agree with jbo that a public-facing reverse proxy that aggregates whatever you want to offer to the outside often makes sense. I'm in the camp using nginx for that as well, but that probably depends on your exact requirements, or might also be a matter of taste 😉
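
The rdr approach above as a fuller pf.conf fragment; this is an added example, not configuration posted by anyone in the thread. The interface name `em0` is an assumption, `10.0.0.3` is the jail address from the question, and the pass rule is only needed when the ruleset blocks inbound traffic by default.

```pf
# Added example. Macro values are assumptions except the jail address.
ext_if  = "em0"        # assumed name of the public-facing interface
wwwhost = "10.0.0.3"   # jail running nginx (address from the question)

# Translation rules go before filter rules in pf.conf.
# ($ext_if) in parentheses makes pf follow the interface's current
# address, so the rule survives an address change without a reload.
rdr on $ext_if inet proto tcp from any to ($ext_if) port { www, https } -> $wwwhost

# Filtering happens after rdr, so filter rules see the rewritten
# destination (the jail address), not the public address. Matching
# on $wwwhost keeps the opening limited to the two web ports.
pass in on $ext_if inet proto tcp from any to $wwwhost port { www, https }

# Check syntax without loading:  pfctl -nf /etc/pf.conf
# Load the ruleset:              pfctl -f /etc/pf.conf
# List the active rdr rules:     pfctl -s nat
```

The rdr rule only matches packets arriving on `$ext_if`, so connections made from the host itself to its public address are not redirected to the jail.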
 