infrastructure-ovh.md 3.6 KB
% Infrastructure du réseau sur serveur Kimsufi OVH
Plan
- installer un reverse-proxy nginx
Aide: Architecture de services avec Proxmox sur un serveur kimsufi - Vincent Dillenschneider
Adressage
| Machine | Id | Adresse |
|---|---|---|
| ecaz | NA | 10.1.0.1 |
| reverse-proxy | 100 | 10.1.0.10 |
| web-formation | 101 | 10.1.0.101 |
| 10.1.0. | ||
| yunohost nu | 103 | 10.1.0.14 |
| 10.1.0. | ||
| web-gestion | 104 | 10.1.0.22 |
| bastion | 105 | 10.1.0.11 |
| tranmissionmat | 110 | 10.1.0.110 |
| development-vm | 801 | 10.1.0.81 |
Reverse Proxy NGINX
Certificats
client
|
nginx
(https://example1.com) <-- certificats
(https://example1.com) <-- certificats
(https://example1.com) <-- certificats
|
+---------------------+------------------------------+
| | |
| | |
https://srv1.reseau.priv https://example2.reseau.priv https://example3.reseau.priv
a.b.c.d e.f.g.h i.j.k.l
Which ssl certificates go where on an reverse proxy? - nginx - Server Fault
Installation antiX
Configurer le réseau en 10.1.0.aaa/16
À étudier
Utiliser les noms pour forwarder TCP sur certains hôtes (pour les connexions SSH ? ou alors bastion ?)
Nginx TCP forwarding based on hostname - Stack Overflow
VM reverse-proxy
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.1.0.10:80
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.1.0.10:443
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.1.0.10:80
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.1.0.10:443
sudo iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 10.1.0.10:80
sudo iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 10.1.0.10:443
Exemple
+---------------------+ +---------------------+ +---------------------+
| reverse proxy | | VM 10.1.0.22 | | Docker-Compose |
| only redirects any | | | | |
| request to the VM |--->| no nginx installed |--->| original nginx |
| (see nginx conf | | | | from AppFlowy-Cloud |
| above ) | | | | repos |
+---------------------+ +---------------------+ +---------------------+
Ports (NAT)
Transmission MAT
Port 52222
Redirigé dans ecaz vers son adresse IP
Contenu de /etc/lfirewall/post-up-down.d/300-port-nat-to-transmissionmat :
$do_action -t nat $IPTABLES_ADD $IT_PREROUTING -i eth0 -p tcp -m tcp --dport 52222 -j DNAT --to-destination 10.1.0.110:52222
$do_action -t nat $IPTABLES_ADD $IT_PREROUTING -i eth0 -p udp -m udp --dport 52222 -j DNAT --to-destination 10.1.0.110:52222