Fail2ban on container-mounted log files

I’ve got a container on my host running a service exposed to the Internet, currently via an lxc proxy (config device add foo proxy etc), and the log it generates is via a mounted file from the host so that I can use fail2ban on the host.

You may have spotted my problem already - all the IPs on the log for external access are the proxy’s 127.0.0.1 address, so fail2ban cannot work.

Can anyone suggest a way to set up my networking so that the original IPs appear in the log? (Hi @tomp !) I guess ideally I’d have a shared IP between host and container(s) with certain ports routed in to specific containers. Or perhaps I should just share the network? Or can proxying handle this natively? I see there’s a proxy_protocol setting, but the docs do not explain how to make this work.

Cheers.

Ok I think I fixed this. With some judicious forum searching, I found Making sure that IP's "connected" to the containers gameserver proxy shows users real IP? - #5 by tomp and my Dovecot service is now showing the rip properly. This is some sort of black magic. :grinning:

Glad to hear you got it working.

Did you use nat mode with the proxy?

Yep, works like a charm. Cheers!

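The nat-mode fix confirmed above matters because of how fail2ban counts hits: behind a plain proxy every failure is logged against 127.0.0.1, which also sits in fail2ban's default ignoreip, so nothing is ever banned. Here is an added Python example, not from this thread, that mimics fail2ban's maxretry/findtime counting over constructed Dovecot imap-login lines; the log format, IPs, thresholds and the assumed year are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Dovecot imap-login failure line as syslog writes it; the "rip=" field (remote IP)
# is what fail2ban's dovecot filter keys on. Every sample line below is constructed.
DOVECOT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: imap-login: Disconnected "
    r"\(auth failed, \d+ attempts in \d+ secs\): user=<[^>]*>,.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)

def _line(ts, rip, user="bob"):
    """Build a constructed Dovecot auth-failure line (not a real capture)."""
    return (f"{ts} mail dovecot: imap-login: Disconnected (auth failed, 1 attempts "
            f"in 2 secs): user=<{user}>, method=PLAIN, rip={rip}, lip=10.0.3.2, TLS")

# Behind a plain (non-NAT) LXD proxy device every client arrives as 127.0.0.1.
LOG_VIA_PROXY = [_line(f"Sep 20 10:15:{s:02d}", "127.0.0.1") for s in (0, 10, 20, 30)]

# The same four events after switching the proxy device to nat mode: real IPs survive.
LOG_VIA_NAT = [
    _line("Sep 20 10:15:00", "203.0.113.5"),
    _line("Sep 20 10:15:10", "203.0.113.5"),
    _line("Sep 20 10:15:20", "198.51.100.7"),
    _line("Sep 20 10:15:30", "203.0.113.5"),
]

def failures_by_ip(lines, year=2024):
    """Map rip -> sorted failure timestamps (syslog has no year, so one is assumed)."""
    hits = defaultdict(list)
    for line in lines:
        m = DOVECOT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            hits[m.group("rip")].append(ts)
    return {ip: sorted(t) for ip, t in hits.items()}

def ban_candidates(lines, maxretry=3, findtime=600, ignoreip=("127.0.0.1", "::1")):
    """IPs with >= maxretry failures inside any findtime-second window, minus ignoreip.
    Loopback is in fail2ban's default ignoreip, so proxied 127.0.0.1 hits never ban."""
    banned = []
    for ip, times in failures_by_ip(lines).items():
        if ip in ignoreip:
            continue
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= timedelta(seconds=findtime):
                banned.append(ip)
                break
    return sorted(banned)
```

Dropping loopback from ignoreip does not help either: the only address that ever crosses the threshold is the proxy's own 127.0.0.1, so the "ban" would cut off every client at once.
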
For some background, I am migrating some services off a very old Linode server (created 11 years ago) which is on 18.04 but 32-bit, which is preventing further dist-upgrades and crucially I cannot upgrade LXD any more either, so I have no migration options. I’ve rebuilt a few things but I just did a filthy hack by copying /var/lib/lxd into a new 18.04 64-bit instance and doing an lxd.migrate there. Phew.