It’s important to keep your host clean. This is the base for all your containers and VMs.
I “attempted” (before you replied) to run nginx on the main host and with a proxy forward to the web containers, but I kept getting site errors. The nginx logs were showing some strange symbols.
That seems more NGINX / config related. That has nothing to do with LXD.
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s myip/32 -j DROP
In case it matters: I’m using proxy protocol as the device config, not NAT.
For example, when someone connects to your host on port 80 (http), then this connection can be proxied to a container using a proxy device. In that way, you can isolate your web server into an LXD container. By using a TCP proxy device, you do not need to use iptables.
But I understand your problem now. Enable NAT again for your container.
Go to your UFW before.rules config on your HOST: nano /etc/ufw/before.rules
Check your host network adapter name and add before *filter:
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i YOURADAPTER -p tcp --dport 443 -j DNAT --to CONTAINER-IP:443
-A PREROUTING -i YOURADAPTER -p tcp --dport 80 -j DNAT --to CONTAINER-IP:80
COMMIT
Leave the container config. It is still important to use iptables for fail2ban etc.
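As an added example (not code from this thread or from LXD), the POSIX shell helpers below render the *nat block described in the post above, insert it in front of the *filter section of a before.rules file without adding it twice, and check an `iptables -S`-style listing for a FORWARD chain that would silently discard the redirected traffic: DNAT'd packets still traverse the FORWARD chain, so a DROP policy with no ACCEPT rule for the forwarded connections means nothing reaches the container. The adapter name `eth0`, the container IP `10.0.3.10`, and both sample files are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Adapter, container IP and sample files
# are constructed placeholders; adjust them for a real host.

render_nat_block() {
    # $1 = host adapter, $2 = container IP
    printf '%s\n' \
        '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        "-A PREROUTING -i $1 -p tcp --dport 443 -j DNAT --to $2:443" \
        "-A PREROUTING -i $1 -p tcp --dport 80 -j DNAT --to $2:80" \
        'COMMIT'
}

insert_nat_block() {
    # $1 = path to before.rules, $2 = adapter, $3 = container IP
    # Keep the edit idempotent: refuse if a *nat table is already present.
    if grep -q '^\*nat' "$1"; then
        echo "refusing: $1 already has a *nat table" >&2
        return 1
    fi
    grep -q '^\*filter' "$1" || { echo "refusing: no *filter in $1" >&2; return 1; }
    block=$(render_nat_block "$2" "$3")
    # Print the block once, immediately before the first *filter line.
    awk -v block="$block" '/^\*filter/ && !done { print block; done=1 } { print }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

forward_chain_blocks_dnat() {
    # $1 = file holding `iptables -S` style output.
    # Returns success (0) when the FORWARD policy is DROP and no FORWARD ACCEPT
    # rule exists, i.e. the DNAT'd web traffic will never reach the container.
    grep -q '^-P FORWARD DROP' "$1" && ! grep -q '^-A FORWARD .*-j ACCEPT' "$1"
}

workdir=$(mktemp -d)

# Constructed minimal before.rules, not a real host's file.
sample_rules="$workdir/before.rules"
printf '%s\n' \
    '# before.rules (constructed sample)' \
    '*filter' \
    ':ufw-before-input - [0:0]' \
    '-A ufw-before-input -i lo -j ACCEPT' \
    'COMMIT' > "$sample_rules"

insert_nat_block "$sample_rules" eth0 10.0.3.10

# Constructed listing mirroring the FORWARD DROP policy posted earlier in the thread.
host_policy="$workdir/host.rules"
printf '%s\n' \
    '-P INPUT DROP' \
    '-P FORWARD DROP' \
    '-P OUTPUT ACCEPT' \
    '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT' > "$host_policy"

if forward_chain_blocks_dnat "$host_policy"; then
    echo "warning: FORWARD policy is DROP with no ACCEPT rule; DNAT to the container will be dropped"
fi
```

The ruleset posted earlier in this thread has `-P FORWARD DROP`, which this check flags. For the DNAT rules to actually deliver traffic, UFW's `DEFAULT_FORWARD_POLICY` in /etc/default/ufw has to allow forwarding, or an explicit FORWARD ACCEPT for the container's address has to exist; otherwise the host accepts the packets, rewrites them, and then drops them on the way to the container.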
nginx is stopped on my host, else I couldn’t add the NAT proxy device (it would say 80/443 was in use). Ports 80/443 already exist in my host’s UFW rules. As for the container:
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Not going to do any good if the nginx proxy container has no files at all. All domains have their own container. Hence I can’t believe that this cannot be simplified…
Maybe LXD needs to add a “pass-firewall=true” rule? So you know… to avoid this kind of silly thing.
Which might be true… but those rules broke all my websites. I was forced to erase the rule from my host’s iptables in order to revert back to proxy protocol to make things work again (no longer on NAT). Either there’s something terribly wrong… or the nginx files on the container are just not compatible, as it no longer has to follow the proxy protocol rules… seeing there is no proxy anymore.
Have you ever tried these rules on a single nginx proxy container which is connected to web containers? If you have, care to share your nginx config? Because I seriously cannot get this to work.
But if you are not sure about your nginx config, use a clean container, install nginx and test it with web server content. Proxy or not, it’s still serving web content from your virtual host.
Are you saying the web containers should also contain NAT? Or does its config include the IP of the nginx proxy container? Because 80/443 can only be used on one device.