If I understand you correctly, yes, you can have some IPs on your host that you use for the binding side of the proxy device, which would then let you move the traffic to another container by removing that device from one container and adding it to another.
My post earlier about the IP addresses was not correct and I erased it.
So LXD 3.0.0 can auto-figure out both the IP address of the host and the IP address of the container.
Much simpler than using iptables for the forwarding TCP connections.
lxc config device remove haproxy http1 would do it. In fact what you ran likely removed the device despite the error. That’s because lxc config device remove can remove multiple devices at once so it tried to remove devices named:
http1
proxy
listen=tcp:0.0.0.0:80
connect=127.0.0.1:80
The first one likely succeeded as it’s an actual device; all the others don’t exist, causing the error.
This is a really great feature, thanks!
I see a problem here where the source address is hidden.
In the example below I did forward the port 2222 from the LXD host (UN 18.04, LXC 3.01) to port 22 of a container and ssh from outside to the LXD host. Check the last entries from the SSH log - they originate from 127.0.0.1 instead of the real address.
Will be great to have a way to see the originating IP in order to make this feature better.
Jul 13 17:52:28 ub18test1 sshd[384]: error: Received disconnect from 127.0.0.1 port 42752:14: No supported authentication methods
Jul 13 17:52:28 ub18test1 sshd[384]: Disconnected from authenticating user root 127.0.0.1 port 42752 [preauth]
Specifically, the OpenSSH software does not support the PROXY protocol that normally solves the problem. That means that you would need mmproxy on top of the PROXY protocol.
What needs to be done, is for LXD to support the PROXY protocol in the proxy device, then specifically for SSHD (OpenSSH) to add the mmproxy TCP proxy that makes SSHD PROXY protocol-aware.
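As an added illustration of the mechanism discussed in the two posts above (not code from LXD, OpenSSH or mmproxy), the following Python parses and builds a PROXY protocol v1 header, the line a PROXY-aware forwarder would prepend to the TCP stream so that the backend can log the real client address (192.168.1.153) instead of the proxy's own (127.0.0.1). The sample addresses and the SSH banner bytes are constructed for the example; the 107-byte limit and the field layout come from the PROXY protocol v1 specification.

```python
import ipaddress

# The v1 specification caps the header line (including CRLF) at 107 bytes.
MAX_V1_HEADER = 107


class ProxyHeaderError(ValueError):
    """Raised when the data does not start with a well-formed PROXY v1 line."""


def build_proxy_v1(src_ip, dst_ip, src_port, dst_port):
    """Build the header a forwarder would send ahead of the client's bytes."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ProxyHeaderError("source and destination must be the same IP family")
    proto = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {proto} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")


def parse_proxy_v1(data):
    """Parse a PROXY v1 line from the start of a connection.

    Returns (proto, src_ip, dst_ip, src_port, dst_port, remaining_bytes).
    A backend must only honour this header when the peer is the trusted
    forwarder; any other client could otherwise spoof its logged address.
    """
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > MAX_V1_HEADER:
        raise ProxyHeaderError("no CRLF-terminated PROXY line within 107 bytes")
    fields = data[:end].split(b" ")
    rest = data[end + 2:]
    if fields[0] != b"PROXY":
        # e.g. a raw "SSH-2.0-..." banner: the peer did not speak PROXY protocol
        raise ProxyHeaderError("missing PROXY signature")
    if fields[1] == b"UNKNOWN":
        # Permitted by the spec: forwarder has no address to report.
        return ("UNKNOWN", None, None, None, None, rest)
    if len(fields) != 6:
        raise ProxyHeaderError("expected PROXY <proto> <src> <dst> <sport> <dport>")
    proto = fields[1].decode("ascii", "replace")
    family = {"TCP4": 4, "TCP6": 6}.get(proto)
    if family is None:
        raise ProxyHeaderError(f"unsupported protocol {proto!r}")
    try:
        src = ipaddress.ip_address(fields[2].decode("ascii"))
        dst = ipaddress.ip_address(fields[3].decode("ascii"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ProxyHeaderError(f"bad address: {exc}") from None
    if src.version != family or dst.version != family:
        raise ProxyHeaderError("address family does not match protocol")
    ports = []
    for raw in fields[4:6]:
        if not raw.isdigit() or not 0 <= int(raw) <= 65535:
            raise ProxyHeaderError(f"bad port {raw!r}")
        ports.append(int(raw))
    return (proto, str(src), str(dst), ports[0], ports[1], rest)


def log_source(data):
    """Return the address:port sshd-style logging would attribute the peer to."""
    _, src, _, sport, _, _ = parse_proxy_v1(data)
    return f"{src} port {sport}"


if __name__ == "__main__":
    # Constructed sample: forwarder header followed by the client's SSH banner.
    stream = build_proxy_v1("192.168.1.153", "10.202.82.203", 52760, 22)
    stream += b"SSH-2.0-OpenSSH_7.6\r\n"
    print(log_source(stream))  # 192.168.1.153 port 52760
```

Without the header the backend only ever sees the forwarder's socket address, which is exactly the 127.0.0.1 seen in the log lines above; with it, the attributed address survives the hop, but only if the backend restricts which peers may send it.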
If the connection does go through a proxy, the source address of the packet will be the one of the proxy and a supplementary mechanism is necessary - this is typically how an HTTP proxy is set up, and you are absolutely right.
Our case is a simple one and I am looking for a simple port forward, not a proxy - so back to a simple solution, using iptables.
Host interface ens5, port 2220 forward to
Dest (on bridge lxdbr0), 10.202.82.203:22
Jul 16 21:53:12 ub18test1 sshd[1824]: error: Received disconnect from 192.168.1.153 port 52760:14: No supported authentication me
Jul 16 21:53:12 ub18test1 sshd[1824]: Disconnected from authenticating user ubuntu 192.168.1.153 port 52760 [preauth]
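The post above lists the forward (ens5:2220 to 10.202.82.203:22 on lxdbr0) but not the rules themselves. As an added example, not the poster's own commands, the following Python builds the two iptables rules such a DNAT forward needs and applies them idempotently. The interface names, addresses and ports are taken from the post; the rule layout (a nat PREROUTING DNAT plus a FORWARD accept) is the standard one and is an assumption about the poster's setup, as is the `apply_rules` helper, which is hypothetical and shells out to the real iptables binary only when `dry_run=False`.

```python
import ipaddress
import subprocess


def dnat_rules(wan_if, wan_port, bridge_if, dest_ip, dest_port, proto="tcp"):
    """Return the argument lists for the two rules of a DNAT port forward.

    DNAT rewrites only the destination, so the container still sees the
    real client address (192.168.1.153 in the log above) rather than the
    host's, which is what the proxy device could not provide.
    """
    ipaddress.ip_address(dest_ip)  # raises ValueError on a bad address
    for port in (wan_port, dest_port):
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {port}")
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {proto}")
    prerouting = ["-t", "nat", "-A", "PREROUTING", "-i", wan_if, "-p", proto,
                  "--dport", str(wan_port),
                  "-j", "DNAT", "--to-destination", f"{dest_ip}:{dest_port}"]
    # Needed when the host's FORWARD chain policy is DROP; limited to this
    # one destination so the rule does not open the whole bridge.
    forward = ["-A", "FORWARD", "-i", wan_if, "-o", bridge_if, "-p", proto,
               "-d", dest_ip, "--dport", str(dest_port),
               "-m", "conntrack", "--ctstate", "NEW,ESTABLISHED,RELATED",
               "-j", "ACCEPT"]
    return [prerouting, forward]


def render(rules):
    """Render rules as shell lines for review before applying."""
    return ["iptables " + " ".join(rule) for rule in rules]


def apply_rules(rules, remove=False, dry_run=True):
    """Add (or remove) each rule once; -C checks for an existing copy first.

    Returns the list of iptables argument lists that would be (or were) run.
    Hypothetical helper: it assumes an iptables binary is on PATH when
    dry_run is False and that the caller has the privileges to modify rules.
    """
    planned = []
    for rule in rules:
        check = [a if a != "-A" else "-C" for a in rule]
        action = "-D" if remove else "-A"
        cmd = ["iptables"] + [a if a != "-A" else action for a in rule]
        if dry_run:
            planned.append(cmd)
            continue
        exists = subprocess.run(["iptables"] + check, capture_output=True).returncode == 0
        if (remove and exists) or (not remove and not exists):
            subprocess.run(cmd, check=True)
            planned.append(cmd)
    return planned


if __name__ == "__main__":
    # Values from the post above; nothing is applied without dry_run=False.
    rules = dnat_rules("ens5", 2220, "lxdbr0", "10.202.82.203", 22)
    for line in render(rules):
        print(line)
    print(len(apply_rules(rules)), "rules planned")
```

Because the container's reply traffic is routed back through the host, the source address is preserved end to end, which is why the sshd log now shows 192.168.1.153 rather than the 127.0.0.1 seen with the proxy device; the host still needs IP forwarding enabled for the bridge.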
Looking at the Container config keys: https://lxd.readthedocs.io/en/latest/containers/
it is easy to configure a static IP for the container (ipv4.address).
I do not see a way to run a startup script in order to set the forwarding automatically when the container starts and remove it when it stops - if I remember well, it used to be possible in LXC 2 to have startup/shutdown hooks, but I do not see them in the 3.0 docs above - any idea?
In practice, I did not notice LXD giving a different IP address when a container gets restarted.
However, it is good to use the feature to set a static IP address to a container.