Proxy real ips to containers

Hello, I’ve been playing with incus for the last few days now. I find it really great, but I do have a problem. I’m using an incus managed bridge network and I’d like to proxy ports 80 and 443 TCP/UDP to a container running the Caddy webserver. It works using an incus proxy device, but I don’t seem to be able to get the real WAN IPs to the Caddy container. Its log only shows requests from 127.0.0.1. I’m using directives like this:

incus config device add [instance] port-443-tcp proxy listen=tcp:[instance]:443 connect=tcp:127.0.0.1:443

I’ve read something about setting nat=true to be able to proxy real IPs to the container, but I don’t know how to do this. Do I need to make the container IPs static? How? Could someone help me with the steps needed? Examples would be great 🙂

Hi @robertrud,
You make the container’s IP address static like this:

incus config device add <container_name> eth0 nic network=incusbr0 ipv4.address=<IP_ADDR> name=eth0

Then you can use the nat=true option.
Regards.

Thanks, but no luck.
I did what you suggested, then I changed my incus config device... command to:

incus config device add [instance] port-443-tcp proxy listen=tcp:[ipv4]:443 connect=tcp:[ipv4]:443 nat=true

I also set ipv4.dhcp.ranges: start-finish on my incusbr0 and assigned my IPv4 outside those ranges. On top of that I added ipv6.dhcp.stateful: "true" to the config.
No matter what I do, I can’t even get outside connectivity to the instance anymore.
What am I doing wrong? Please be patient, I’m new to incus…

Sounds like there may be some interaction with the firewall on the host?

Note that your initial proxy device could probably have worked if you had used the proxy_protocol option, as I believe Caddy supports it, effectively then being told by Incus what the real address is.

Yes, the initial setup works, but Caddy doesn’t get outside IPs. The log only shows requests from 127.0.0.1, not the real IP. Sure, the website works, HTTPS and all, but I’m unable to do other stuff that Caddy supports, like IP filtering for one thing. I never had issues like this in Proxmox.
I disabled the host’s firewall even before writing this post; nothing changed.

But your initial setup combined with the proxy_protocol option on that proxy device should have given caddy the real IPs of the clients.
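Added example, not code from the thread or from the Incus or Caddy projects: the non-NAT setup the reply above describes, with proxy_protocol=true on the original proxy devices and a Caddyfile that unwraps the PROXY header. The instance name "web", the host WAN address 203.0.113.10 and the site name are placeholders. Only TCP devices are generated, because the PROXY protocol header is a prefix on a TCP stream; HTTP/3 over UDP would still not carry the client address this way. Caddy's proxy_protocol listener wrapper is assumed to be the one shipped with Caddy 2.7 or later.

```shell
#!/bin/sh
# Added example: non-NAT Incus proxy devices with proxy_protocol=true, plus the
# matching Caddyfile. Placeholders: instance "web", host 203.0.113.10, site name.

# In non-NAT mode Incus runs a userspace proxy that connects to 127.0.0.1:<port>
# inside the instance, which is why Caddy logged loopback. proxy_protocol=true
# makes that proxy prepend a PROXY protocol header carrying the real client.
proxy_protocol_cmds() {
    inst=$1 host4=$2
    for port in 80 443; do
        printf 'incus config device add %s port-%s-tcp proxy listen=tcp:%s:%s connect=tcp:127.0.0.1:%s proxy_protocol=true\n' \
            "$inst" "$port" "$host4" "$port" "$port"
    done
}

# Caddy side: the proxy_protocol listener wrapper must sit before "tls" so the
# header is stripped before the TLS handshake. The allow list is loopback only,
# because that is where the Incus proxy connects from inside the instance;
# allowing anything wider would let a peer on the bridge forge the client IP.
write_caddyfile() {
    out=$1 site=$2
    cat >"$out" <<EOF
{
	servers {
		listener_wrappers {
			proxy_protocol {
				timeout 2s
				allow 127.0.0.1/32
			}
			tls
		}
	}
}

$site {
	respond "hello from {client_ip}"
}
EOF
}

# Usage: sh proxy-protocol.sh web 203.0.113.10 example.com
# Prints the device commands (run them on the host) and writes ./Caddyfile,
# which goes into the instance's Caddy config directory.
if [ "$#" -eq 3 ]; then
    proxy_protocol_cmds "$1" "$2"
    write_caddyfile ./Caddyfile "$3"
fi
```

After reloading Caddy, `incus config device show web` on the host should list both devices with proxy_protocol: "true", and the access log's remote_ip should change from 127.0.0.1 to the client's address.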

Well, it took some research, a lot of brain gymnastics and trial and error, but my Caddy logs in the instance now finally show real IPs.
I’m running a Debian bookworm host with incus version 6.7.
First I added ipv6.dhcp.stateful: "true" to my network config. Then I configured my instance with static IPv4 and IPv6 addresses:

incus config device override my-device eth0 ipv4.address=[instance's ipv4] ipv6.address=[instance's ipv6]

After that I added proxy devices to my-device for ports 80 and 443, TCP and UDP, IPv4 and IPv6, 8 entries altogether:

incus config device add my-device port-443-6tcp proxy nat=true listen=tcp:[host-wan-ipv6]:443 connect=tcp:[my-device-local-ipv6]:443

...and so on...

Caddy’s logs now get wan IPs:

request":{"remote_ip":"2a00:ee2:.........","remote_port":"53323","client_ip":"2a00:ee2.......","proto":"HTTP/3.0","method":"GET","host":....

Now, I’m not sure if that’s all correct and fine, but it works. Please don’t hesitate to suggest alternative, possibly better or simpler solutions, and thank you for your replies.

The more I play with incus the more I like it.

3 Likes
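Added example, not code from the thread or from the Incus project: the NAT-mode setup the final post describes, generated in one place so the eight devices stay consistent, with a small check for the two combinations the thread tripped over. Addresses are placeholders: instance "web", host WAN 203.0.113.10 / 2001:db8::10, static instance addresses 10.10.10.50 / fd42:1234::50 on incusbr0. The script assumes eth0 is inherited from a profile (hence device override, as in the post); if eth0 was added to the instance directly, incus config device set is the command instead. The rule that nat=true cannot be combined with proxy_protocol=true is my reading of the Incus proxy device validation, stated here as an assumption.

```shell
#!/bin/sh
# Added example: NAT-mode proxy devices for an Incus instance running Caddy.
# Placeholders: instance "web", host 203.0.113.10 / 2001:db8::10,
# static instance addresses 10.10.10.50 / fd42:1234::50 on incusbr0.

# nat=true needs a static address on the instance NIC, and a static
# ipv6.address additionally needs ipv6.dhcp.stateful=true on the network.
static_nic_cmds() {
    inst=$1 net=$2 ip4=$3 ip6=$4
    printf 'incus network set %s ipv6.dhcp.stateful=true\n' "$net"
    printf 'incus config device override %s eth0 ipv4.address=%s ipv6.address=%s\n' "$inst" "$ip4" "$ip6"
}

# One device per (address family, protocol, port). In NAT mode Incus installs
# DNAT rules instead of a userspace proxy, so the instance sees the real client
# address. The listen address must be one the host actually holds, and the
# connect address must be the instance's static address, never 127.0.0.1.
proxy_device_cmds() {
    inst=$1 host4=$2 host6=$3 inst4=$4 inst6=$5
    for port in 80 443; do
        for proto in tcp udp; do
            printf 'incus config device add %s port-%s-4%s proxy nat=true listen=%s:%s:%s connect=%s:%s:%s\n' \
                "$inst" "$port" "$proto" "$proto" "$host4" "$port" "$proto" "$inst4" "$port"
            printf 'incus config device add %s port-%s-6%s proxy nat=true listen=%s:[%s]:%s connect=%s:[%s]:%s\n' \
                "$inst" "$port" "$proto" "$proto" "$host6" "$port" "$proto" "$inst6" "$port"
        done
    done
}

# Refuse the two NAT-mode mistakes from this thread: a loopback connect target
# (DNAT to 127.0.0.1 reaches nothing the client can use) and proxy_protocol=true
# (assumption: Incus only speaks PROXY protocol from its userspace proxy, which
# NAT mode bypasses). Non-NAT lines are left alone.
lint_proxy_line() {
    case $1 in *nat=true*) ;; *) return 0 ;; esac
    case $1 in
        *proxy_protocol=true*) return 1 ;;
        *connect=*:127.0.0.1:*|*connect=*:\[::1\]:*) return 1 ;;
    esac
    return 0
}

# Usage: sh nat-proxy.sh web 203.0.113.10 2001:db8::10 10.10.10.50 fd42:1234::50
# Set DRY_RUN=1 to print the commands instead of running them on the host.
main() {
    { static_nic_cmds "$1" incusbr0 "$4" "$5"; proxy_device_cmds "$@"; } |
    while IFS= read -r cmd; do
        lint_proxy_line "$cmd" || { echo "refusing: $cmd" >&2; exit 1; }
        if [ -n "$DRY_RUN" ]; then echo "$cmd"; else sh -c "$cmd"; fi
    done
}

if [ "$#" -eq 5 ]; then
    main "$@"
fi
```

Run it once with DRY_RUN=1 to review the eight device lines, then without. If the instance loses outside connectivity afterwards, as happened mid-thread, check that the override actually changed the instance's address to the static one (incus list shows it) and that the host firewall still accepts the forwarded traffic that the NAT rules redirect to the bridge.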