caddy-frontend: Improve README for exposing the node

Based on current experiences, update the documentation regarding iptables and network capability documentation.

caddy-frontend: Improve README for exposing the node
Based on current experiences, update the documentation regarding iptables and network capability documentation.
2bf01f82 · Łukasz Nowak · 46485789 · 2bf01f82
Commit 2bf01f82 authored Oct 01, 2019 by Łukasz Nowak
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 6 deletions

software/caddy-frontend/README.caddy_frontend.rst software/caddy-frontend/README.caddy_frontend.rst +19 -6

No files found.
--- a/software/caddy-frontend/README.caddy_frontend.rst
+++ b/software/caddy-frontend/README.caddy_frontend.rst
@@ -560,22 +560,35 @@ Notes
 It is not possible with slapos to listen to port <= 1024, because process are
 not run as root.

-Solution 1 (IPv4 only)
----------------------
+Solution 1 (iptables)
+---------------------

 It is a good idea then to go on the node where the instance is
 and set some ``iptables`` rules like (if using default ports)::

  iptables -t nat -A PREROUTING -p tcp -d {public_ipv4} --dport 443 -j DNAT --to-destination {listening_ipv4}:4443
  iptables -t nat -A PREROUTING -p tcp -d {public_ipv4} --dport 80 -j DNAT --to-destination {listening_ipv4}:8080
+  ip6tables -t nat -A PREROUTING -p tcp -d {public_ipv6} --dport 443 -j DNAT --to-destination {listening_ipv6}:4443
+  ip6tables -t nat -A PREROUTING -p tcp -d {public_ipv6} --dport 80 -j DNAT --to-destination {listening_ipv6}:8080

-Where ``{public ip}`` is the public IP of your server, or at least the LAN IP to where your NAT will forward to, and ``{listening ip}`` is the private ipv4 (like 10.0.34.123) that the instance is using and sending as connection parameter.
+Where ``{public_ipv[46]}`` is the public IP of your server, or at least the LAN IP to where your NAT will forward to, and ``{listening_ipv[46]}`` is the private ipv4 (like 10.0.34.123) that the instance is using and sending as connection parameter.

-Solution 2 (IPv6 only)
----------------------
+Additionally in order to access the server by itself such entries are needed in ``OUTPUT`` chain (as the internal packets won't appear in the ``PREROUTING`` chain)::
+
+  iptables -t nat -A OUTPUT -p tcp -d {public_ipv4} --dport 443 -j DNAT --to {listening_ipv4}:4443
+  iptables -t nat -A OUTPUT -p tcp -d {public_ipv4} --dport 80 -j DNAT --to {listening_ipv4}:8080
+  ip6tables -t nat -A OUTPUT -p tcp -d {public_ipv6} --dport 443 -j DNAT --to {listening_ipv6}:4443
+  ip6tables -t nat -A OUTPUT -p tcp -d {public_ipv6} --dport 80 -j DNAT --to {listening_ipv6}:8080
+
+Solution 2 (network capability)
+-------------------------------

 It is also possible to directly allow the service to listen on 80 and 443 ports using the following command::

  setcap 'cap_net_bind_service=+ep' /opt/slapgrid/$CADDY_FRONTEND_SOFTWARE_RELEASE_MD5/go.work/bin/caddy
+  setcap 'cap_net_bind_service=+ep' /opt/slapgrid/$CADDY_FRONTEND_SOFTWARE_RELEASE_MD5/parts/6tunnel/bin/6tunnel
+
+Then specify in the master instance parameters:

-Then specify in the instance parameters ``port`` and ``plain_http_port`` to be ``443`` and ``80``, respectively.
+ * set ``port`` to ``443``
+ * set ``plain_http_port`` to ``80``