I have gotten into a very specific situation and although there are other ways to do this, I've kinda gotten obsessed with this and would like to find out a way to do it exactly like this:
Background
Say I have a server running several services tucked away in isolated docker containers. Since most of those services are http, I'm using an nginx proxy to expose specific subdomains to each service. For example, a node server is running on a docker container with its port 80 bound to 127.0.0.1:8000 on the host. I'll create a vhost in nginx that proxies all requests to myapp.mydomain.com to http://127.0.0.1:8000. That way, the docker container cannot be accessed from outside, except through myapp.mydomain.com.
Now I want to start a gogs docker container in such a way that gogs.mydomain.com points to the gogs container. So I start this gogs container with port 8000 bound to 127.0.0.1:8001 on the host. And an nginx site proxying requests to gogs.mydomain.com to http://127.0.0.1:8001 and it works well...
However, gogs being a git container, I would also like to access the repos like through git@gogs.mydomain.com:org/repo but that doesn't work with the current setup. One way to make that work would be to bind the port 22 of the container to the port 0.0.0.0:8022 on the host, and then the git ssh url can be something like git@gogs.mydomain.com:8022/repo.
(That doesn't seem to work; when I push to an origin with uri like that, git demands the password for user git on gogs.mydomain.com - instead of gogs.mydomain.com:8022 - but that's probably something I'm doing wrong and out of scope for this question, however, I would appreciate any diagnosis for that too)
Problem
My main concern is, that I want the ssh port gogs.mydomain.com get passed on to the container's port 22. Now I can't bind the container's ssh port to the host's ssh port because there is already an sshd running on the host. Also, that would mean that any connections to *.mydomain.com get passed to the container's sshd.
I want any ssh connections to:
mydomain.comhost.mydomain.comor mydomain's IP address to be accepted and forwarded to the sshd on the hostgogs.mydomain.comorgit.mydomain.comto be accepted an passed on to the sshd on the gogs container*.mydomain.com(where*is anything other than the possibilities above) to be rejected
If it were http, I could easily make that work through nginx. Is there a way to do that for ssh?
(Also would like to go out on a limb and ask: is there a way to accomplish that with any tcp service in general?)
Any insights into the way I'm trying to do it here, are also welcome. I don't mind being told when what I'm trying to do is utterly stupid.
What I've already got in my mind:
Maybe I could share the sshd socket on host with the container as a ro volume? That would mean the sshd inside the container could pick up all connections to *.mydomain.com. Could there be a way to make the sshd inside the container reject all connections other than gogs.mydomain.com or git.mydomain.com? However, the sshd on the host will pick up all the connections to *.mydomain.com anyway including gogs.mydomain.com; so there would be a conflict. I dunno, I haven't actually tried it. Should I try it?
No comments:
Post a Comment