Multiple jails one public ipaddress no nat

Problem description

My question is pretty simple. I have scoured the web and cannot discern from what I have read how to implement the following. My question is simple. Is the following possible and can someone point me to a thorough article discussing this? I am new to networking.

I run a FreeBSD 11.1-RELEASE dedicated server. I have built several jails, two of which will run Apache 24 / php72. I have multiple domain names pointing to the same public IP address. I want to forward all port 80 and 443 traffic to www.mydomain.com to one jailed web server, and all port 80 and 443 traffic to dev.mydomain.com to another jailed web server. I do NOT want to have to specify a different port in my web query to be routed to the dev server. (Why bother with different domain names then??) So that rules out NAT port redirection.

Based on everything I have read it looks like I need to implement a reverse proxy. I did some research and haproxy looked like the best (of the big 4) based on my needs. However, the documentation on how to configure haproxy for something other than load balancing sucks. Period.

Am I on the right track?

I plan to implement with ipfw on the host system because I will have separate jails handling database implementation and am trying to stay as in line with PCI/PII as possible. (Abstracting and separating services (www, dns, db) and environments (dev, qa, and prd).)

Thank you in advance for saving measurable amounts of the time I have left on this planet.

Recommended answer

If you have a dedicated server, chances are high that you have an IPv6 /64 segment. That could simplify a lot of things since you could totally forget about NAT.

You could indeed use a CDN, something like Cloudflare, so that you could also be available to handle IPv4 requests; this makes a win-win scenario.

Now, in case you don't have IPv6 and just have an IPv4 on the main host, I would suggest PF, for example, taken from fabrik.red:

> cat /etc/pf.conf
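ext_if = "em0"       # external (public) interface
set skip on lo       # do not filter on loopback interfaces
scrub in all         # normalize incoming packets
nat on $ext_if from lo1:network to any -> ($ext_if)   # NAT outbound traffic from the networks on lo1 to the external address
pass all             # allow everything else (no filtering)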

Later, on the main host, you could use HAProxy and use your jails as backends. You can do the same with Nginx, but personally, for this case I prefer HAProxy.

You could indeed do this on cloud providers like AWS; for example, check this flow:

The beauty of FreeBSD and the jails is the network stack and you can totally forget about NAT or port forwarding.

If in the attached picture the instance used is a t2.large, it can handle up to 36 IPs by using 3 interfaces; the IPs are assigned/requested via DHCP and once defined you just need to use them per jail. I used the fabrik.red image for this since it allows having ZFS on root and therefore you can just have a very tiny instance (8 GB disk) handling easily >30 jails. This depends on each use case, but I hope it can give you some ideas.
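
The HAProxy setup described in the answer could look like the following. This is an added example, not part of the original answer or of fabrik.red: the public address 203.0.113.10 and the jail addresses 10.0.0.10 and 10.0.0.20 on lo1 are constructed placeholders, and TLS passthrough by SNI is one possible choice for port 443.

```haproxy
# haproxy configuration on the jail host (constructed example).
# Assumptions: 203.0.113.10 is the single public IP; 10.0.0.10 and
# 10.0.0.20 are the www and dev jail addresses on lo1.
global
    daemon
    maxconn 2048

defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80: choose the jail from the HTTP Host header.
frontend http_in
    mode http
    bind 203.0.113.10:80
    acl host_www hdr(host) -i www.mydomain.com
    acl host_dev hdr(host) -i dev.mydomain.com
    # Refuse any other name instead of silently defaulting to one jail.
    http-request deny unless host_www or host_dev
    use_backend www_http if host_www
    use_backend dev_http if host_dev

# Port 443: TLS passthrough, choose the jail from the SNI in the ClientHello.
# Certificates and private keys stay inside each jail's Apache.
frontend https_in
    mode tcp
    bind 203.0.113.10:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend www_tls if { req.ssl_sni -i www.mydomain.com }
    use_backend dev_tls if { req.ssl_sni -i dev.mydomain.com }
    # No default_backend: a missing or unknown SNI reaches no jail.

backend www_http
    mode http
    server www 10.0.0.10:80 check
backend dev_http
    mode http
    server dev 10.0.0.20:80 check
backend www_tls
    mode tcp
    server www 10.0.0.10:443 check
backend dev_tls
    mode tcp
    server dev 10.0.0.20:443 check
```

The file can be syntax-checked before a reload with `haproxy -c -f <file>`.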
