
How to dynamically route HTTPS traffic to LXD instances

Dynamically route HTTPS traffic to LXD instances on a development server.

LXD uses bridged networking by default, so get the lxdbr0 IP address, as this is the address the dnsmasq service uses to answer DHCP and DNS requests for the instances.

$ lxc network get lxdbr0 ipv4.address
10.97.179.1/24

Install the nginx HTTP and reverse proxy server, which will route the traffic dynamically.

$ sudo apt install nginx

Create a directory to store an SSL certificate.

$ sudo mkdir /etc/nginx/ssl

Create the SSL certificate or use an existing one.

$ sudo openssl req -subj "/commonName=*.example.org" -x509 -nodes -days 730 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

Disable the default site.

$ sudo unlink /etc/nginx/sites-enabled/default

Define a new site to access LXD containers. Notice that I am using the example.org domain name and the resolver address obtained above.

$ cat <<'EOF' | sudo tee /etc/nginx/sites-available/lxd
server {
  listen 80;
  listen 443 ssl;

  # LXD's dnsmasq on lxdbr0 resolves <instance>.lxd names
  resolver 10.97.179.1;

  ssl_certificate_key /etc/nginx/ssl/nginx.key;
  ssl_certificate     /etc/nginx/ssl/nginx.crt;

  # capture the first label of the host name as $container
  server_name ~^(?<container>\w+)\.example\.org$;

  if ($scheme != "https") {
    rewrite ^ https://$host$request_uri permanent;
  }

  location / {
    proxy_pass http://$container.lxd:8080$request_uri;
    proxy_set_header Host $container.example.org;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}
EOF

Enable this site.

$ sudo ln -s /etc/nginx/sites-available/lxd /etc/nginx/sites-enabled/lxd

Now you can point a DNS entry for nextcloud.example.org at this server to reach the nextcloud container on its internal port 8080, and so on for any other container.
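The routing decision nginx makes above is worth seeing in isolation: the anchored named capture in server_name is the only thing that decides which .lxd name the proxy connects to, so it also decides what a client-supplied Host header can and cannot steer the proxy at. The following Python script is an added illustration, not code from the article; it mimics that decision with the article's regex, and additionally with a hypothetical broadened pattern (HYPHEN_PATTERN, my own assumption) because LXD instance names may contain hyphens, which \w does not match. The host names fed to it are constructed samples.

```python
import re

# Domain and internal DNS suffix used in the article's nginx site definition.
DOMAIN = "example.org"
LXD_DNS_SUFFIX = "lxd"
CONTAINER_PORT = 8080

# Same anchored named capture as the article's server_name directive.
# re.ASCII keeps \w at [A-Za-z0-9_], which is what nginx's PCRE \w matches.
ARTICLE_PATTERN = re.compile(
    rf"^(?P<container>\w+)\.{re.escape(DOMAIN)}$", re.ASCII
)

# Hypothetical broadened pattern (assumption, not from the article): LXD
# instance names may contain hyphens, so "my-app.example.org" is not routed
# by ARTICLE_PATTERN but would be by this one.
HYPHEN_PATTERN = re.compile(
    rf"^(?P<container>[a-z0-9][a-z0-9-]*)\.{re.escape(DOMAIN)}$", re.ASCII
)


def normalize_host(host: str) -> str:
    """nginx lowercases the Host header and strips an optional :port before
    matching server_name; do the same so the simulation agrees with it."""
    host = host.strip().lower()
    if host.count(":") == 1:          # "name.example.org:443"
        host = host.split(":", 1)[0]
    return host


def route(host: str, pattern: re.Pattern = ARTICLE_PATTERN):
    """Return the upstream URL nginx would proxy to for this Host header,
    or None when server_name does not match (no $container is captured)."""
    match = pattern.match(normalize_host(host))
    if match is None:
        return None
    container = match.group("container")
    return f"http://{container}.{LXD_DNS_SUFFIX}:{CONTAINER_PORT}"


def routing_table(hosts, pattern: re.Pattern = ARTICLE_PATTERN) -> dict:
    """Map every constructed Host header to its upstream (or None)."""
    return {host: route(host, pattern) for host in hosts}


if __name__ == "__main__":
    # Constructed sample Host headers, including ones a client could forge.
    samples = [
        "nextcloud.example.org",              # routed to nextcloud.lxd
        "NextCloud.example.org:443",          # case and port are normalized
        "my-app.example.org",                 # hyphen: not matched by \w+
        "evil.com",                           # foreign host: no upstream
        "nextcloud.example.org.attacker.net", # anchored $ rejects suffixing
        "a.b.example.org",                    # second label: not matched
    ]
    for host, upstream in routing_table(samples).items():
        print(f"{host:40} -> {upstream}")
    print("with HYPHEN_PATTERN:", route("my-app.example.org", HYPHEN_PATTERN))
```

Because proxy_pass is built from $container, the anchors (^ and $) and the restricted character class are what keep the upstream inside the .lxd zone: a Host header such as evil.com or nextcloud.example.org.attacker.net simply does not match the server block. The hyphen case is the practical caveat: a container named my-app gets no capture with the article's pattern, and since this is the only server block it still receives the request with an empty $container, which nginx cannot proxy to.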

This solution is beneficial on a development server where you experiment with different containers, because new containers become reachable without updating the proxy configuration.

The proxy returns HTTP 502 when the container does not exist, because its .lxd name cannot be resolved.