Comment

Comment on Many Network Interfaces per VM/CT - Good Practice?

I use using docker networks but that’s me. They are created for every service and it’s easy to target the gateway. Just make sure DNS is correct for your hostnames.

Lately I’ve been optimizing remote services for reverse proxy passthru. Did you know that it can break streams momentarily and make your proxy work a little harder if your host names don’t match outside and in?

So in other words if you want full passthru of a tcp or udp stream to your server without the proxy breaking it then opening a new stream you would have to make sure the internal network and external network are using the same fqdn for the service you are targeting.

It actually can break passthru via sni if they don’t use the same hostname and cause a slight delay. Kinda matters for things like streaming videos. Especially if you are using a reverse proxy and the service supports quic or http2.

So a reverse proxy entry that simply passes without breaking the stream and resending it might ook like…

Obviously you would need to get the http port working on jellyfin and have ipv6 working with internal DNS in this example.

server {
    listen 443 ssl;
    listen [::]:443 ssl;  # Listen on IPv6 address

    server_name jellyfin.example.net;

    ssl_certificate /path/to/ssl_certificate.crt;
    ssl_certificate_key /path/to/ssl_certificate.key;

    location / {
        proxy_pass https://jellyfin.example.net:8920;  # Use FQDN
        ...
    }
}

source

Sort:hotnew top

raldone01@lemmy.world ⁨3⁩ ⁨months⁩ ago
Full pass through has no advantage when my reverse proxy terminates ssl and internal services are http only right?

Regardless of fqdn nginx has to decrypt and restream anyways.

source
- pyrosis@lemmy.world ⁨3⁩ ⁨months⁩ ago
  This would be correct if you are terminating ssl at the proxy and it’s just passing it to http. However, if you can enable SSL on the service it’s possible to take advantage of full passthru if you care about such things.
  
  source
  - raldone01@lemmy.world ⁨3⁩ ⁨months⁩ ago
    Ahh nice good to know. For my use case I’d rather not distribute the certificates to all my services.
    
    source
    pyrosis@lemmy.world ⁨3⁩ ⁨months⁩ ago
    When I was experimenting with this it didn’t seem like you had to distribute the cert to the service itself. As long as the internal service was an https port. The certificate management was still happening on the proxy.
    
    The trick was more getting the host names right and targeting the proxy for the hostname resolution.
    
    Either way IP addresses are much easier but it is nice to observe a stream being completely passed through. I’m sure it takes a load off the proxy and stabilizes connections.
    
    source