Comment on Multiple Kubernetes Services Using Same Port Without SNI
Findmysec@infosec.pub 2 months agoIn short, you need a reverse-proxy + traffic segregation with domain names (SNI).
I don’t remember much about ingresses, but this can be super easy to set up with Gateway API (I’m looking at it right now).
Basically, you can set up sftp.my.domain/ssh
to 192.168.1.40:22
, sftp.my.domain/sftp
to 192.168.1.40:121
(for example). Same with Forgejo, forgejo.my.domain/ssh
will point to 192.168.1.50:22
and forgejo.my.domain/gui
will point to 192.168.1.50:443
.
The Gateway API will simply send it over to the right k8s service.
About your home network: I think you could in theory open up a DMZ and everything should work. I would personally use a cheap VPS as a VPN server and NAT all traffic through it. About traffic from your router maintaining the SNI, that’s a different problem depending on your network setup.
wireless_purposely832@lemmy.world 2 months ago
I am comfortable routing traffic via domain name through a reverse proxy. I am doing that via Traefik and can setup rules so that different sub-domains, domains, and/or path is routed to the appropriate end point (IP address and port). The issue is that k3s does not receive that information for SSH traffic since SNI (ie: the sub-domain, domain, etc.) is not included in SSH traffic. If SSH traffic provided SNI information, this issue would be much less complicated as I would only need to make sure that the port 22 traffic intended for k3s did not get processed by SSH or any other service on the node.
If I were to setup a DMZ, I think I would need to setup one unique public IP per SSH service. So I would need to create a public DNS record for sftp.my.domain to VPS#1’s public IP and ssh.forgejo.my.domain to VPS#2’s public IP. Assuming both VPS#1 and VPS#2 have some means of accessing the internal network (eg: VPN) then I could port forward traffic received by VPS#1 on port 22 to 192.168.1.40:22 and traffic received by VPS#2 on port 22 to 192.168.1.50:22. I had not considered this and based on what I have seen so far, I think that this would be the only solution to allow external traffic to access these services using the normal port 22 when there is more than one service in k3s expecting traffic on port 22 (or any other port that receives traffic without SNI details).
Findmysec@infosec.pub 2 months ago
If you can only use port 22 for multiple SSH endpoints (for example), then yes your going to need multiple IPs. Or Port-mapping as a compromise