• 3 Posts
  • 39 Comments
Joined 4 months ago
Cake day: July 6th, 2024

  • In short, you need a reverse-proxy + traffic segregation with domain names (SNI).

    I don’t remember much about ingresses, but this can be super easy to set up with Gateway API (I’m looking at it right now).

    Basically, you can set up sftp.my.domain/ssh to 192.168.1.40:22, sftp.my.domain/sftp to 192.168.1.40:121 (for example). Same with Forgejo, forgejo.my.domain/ssh will point to 192.168.1.50:22 and forgejo.my.domain/gui will point to 192.168.1.50:443.

    The Gateway API will simply send it over to the right k8s service.

    About your home network: I think you could in theory open up a DMZ and everything should work. I would personally use a cheap VPS as a VPN server and NAT all traffic through it. About traffic from your router maintaining the SNI, that’s a different problem depending on your network setup. Yes, you’ll have to deal with port-mapping because at the end of the day, even Gateway API is NodePort-esque when exposing traffic outside.


  • You’d receive traffic on IP:PORT, that’s segregation right there. Slap on a DNS name for convenience.

    I might have my MetalLB config lying around somewhere (it’s super easy, I copied most of it from their website), I can probably paste it here if you’d like.

    Exposing services publicly on the Internet is an L3-L4/L7 networking problem, unfortunately I don’t know enough about your situation to comment.

    Edit: the latter end of your post is correct. You could route to different endpoints that way.