
return to main page

Example 2

```mermaid
graph TB

    a1[curl] -.->a2[caddy container reverse proxy]
    a2 -->|"for http://whoami.example.com:8080"| a3["whoami container"]
    a2 -->|"for http://nginx.example.com:8080"| a4["nginx container"]
```

Set up a systemd user service example2.service for the user test where rootless podman is running the container image docker.io/library/caddy. Configure socket activation for TCP port 8080. The caddy container is acting as an HTTP reverse proxy that forwards requests to 2 backends. Requests to http://whoami.example.com:8080 are forwarded to the whoami container. Requests to http://nginx.example.com:8080 are forwarded to the nginx container.

In this example the curl option --resolve is used for name resolution. In other words, the domain names whoami.example.com and nginx.example.com do not need to be resolvable in public DNS.

  1. Create a test user
    sudo useradd --create-home test
    
  2. Open a shell for user test
    sudo machinectl shell --uid=test
    
  3. Optional step: enable lingering to avoid services from being stopped when the user test logs out.
    loginctl enable-linger test
    
  4. Create directories
    mkdir -p ~/.config/systemd/user
    mkdir -p ~/.config/containers/systemd
    mkdir ~/caddy_etc
    
  5. Pull caddy container image
    podman pull docker.io/library/caddy
    
  6. Pull whoami container image
    podman pull docker.io/traefik/whoami
    
  7. Clone git repo
    git clone https://github.com/eriksjolund/podman-caddy-socket-activation.git
    
  8. Install the network unit file
    cp podman-caddy-socket-activation/examples/example2/mynet.network \
       ~/.config/containers/systemd/
    
  9. Install the container unit files
    cp podman-caddy-socket-activation/examples/example2/*.container \
       ~/.config/containers/systemd/
    
  10. Install the socket unit file
    cp podman-caddy-socket-activation/examples/example2/caddy.socket \
       ~/.config/systemd/user/
    
  11. Install the Caddyfile
    cp podman-caddy-socket-activation/examples/example2/Caddyfile \
       ~/caddy_etc/Caddyfile
    
    (The path ~/caddy_etc/Caddyfile was arbitrarily chosen)
  12. Reload the systemd user manager
    systemctl --user daemon-reload
    
  13. Start the socket for TCP port 8080
    systemctl --user start caddy.socket
    
  14. Pull the whoami container image
    podman pull docker.io/traefik/whoami
    
  15. Pull the nginx container image
    podman pull docker.io/library/nginx
    
  16. Start the nginx container
    systemctl --user start nginx.service
    
  17. Start the whoami container
    systemctl --user start whoami.service
    
  18. Download the URL http://nginx.example.com:8080 from the caddy container and see that the request is proxied to the container nginx. Resolve nginx.example.com to 127.0.0.1.
    curl -s --resolve nginx.example.com:8080:127.0.0.1 \
      http://nginx.example.com:8080 | head -4
    
    The following output is printed
    <!DOCTYPE html>
    <html>
    <head>
    <title>Welcome to nginx!</title>
    
    result: The default nginx web page was downloaded
  19. Download the URL http://whoami.example.com:8080 from the caddy container and see that the request is proxied to the container whoami. Resolve whoami.example.com to 127.0.0.1.
    curl -s --resolve whoami.example.com:8080:127.0.0.1 \
      http://whoami.example.com:8080 | grep X-Forwarded-For
    
    The following output is printed
    X-Forwarded-For: 127.0.0.1
    
    result: The IPv4 address 127.0.0.1 matches the IP address of X-Forwarded-For
  20. Check the IPv4 address of the main network interface. Run the command
    hostname -I
    
    The following output is printed
    192.168.10.108 192.168.39.1 192.168.122.1 fd25:c7f8:948a:0:912d:3900:d5c4:45ad
    
    result: The IPv4 address of the main network interface is 192.168.10.108 (the address furthest to the left). Note, the detected IP address will most probably be different when you try it out on your system.
  21. Download the URL http://whoami.example.com:8080 from the caddy container and see that the request is proxied to the container whoami. Resolve whoami.example.com to the IP address of the main network interface. Use the IP address that was detected in the previous step.
    curl -s --resolve whoami.example.com:8080:192.168.10.108 \
      http://whoami.example.com:8080 | grep X-Forwarded-For
    
    The following output is printed
    X-Forwarded-For: 192.168.10.108
    
    result: The IPv4 address of the main network interface, 192.168.10.108, matches the IPv4 address of X-Forwarded-For
  22. From another computer download a web page http://whoami.example.com:8080 from the caddy container and see that the request is proxied to the container whoami.
    curl -s --resolve whoami.example.com:8080:192.168.10.108 \
      http://whoami.example.com:8080 | grep X-Forwarded-For
    
    The following output is printed
    X-Forwarded-For: 192.168.10.161
    
    Check the IP address of the other computer (which in this example runs macOS). In the macOS terminal run the command
    ipconfig getifaddr en0
    
    The following output is printed
    192.168.10.161
    
    result: The IPv4 address of the other computer matches the IPv4 address of X-Forwarded-For
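The checks in steps 18 to 21 can be repeated from one script. The following is an added verification script, not a file from the podman-caddy-socket-activation repository; the file name verify_example2.sh, the `run` argument and the sample whoami response used in comments are my own choices.

```shell
#!/bin/sh
# verify_example2.sh (added example, not part of the repository).
# Repeats the curl checks of steps 18 to 21: the nginx backend must return
# its welcome page, and the whoami backend must report an X-Forwarded-For
# equal to the address curl connected to (127.0.0.1 and the host's main IPv4).
set -eu

# First IPv4 address in a `hostname -I` style line (the leftmost entry, step 20).
first_ipv4() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -1
}

# Extract the X-Forwarded-For value from a whoami response body.
xff_value() {
    printf '%s\n' "$1" | sed -n 's/^X-Forwarded-For: *//p' | head -1 | tr -d '\r'
}

# Return 0 when the X-Forwarded-For value in the response equals the expected IP.
xff_matches() {
    [ "$(xff_value "$1")" = "$2" ]
}

# Request http://NAME:8080 with NAME resolved to RESOLVE_IP (curl --resolve).
fetch_via_caddy() {
    name=$1; resolve_ip=$2
    curl -s --resolve "$name:8080:$resolve_ip" "http://$name:8080"
}

verify() {
    host_ip=$(first_ipv4 "$(hostname -I)")
    # step 18: the default nginx page is proxied back
    if fetch_via_caddy nginx.example.com 127.0.0.1 | grep -q 'Welcome to nginx!'; then
        echo "nginx backend: OK"
    else
        echo "nginx backend: FAIL"; exit 1
    fi
    # step 19 (loopback) and step 21 (main interface address)
    for ip in 127.0.0.1 "$host_ip"; do
        if xff_matches "$(fetch_via_caddy whoami.example.com "$ip")" "$ip"; then
            echo "whoami via $ip: X-Forwarded-For matches"
        else
            echo "whoami via $ip: X-Forwarded-For does not match"; exit 1
        fi
    done
}

# Live checks run only with `sh verify_example2.sh run`, so the helper
# functions can be sourced and tested without a running caddy.
if [ "${1:-}" = run ]; then verify; fi
```

Run it on the host where caddy.socket is active; a mismatch in X-Forwarded-For exits non-zero.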

Using Internal=true

The file mynet.network currently contains

[Network]
Options=isolate=true
Internal=true
Network=mynet

The line

Internal=true

prevents containers on the network mynet from connecting to the internet. To allow containers on that network to download files from the internet you would need to remove the line.