I have an issue with a guest using virsh behind a server running with iptables firewall. This guest hosts websites, one is mattermost with reverse proxy.
Everything is working well. I then installed collabora online 1: https://www.collaboraoffice.com/code/. Super cool to open documents and they have a plugin for mattermost
I tested this plugin from a remote server also running mattermost that reaches out to this local box behind my iptables, and it is working perfectly. However, when I test this plugin from the guest local server itself, behind iptables, so NAT basically, it cannot find itself. I get timed out.
So, my guest behind iptables, with proper rules set up to pass traffic, holds mattermost AND CollaboraOnline, but if I point the public URL from mattermost to fetch CollaboraOnline, both on localhost, they cannot find each other. I can't do localhost:9980 or 127.0.0.1:9980 (which is where CollaboraOnline is) in the plugin; it does not like the port in the address...
If I do curl https://CollaboraOnline.domain.ca I can see it times out.
If I edit the /etc/hosts file on the localhost server to 127.0.0.1 CollaboraOnline.domain.ca, then curl works and the mattermost plugin does find CollaboraOnline, but it still will not work because I end up with an SSL type verification error like this:
AH02032: Hostname provided via SNI and hostname provided via HTTP have no compatible SSL setup how to bypass
So now I am running out of bright ideas. I have another public box not behind virsh with iptables, and if I curl one of its localhost services, everything is fine. This only leads me to believe iptables might need a rule for my guest running mattermost and CollaboraOnline to be able to loop back to itself when requesting a public URL it serves itself?!?
Does anyone have any idea about this?
My guest VM is 192.168.122.126 and my parent server hosting the virsh guests and iptables is 192.168.122.1
Here are the iptables rules (removed some clutter like fail2ban stuff):
iptables -L
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all
ACCEPT all
ACCEPT all
ACCEPT all
REJECT all
REJECT all
iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp
DNAT tcp
DNAT tcp
DNAT tcp
DNAT tcp
DNAT tcp
DNAT tcp
DNAT tcp
DNAT udp
DNAT tcp
DNAT tcp
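The loop-back the question describes is what is usually called hairpin NAT: a DNAT rule bound to the public interface never sees traffic that arrives from virbr0, and even when it matches, the guest would answer itself directly unless the host also rewrites the source. The script below is an added illustration, not the poster's rules or anything from libvirt; the guest and network addresses come from the post, while WAN_IF and PUBLIC_IP are placeholders to replace, and the iptables-save snippet is constructed to exercise the check function.

```shell
#!/bin/sh
# Added example (not from the original post): generate and verify the two nat-table
# rules needed so a libvirt guest can reach a port published on the host's public IP.
GUEST_IP="192.168.122.126"               # from the post
GUEST_NET="192.168.122.0/24"             # libvirt default network, from the post
WAN_IF="${WAN_IF:-eth0}"                 # assumption: the host's public interface
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # placeholder (documentation range), replace

# Print the hairpin rules for one published TCP port.
# 1. A DNAT that explicitly matches packets coming from the guest network towards the
#    public address, because a rule written with "-i $WAN_IF" does not match virbr0 traffic.
# 2. A MASQUERADE for forwarded traffic that goes back into the same guest, so the
#    guest sees the host as the client and its replies return through the host's
#    conntrack entry instead of being delivered to itself.
hairpin_rules() {
  port="$1"
  echo "iptables -t nat -A PREROUTING -s $GUEST_NET -d $PUBLIC_IP -p tcp --dport $port -j DNAT --to-destination $GUEST_IP:$port"
  echo "iptables -t nat -A POSTROUTING -s $GUEST_NET -d $GUEST_IP -p tcp --dport $port -j MASQUERADE"
}

# Apply the generated rules (needs root); the generator is kept separate so it can
# be reviewed, or diffed against "iptables-save", before anything is changed.
apply_hairpin() { hairpin_rules "$1" | sh; }

# Read an "iptables-save" dump on stdin and return 0 only if the POSTROUTING
# masquerade towards the guest is present. iptables-save prints hosts as /32.
has_hairpin_snat() {
  grep -Eq -- "-A POSTROUTING .*-d $GUEST_IP(/32)? .*-j MASQUERADE"
}

# Constructed sample: a typical published port WITHOUT the hairpin rules.
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.122.126:443
COMMIT'

# Reports "missing" or "present" for the sample, and can be pointed at a live dump:
#   iptables-save | has_hairpin_snat && echo present
check_sample() {
  if printf '%s\n' "$SAMPLE_SAVE" | has_hairpin_snat; then echo present; else echo missing; fi
}
```

Run `hairpin_rules 443` first and compare the output with `iptables-save -t nat`; only the POSTROUTING rule is usually missing on a libvirt host, since FORWARD already accepts virbr0-to-virbr0 traffic.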