In case anyone is interested in this topic, here is how I solved the issue:
I followed @ljf’s advice and:
- added a local IPv4 to the container
- configured a reverse proxy for http and https in a third container
Now the diagnosis can run properly.
This solution makes http/https accesses possible for the container in IPv4: it makes you believe that the second yunohost instance is accessible in IPv4 but this is not true (for mail, xmpp, etc.).
So I’m not sure I will stick with this solution for long… Anyway, here is how I proceeded.
Description of the network for the LXC containers:
The host server has one ipv4 address and a block of ipv6 addresses.
A first yunohost is installed in a container: its local IPv4 is 192.168.10.3.
Its domain is “first.nohost.me”.
Its IPv4 is NATed for all needed ports except 80 and 443.
It has one IPv6.
A second yunohost is installed in a container: its local IPv4 is 192.168.10.4.
Its domain is “second.nohost.me”.
No port is NATed to its local IPv4.
It has one IPv6.
A third container is a debian with nginx installed: its local IPv4 is 192.168.10.5.
Its IPv4 is NATed for ports 80 and 443.
Configuration of nginx:
The following configuration is achieved in the third container.
Here is the content of file /etc/nginx/sites-enabled/default:

    server {
        listen 80;
        server_name first.nohost.me;
        location / {
            proxy_pass http://192.168.10.3:80/;
            proxy_redirect off;
            proxy_buffering off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        access_log /var/log/nginx/first.nohost.me_access.log;
        error_log /var/log/nginx/first.nohost.me_error.log;
    }
    server {
        listen 80;
        server_name second.nohost.me;
        location / {
            proxy_pass http://192.168.10.4:80/;
            proxy_redirect off;
            proxy_buffering off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        access_log /var/log/nginx/second.nohost.me_access.log;
        error_log /var/log/nginx/second.nohost.me_error.log;
    }

For https, I did not want the third container to handle the certificates: each yunohost instance already has its own certificate and yunohost does the hard work.
So I just wanted to proxy ssl stream depending on the domain name.
I created a file: /etc/nginx/modules-enabled/ssl.conf
with this content:

    stream {
        # Pick a backend from the SNI name in the TLS ClientHello (no decryption here).
        map $ssl_preread_server_name $ssl_name {
            hostnames;  # needed for the *.second.nohost.me wildcard to be treated as a mask
            second.nohost.me second_backend;
            *.second.nohost.me second_backend;
            default default_backend;
        }
        upstream https_second_backend { server 192.168.10.4:443; }
        upstream https_default_backend { server 192.168.10.3:443; } # first yunohost
        server {
            listen 443;
            proxy_pass https_${ssl_name};
            ssl_preread on;
        }
    }

In the end, I restarted nginx:

    systemctl restart nginx.service

Conclusion:
Once again, this solves the issue but makes you believe that the second yunohost instance is accessible in IPv4, which is only true for http and https.
It is probably possible to use nginx and configure a reverse proxy for mail and xmpp, but this is a story for another time.