I have a pretty default lxc-setup with one host and several containers. One container, webfrontend, is getting all host traffic on ports 80 and 443 via DNATing the ports. An nginx on webfrontend decides via vhosts which container webappX should get the request and proxies the request through to webappX's private ip:
host:443 <--prerouting--> webfrontend:443 <--nginx--> webappX-private:80
-A PREROUTING -d 80.x.x.x/32 -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.3.100:443
- Host (public): 80.x.x.x
- webfrontend (lxcbr0): 10.0.3.100
- webappX (lxcbr0): 10.0.3.200
- webappY (lxcbr0): 10.0.3.201
- ...
This works fine and allows a central point for letsencrypt-certificates, etc.
However, when webappX needs to access webappY, the connection is refused and the webfrontend never sees the request. Now, what I don't get is why the webfrontend-container does not have a problem proxying requests to webappX-containers, but the webappX-container can't connect to webappY-public, although all of the containers share the same bridge lxcbr0. I can access webappY on the private ip of webappY (from webappX), but I cannot access webappY-public (aka the webfrontend):
root@webappX:~# curl -I http://10.0.3.201
HTTP/1.1 200 OK
[...]
root@webappX:~# curl -I http://webappY.example.com
curl: (7) Failed to connect to webappY.example.com port 80: Connection refused
root@webappX:~# nslookup webappY.example.com
[...]
Name: webappY.example.com
Address: 80.x.x.x
Forwarding between the containers is given:
*filter
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
So far, I've tried setting POSTROUTING-rules and OUTPUT-rules on eth0 and lo without success.
Any ideas?
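The post carries no answer, so as an added example (not part of the original question) here is a small POSIX shell check that reads an iptables-save nat dump in the form quoted above, reports whether the DNAT for the public address also covers packets entering from lxcbr0, and emits the two hairpin rules that close the gap. Names PUB_IP, FRONTEND, BRIDGE, LAN and NAT_DUMP are assumptions of this example; the dump is constructed from the rule in the post.

```shell
# Added example, not from the original post: checks an iptables-save nat dump for the
# hairpin gap described above and emits the rules that close it. The post's DNAT is
# bound to "-i eth0", so a packet from webappX to 80.x.x.x enters the host on lxcbr0,
# is never rewritten and lands in the host's INPUT chain -> "Connection refused".
# Assumed names (not from the post): PUB_IP, FRONTEND, BRIDGE, LAN, NAT_DUMP.
PUB_IP="80.x.x.x"       # the post's own placeholder for the public address
FRONTEND="10.0.3.100"   # webfrontend container
BRIDGE="lxcbr0"
LAN="10.0.3.0/24"       # the containers' subnet on lxcbr0

# Constructed nat table in iptables-save form, using the rule quoted in the post.
NAT_DUMP='*nat
-A PREROUTING -d 80.x.x.x/32 -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.3.100:443
COMMIT'

# has_hairpin_dnat DUMP PORT: succeeds if a PREROUTING DNAT for PUB_IP:PORT -> FRONTEND:PORT
# also applies to packets arriving from the bridge (bound to "-i $BRIDGE" or to no interface).
has_hairpin_dnat() {
    printf '%s\n' "$1" \
      | grep -- "^-A PREROUTING .*-d $PUB_IP/32 .*--dport $2 .*-j DNAT --to-destination $FRONTEND:$2" \
      | {
          while IFS= read -r rule; do
              case "$rule" in
                  *"-i $BRIDGE "*) exit 0 ;;   # explicitly covers the bridge
                  *"-i "*)         ;;          # bound to another interface, e.g. eth0
                  *)               exit 0 ;;   # no -i at all: matches lxcbr0 too
              esac
          done
          exit 1
        }
}

# hairpin_rules PORT: DNAT the public port for packets entering from the bridge, and
# MASQUERADE bridge-to-frontend traffic so the webfrontend answers via the host (which
# reverses the DNAT) instead of replying to webappX directly from 10.0.3.100.
hairpin_rules() {
    printf '%s\n' \
      "-A PREROUTING -d $PUB_IP/32 -i $BRIDGE -p tcp -m tcp --dport $1 -j DNAT --to-destination $FRONTEND:$1" \
      "-A POSTROUTING -s $LAN -d $FRONTEND/32 -p tcp -m tcp --dport $1 -j MASQUERADE"
}

for port in 80 443; do
    if has_hairpin_dnat "$NAT_DUMP" "$port"; then
        echo "port $port: hairpin DNAT present"
    else
        echo "port $port: hairpin DNAT missing, add to the nat table:"
        hairpin_rules "$port"
    fi
done
```

Run it against `iptables-save -t nat` output instead of NAT_DUMP to check a live host; the emitted lines go into the nat table next to the existing eth0 rule.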