Easily accessing containers/KVM hosts using ProxyPass

This guide is for HTTPS, however it works exactly the same for HTTP.

This is a short and sweet guide, however it's something that needs to be documented as it is extremely fiddly!

At home I have a few KVM-based virtual machines, and quite a few Docker containers running using internal networks that (by design) only the server and themselves can access.

This is all well and good and secure, however it's a bit of a pain in the ass when you want to test things or, even worse, use them (without a plethora of routes, or having to NAT the hell out of everything…).

In this example, I have a virtual machine listening on the internal 192.168.70.0/24 network running an Apache-based application. I know it works because if I hit it up on telnet it works:

Naturally, if I try that from a desktop that doesn't have a route (or if my server didn't have NAT) then it wouldn't work.

What I want to be able to do is hit a URL, i.e. ‘site.ehertz.uk’, and have that Apache application, on that VM (or container) appear.

You can do this with iptables, as mentioned earlier:

... along with enabling conntrack, IPv4 forwarding (net.ipv4.ip_forward), etc.

(In my example above I've got port 80 in use, which is common, so I'm having to redirect on a different port).

This is a pain in the ass as you have to connect to the host and remember to enter the port every time, and it's not hugely elegant.

So, what's the answer?

ProxyPass

What I ended up with was using ProxyPass and DNS to allow me to hit a URL, i.e. site.ehertz.uk, and have the Apache application on the VM load.

First, simply create a DNS A record pointing to your server's IP using your chosen DNS server – i.e. in BIND it'll be:

Once you can dig that address and get the correct IP (i.e. ‘dig site.ehertz.uk’ returns the IP 192.168.0.176), you can crack on with the ProxyPass configuration.

First, ensure that you have the correct modules enabled:

Next, navigate to /etc/apache2/sites-available/ and create a new site:

Within this new conf, paste something similar to the following:

Few points:

  • Ensure your SSL crt, key and pem file paths are all correct.
  • Ensure your VirtualHost IP is correct.
  • Ensure your port is set to 443 for SSL.
  • If you are not using SSL, change 443 to 80 and remove all the lines between ‘Configuration for SSL’ and ‘End of SSL configuration’.
  • Ensure the IP (192.168.70.72) is set to the IP of the internal VM/container on both lines at the bottom of the config!
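
A vhost consistent with the points above, as an added example and not the author's original configuration. The certificate paths are placeholders, and the backend port (80), the LAN range in `Require ip`, and the use of the .pem as a chain file are assumptions.

```apache
# Added example. Assumptions: the host's LAN IP is 192.168.0.176 (the address
# the DNS record resolves to), the VM serves plain HTTP on port 80, and the
# certificate paths are placeholders.
# Needs mod_proxy, mod_proxy_http and mod_ssl enabled.
<VirtualHost 192.168.0.176:443>
    ServerName site.ehertz.uk

    # Configuration for SSL
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/site.example.crt
    SSLCertificateKeyFile   /etc/ssl/private/site.example.key
    # Deprecated since Apache 2.4.8, where the chain can instead be appended
    # to the file named in SSLCertificateFile.
    SSLCertificateChainFile /etc/ssl/certs/chain.example.pem
    # End of SSL configuration

    # Reverse proxy only: never act as a forward proxy for arbitrary URLs.
    ProxyRequests Off
    # Pass the client's Host header (site.ehertz.uk) through to the backend.
    ProxyPreserveHost On

    # The proxy punches through the internal network's isolation for this one
    # service, so restrict who may use it. 192.168.0.0/24 is an assumed LAN.
    <Location "/">
        Require ip 192.168.0.0/24
    </Location>

    # Both lines must point at the internal VM/container.
    ProxyPass        / http://192.168.70.72/
    ProxyPassReverse / http://192.168.70.72/

    ErrorLog  ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

Running `apache2ctl configtest` before the reload catches syntax errors without taking the existing sites down.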

That's about it really. Restart apache2 using ‘service apache2 reload’, and then test it out. If you have any issues then double-check /var/log/apache2/error.log.
