1

I'm trying to relay ssh connections from port 122/tcp to another server on port 22/tcp based on the FQDN.

Here is my HAProxy configuration:

frontend my_ssh_frontend
    bind *:122
    mode tcp
    option tcplog
    acl my_ssh_acl hdr(host) myHostname.myDomain.com
    use_backend my_ssh_backend if my_ssh_acl

backend my_ssh_backend
    mode tcp
    server myserver1 x2.y2.z2.t2:22 check

But it is as if the ACL condition is never true and therefore, the traffic is not routed to the backend.

Here is the ssh -vvv output:

 ssh.exe -p 122 -l admin-media myHostname.myDomain.com -vvv 2>&1 | egrep.exe -vw "identity file|Failed to open"
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug2: resolving "myHostname.myDomain.com" port 122
debug2: ssh_connect_direct
debug1: Connecting to myHostname.myDomain.com [x1.y1.z1.t1] port 122.
debug1: Connection established.
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
kex_exchange_identification: Connection closed by remote host

How can I do that with HAProxy?

SebMa
  • 2,035

1 Answer

2

I'm trying to relay ssh connections from port 122/tcp to another server on port 22/tcp based on the FQDN.

That's not possible, as the FQDN is never known by the server.

It is only sent as part of some application protocols, like TLS or HTTP (each of which HAProxy needs specific support for), not as part of the TCP layer handshake; so FQDN-based proxying of raw TCP connections cannot be done, neither with HAProxy nor otherwise.

The FQDN is also not sent as part of the SSH handshake, either – SSH has no equivalent to the HTTP 'Host' header or TLS SNI – meaning that even if HAProxy did have an SSH-specific mode, it still could not proxy by FQDN.

grawity
  • 501,077