SSHD real-ip behind haproxy

ssh haproxy stunnel

I'm trying to setup an ssh over https connection using haproxy.

I'm currently looking for a way for SSHD to get the source ip from haproxy, similar to reading X-Forwarded-For or X-Real-IP headers.

client config;

~$ cat ~/.stunnel/stunnel.conf
pid=
client=yes
foreground=yes
[ssh]
accept=4444
connect=ssh.example.com:443

client output;

~$ ssh -v -p 4444 user@localhost
OpenSSH_6.6.1, OpenSSL 1.0.1i 6 Aug 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to localhost [::1] port 4444.
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH_6.6.1* compat 0x04000000
.....
debug1: SSH2_MSG_KEXINIT sent
Bad packet length 1349676916.
Disconnecting: Packet corrupt

server config;

~$ cat /etc/haproxy/haproxy.cfg
frontend public
        mode tcp

        bind :80
        redirect scheme https code 301 if !{ ssl_fc }

        bind :443 ssl crt example.pem no-tls-tickets

        tcp-request inspect-delay 5s
        tcp-request content accept if HTTP

        # ....
        use_backend ssh if { ssl_fc_sni ssh.example.com }


backend ssh
        mode tcp
        server ssh 127.0.0.1:22 send-proxy
        timeout server 2h

server output;

~$ tail -f /var/log/haproxy.log
Aug 15 23:31:57 localhost haproxy[50379]: 115.000.000.000:51924 [15/Aug/2014:23:31:57.907] public~ ssh/ssh 2/0/8 60 SD 0/0/0/0/0 0/0

~$ tail -f /var/log/auth.log
Aug 15 23:31:57 localhost sshd[50757]: debug1: inetd sockets after dupping: 3, 3
Aug 15 23:31:57 localhost sshd[50757]: Connection from 127.0.0.1 port 36333 on 127.0.0.1 port 22
Aug 15 23:31:57 localhost sshd[50757]: Bad protocol version identification 'PROXY TCP4 115.000.000.000 192.168.000.000 51924 443' from 127.0.0.1 port 36333

The send-proxy line in haproxy.cfg is causing the Bad protocol version identification

I can connect when removing send-proxy however this connects from 127.0.0.1 which continuously gets appended to /etc/hosts.deny

Aug 15 23:55:22 localhost sshd[55997]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Aug 15 23:55:22 localhost sshd[55997]: debug1: inetd sockets after dupping: 3, 3
Aug 15 23:55:22 localhost sshd[55997]: debug1: Connection refused by tcp wrapper
Aug 15 23:55:22 localhost sshd[55997]: refused connect from localhost (127.0.0.1)

I would prefer that ssh knows the source ip.


In mode tcp, you neet tproxy to pass the original client IP to the server behind haproxy.

The linked article has a lot of technical background, most of which is not a problem anymore - recent versions of Linux and haproxy will most likely support tproxy out of the box.

TL;DR in the backend section, try

source 0.0.0.0 usesrc clientip

That's not possible I'm afraid. Unlike HTTP, the SSH protocol has no way for a proxy to tell you what the original source IP was.

Related

How to configure routing between Azure virtual networks?
Simple EXPECT script to execute remote command and displat output
Batch file to MASS ping group of computers on network by name, check reply, and resolve hostname
linux router setup
"He has yet to" vs. "he is yet to"
Are there other idioms like "a stone's throw away" that both describe an activity and act as a measurement?
"have been working" vs. "have worked"
Adjective + to infinitive vs. gerund
"Seem", "appear", "look" — how to differentiate?
What is the category name for words like notwithstanding, forthwith, etc...?
Favourite untranslatables [closed]
In which cases would you say, "I am seeing" instead of "I see"?