I would like to identify the username in an incoming SSH connection and pass it on to a Lua script. Then from that Lua script I can decide what backend to route that connection to.
HAProxy will provide the Lua script with the username part averyniceusername, and through whatever logic will decide that the backend server this connection should be directed at is 192.168.0.123. Or do I need to parse out the username from within the Lua script?
No, this is not possible and never will be, for multiple reasons.
a) The username is not present in the first packet from the client, which is necessary to make a routing decision. You can’t have a connection on server 1 and then, after the n-th back and forth with server 1, decide to move the SSH connection to server 2.
Yes, fundamental technical facts like this don’t change. In the blog post, the author suggests tunneling SSH through TLS and then using the TLS SNI value to route it.
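What a TCP-level proxy can see in a client's first bytes, as an added example that is not part of the original thread: a plain SSH client opens with a version banner that carries no username, while a TLS ClientHello carries the SNI hostname in cleartext. The hostname `server1.example.test`, the sample banner and all function names are constructed for illustration.

```python
import struct

def parse_sni(hs: bytes):
    """Return server_name from a TLS ClientHello handshake message, or None."""
    try:
        pos = 4 + 2 + 32                                  # header, version, random
        pos += 1 + hs[pos]                                # session id
        pos += 2 + struct.unpack_from("!H", hs, pos)[0]   # cipher suites
        pos += 1 + hs[pos]                                # compression methods
        end = pos + 2 + struct.unpack_from("!H", hs, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(hs)):
            ext_type, ext_len = struct.unpack_from("!HH", hs, pos)
            pos += 4
            if ext_type == 0:     # server_name: list_len(2) type(1) len(2) name
                n = struct.unpack_from("!H", hs, pos + 3)[0]
                name = hs[pos + 5:pos + 5 + n]
                return name.decode("ascii") if len(name) == n else None
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def first_packet_routing_key(data: bytes):
    """Return (protocol, routing_key) as seen in a client's first bytes."""
    if data.startswith(b"SSH-"):
        # RFC 4253 identification string: protocol and software version only.
        # The username is sent later in SSH_MSG_USERAUTH_REQUEST (RFC 4252),
        # after key exchange, so a TCP-level proxy only sees ciphertext.
        return ("ssh", None)
    if len(data) > 5 and data[0] == 0x16 and data[5] == 0x01:
        return ("tls", parse_sni(data[5:]))   # handshake record, ClientHello
    return ("unknown", None)

def build_client_hello(sni: str) -> bytes:
    """Construct a minimal ClientHello carrying only an SNI extension (sample)."""
    name = sni.encode("ascii")
    sn = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sn)) + sn
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01"
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    # Constructed samples: an OpenSSH-style banner and a ClientHello.
    print(first_packet_routing_key(b"SSH-2.0-OpenSSH_9.6\r\n"))
    print(first_packet_routing_key(build_client_hello("server1.example.test")))
```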
I know for a fact that there was one technical implementation (in Python) that did/does this. I’ve seen it myself and used it. However, it performed very poorly because it’s, well… Python.
The difference is this Python-based implementation acted as an SSH server at the edge. It was key-based authentication. It would accept the connection, understand the SSH protocol, then attempt to ‘proxy’ the connection by opening a new client connection to the destination server determined by the username. From here I would think that this would be a TCP tunnel (I’ll need to look back at the source code) since I can’t imagine how the auth/encryption would work otherwise.