SSH into multiple servers based on Domain HOST ACL

mzubairsaleem · November 23, 2019, 12:52pm

Hi,
What I’m trying to achieve here is using 1 Entry point for all of my servers using a private network.

1 server with Public IP access and then pointed multiple domains on it, after that use ACL to decide which backend to use.

Example Configurations:

frontend UK-1
bind *:77
option tcplog
mode tcp
  
tcp-request inspect-delay 60s
acl is_ssh payload(0,7) -m bin 5353482d322e30 # "SSH-2.0" in hex
tcp-request content accept if is_ssh

# Define hosts
acl l1_dom req.ssl_sni -i uk-ep-1.example.com
use_backend l1_ssh if l1_dom
  
acl i1_dom req.ssl_sni -i -i uk-ep-1.i1.example.com
use_backend i1_ssh if i1_dom

backend DefaultBackend
mode http
http-request deny deny_status 403

backend i1_ssh
mode tcp
timeout connect 3000
timeout server  7200000
option          httpchk
server          ssh 192.168.0.155:2905

backend l1_ssh
mode tcp
timeout connect 3000
timeout server  7200000
option          httpchk
server          ssh 192.168.0.167:2917

Unfortunately, this is not working.

jerome · November 23, 2019, 3:49pm

Hi,
There is no sni with ssh because there is no TLS Client Hello.
If you want to do this you will have to terminate ssl on haproxy, and use openssl s_client as ProxyCommand for your ssh client.

mzubairsaleem · November 23, 2019, 7:16pm

Thanks for your response can you please share any example configs if done?

Topic		Replies	Views
Multiple ssl/sni frontend configs without sharing config settings between sni names Help!	6	2603	July 29, 2020
SSL passthrough with acl Help!	0	1090	March 26, 2018
ACL filters when using mode tcp? Help!	3	3448	August 27, 2021
Https multiple domain routing Help!	6	708	December 3, 2021
How do I setup acls to split a server by directory Help!	2	1236	June 13, 2018

SSH into multiple servers based on Domain HOST ACL

Related Topics