HAProxy community

SSH into multiple servers based on Domain HOST ACL

Hi,
What I'm trying to achieve here is using one entry point for all of my servers over a private network.

One server with public IP access, with multiple domains pointed at it, and then an ACL to decide which backend to use.

Example Configurations:

frontend UK-1
    bind *:77
    option tcplog
    mode tcp

    tcp-request inspect-delay 60s
    acl is_ssh payload(0,7) -m bin 5353482d322e30 # "SSH-2.0" in hex
    tcp-request content accept if is_ssh

    # Define hosts (one -i per ACL; the duplicated flag was a typo)
    acl l1_dom req.ssl_sni -i uk-ep-1.example.com
    use_backend l1_ssh if l1_dom

    acl i1_dom req.ssl_sni -i uk-ep-1.i1.example.com
    use_backend i1_ssh if i1_dom

    # Anything that matches no host ACL goes to the reject backend
    default_backend DefaultBackend

# A TCP frontend cannot hand off to an HTTP-mode backend, so the
# catch-all backend stays in TCP mode and simply rejects the connection.
backend DefaultBackend
    mode tcp
    tcp-request content reject

backend i1_ssh
    mode tcp
    timeout connect 3000
    timeout server  7200000
    # An HTTP health check against an SSH daemon always fails and marks
    # the server down; a plain TCP check is the right probe here.
    option          tcp-check
    server          ssh 192.168.0.155:2905 check

backend l1_ssh
    mode tcp
    timeout connect 3000
    timeout server  7200000
    option          tcp-check
    server          ssh 192.168.0.167:2917 check

Unfortunately, this is not working.

Hi,
There is no SNI with SSH, because there is no TLS Client Hello.
If you want to do this, you will have to terminate SSL on HAProxy and use openssl s_client as the ProxyCommand for your SSH client.
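As an added example of the setup described in the reply above (not a configuration posted by either participant), the fragment below terminates TLS on HAProxy so that the SNI sent by the client becomes visible, routes on that SNI to plain-TCP SSH backends, and rejects anything whose SNI matches no host. The hostnames, private IPs, ports, certificate path and check regex are all assumptions; only the two example hostnames and backend addresses are taken from the original post.

```haproxy
# Added example, not the poster's config. All hostnames, addresses,
# ports and the certificate path below are assumptions.
frontend ssh_tls_entry
    # HAProxy terminates TLS here; the PEM must hold cert + key for
    # every hostname the clients will send as SNI.
    bind *:77 ssl crt /etc/haproxy/certs/ssh-gateway.pem
    mode tcp
    option tcplog
    timeout client 2h

    # ssl_fc_sni is the SNI of the TLS session HAProxy itself terminated,
    # so it is available without any inspect-delay.
    acl l1_dom ssl_fc_sni -i uk-ep-1.example.com
    acl i1_dom ssl_fc_sni -i uk-ep-1.i1.example.com

    use_backend l1_ssh if l1_dom
    use_backend i1_ssh if i1_dom
    # Unknown or missing SNI: close the connection instead of guessing.
    default_backend reject_unknown

backend reject_unknown
    mode tcp
    tcp-request content reject

backend l1_ssh
    mode tcp
    timeout connect 3s
    timeout server 2h
    # Health check: an SSH daemon greets with "SSH-2.0-..." on connect,
    # so expect that banner rather than an HTTP response.
    option tcp-check
    tcp-check expect rstring ^SSH-2\.0
    # Backend speaks plain TCP to sshd on the private network.
    server ssh 192.168.0.167:2917 check

backend i1_ssh
    mode tcp
    timeout connect 3s
    timeout server 2h
    option tcp-check
    tcp-check expect rstring ^SSH-2\.0
    server ssh 192.168.0.155:2905 check
```

On the client side the SSH session is wrapped in TLS with an entry such as `ProxyCommand openssl s_client -quiet -verify_return_error -CAfile /path/to/ca.pem -connect uk-ep-1.example.com:77 -servername uk-ep-1.example.com` in `~/.ssh/config` for that host (the CA path is an assumption). `-servername` is what sets the SNI HAProxy routes on, `-quiet` keeps s_client from printing session details into the SSH stream, and `-verify_return_error` makes the client refuse the tunnel if the gateway certificate does not validate, so a spoofed entry point cannot silently sit in front of your SSH host-key check.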

Thanks for your response. Can you please share any example configs, if done?