SSH into multiple servers based on Domain HOST ACL

mzubairsaleem · November 23, 2019, 12:52pm

Hi,
What I’m trying to achieve here is using 1 Entry point for all of my servers using a private network.

1 server with Public IP access and then pointed multiple domains on it, after that use ACL to decide which backend to use.

Example Configurations:

frontend UK-1
bind *:77
option tcplog
mode tcp
  
tcp-request inspect-delay 60s
acl is_ssh payload(0,7) -m bin 5353482d322e30 # "SSH-2.0" in hex
tcp-request content accept if is_ssh

# Define hosts
acl l1_dom req.ssl_sni -i uk-ep-1.example.com
use_backend l1_ssh if l1_dom
  
acl i1_dom req.ssl_sni -i -i uk-ep-1.i1.example.com
use_backend i1_ssh if i1_dom

backend DefaultBackend
mode http
http-request deny deny_status 403

backend i1_ssh
mode tcp
timeout connect 3000
timeout server  7200000
option          httpchk
server          ssh 192.168.0.155:2905

backend l1_ssh
mode tcp
timeout connect 3000
timeout server  7200000
option          httpchk
server          ssh 192.168.0.167:2917

Unfortunately, this is not working.

jerome · November 23, 2019, 3:49pm

Hi,
There is no sni with ssh because there is no TLS Client Hello.
If you want to do this you will have to terminate ssl on haproxy, and use openssl s_client as ProxyCommand for your ssh client.

mzubairsaleem · November 23, 2019, 7:16pm

Thanks for your response can you please share any example configs if done?

Topic		Replies	Views
Multiple port 443 backends - TCP mode Help!	3	2161	November 9, 2018
2 frontends SSL over HTTP and TCP? Help!	14	17621	June 30, 2017
Multiple ssl/sni frontend configs without sharing config settings between sni names Help!	6	3081	July 29, 2020
HAProxy with TCP mode and multiple subdomains Help!	2	1973	November 26, 2021
SSL passthrough with acl Help!	0	1174	March 26, 2018

SSH into multiple servers based on Domain HOST ACL

Related topics