HAProxy community

Ssh timeout and sometimes not working


#1

Hello
I use this configuration. Web works perfectly, but when I try to use SSH, sometimes it does not work, and when it does work, it times out after 1 min of not using it. How can I fix this? How can I stop it from timing out? I changed the SSH port on my proxy server.

    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        timeout connect 1h
        timeout client 1h
        timeout server 1h
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

    frontend main
        bind *:80
        mode http
        option forwardfor
        option http-server-close
        default_backend app-main

    backend app-main
        balance roundrobin
        server web1 ip:80 check fall 3 rise 2

    frontend sshd
        bind *:22
        default_backend ssh
        timeout client 1h
        mode tcp

    backend ssh
        mode tcp
        server localhost-bitbucket-ssh ip:22


#2

Sounds like this has nothing to do with haproxy, but is caused by other, intermediate devices. Just because you configure haproxy with a timeout of 1 hour does not mean your firewall or NAT device uses a 1-hour timeout for SSH traffic.


#3

When I try to connect directly to the proxy or to the real server, I don’t have this timeout. I tried to configure a 2nd haproxy on a different server, but I have the same issue. Any idea how I can find what is wrong? After 1 min it times out if it is idle. If I use it, it is OK.


#4

Could be outgoing firewall rules on your haproxy instance then, or firewalling between the instance and the destination servers.

You can check haproxy logs, but it won’t change the fact that the haproxy timeouts are set to 1 hour.
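
As an added illustration of the log check suggested in #4 (not part of the thread and not HAProxy project code): a small Python parser that reads session-end lines in HAProxy's TCP log format and separates sessions ended by an HAProxy timer from sessions ended by the client or server side. The log lines, addresses and hostnames are constructed samples, and it assumes the `sshd` frontend logs in the default `tcplog` layout.

```python
import re

# Constructed sample lines in HAProxy's TCP log format; all values are made up.
SAMPLE_LOG = """\
Mar  3 10:01:07 lb1 haproxy[2114]: 192.0.2.10:51544 [03/Mar/2024:10:00:02.113] sshd ssh/localhost-bitbucket-ssh 1/0/65021 3120 SD 2/1/0/0/0 0/0
Mar  3 10:05:40 lb1 haproxy[2114]: 192.0.2.10:51602 [03/Mar/2024:10:03:10.400] sshd ssh/localhost-bitbucket-ssh 1/0/150233 9800 -- 1/1/0/0/0 0/0
Mar  3 11:20:00 lb1 haproxy[2114]: 198.51.100.7:40022 [03/Mar/2024:10:19:59.900] sshd ssh/localhost-bitbucket-ssh 1/1/3600101 2048 cD 1/1/0/0/0 0/0
Mar  3 11:21:00 lb1 haproxy[2114]: 198.51.100.7:40100 [03/Mar/2024:11:20:57.000] sshd ssh/localhost-bitbucket-ssh 1/-1/3004 0 SC 1/1/0/0/3 0/0
"""

# client [accept_date] frontend backend/server Tw/Tc/Tt bytes termination_state ...
LINE_RE = re.compile(
    r"haproxy\[\d+\]: (?P<client>\S+) \[(?P<accept>[^\]]+)\] (?P<fe>\S+) "
    r"(?P<be>[^/\s]+)/(?P<srv>\S+) (?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tt>\+?\d+) "
    r"(?P<bytes>\+?\d+) (?P<state>\S\S) "
)

# First character of the termination state: what ended the session.
CAUSE = {
    "-": "normal close",
    "c": "haproxy client-side timeout expired",
    "s": "haproxy server-side timeout expired",
    "C": "client side aborted the session",
    "S": "server side aborted or refused the session",
}
# Second character: the phase the session was in when it ended (TCP mode).
PHASE = {"C": "while connecting to the server", "D": "during data transfer",
         "-": "after completion"}

def classify(line):
    """Return a dict describing how one logged session ended, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    cause_code, phase_code = m["state"]
    cause = CAUSE.get(cause_code, f"other ({cause_code})")
    return {
        "client": m["client"],
        "seconds": int(m["tt"].lstrip("+")) / 1000,  # Tt is logged in ms
        "state": m["state"],
        "haproxy_timer": cause_code in ("c", "s"),   # True only if haproxy's own timeout fired
        "summary": f"{cause} {PHASE.get(phase_code, '')}".strip(),
    }

def report(text):
    return [r for r in map(classify, text.splitlines()) if r]

if __name__ == "__main__":
    for r in report(SAMPLE_LOG):
        print(f"{r['client']:<22} {r['seconds']:>9.1f}s {r['state']} {r['summary']}")
```

Sessions that end after about a minute with `haproxy_timer` false were not closed by the configured 1h timeouts, which points the investigation at the firewalling described in #2 and #4.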