
I'm trying to set up GitLab on my home server. HTTPS is working and I can get to GitLab's interface, but SSH is not and thus I can't push code to the server.

Here is the setup:

Cloudflare <--> Reverse Proxy (nginx, hosted on Digital Ocean) <--- VPN ---> Untangle Firewall <--> GitLab Server (on ESXi)

If I try to SSH directly from the Reverse Proxy to the GitLab server (over the VPN connection), it works perfectly.

If I try to SSH from my laptop using the domain name, I get:

kex_exchange_identification: Connection closed by remote host
Connection closed by 104.31.73.156 port 2095

If I try to SSH from my laptop using the Reverse Proxy's IP (thus cutting out Cloudflare), I get:

Bad packet length 1231976033.
ssh_dispatch_run_fatal: Connection to {{ IP }} port 2095: message authentication code incorrect

I'm currently trying to use the nginx stream module to do so, and this is the stream setup:

stream {
        upstream git-ssh {
                server {{INTERNAL GITLAB IP}}:22;
        }
        server {
                listen 2095;
                proxy_pass {{INTERNAL GITLAB IP}}:22;
                proxy_protocol on;
        }
}

The reason I have upstream git-ssh and then don't use it was because I was wondering if that was the problem, but it makes no difference if I use it or not.

I'm not familiar with iptables, but I tried the following commands:

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2095 -j DNAT --to-destination {{GITLAB IP}}:22
sudo iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 2095 -j SNAT --to-source {{PROXY IP}}

But it didn't seem to work. ssh just sits there returning nothing and eventually times out.

UFW is currently set to disabled on the proxy for testing, so nothing is going on there. 2095 is an approved port for Cloudflare (https://support.cloudflare.com/hc/en-us/articles/200169156-Identifying-network-ports-compatible-with-Cloudflare-s-proxy), so that shouldn't be it. SSH is allowed through the GitLab firewall, so that shouldn't be it. I don't have the Firewall set up in DigitalOcean yet, so that shouldn't be it.

I am lost now, and was hoping someone could give me pointers?

  • Why are you trying to ssh to CloudFlare's servers? – Michael Hampton Aug 25 '20 at 16:37
  • I'm not trying to SSH to CloudFlare's servers. I'm trying to SSH to my Gitlab server. However, everything to my Home Server is pushed through an nginx reverse proxy at digital ocean which is protected by CloudFlare. Thus, everything goes through CloudFlare. – Cody Dostal Aug 25 '20 at 16:40
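A way to see what the client actually received, as an added example that is not part of the original question: OpenSSH's "Bad packet length N" is the first four bytes of the server's reply read as a big-endian 32-bit length, so the number can be decoded back into text. The addresses in the PROXY header are constructed (RFC 5737 documentation ranges), and `sshd_first_line` is a simplified model of the server's check on its first input line, not OpenSSH's own code.

```python
import struct

# OpenSSH's "Bad packet length N" is the first 4 bytes of the peer's binary
# packet stream interpreted as a big-endian uint32; packing N back into
# bytes shows what text the server actually sent before the client gave up.
def decode_bad_packet_length(n: int) -> bytes:
    return struct.pack(">I", n)

# What nginx prepends to the upstream connection when `proxy_protocol on;`
# is set: a PROXY protocol v1 line carrying the client's address, written
# before any client data. Addresses are constructed (RFC 5737 ranges).
def proxy_v1_header(src: str, dst: str, sport: int, dport: int) -> bytes:
    return f"PROXY TCP4 {src} {dst} {sport} {dport}\r\n".encode()

# Simplified model (an assumption, not OpenSSH's code) of how sshd treats
# the first line it reads: it must be an SSH identification string, and
# anything else is answered with a fixed error text followed by a disconnect.
SSHD_REJECT = b"Invalid SSH identification string.\r\n"

def sshd_first_line(line: bytes):
    if line.startswith(b"SSH-"):
        return None           # accepted; key exchange would continue
    return SSHD_REJECT

def explain(bad_length: int) -> str:
    raw = decode_bad_packet_length(bad_length)
    if SSHD_REJECT.startswith(raw):
        return (f"{bad_length} decodes to {raw!r}: the client parsed the start "
                f"of sshd's {SSHD_REJECT.strip()!r} text as a packet length, "
                "so sshd did not see an SSH identification line first")
    return f"{bad_length} decodes to {raw!r}"

if __name__ == "__main__":
    hdr = proxy_v1_header("198.51.100.7", "192.0.2.10", 51234, 2095)
    print(hdr)                    # starts with b"PROXY", not b"SSH-"
    print(sshd_first_line(hdr))   # the reject text
    print(explain(1231976033))    # the number from the question
```

The client gets as far as a packet error rather than an identification error because sshd writes its own `SSH-2.0-...` banner as soon as the connection opens, before reading anything; the client accepts that banner, then interprets the reject text that follows as a binary packet, hence "Bad packet length" and the MAC failure that follows it.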

1 Answer


Never mind, I was able to finally fix it, although not entirely to my liking.

From my stream configuration, I had to remove proxy_protocol on;

Cloudflare continued to be an issue. Running ssh -vvv to the host/protocol over Cloudflare would show it was returning a 400 HTML page instead of allowing it through. So I had to add a new record to allow traffic through Cloudflare's network without proxying it, which is why I'm not entirely happy with my fix.

Finally, I had to edit my ~/.ssh/config file and add a HostName parameter so that I wouldn't have to fix the git upstream origin for each of my projects.

If anyone has a better fix that lets me keep using Cloudflare with Proxy, I'd love to hear it.
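A small check for the mistake the answer fixed, as an added example that is not part of the original answer: it scans an nginx `stream {}` configuration and reports every `server {}` block that turns on `proxy_protocol` while forwarding to an SSH port, since sshd does not understand the PROXY header. `BEFORE` is a constructed copy of the question's block, routed through the `git-ssh` upstream the question defines (the author reports it makes no difference) and with the placeholder replaced by an RFC 5737 address; `AFTER` is the corrected form the answer describes. Treating port 22 as "SSH" is an assumption.

```python
import re

# Constructed copy of the question's stream block; the {{INTERNAL GITLAB IP}}
# placeholder is replaced with an RFC 5737 documentation address.
BEFORE = """
stream {
        upstream git-ssh {
                server 192.0.2.10:22;
        }
        server {
                listen 2095;
                proxy_pass git-ssh;
                proxy_protocol on;
        }
}
"""

# The same block with `proxy_protocol on;` removed, as the answer describes.
AFTER = """
stream {
        server {
                listen 2095;
                proxy_pass 192.0.2.10:22;
        }
}
"""

SSH_PORTS = {"22"}   # assumption: an upstream on port 22 is an sshd

def _blocks(conf: str, name: str):
    """Yield (args, body) for every `<name> [args] { ... }` block, counting
    nested braces so the enclosing stream {} does not confuse the scan."""
    for m in re.finditer(r"\b" + name + r"\b([^{;]*)\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]

def _directive(body: str, name: str):
    """Value of the first `<name> value;` directive in a block body, or None."""
    m = re.search(r"\b" + name + r"\s+([^;]+);", body)
    return m.group(1).strip() if m else None

def upstream_targets(conf: str) -> dict:
    """Map each upstream name to the list of server addresses it contains."""
    return {args: re.findall(r"\bserver\s+([^;\s]+)", body)
            for args, body in _blocks(conf, "upstream")}

def find_proxy_protocol_to_ssh(conf: str) -> list:
    """Return (listen, proxy_pass) pairs for server blocks that would send a
    PROXY protocol header to an SSH upstream."""
    upstreams = upstream_targets(conf)
    findings = []
    for _, body in _blocks(conf, "server"):
        if _directive(body, "proxy_protocol") != "on":
            continue
        target = _directive(body, "proxy_pass")
        targets = upstreams.get(target, [target]) if target else []
        if any(t.rsplit(":", 1)[-1] in SSH_PORTS for t in targets):
            findings.append((_directive(body, "listen"), target))
    return findings

if __name__ == "__main__":
    print("before:", find_proxy_protocol_to_ssh(BEFORE))   # [('2095', 'git-ssh')]
    print("after: ", find_proxy_protocol_to_ssh(AFTER))    # []
```

`proxy_protocol on;` is the right setting only when the upstream is configured to expect the header (another nginx with `proxy_protocol` on its `listen`, or HAProxy with `accept-proxy`); for a plain sshd the real client address is lost either way, and the header just breaks the handshake, so the check flags exactly that combination.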