
I'm trying to set up an SSH-over-HTTPS connection using haproxy.

I'm currently looking for a way for SSHD to get the source IP from haproxy, similar to reading the X-Forwarded-For or X-Real-IP headers.

client config:

~$ cat ~/.stunnel/stunnel.conf
pid=
client=yes
foreground=yes
[ssh]
accept=4444
connect=ssh.example.com:443

client output:

~$ ssh -v -p 4444 user@localhost
OpenSSH_6.6.1, OpenSSL 1.0.1i 6 Aug 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to localhost [::1] port 4444.
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH_6.6.1* compat 0x04000000
.....
debug1: SSH2_MSG_KEXINIT sent
Bad packet length 1349676916.
Disconnecting: Packet corrupt

server config:

~$ cat /etc/haproxy/haproxy.cfg
frontend public
        mode tcp

        bind :80
        redirect scheme https code 301 if !{ ssl_fc }

        bind :443 ssl crt example.pem no-tls-tickets

        tcp-request inspect-delay 5s
        tcp-request content accept if HTTP

        # ....
        use_backend ssh if { ssl_fc_sni ssh.example.com }


backend ssh
        mode tcp
        server ssh 127.0.0.1:22 send-proxy
        timeout server 2h

server output:

~$ tail -f /var/log/haproxy.log
Aug 15 23:31:57 localhost haproxy[50379]: 115.000.000.000:51924 [15/Aug/2014:23:31:57.907] public~ ssh/ssh 2/0/8 60 SD 0/0/0/0/0 0/0

~$ tail -f /var/log/auth.log
Aug 15 23:31:57 localhost sshd[50757]: debug1: inetd sockets after dupping: 3, 3
Aug 15 23:31:57 localhost sshd[50757]: Connection from 127.0.0.1 port 36333 on 127.0.0.1 port 22
Aug 15 23:31:57 localhost sshd[50757]: Bad protocol version identification 'PROXY TCP4 115.000.000.000 192.168.000.000 51924 443' from 127.0.0.1 port 36333

The send-proxy line in haproxy.cfg is causing the "Bad protocol version identification".

I can connect when removing send-proxy; however, this connects from 127.0.0.1, which continuously gets appended to /etc/hosts.deny:

Aug 15 23:55:22 localhost sshd[55997]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Aug 15 23:55:22 localhost sshd[55997]: debug1: inetd sockets after dupping: 3, 3
Aug 15 23:55:22 localhost sshd[55997]: debug1: Connection refused by tcp wrapper
Aug 15 23:55:22 localhost sshd[55997]: refused connect from localhost (127.0.0.1)

I would prefer that ssh knows the source IP.

Thermionix

3 Answers

In mode tcp, you need tproxy to pass the original client IP to the server behind haproxy.

The linked article has a lot of technical background, most of which is not a problem anymore - recent versions of Linux and haproxy will most likely support tproxy out of the box.

TL;DR: in the backend section, try

source 0.0.0.0 usesrc clientip
Nick ODell
Felix Frank

That's not possible I'm afraid. Unlike HTTP, the SSH protocol has no way for a proxy to tell you what the original source IP was.

Dennis Kaarsemaker

This is possible with the mmproxy daemon (running on the SSH server) to terminate haproxy's PROXY protocol.

Currently there are two implementations of mmproxy:

Read more in the following blog post:

Onlyjob
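To make the auth.log line in the question and the mmproxy answer concrete, here is an added example (not code from any poster, from haproxy or from mmproxy) that strips a PROXY protocol v1 header the way a PROXY-aware listener in front of sshd must; the sample header, its addresses and the function names are constructed for this illustration.

```python
import ipaddress

# A PROXY protocol v1 header is one CRLF-terminated ASCII line that haproxy
# prepends to the stream when the backend server has `send-proxy`. sshd is
# not PROXY-aware, so it reads that line where it expects "SSH-2.0-..." and
# logs "Bad protocol version identification". A PROXY-aware listener in
# front of sshd (the role mmproxy plays) must strip the header, record the
# client address, and pass the untouched remainder through.
MAX_V1_HEADER = 107  # longest valid v1 line including CRLF, per the spec


def strip_proxy_v1(data: bytes):
    """Return (client, rest): client is (ip_str, port) of the original
    peer (None for 'PROXY UNKNOWN'); rest is the payload that follows.
    Raises ValueError on anything malformed so the caller can close the
    connection rather than forward a forged or truncated header."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1 or not data.startswith(b"PROXY "):
        raise ValueError("no PROXY v1 header at start of stream")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":          # proxy had no address to report
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header: %r" % data[:end])
    proto, src_ip, dst_ip, src_port, dst_port = fields[1:]
    want = 4 if proto == "TCP4" else 6
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match " + proto)
    sport, dport = int(src_port), int(dst_port)
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return (str(src), sport), rest


def looks_like_ssh(data: bytes) -> bool:
    """The first thing sshd checks: the stream must open with an SSH banner."""
    return data.startswith(b"SSH-")


# Constructed sample: the header haproxy would send for a client on
# 203.0.113.7 (a documentation address), followed by the client's banner.
SAMPLE = (b"PROXY TCP4 203.0.113.7 192.0.2.10 51924 443\r\n"
          b"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2\r\n")

if __name__ == "__main__":
    client, payload = strip_proxy_v1(SAMPLE)
    print("raw stream acceptable to sshd:", looks_like_ssh(SAMPLE))  # False
    print("original client:", client)             # ('203.0.113.7', 51924)
    print("after stripping header:", looks_like_ssh(payload))         # True
```

Whatever records `client` here (a log line, a TCP-wrapper or firewall decision) is what lets sshd-side controls act on the real peer instead of 127.0.0.1, which is the hosts.deny problem the question describes.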