Ssh

通過 haproxy 通過 HTTPS 進行 SSH

  • October 22, 2014

我正在嘗試使用 haproxy 通過 https 連接設置 ssh。我還沒有找到任何工作範例,因此將不勝感激!

客戶端配置;

~$ cat ~/.stunnel/stunnel.conf
pid=
client=yes
foreground=yes
[ssh]
accept=4444
connect=ssh.example.com:443

客戶端輸出;

~$ stunnel ~/.stunnel/stunnel.conf 
2014.08.15 10:16:50 LOG5[5454]: stunnel 5.02 on x86_64-unknown-linux-gnu platform
2014.08.15 10:26:05 LOG5[5598]: s_connect: connected 115.0.0.0:443
2014.08.15 10:26:05 LOG5[5598]: Service [ssh] connected remote server from 10.0.0.0:45343
2014.08.15 10:26:05 LOG5[5598]: Connection closed: 23 byte(s) sent to SSL, 188 byte(s) sent to socket

~$ ssh -v -p 4444 user@localhost
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: ssh_exchange_identification: HTTP/1.0 400 Bad request

伺服器配置;

~$ cat /etc/haproxy/haproxy.cfg

global
   log /dev/log    local0
   log /dev/log    local1 notice
   chroot /var/lib/haproxy
   stats socket /run/haproxy/admin.sock mode 660 level admin
   stats timeout 30s
   user haproxy
   group haproxy
   daemon
   maxconn 500
   ca-base /etc/ssl/certs
   crt-base /etc/ssl/private
   ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA

defaults
   log global
   mode http
   option tcplog
   timeout connect 20s
   timeout client 50s
   timeout server 50s
   timeout tunnel 1h

frontend public
   mode tcp
   bind :443 ssl crt example.pem no-tls-tickets

   tcp-request inspect-delay 5s
   tcp-request content accept if HTTP

   use_backend ssh if !HTTP
   use_backend ssh if { hdr(host) -i ssh.example.com }
   use_backend btsync if { hdr(host) -i btsync.example.com }

   default_backend nginx

backend nginx
   reqadd X-Forwarded-Proto:\ https
   server nginx localhost:8001 check

backend btsync
   server btsync localhost:8888 check

backend ssh
   mode tcp
   server ssh localhost:22
   timeout server 2h

伺服器輸出;

~$ tail -f /var/log/haproxy.log
Aug 15 16:10:20 localhost haproxy[42548]: 203.0.0.0:52385 [15/Aug/2014:16:10:20.278] public~ nginx/<NOSRV> -1/-1/83 187 PR 0/0/0/0/3 0/0

據我所知,stunnel 實際上並沒有連接到ssh.example.com子域,它只是進行查找並通過 ip 連接,因此 haproxy 中的路由將轉到主 nginx 塊……

我設法讓它通過使用ssl_fc_sni而不是選擇 ssh 後端hdr(host)

use_backend ssh if { ssl_fc_sni ssh.ceaseless.info }

我沒有設法為此使用 ssl_fc_sni,所以我使用了另一種方法。基本上,它包括檢查連接的第一個數據包是否以字元串“SSH-2.0”開頭。這轉化為:

acl client_attempts_ssh payload(0,7) -m bin 5353482d322e30
use_backend ssh if !HTTP
use_backend ssh if client_attempts_ssh

我希望有人覺得這很有用。

引用自:https://serverfault.com/questions/620585