Ssh
通過 haproxy 通過 HTTPS 進行 SSH
我正在嘗試使用 haproxy 通過 https 連接設置 ssh。我還沒有找到任何工作範例,因此將不勝感激!
客戶端配置;
~$ cat ~/.stunnel/stunnel.conf pid= client=yes foreground=yes [ssh] accept=4444 connect=ssh.example.com:443
客戶端輸出;
~$ stunnel ~/.stunnel/stunnel.conf 2014.08.15 10:16:50 LOG5[5454]: stunnel 5.02 on x86_64-unknown-linux-gnu platform 2014.08.15 10:26:05 LOG5[5598]: s_connect: connected 115.0.0.0:443 2014.08.15 10:26:05 LOG5[5598]: Service [ssh] connected remote server from 10.0.0.0:45343 2014.08.15 10:26:05 LOG5[5598]: Connection closed: 23 byte(s) sent to SSL, 188 byte(s) sent to socket ~$ ssh -v -p 4444 user@localhost debug1: Local version string SSH-2.0-OpenSSH_6.6.1 debug1: ssh_exchange_identification: HTTP/1.0 400 Bad request
伺服器配置;
~$ cat /etc/haproxy/haproxy.cfg global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy stats socket /run/haproxy/admin.sock mode 660 level admin stats timeout 30s user haproxy group haproxy daemon maxconn 500 ca-base /etc/ssl/certs crt-base /etc/ssl/private ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:RC4-SHA defaults log global mode http option tcplog timeout connect 20s timeout client 50s timeout server 50s timeout tunnel 1h frontend public mode tcp bind :443 ssl crt example.pem no-tls-tickets tcp-request inspect-delay 5s tcp-request content accept if HTTP use_backend ssh if !HTTP use_backend ssh if { hdr(host) -i ssh.example.com } use_backend btsync if { hdr(host) -i btsync.example.com } default_backend nginx backend nginx reqadd X-Forwarded-Proto:\ https server nginx localhost:8001 check backend btsync server btsync localhost:8888 check backend ssh mode tcp server ssh localhost:22 timeout server 2h
伺服器輸出;
~$ tail -f /var/log/haproxy.log Aug 15 16:10:20 localhost haproxy[42548]: 203.0.0.0:52385 [15/Aug/2014:16:10:20.278] public~ nginx/<NOSRV> -1/-1/83 187 PR 0/0/0/0/3 0/0
據我所知,stunnel 實際上並沒有連接到
ssh.example.com
子域,它只是進行查找並通過 ip 連接,因此 haproxy 中的路由將轉到主 nginx 塊……
我設法讓它通過使用
ssl_fc_sni
而不是選擇 ssh 後端hdr(host)
use_backend ssh if { ssl_fc_sni ssh.ceaseless.info }
我沒有設法為此使用 ssl_fc_sni,所以我使用了另一種方法。基本上,它包括檢查連接的第一個數據包是否以字元串“SSH-2.0”開頭。這轉化為:
acl client_attempts_ssh payload(0,7) -m bin 5353482d322e30 use_backend ssh if !HTTP use_backend ssh if client_attempts_ssh
我希望有人覺得這很有用。