Re: Using haproxy to have SSH in a HTTPS connection with HTX
Hi Matthias.

On 31.03.2019 at 10:11, Matthias Fechner wrote:
> Dear all,
>
> as HTTP2 is getting stable in haproxy 1.9.6 I decided to give it a try.
> Currently I have the following setup:
> frontend www-https
>     mode tcp
>     option tcplog
>     bind 0.0.0.0:443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
>     bind :::443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
>
>     tcp-request inspect-delay 5s
>     tcp-request content accept if HTTP
>
>     acl client_attempts_ssh payload(0,7) -m bin 5353482d322e30
>     use_backend ssh if client_attempts_ssh
>
>     use_backend nginx-http2-backend if { ssl_fc_alpn -i h2 }
>     default_backend nginx-http-backend
>
> backend nginx-http-backend
>     mode tcp
>     server www-1 127.0.0.1:8082 check send-proxy

I would do the following, untested.

> backend nginx-http2-backend

    mode http
    option http-use-htx

>     http-request add-header X-Forwarded-Proto https
>     server www-1 127.0.0.1:8083 check send-proxy

add `alpn h2` to the server line

Best regards
aleks

>
> backend ssh
>     mode tcp
>     option tcplog
>     source 0.0.0.0 usesrc clientip
>     server ssh 192.168.200.6:22
>     timeout server 8h
>
> What I understood correctly from the documentation:
> https://www.haproxy.com/de/blog/haproxy-1-9-has-arrived/
>
> I must have the mode on http instead of tcp.
>
> Is it possible to keep this ssh switch in place and use HTX for http
> traffic?
> (currently switching to http is not possible, as the mode for backend
> and frontend must be equal, so I have to use tcp or http for both of them)
> But if I switch to http, I cannot use the ssh backend anymore.
>
> What do you recommend to get this solved (using another frontend you
> forward the traffic to it?).
>
> Thanks.
>
> Regards
> Matthias
>

Using haproxy to have SSH in a HTTPS connection with HTX
Dear all,

as HTTP2 is getting stable in haproxy 1.9.6 I decided to give it a try.
Currently I have the following setup:

frontend www-https
    mode tcp
    option tcplog
    bind 0.0.0.0:443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
    bind :::443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1

    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP

    acl client_attempts_ssh payload(0,7) -m bin 5353482d322e30
    use_backend ssh if client_attempts_ssh

    use_backend nginx-http2-backend if { ssl_fc_alpn -i h2 }
    default_backend nginx-http-backend

backend nginx-http-backend
    mode tcp
    server www-1 127.0.0.1:8082 check send-proxy

backend nginx-http2-backend
    mode tcp
    http-request add-header X-Forwarded-Proto https
    server www-1 127.0.0.1:8083 check send-proxy

backend ssh
    mode tcp
    option tcplog
    source 0.0.0.0 usesrc clientip
    server ssh 192.168.200.6:22
    timeout server 8h

What I understood correctly from the documentation:
https://www.haproxy.com/de/blog/haproxy-1-9-has-arrived/

I must have the mode on http instead of tcp.

Is it possible to keep this ssh switch in place and use HTX for http traffic?
(currently switching to http is not possible, as the mode for backend and frontend must be equal, so I have to use tcp or http for both of them)
But if I switch to http, I cannot use the ssh backend anymore.

What do you recommend to get this solved (using another frontend you forward the traffic to it?).

Thanks.

Regards
Matthias

--
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning." -- Rich Cook
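
The following Python sketch is an added illustration, not part of either message and not HAProxy code. It models the routing order of the posted frontend on the first decrypted bytes of a connection: the pattern in `payload(0,7) -m bin 5353482d322e30` is the ASCII string `SSH-2.0`. The function names and sample inputs are constructed, and the "wait" result is a simplified stand-in for what `tcp-request inspect-delay` allows time for.

```python
# Added illustration: a simplified model of the posted frontend's routing rules.
SSH_PREFIX = bytes.fromhex("5353482d322e30")      # ACL pattern from the post: b"SSH-2.0"
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # HTTP/2 client connection preface
HTTP1_METHODS = tuple(m + b" " for m in (
    b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
    b"OPTIONS", b"PATCH", b"CONNECT", b"TRACE"))

# Checked in this order; the first full match wins.
SIGNATURES = (("ssh", (SSH_PREFIX,)), ("h2", (H2_PREFACE,)), ("http1", HTTP1_METHODS))


def sniff(buf: bytes) -> str:
    """Classify the first decrypted bytes: 'ssh', 'h2', 'http1', 'other' or 'wait'."""
    undecided = False
    for name, patterns in SIGNATURES:
        for pattern in patterns:
            if buf.startswith(pattern):
                return name
            if pattern.startswith(buf):
                undecided = True  # buf is still a proper prefix of a known signature
    return "wait" if undecided else "other"


def route(buf: bytes, alpn: str = "") -> "str | None":
    """Pick a backend in the same order as the posted use_backend rules."""
    kind = sniff(buf)
    if kind == "wait":
        return None                    # not enough bytes buffered to decide yet
    if kind == "ssh":
        return "ssh"                   # use_backend ssh if client_attempts_ssh
    if alpn.lower() == "h2":
        return "nginx-http2-backend"   # use_backend ... if { ssl_fc_alpn -i h2 }
    return "nginx-http-backend"        # default_backend


if __name__ == "__main__":
    # Constructed sample inputs: (first bytes after TLS, negotiated ALPN).
    samples = [(b"SSH-2.0-OpenSSH_7.9\r\n", ""), (b"SSH-2", ""),
               (H2_PREFACE, "h2"), (b"GET / HTTP/1.1\r\n", "http/1.1")]
    for data, alpn in samples:
        print(repr(data[:12]), alpn or "-", "->", route(data, alpn))
```
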