Re: Using haproxy to have SSH in a HTTPS connection with HTX

2019-03-31 Thread Aleksandar Lazic
Hi Matthias.

On 31.03.2019 at 10:11, Matthias Fechner wrote:
> Dear all,
> 
> as HTTP2 is getting stable in haproxy 1.9.6 I decided to give it a try.
> Currently I have the following setup:
>     frontend www-https
>     mode tcp
>     option tcplog
>     bind 0.0.0.0:443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
>     bind :::443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
> 
>     tcp-request inspect-delay 5s
>     tcp-request content accept if HTTP
> 
>     acl client_attempts_ssh payload(0,7) -m bin 5353482d322e30
>     use_backend ssh if client_attempts_ssh
> 
>     use_backend nginx-http2-backend if { ssl_fc_alpn -i h2 }
>     default_backend nginx-http-backend
> 
>     backend nginx-http-backend
>     mode tcp
>     server www-1 127.0.0.1:8082 check send-proxy

I would do the following, untested.

>     backend nginx-http2-backend
    mode http
    option http-use-htx

>     http-request add-header X-Forwarded-Proto https

>     server www-1 127.0.0.1:8083 check send-proxy 
 add `alpn h2` to the server line

Best regards
aleks

> 
>     backend ssh
>     mode tcp
>     option tcplog
>     source 0.0.0.0 usesrc clientip
>     server ssh 192.168.200.6:22
>     timeout server 8h
> 
> What I understood correctly from the documentation:
> https://www.haproxy.com/de/blog/haproxy-1-9-has-arrived/
> 
> I must have the mode on http instead of tcp.
> 
> Is it possible to keep this ssh switch in place and use HTX for http
> traffic?
> (currently switching to http is not possible, as the mode for backend
> and frontend must be equal, so I have to use tcp or http for both of them)
> But if I switch to http, I cannot use the ssh backend anymore.
> 
> What do you recommend to get this solved (using another frontend you
> forward the traffic to it?).
> 
> Thanks.
> 
> Regards
> Matthias
> 




Using haproxy to have SSH in a HTTPS connection with HTX

2019-03-31 Thread Matthias Fechner
Dear all,

as HTTP2 is getting stable in haproxy 1.9.6 I decided to give it a try.
Currently I have the following setup:
    frontend www-https
    mode tcp
    option tcplog
    bind 0.0.0.0:443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
    bind :::443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1

    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP

    acl client_attempts_ssh payload(0,7) -m bin 5353482d322e30
    use_backend ssh if client_attempts_ssh

    use_backend nginx-http2-backend if { ssl_fc_alpn -i h2 }
    default_backend nginx-http-backend

    backend nginx-http-backend
    mode tcp
    server www-1 127.0.0.1:8082 check send-proxy

    backend nginx-http2-backend
    mode tcp
    http-request add-header X-Forwarded-Proto https
    server www-1 127.0.0.1:8083 check send-proxy

    backend ssh
    mode tcp
    option tcplog
    source 0.0.0.0 usesrc clientip
    server ssh 192.168.200.6:22
    timeout server 8h

What I understood correctly from the documentation:
https://www.haproxy.com/de/blog/haproxy-1-9-has-arrived/

I must have the mode on http instead of tcp.

Is it possible to keep this ssh switch in place and use HTX for http
traffic?
(currently switching to http is not possible, as the mode for backend
and frontend must be equal, so I have to use tcp or http for both of them)
But if I switch to http, I cannot use the ssh backend anymore.

What do you recommend to get this solved (using another frontend you
forward the traffic to it?).

Thanks.

Regards
Matthias

-- 

"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook
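
An added example, not from either poster: a Python model of the three switching rules in the www-https frontend above, run over constructed first bytes as they would look after TLS termination. It shows that the ACL's hex pattern is the ASCII string SSH-2.0 and that the SSH check is evaluated before the ALPN check. The function names and sample inputs are assumptions, and HAProxy's buffering and inspect-delay are not modelled.

```python
from typing import Optional

# Pattern taken from the client_attempts_ssh ACL in the posted config.
SSH_ACL_HEX = "5353482d322e30"
SSH_PATTERN = bytes.fromhex(SSH_ACL_HEX)  # decodes to b"SSH-2.0"


def client_attempts_ssh(payload: bytes) -> bool:
    """Model of `payload(0,7) -m bin ...`: exact match on the first 7 bytes.

    Simplification: the buffer is treated as final, so a short read is a
    non-match instead of a wait for more data.
    """
    return len(payload) >= 7 and payload[:7] == SSH_PATTERN


def choose_backend(payload: bytes, alpn: Optional[str]) -> str:
    """Apply the use_backend rules in the order they appear in the frontend."""
    if client_attempts_ssh(payload):
        return "ssh"
    if alpn is not None and alpn.lower() == "h2":  # ssl_fc_alpn -i h2
        return "nginx-http2-backend"
    return "nginx-http-backend"  # default_backend


# Constructed samples (label, first bytes, negotiated ALPN); not captured traffic.
SAMPLES = [
    ("ssh inside TLS", b"SSH-2.0-OpenSSH_7.9\r\n", None),
    ("ssh bytes with h2 ALPN", b"SSH-2.0-ExampleClient\r\n", "h2"),
    ("other version string", b"SSH-1.99-ExampleClient\r\n", None),
    ("http/2 preface", b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n", "h2"),
    ("http/1.1 request", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", "http/1.1"),
    ("short read", b"SSH-2", None),
]

if __name__ == "__main__":
    print("ACL pattern decodes to", SSH_PATTERN)
    for label, payload, alpn in SAMPLES:
        print(f"{label:24} -> {choose_backend(payload, alpn)}")
```

Any client that completes the TLS handshake and sends those seven bytes first reaches the ssh backend, so the SSH server behind it needs the same hardening as one exposed directly.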