Option to enable proxy protocol
rjbaat opened this issue ยท 19 comments
Hi all,
I have an issue trying to get proxy protocol to work with ssh piper.
I have a LB on kubernetes and enabled proxy protocol, but after that I still get to see the host ip's of the k8s nodes, instead of the client ip.
This is what I try to do:
client -> lb -> sshpiper -> ssh container
Has anyone an idea how to get proxy protocol working with sshpiper.
Does sshpiper need an extra ENV maybe to enable proxy protocol on the sshpiper container?
I need to see the client ip to be able to setup the whitelist firewall rules.
seems you are looking for ngx's proxy_set_header X-Real-IP right
no such a thing in ssh protocol :(
why not block it from sshpiper node? sshpiper should act as the firewall
@tg123 Yes something similar. But that's a http header and doesn't work with TCP connections.
To achieve to see the client ip in the sshpiper application that's running behind a proxy protocol loadbalancer, there is an option called mmproxy. This preserves the client ip on proxy protocol enabled loadbalancers (https://github.com/cloudflare/mmproxy).
I see there is also a go package made based on this: https://github.com/path-network/go-mmproxy.
Maybe its an idea to implement this as possible add-on with an ENV or something? This way its possible to see the client ip in the sshpiper container and maybe add the option to add a ip whitelist mysql table on the piper servers that are setup.
That would make it even more dynamic to setup and also secure in production environments where upstream ssh servers are already on private networks. Then it can check both the ssh key and the client ip to accept the connection.
Another option would be https://github.com/pires/go-proxyproto.
@tg123 iam not sure how exactly. But normally you see on ssh the session ip of the last login. The tools above make sure the original client ip is exposed to the ssh service instead of the ip of the loadbalancer.
The SSH server may support this or not. Last time I checked, OpenSSH didn't but there were patches out there to do it. I think what the op is asking for is for the serving side of this project to support it and not the upstream SSH server.
@pires
seems make sense, but not sure if opensshd support PROXY protocol. did not find related info.
Well how it looks to me is that the libraries swap the ip of the loadbalancer for the proxy protocol set ip that preserves the client ip. This way openssh doesnt have to do anything. It just sees the client ip that it gets fed by the mmproxy library. Because i think mmproxy can be placed as separate container in front of sshpiper. I havent tested that yet. But a nicer option would be if this can be integrated as sshpiper option so a separate container isnt needed.
@rjbaat
I am not quite familiar with how PROXY protocol works
first, need to do prototype, no matter with mmproxy or not, to make sshd believe the client ip is what set by us.
then, impl the in sshpiper (as client side in step 2)
however, having this will not improve security. thinking when you can fake your client ip, so can the attacker.
the only benefit is to show client ip, maybe masquerade, when login
Well when the ip is preserved, a whitelist can be setup. Togheter with ssh keys it will improve security it i think. The attacker needs to know the ip that is in the whitelist and some how fake that, plus it needs to have the right ssh key.
Maybe a good idea to setup a poc to see how it works. When i get back from holiday i will try to setup something with a mmproxy container and proxy protocol to see if the client ip is showing up in the sshpiper access logs.
IMHO, the correct way to protect sshd is to hide them in a internal vnet, and do the whitelist on sshpiper
Yes, sshd is in a vnet and sshpiper infront of it. But to add a whitlist to sshpiper with a k8s network policy i need to know the client ip that knocks on the door of sshpiper. Sshd can see the ip of sshpiper container. That is not the problem.
So i dont need to see the client ip on sshd but only on the frontdoor of sshpiper. The thing is i would like to know the ip that is connecting to sshpiper. When sshpiper is behind a loadbalancer this is always the loadbalancer ip and not the client ip.
When putting a loadbalancer in front with proxy protocol togheter with a library that uses the proxy protocol to save the client ip it will show the client ip to sshpiper and not the loadbalancer ip.
ah i see
i got your idea now.
the request is sshpiper should be compatible wirh PROXY protocol enabled lb, right?
Yes thats correct ๐. Would be awesome if sshpiper can work with proxy protocol lb. And even a 2.0 version would be to have a mysql table to be able to whitelist the connections based on client ip addresses, toghether with the ssh keys. This whitelist can also be done by k8s network policies, but with mysql its more dynamic.
thats make sense to me
maybe i know which cloud are you using?
not sure if aws/azure impl PROXY protocol
I am using a haproxy docker container loadbalancer on digitalocean droplet. Also used the digitalocean cloud loadbalancers. Both work with proxy protocol.
Most top public cloud providers support PROXY protocol, eg:
- https://cloud.google.com/load-balancing/docs/tcp/setting-up-tcp#proxy-protocol
- https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#proxy-protocol
- https://developers.cloudflare.com/spectrum/proxy-protocol#enabling-proxy-protocol-v2-for-tcpudp
- https://docs.digitalocean.com/products/networking/load-balancers/#proxy-protocol
new plugins will benefit from this for better routing