I am using the following HAProxy configuration to pass SSH connections to the backend servers.

global
    log 127.0.0.1 local0
    daemon
    maxconn 2048

defaults
    log global
    timeout connect 500000ms
    timeout client 86400s
    timeout server 86400s

listen stats
    bind :1936
    mode http
    stats enable
    stats realm Haproxy\ Statistics
    stats uri /

frontend front-ssh-servers
    mode tcp
    option tcplog
    bind *:22
    default_backend back-ssh-servers
    timeout client 8h

backend back-ssh-servers
    mode tcp
    balance leastconn
    stick-table type ip size 1m expire 8h
    stick on src
    server server1 X.X.X.X:22 check send-proxy
    server server2 X.X.X.X:22 check send-proxy
    server server3 X.X.X.X:22 backup send-proxy

The idea of adding send-proxy was to capture the actual client IP in the backend SSH servers. However, with send-proxy or send-proxy-v2, the connections are not reaching the destination backend SSH servers. Without the send-proxy option, the connections are reaching the backend SSH servers.
The HAProxy version is 1.8. The HAProxy logs show the following:
2023-02-09T10:27:59-08:00 127.0.0.1 haproxy[3190902]: X.X.X.X:36730 [09/Feb/2023:10:27:59.175] front-ssh-servers back-ssh-servers/X.X.X.X 1/0/8 21 SD 2/1/0/0/0 0/0
The termination code is "SD". I read that proxy protocol also needs to be enabled at the backend hosts. Appreciate any help on how to achieve this for SSH connections. My backend hosts are running OpenSSH_7.4p1.
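
An added example, not part of the original post: with send-proxy, the first bytes a backend receives are a PROXY protocol v1 header line instead of the client's "SSH-" identification string, so whatever accepts the connection on the backend has to recognise, validate and strip that line before SSH begins. The addresses, the sample bytes and the function names below are constructed for illustration.

```python
import ipaddress

V1_MAX = 107                              # longest v1 header, CRLF included
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # first 12 bytes of a v2 header

# Constructed sample: the v1 header, then the client's SSH identification string.
SAMPLE = b"PROXY TCP4 203.0.113.7 192.0.2.10 36730 22\r\nSSH-2.0-OpenSSH_8.9\r\n"


def classify_first_bytes(data: bytes) -> str:
    """Name what the peer sent first on a new connection."""
    if data.startswith(b"SSH-"):
        return "ssh"        # what sshd expects from a client
    if data.startswith(b"PROXY "):
        return "proxy-v1"   # send-proxy
    if data.startswith(V2_SIGNATURE):
        return "proxy-v2"   # send-proxy-v2
    return "unknown"


def strip_proxy_v1(data: bytes):
    """Return ((client_ip, client_port), payload) for a TCP4/TCP6 v1 header.

    Raises ValueError on anything malformed, so the caller can drop the
    connection rather than log an address it could not validate.
    """
    end = data.find(b"\r\n", 0, V1_MAX)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("no complete PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY v1 header")  # includes "PROXY UNKNOWN"
    _, _, src, dst, sport, dport = fields
    ipaddress.ip_address(src)   # both raise ValueError on a bad address
    ipaddress.ip_address(dst)
    if not (sport.isdigit() and dport.isdigit()):
        raise ValueError("non-numeric port")
    ports = (int(sport), int(dport))
    if not all(0 <= p <= 65535 for p in ports):
        raise ValueError("port out of range")
    return (src, ports[0]), data[end + 2:]


if __name__ == "__main__":
    print(classify_first_bytes(SAMPLE))
    client, payload = strip_proxy_v1(SAMPLE)
    print(client, classify_first_bytes(payload))
```

The header is not authenticated, so a receiver that honours it should accept it only on connections coming from the HAProxy host.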