Solved Access Gitea repository via SSH through pf/haproxy

jbodenmann

Aspiring Daemon

Reaction score: 308
Messages: 552

Let there be this setup:
Code:
                      ┌──────────────┐       ┌─────────────────┐      ┌───────┐
                      │   Gateway    │       │ Physical Server │      │ Jail  │
 "Internet" ──────────┤              ├───────┤                 ├──────┤       │
                      │ HAproxy & pf │       │  FreeBSD 13.0   │      │ Gitea │
                      └──────────────┘       └─────────────────┘      └───────┘

So there's a physical server (running FreeBSD 13.0-RELEASE) with a jail hosting www/gitea. The gitea web UI can be accessed "from the internet". Cloning git repositories via HTTP(S) works.

Now I would like to set up repository access via SSH. However, I'm not exactly sure how to achieve that.

The physical server hosts multiple different jails each hosting another instance of www/gitea. From the physical host, the gitea jails are listening for incoming SSH connections on <jail_ip>:2222.

I would like to be able to access my repositories via the default SSH port (22):
Code:
git clone ssh://git@git.my.domain/user/repo.git

Therefore, my gateway (also running FreeBSD 13.0-RELEASE with pf and net/haproxy) would need to forward incoming connections on port 22 to the correct jail IP (and redirect the port from 22 to 2222).
How would I go about achieving this?

Some of my thoughts:
  • Redirect SSH via pf on the gateway. However, I would need to do this by inspecting the host information (i.e. requests on port 22 to git.my.domain need to be redirected to 192.168.1.50:2222 while requests on port 22 to git.another.domain need to be redirected to 192.168.1.51:2222). Does pf have any mechanism to allow this?
  • Create a TCP frontend binding to port 22 in HAproxy and hopefully being able to create ACLs based on the header information (is that even possible?)
  • I have to make sure that I can still SSH into the gateway itself. I assume that I would achieve that by changing the default port from 22 to something else.
  • Drop this forwarding from 22 non-sense and just have each gitea jail listen on an individual port (2222, 2223, 2224, ...) and live with the fact that git clone URLs have a non-default port.
 

derekschrock

Active Member

Reaction score: 48
Messages: 105

I would just use a different port for git access or use a different port for ssh to the server and forward 22 to jail:2222
 
OP
jbodenmann

Aspiring Daemon

Reaction score: 308
Messages: 552

That is exactly what I want to do - my question is how to do that in a way that I can forward on a 'per host basis'. I'm looking for a way to do the forwarding from 22 to jail:2222 based on the host information.
 

derekschrock

Active Member

Reaction score: 48
Messages: 105

You can't. This is ssh not http. The host info isn't there in the protocol. You would forward 22 to the jail and forward non-22 to the server.

You can use a proxycommand client side to auth on the server then auth in the jail.
 
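The setup derekschrock describes, written out as an added example that is not part of the thread: pf on the gateway forwards WAN port 22 to one Gitea jail's sshd on 2222, the gateway's own sshd moves off port 22 so the rdr does not shadow it, and a client ssh_config reaches a second jail (which cannot also sit on 22) through the gateway with ProxyJump, the modern spelling of the ProxyCommand hop mentioned above. The script only stages the three fragments into a temporary directory and parse-checks them where pfctl/ssh exist; nothing is installed. The WAN interface name vtnet0, gateway port 2022, user admin and the jail addresses are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not the thread's own configuration. Stages the gateway pf
# rule, the gateway sshd port change and a client ssh_config with ProxyJump.
# Assumed values (not from the thread): WAN interface "vtnet0", gateway sshd
# on port 2022, admin user "admin", jails at 192.168.1.50 and 192.168.1.51.
set -eu

STAGE="${STAGE:-$(mktemp -d)}"
WAN_IF="vtnet0"
GATEWAY_HOST="gw.my.domain"
GATEWAY_SSH_PORT="2022"
ADMIN_USER="admin"
JAIL_A_IP="192.168.1.50"      # git.my.domain, reachable on WAN port 22
JAIL_B_IP="192.168.1.51"      # git.another.domain, reachable only via the hop
GITEA_SSH_PORT="2222"

# Gateway pf.conf fragment. 'rdr pass' both rewrites the destination and
# passes the rewritten packets, so no separate pass rule is needed for it.
write_pf_conf() {
    cat > "$STAGE/pf.conf" <<EOF
ext_if = "$WAN_IF"
gitea_a = "$JAIL_A_IP"

# git over SSH: WAN port 22 -> jail sshd on port $GITEA_SSH_PORT
rdr pass on \$ext_if proto tcp from any to (\$ext_if) port 22 -> \$gitea_a port $GITEA_SSH_PORT

# admin SSH to the gateway itself on its relocated port
pass in quick on \$ext_if proto tcp from any to (\$ext_if) port $GATEWAY_SSH_PORT
EOF
}

# Gateway sshd_config fragment: the daemon must leave port 22, otherwise the
# rdr above captures every external connection before sshd sees it.
write_sshd_conf() {
    cat > "$STAGE/sshd_config.d_gateway.conf" <<EOF
Port $GATEWAY_SSH_PORT
EOF
}

# Client ~/.ssh/config. The first jail needs nothing special. The second one
# is not on port 22 anywhere, so the client hops through the gateway and
# authenticates twice: once to the gateway, once to the jail's sshd.
write_client_conf() {
    cat > "$STAGE/ssh_config" <<EOF
Host git.my.domain
    User git

Host git.another.domain
    HostName $JAIL_B_IP
    Port $GITEA_SSH_PORT
    User git
    ProxyJump $ADMIN_USER@$GATEWAY_HOST:$GATEWAY_SSH_PORT
EOF
}

# Sanity checks on the staged files; returns non-zero if a line is missing.
verify_stage() {
    grep -q "port 22 -> \$gitea_a port $GITEA_SSH_PORT" "$STAGE/pf.conf" &&
    grep -q "^Port $GATEWAY_SSH_PORT\$" "$STAGE/sshd_config.d_gateway.conf" &&
    grep -q "^    ProxyJump $ADMIN_USER@$GATEWAY_HOST:$GATEWAY_SSH_PORT\$" "$STAGE/ssh_config"
}

write_pf_conf
write_sshd_conf
write_client_conf
verify_stage
# Where the tools exist, parse-check the staged configs without applying them.
command -v pfctl >/dev/null 2>&1 && pfctl -nf "$STAGE/pf.conf"
command -v ssh >/dev/null 2>&1 && ssh -F "$STAGE/ssh_config" -G git.another.domain >/dev/null
echo "staged in $STAGE"
```

With the client config in place, `git clone git@git.another.domain:user/repo.git` works unchanged because ssh resolves the Host alias, applies the jail port and routes the connection through the gateway; the gateway only ever sees an authenticated admin session, and the jail still sees a normal login to its own sshd.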
OP
jbodenmann

Aspiring Daemon

Reaction score: 308
Messages: 552

Alright, so at least my understanding was not off :)
Thanks!
 