Solved Access Gitea repository via SSH through pf/haproxy

jbo@

Developer
Let there be this setup:
Code:
                      ┌──────────────┐       ┌─────────────────┐      ┌───────┐
                      │   Gateway    │       │ Physical Server │      │ Jail  │
 "Internet" ──────────┤              ├───────┤                 ├──────┤       │
                      │ HAproxy & pf │       │  FreeBSD 13.0   │      │ Gitea │
                      └──────────────┘       └─────────────────┘      └───────┘

So there's a physical server (running FreeBSD 13.0-RELEASE) with a jail hosting www/gitea. The gitea web UI can be accessed "from the internet". Cloning git repositories via HTTP(S) works.

Now I would like to set up repository access via SSH. However, I'm not exactly sure how to achieve that.

The physical server hosts multiple different jails each hosting another instance of www/gitea. From the physical host, the gitea jails are listening for incoming SSH connections on <jail_ip>:2222.

I would like to be able to access my repositories via the default SSH port (22):
Code:
git clone ssh://git@git.my.domain/user/repo.git

Therefore, my gateway (also running FreeBSD 13.0-RELEASE with pf and net/haproxy) would need to forward incoming connections on port 22 to the correct jail IP (and redirect the port from 22 to 2222).
How would I go about achieving this?

Some of my thoughts:
  • Redirect SSH via pf on the gateway. However, I would need to do this by inspecting the host information (i.e. requests on port 22 to git.my.domain need to be redirected to 192.168.1.50:2222 while requests on port 22 to git.another.domain need to be redirected to 192.168.1.51:2222). Does pf have any mechanism to allow this?
  • Create a TCP frontend binding to port 22 in HAproxy and hopefully be able to create ACLs based on the header information (is that even possible?)
  • I have to make sure that I can still SSH into the gateway itself. I assume that I would achieve that by changing the default port from 22 to something else.
  • Drop this forwarding-from-22 nonsense and just have each gitea jail listen on an individual port (2222, 2223, 2224, ...) and live with the fact that git clone URLs have a non-default port.
 
That is exactly what I want to do - my question is how to do that in a way that I can forward on a 'per host basis'. I'm looking for a way to do the forwarding from 22 to jail:2222 based on the host information.
 
You can't. This is SSH, not HTTP. The host info isn't there in the protocol. You would forward 22 to the jail and forward non-22 to the server.

You can use a ProxyCommand client-side to auth on the server, then auth in the jail.
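The answer above written out as a client-side ~/.ssh/config, as an added example that is not part of the thread: it assumes the gateway's pf rdr sends TCP/22 for git.my.domain to 192.168.1.50:2222, that the gateway's own sshd was moved to port 2200 (a constructed value), and that the second jail (192.168.1.51:2222, from the question) is only reachable from inside the gateway. The user name "admin" and the key file names are placeholders.

```sshconfig
# Added example (not from the thread): ~/.ssh/config on the developer's machine.
# Assumed setup: gateway pf rdr 22 -> 192.168.1.50:2222 for git.my.domain,
# gateway sshd moved to 2200 (constructed), second jail 192.168.1.51:2222
# reachable only from the gateway.

# The gateway itself: sshd is no longer on 22, so pin the port here.
# Its host key lands in known_hosts as [git.my.domain]:2200, separate from
# the jail key stored under git.my.domain (port 22).
Host gateway
    HostName git.my.domain
    Port 2200
    User admin                          # placeholder administrative account
    IdentityFile ~/.ssh/id_ed25519_gateway
    IdentitiesOnly yes

# First Gitea jail: reached directly through the pf redirect.
# "git clone ssh://git@git.my.domain/user/repo.git" works unchanged.
Host git.my.domain
    User git
    Port 22
    IdentityFile ~/.ssh/id_ed25519_gitea
    IdentitiesOnly yes

# Second Gitea jail: SSH carries no host information the gateway could route
# on, so hop through the gateway instead (the ProxyCommand idea from the
# answer, written as ProxyJump). Clone with:
#   git clone git@git.another.domain:user/repo.git
# The alias does not need to resolve in DNS; HostName overrides it.
Host git.another.domain
    HostName 192.168.1.51
    Port 2222
    User git
    ProxyJump gateway
    # Equivalent on OpenSSH older than 7.3:
    # ProxyCommand ssh -W %h:%p gateway
    IdentityFile ~/.ssh/id_ed25519_gitea
    IdentitiesOnly yes
    # The jail's host key is pinned as [192.168.1.51]:2222 on first use;
    # leave strict checking on so a changed key is refused, not re-accepted.
    StrictHostKeyChecking ask
```

Authentication happens twice, once against the gateway and once against the jail, so each hop keeps its own key and known_hosts entry; the gateway never sees the Gitea key because IdentitiesOnly limits which key is offered where.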
 