How to use HAproxy for SFTP & Mailservers!? Is it possible!?

I have pfSense (2.7) as the router for my network and recently installed HAProxy (develop) as a proxy.

The main reason to install HAProxy was to distribute incoming traffic towards my (virtual) servers. The idea is to use SNI to point to a web server, to access my public services from both the local network and the internet in an easy way (using split DNS), and to switch between my old and my new config. I am using both IPv4 and IPv6.

And … my intention was to do that for:

  • the web server(s)
  • the mail server(s) [at the moment only one]
  • the SFTP servers

For the web servers that works :wink:

And for the mail server and the SFTP server, it (almost) does not.

The problem seems to be the SSH handshake. The packets are:

  • arriving at the HAProxy frontend,
  • forwarded to the HAProxy backend, and
  • sent towards the VLAN gateway of the server VLAN

And despite that … it does not work.
(Connecting to the SSH server does work using the Bitvise SSH client from the local network, but that is the exception.)

If I try to analyze the problem, it is clear from the logging that the initial handshake between the client (source) and the mail server / SFTP server causes the trouble. The connection starts and stops immediately due to a failing handshake.

My setup looks like this / some additional info:

  • I created a couple of VIPs to forward the local traffic to
  • on the WAN interface, the relevant ports are passed to ‘This Firewall’ using FW rules
  • the HAProxy frontends listen on both the WAN interface and the VIP (in ssl/https mode, in most cases one FE per port number)
  • the HAProxy backends are specific per port number
  • if a backend points to more than one server, only one is active
  • in the case of SSH it is impossible to determine the destination

That brings me to a second problem … HAProxy is … a proxy. So without additional measures the original source address is gone, replaced by the proxy address, which I absolutely do not like (especially in the case of the SFTP server).

So … that is all. It almost works … but almost == not :hot_face:

So I hope that someone knows how to solve this ‘handshake issue’, otherwise I have to go back to the classical ‘forward rules’ for the SFTP and mail server :zipper_mouth_face:

I wouldn’t use HAProxy for SMTP or SFTP. If it were me I would just do a port forward for those particular services. No need to go through the proxy and complicate the setup.

There is a write-up on how to use SSH & HAProxy, but I have never done it.

Tom,

When I started in this direction, it seemed so logical to me to proxy all the ‘public servers’, not just the web server. So I started working in that direction.

However logical that sounds, and whatever advantages it has, it turned out to be much more complicated than expected!

To note:

  • the SNI advantage is only there for HTTP(S).
  • big disadvantage: the proxy tends to hide the source IP
  • big advantage: routing via VIPs in combination with split DNS makes routing and security easier
  • not yet mentioned: the proxy hides the internal IP addresses from the outside world, which also implies that your DNS settings are no longer related to the internal network.
  • if the proxy is configured in a smart way, it is probably a little easier to switch between ‘active’ and ‘standby’

Whatever, for the moment I reverted my setup to ‘forward and NAT’ with regard to the FTP and mail server. Note that I still have ‘webmail’ and ‘mail manager’ via the proxy.

I did turn the related HAProxy frontends off, but did not delete them. Perhaps I will do some further testing in the future :wink:
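Added example, not from the thread or from the pfSense package: a plain-text HAProxy configuration showing what a frontend/backend pair for SSH (SFTP) and SMTP looks like when the proxy is run in TCP mode rather than as a TLS listener, and the two mechanisms that decide whether the backend still sees the real client address (the "proxy hides the source IP" point raised in both posts above). Addresses, hostnames and backend names are placeholders. It assumes a stock OpenSSH on the SFTP host and a Postfix on the mail host; the PROXY-protocol settings named in the comments are Postfix's own `postscreen_upstream_proxy_protocol` / `smtpd_upstream_proxy_protocol` parameters, and transparent mode (`usesrc clientip`) only works when the server's return path to the client goes back through the HAProxy host.

```haproxy
# Added example (not from the thread). SSH and SMTP are not TLS-with-SNI, so the
# frontend binds are plain TCP sockets: no "ssl" keyword, no SNI-based routing.
# One frontend per port, because the proxy cannot tell SFTP hosts apart by name.

frontend sftp_in
    bind 203.0.113.10:22              # placeholder WAN / VIP address (IPv4)
    bind [2001:db8::10]:22            # placeholder WAN / VIP address (IPv6)
    mode tcp
    option tcplog                     # logs client ip/port, backend and termination state
    timeout client 1h                 # long-lived SFTP sessions
    default_backend sftp_servers

backend sftp_servers
    mode tcp
    timeout server 1h
    # OpenSSH does not understand the PROXY protocol, so "send-proxy" here would
    # corrupt the SSH banner exchange and the session would die at the handshake.
    # The only way to keep the client address is transparent proxying: the backend
    # then sees the real source IP, but its route back to the client must go
    # through the HAProxy host (pfSense here), or the reply packets never return.
    source 0.0.0.0 usesrc clientip
    server sftp1 10.10.20.5:22 check

frontend smtp_in
    bind 203.0.113.10:25
    bind [2001:db8::10]:25
    mode tcp
    option tcplog
    timeout client 5m
    default_backend smtp_servers

backend smtp_servers
    mode tcp
    timeout server 5m
    # Postfix can consume the PROXY protocol header (main.cf:
    #   postscreen_upstream_proxy_protocol = haproxy   or
    #   smtpd_upstream_proxy_protocol = haproxy),
    # so it logs, rate-limits and DNSBL-checks the real client address without
    # any transparent-proxy routing tricks. Only enable send-proxy once the
    # backend is configured for it; a plain SMTP listener rejects the header.
    server mail1 10.10.20.6:25 send-proxy check
```

A quick check from outside: `ssh -vv user@sftp.example` should show the server banner (`SSH-2.0-OpenSSH_...`) as the first thing received; if the frontend is a TLS (`ssl`) listener instead of `mode tcp`, the connection is closed before that banner arrives, which is exactly the immediate start-and-stop the logging in the thread describes. For the mail side, a `telnet` or `openssl s_client -starttls smtp` to port 25 should show the `220` greeting, and the Postfix log line for that session should name the client's real address rather than the proxy's. Whether transparent mode is worth its routing constraint is a judgment call; the simpler alternative the other replies favour, a NAT port forward, preserves the source address with no extra configuration.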

Unless there is some special use case for those services to go through the proxy, I would only go the NAT route. Proxies can be used as a single point of entry into your DMZ, but proxies really shine when it comes to services utilizing the same port, routing the traffic based on FQDN and utilizing certificates. It’s not that you can’t do it, but it’s more of asking “why?” when there is a simpler solution (NAT).