I am testing the configuration of an OpenZiti environment with the goal of having all components (such as the controller, routers, etc.) communicate over a single port to avoid exposing multiple ports.
In the process, I used ssl_sni matching, which works for HTTP/HTTPS, but it fails when used for SSH. Instead, I successfully used req.payload to match on the TPKT header.
Are there any plans to provide TPKT-header-based identification of the different components in future versions?
Below is my relevant test setup:
HAProxy Configuration File:
global
# Global configuration (empty in this test setup)
defaults
timeout connect 5000
timeout client 50000
timeout server 50000
# Single public listener: every component is reached through TCP/443 and routed
# on the first bytes the client sends, so HAProxy never sees plaintext.
frontend main
mode tcp
# No "ssl" keyword on the bind line, so the TLS handshake is not terminated here;
# req.ssl_sni reads the server name straight out of the ClientHello.
bind *:443
# Wait up to 3s for enough client data to evaluate the payload/SNI ACLs below.
# A client that sends nothing in that time falls through to the unconditional
# accept at the end of the content rules.
tcp-request inspect-delay 3s
# Matching HTTP using payload: the hex groups are the first three ASCII bytes of
# the method names GET POS(T) PUT DEL(ETE) OPT(IONS) HEA(D) CON(NECT) TRA(CE).
# (Uncomment the line below if needed)
# acl is_http req.payload(0,3) -m bin 474554 504f53 505554 44454c 4f5054 484541 434f4e 545241
# Matching SSH using payload: 53 53 48 is ASCII "SSH", the start of the client's
# identification string ("SSH-2.0-..."). The ssh test at the bottom of the post
# succeeds, so the client evidently sends this before any server data arrives.
# Strictly this is not a TPKT header: TPKT (RFC 1006) starts with 03 00, which
# is what the RDP rule below matches.
# acl is_ssh req.payload(0,3) -m bin 535348
# Matching RDP using payload (TPKT version byte 03 followed by 00 00).
# (Uncomment the line below if needed)
# acl is_rdp req.payload(0,3) -m bin 030000
# Controller and router are identified by the SNI in the TLS ClientHello
# (-i: case-insensitive compare).
acl is_ctrl req.ssl_sni -i ctrl.zer0.eu.org
acl is_route req.ssl_sni -i route.zer0.eu.org
# SSH sends no TLS ClientHello, so there is no SNI to match on and the rule
# below can never be true; the active rule keys on the payload instead.
# acl is_ssh req.ssl_sni -i ssh.zer0.eu.org
# NOTE(review): this rule looks only at the first three bytes, so the hostname
# plays no part in routing — any SSH client that reaches TCP/443, from any
# source address, is forwarded to the ssh backend on port 22. If that is not
# the intent, restrict the source (src ACL or host firewall) and log these
# connections separately.
acl is_ssh req.payload(0,3) -m bin 535348
# Stop inspecting as soon as one of the known protocols is recognised ...
tcp-request content accept if is_ctrl
tcp-request content accept if is_route
tcp-request content accept if is_ssh
# ... and otherwise accept anyway once inspect-delay has elapsed. There is no
# default_backend, so a connection matching none of the ACLs has no backend and
# is presumably closed by HAProxy — TODO confirm; an explicit
# "tcp-request content reject" in place of this line would make the drop
# deliberate and visible in the logs.
tcp-request content accept
# Backend selection is first-match in this order.
use_backend ctrl if is_ctrl
use_backend route if is_route
use_backend ssh if is_ssh
# Backends are plain TCP relays to loopback: TLS (controller, router) and the
# SSH handshake (sshd) are handled by the component itself, not by HAProxy.
backend ctrl
mode tcp
server ctrl 127.0.0.1:8441
backend route
mode tcp
server route 127.0.0.1:8442
backend ssh
mode tcp
server ssh 127.0.0.1:22
Below are some simple tests I conducted.
root@ip-10-111-0-5:/etc/haproxy# curl https://route.zer0.eu.org
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error
root@ip-10-111-0-5:/etc/haproxy# curl https://ctrl.zer0.eu.org
{"data":{"apiVersions":{"edge":{"v1":{"apiBaseUrls":["https://X.X.X.X:8441/edge/client/v1"],"path":"/edge/client/v1"}},"edge-client":{"v1":{"apiBaseUrls":["https://X.X.X.X:8441/edge/client/v1"],"path":"/edge/client/v1"}},"edge-management":{"v1":{"apiBaseUrls":["https://X.X.X.X:8441/edge/management/v1"],"path":"/edge/management/v1"}}},"buildDate":"2024-10-02T12:59:41Z","capabilities":[],"revision":"0eec47ce3c80","runtimeVersion":"go1.23.1","version":"v1.1.15"},"meta":{}}
root@ip-10-111-0-5:/etc/haproxy# ssh ssh.zer0.eu.org -p 443
The authenticity of host '[ssh.zer0.eu.org]:443 ([X.X.X.X]:443)' can't be established.
ED25519 key fingerprint is SHA256:QuFOmgQ5GDSuE642zVAH4YIusjNDWB9LTn6oWo2rgro.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:1: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? ^C