ssh: add proxyproto support #318

bretello · 2025-01-17T15:53:45Z

When using uptermd through a tcp reverse proxy, such as Traefik, the real IP address of ssh clients is masked by the proxy.

By leveraging the proxy protocol and goproxyproto, the correct addresscan be reported by uptermd.

This PR adds a --proxy-protocol flag to enable this feature.

An example traefik docker-compose configuration is also provided.

this is useful for scenarios in which uptermd is behind a proxy, in order for it to properly show IP addresses associated with ssh connections. Also see https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt

bretello · 2025-01-17T16:01:01Z

server/server.go

+		if opt.ProxyProtocol {
+			sshln = &proxyproto.Listener{Listener: sshln}
+		}


We could similarly wrap the wsln listener below, although in that case there are multiple methods in which the client's real IP address can reported (X-Forwarded-For and X-real-ip headers for example). So I excluded it as out of the scope for this PR.

bretello added 2 commits January 17, 2025 16:43

add proxyproto support

7000d7b

this is useful for scenarios in which uptermd is behind a proxy, in order for it to properly show IP addresses associated with ssh connections. Also see https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt

README: add traefik section

5614f5a

bretello commented Jan 17, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ssh: add proxyproto support #318

ssh: add proxyproto support #318

bretello commented Jan 17, 2025 •

edited

Loading

bretello Jan 17, 2025

ssh: add proxyproto support #318

Are you sure you want to change the base?

ssh: add proxyproto support #318

Conversation

bretello commented Jan 17, 2025 • edited Loading

bretello Jan 17, 2025

Choose a reason for hiding this comment

bretello commented Jan 17, 2025 •

edited

Loading