From 8cd30e1661ebabf790db653dbdd0e848f197987c Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Fri, 26 Jan 2024 21:08:48 +0200
Subject: [PATCH] Router: Route SSH through HAProxy.

Use the HTTPS port so I can break out from restricted networks.
---
 Ansible/roles/router/files/haproxy.cfg | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/Ansible/roles/router/files/haproxy.cfg b/Ansible/roles/router/files/haproxy.cfg
index 34e85fe..94830ff 100644
--- a/Ansible/roles/router/files/haproxy.cfg
+++ b/Ansible/roles/router/files/haproxy.cfg
@@ -58,12 +58,19 @@ frontend https
         acl private_ip src 62.219.131.121
         acl shore_ip src 62.219.131.121
         acl shore_ip src 163.172.74.36
+        acl ssh req.payload(0,7) -m str "SSH-2.0"
+        acl ssl req_ssl_hello_type 1
         tcp-request content reject if lam !private_ip
         tcp-request content reject if auth !shore_ip !private_ip
-        tcp-request content accept if { req_ssl_hello_type 1 }
+        tcp-request content accept if ssh ssl
         use_backend kodi_https if kodi
+        use_backend localhost_ssh if ssh
         default_backend host01_https
 
+backend localhost_ssh
+        mode tcp
+        server ns1 127.0.0.1:22 check
+
 backend host01_http
         mode http
         option forwardfor
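Review bot: The new `tcp-request content accept if ssh ssl` line requires both ACLs to be true on the same connection, and a payload that starts with `SSH-2.0` is never also a TLS ClientHello, so the early-accept path the replaced line provided is now dead and every connection (SSH and TLS alike) has to sit out the frontend's `tcp-request inspect-delay`, which is defined above this hunk, before the `use_backend` rules run; the intended condition is `tcp-request content accept if ssh || ssl`. Because `backend localhost_ssh` forwards in `mode tcp` to `127.0.0.1:22` with no transparent-proxy or `send-proxy` option visible, sshd will record 127.0.0.1 as the peer for every proxied session, so its own logs and any address-based controls in sshd only see the proxy, and that deserves a comment on the backend, e.g. `# sshd sees 127.0.0.1 as the peer; the real client IP is only in the haproxy log`. The `check` on the `server ns1 127.0.0.1:22` line also opens a bare TCP connection to sshd on every health-check interval, which sshd is likely to log as a connection closed before identification, so expect that noise in the auth log (or in anything that alerts on it) once this ships. The `ns1` server name for a localhost sshd is also misleading; `server localhost 127.0.0.1:22 check` reads better.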
-- 
GitLab