tg123 / sshpiper

The missing reverse proxy for ssh scp
https://sshpiper.com/
MIT License
986 stars 134 forks source link

Option to enable proxy protocol #72

Closed rjbaat closed 2 years ago

rjbaat commented 3 years ago

Hi all, I have an issue trying to get proxy protocol to work with ssh piper. I have a LB on kubernetes and enabled proxy protocol, but after that I still get to see the host ip's of the k8s nodes, instead of the client ip.

This is what I try to do: client -> lb -> sshpiper -> ssh container

Has anyone an idea how to get proxy protocol working with sshpiper. Does sshpiper need an extra ENV maybe to enable proxy protocol on the sshpiper container?

I need to see the client ip to be able to setup the whitelist firewall rules.

tg123 commented 3 years ago

seems you are looking for ngx's proxy_set_header X-Real-IP right no such a thing in ssh protocol :(

why not block it from sshpiper node? sshpiper should act as the firewall

rjbaat commented 3 years ago

@tg123 Yes something similar. But that's a http header and doesn't work with TCP connections.

To achieve to see the client ip in the sshpiper application that's running behind a proxy protocol loadbalancer, there is an option called mmproxy. This preserves the client ip on proxy protocol enabled loadbalancers (https://github.com/cloudflare/mmproxy).

I see there is also a go package made based on this: https://github.com/path-network/go-mmproxy.

Maybe its an idea to implement this as possible add-on with an ENV or something? This way its possible to see the client ip in the sshpiper container and maybe add the option to add a ip whitelist mysql table on the piper servers that are setup.

That would make it even more dynamic to setup and also secure in production environments where upstream ssh servers are already on private networks. Then it can check both the ssh key and the client ip to accept the connection.

pires commented 3 years ago

Another option would be https://github.com/pires/go-proxyproto.

tg123 commented 3 years ago

@rjbaat cloud you please explain how a regular sshd read the protocol?

rjbaat commented 3 years ago

@tg123 iam not sure how exactly. But normally you see on ssh the session ip of the last login. The tools above make sure the original client ip is exposed to the ssh service instead of the ip of the loadbalancer.

pires commented 3 years ago

The SSH server may support this or not. Last time I checked, OpenSSH didn't but there were patches out there to do it. I think what the op is asking for is for the serving side of this project to support it and not the upstream SSH server.

tg123 commented 3 years ago

@pires seems make sense, but not sure if opensshd support PROXY protocol. did not find related info.

rjbaat commented 3 years ago

Well how it looks to me is that the libraries swap the ip of the loadbalancer for the proxy protocol set ip that preserves the client ip. This way openssh doesnt have to do anything. It just sees the client ip that it gets fed by the mmproxy library. Because i think mmproxy can be placed as separate container in front of sshpiper. I havent tested that yet. But a nicer option would be if this can be integrated as sshpiper option so a separate container isnt needed.

tg123 commented 3 years ago

@rjbaat I am not quite familiar with how PROXY protocol works first, need to do prototype, no matter with mmproxy or not, to make sshd believe the client ip is what set by us. then, impl the in sshpiper (as client side in step 2)

however, having this will not improve security. thinking when you can fake your client ip, so can the attacker. the only benefit is to show client ip, maybe masquerade, when login

rjbaat commented 3 years ago

Well when the ip is preserved, a whitelist can be setup. Togheter with ssh keys it will improve security it i think. The attacker needs to know the ip that is in the whitelist and some how fake that, plus it needs to have the right ssh key.

Maybe a good idea to setup a poc to see how it works. When i get back from holiday i will try to setup something with a mmproxy container and proxy protocol to see if the client ip is showing up in the sshpiper access logs.

tg123 commented 3 years ago

IMHO, the correct way to protect sshd is to hide them in a internal vnet, and do the whitelist on sshpiper

rjbaat commented 3 years ago

Yes, sshd is in a vnet and sshpiper infront of it. But to add a whitlist to sshpiper with a k8s network policy i need to know the client ip that knocks on the door of sshpiper. Sshd can see the ip of sshpiper container. That is not the problem.

So i dont need to see the client ip on sshd but only on the frontdoor of sshpiper. The thing is i would like to know the ip that is connecting to sshpiper. When sshpiper is behind a loadbalancer this is always the loadbalancer ip and not the client ip.

When putting a loadbalancer in front with proxy protocol togheter with a library that uses the proxy protocol to save the client ip it will show the client ip to sshpiper and not the loadbalancer ip.

tg123 commented 3 years ago

ah i see

i got your idea now. the request is sshpiper should be compatible wirh PROXY protocol enabled lb, right?

rjbaat commented 3 years ago

Yes thats correct 😄. Would be awesome if sshpiper can work with proxy protocol lb. And even a 2.0 version would be to have a mysql table to be able to whitelist the connections based on client ip addresses, toghether with the ssh keys. This whitelist can also be done by k8s network policies, but with mysql its more dynamic.

tg123 commented 3 years ago

thats make sense to me

maybe i know which cloud are you using? not sure if aws/azure impl PROXY protocol

rjbaat commented 3 years ago

I am using a haproxy docker container loadbalancer on digitalocean droplet. Also used the digitalocean cloud loadbalancers. Both work with proxy protocol.

pires commented 3 years ago

Most top public cloud providers support PROXY protocol, eg:

tg123 commented 2 years ago

added in 2ddd69876a1e1119059debc59fe869cb4e754430

tg123 commented 2 years ago

new plugins will benefit from this for better routing