SFTP configuration through HAProxy loadbalancing

haproxyload balancingsftp

I have LB server which currently load balancing 2 machines as for apache2 "http" and "https" requests as master/slave,

How to make the same server load balancing "sftp" requests to the same both machines using default port "22"?

frontend ft_app
        bind 1.1.1.1:80
        reqadd X-Forwarded-Proto:\ http
        default_backend bk_app

frontend ft_apps
        bind 1.1.1.1:443 ssl crt /etc/ssl/certs/bundle.pem ca-file /etc/ssl/certs/cert.cer verify optional
        reqadd X-Forwarded-Proto:\ https
        default_backend bk_apps

backend bk_app
        server server1 2.2.2.2:80 check
        server server2 3.3.3.3:80 check backup

backend bk_apps
        server servers1 2.2.2.2:443 ssl check verify none
        server servers2 3.3.3.3:443 ssl check verify none backup

Best Answer

You might try using the following for the backend SFTP servers:

listen frontend_ssh 1.1.1.1:22
        mode tcp
        option tcplog
        balance roundrobin
        server server1 2.2.2.2:22
        server server2 3.3.3.3:22

I based the above on this post: http://jpmorris-iso.blogspot.com/2013/01/load-balancing-openssh-sftp-with-haproxy.html

Hope this helps

Related Solutions

HAProxy – ssl client ca chain cannot be verified

The files server.pem and client.pem should have 3 sections in it and should look like this:

The private key might not be RSA, but it should be first. The first certificate is the signed server certificate. The second certificate should be the CA certificate. You can copy and paste each section using a text editor. To check your certificate, run this.

$ openssl verify -CAfile ca1-certificate.pem server.pem
server.pem: OK

Haproxy logging not work

To have these messages end up in - for example - /var/log/haproxy.log you will need to do two things:

configure your syslog to accept network logs - at least on localhost
configure haproxy to send events to 127.0.0.1 on local2/local3 or any such facility

So, your haproxy.cfgs global section would look something like:

global
    log         127.0.0.1 local2 notice
    log         127.0.0.1 local3

While your syslog.conf should look like:

local2.*        /var/log/haproxy
local3.*        /var/log/haproxy-access_log

If you use modern distro with rsyslog, then just create a file called

/etc/rsyslog.d/haproxy.conf

with following contents:

$ModLoad imudp
$UDPServerAddress 127.0.0.1
$UDPServerRun 514

local2.*        /var/log/haproxy
local3.*        /var/log/haproxy-access_log

And after that restart rsyslogd and haproxy.

Best Answer

Related Solutions

HAProxy – ssl client ca chain cannot be verified

Haproxy logging not work

Related Topic