HAProxy SSH/HTTPS multiplexing

[stasheck]

Hi,
For quite some time I am trying to figure out HAProxy configuration that would _reliably_ work for switching between SSH and HTTPS. There are tons of guides all over the network, and most of them work, but not reliably. Although I'm often able to make SSH work every time, HTTPS is hit or miss - often from the same PC it will work on one browser, but not another. This doesn't depend on browser as well.

Can you please have a look at my config and advise what I should change?

Code: [Select]

root@opnsense:/usr/local/etc # less haproxy.conf
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    # NOTE: Could be a security issue, but required for some feature.
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    1
    tune.ssl.default-dh-param   1024
    ssl-server-verify           none
    spread-checks               0
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 info

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats



# Frontend: Router-443
frontend Router-443
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend HTTPS_SERVERPool
    # tuning options
    timeout client 30s

    # logging options
    option tcplog
    # ACL: HTTPS-HTTPS_SERVER
    acl acl_5ed8f96fe45bc7.92407970 req.ssl_hello_type 1
    # ACL: SSH-SSH_SERVER-1
    acl acl_5ef0be88c7f291.74440621 req.ssl_hello_type 1
    # ACL: SSH-SSH_SERVER-2
    acl acl_5ed8f9b4806f55.62302544 req.len 0

    # ACTION: HTTPS_SERVER-IIS
    use_backend HTTPS_SERVERPool if acl_5ed8f96fe45bc7.92407970
    # ACTION: SSH_SERVER-SSH
    use_backend SSH_SERVERPool if !acl_5ef0be88c7f291.74440621 acl_5ed8f9b4806f55.62302544

# Backend: HTTPS_SERVERPool ()
backend HTTPS_SERVERPool
    # health checking is DISABLED
    mode tcp
    balance source

    # tuning options
    timeout connect 30s
    timeout server 30s
    server HTTPS_SERVER 192.168.1.99:443

# Backend: SSH_SERVERPool ()
backend SSH_SERVERPool
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s


[Patrick M. Hausen]

Sslh can do that:

https://github.com/yrutschle/sslh

I am looking for things to contribute to OPNsense for Hacktoberfest, anyway ... hmmm ...