Welcome! Log In Create A New Profile

Advanced

Nginx - ssl_preread for http/https/ssh

Posted by alen.loncaric 
Nginx - ssl_preread for http/https/ssh
September 20, 2021 02:08AM
Hi guys,

I saw examples of combining HTTPS/SSH Selecting an upstream based on SSL protocol version:
map $ssl_preread_protocol $upstream {
default ssh.example.com:22;
"TLSv1.2" new.example.com:443;
}

# ssh and https on the same port
server {
listen 192.168.0.1:443;
proxy_pass $upstream;
ssl_preread on;
}


But i don't know how to combine SSH, HTTPS(TLS) and HTTP on same port? Is this even possible ? So I have one "service port" for serving iot devices pure http, for better units https and for some ssh for reverse tunneling. So all three protocols.

p.s. does this functionality use additional sockets or just redirects the stream to particular http server?

With kind regards,
Re: Nginx - ssl_preread for http/https/ssh
September 20, 2021 02:15AM
alen.loncaric Wrote:
-------------------------------------------------------
> But i don't know how to combine SSH, HTTPS(TLS) and HTTP on same port?
> Is this even possible ? So I have one "service port" for serving iot

Possible but not going to work as http is not encrypted.

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: Nginx - ssl_preread for http/https/ssh
September 20, 2021 02:17AM
I saw this example:
stream {
upstream http {
server localhost:8000;
}

upstream https {
server localhost:8001;
}

map $ssl_preread_protocol $upstream {
default https;
"" http;
}

server {
listen 8080;
listen [::]:8080;
proxy_pass $upstream;
ssl_preread on;
}
}

Why this works for http and https ? Or it does not ?

BR
Re: Nginx - ssl_preread for http/https/ssh
September 20, 2021 03:15AM
Technically that should work, but you are mixing 2 different types of traffic on a none standard port and you don't have a ssh redirect.

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: Nginx - ssl_preread for http/https/ssh
September 20, 2021 05:01AM
Would it be possible to distinguish where to upstream based on request.
While http requests have GET, POST etc... SSH has SSH-xxxxxxxxx identifier ?
Re: Nginx - ssl_preread for http/https/ssh
September 20, 2021 05:48AM
Ssh does not pass SNI, and thats the only difference with https, after (or before) you could split for http but clients will get confused.

Ea. you have to use a mix of $ssl_preread_protocol and $ssl_preread_server_name to get all 3 working.

---
nginx for Windows http://nginx-win.ecsds.eu/
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 129
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready