I am setting up git ssh access via the internet.
The git server is hosted in a private subnet, with no SSH access publicly exposed. In order to provide access (through the public subnet), an HAProxy has been set up, forwarding SSH access from the internet through to the backend git server.
I expect users to access git via a URL like:
ssh://[email protected]:8022/repopath.git
My HAProxy stanza looks like this:
listen my-git-server
    bind *:8022
    mode tcp
    server git 172.16.0.1:22 check port 22
This works, and meets requirements, but has a security issue inherent in it: we are also exposing all other users on the git server, i.e. I can also connect to non-git users like this:
ssh://[email protected]:8022
I would like to make sure that only the git user is exposed (i.e. it is not possible to access other users via the internet).
I would like to do this via the haproxy, if possible, but do not know how to change my haproxy rule to filter out requested URLs without "git@". If it is not possible in HAProxy, would appreciate suggestions on how to manage this via ssh-config on the git server.
Maybe someone is still interested in this, even though I'm almost 4 years too late. As far as I know this is not possible with HAProxy. But it is easy to do this on the Git server in the sshd_config file if you still use the HAProxy server to connect to it from remote/internet. Just add this at the end of the sshd_config file:
Match Address IP.OF.HAPROXY.SERVER
    AllowUsers git
That way only user git is allowed to log in when traffic is coming from the IP of your HAProxy. Nevertheless, before reloading sshd, you might want to test your new sshd config with:
sshd -t
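To see what the Match Address / AllowUsers combination above actually does for a given source address, here is an added example (not code from the question or the answer, and not sshd itself): a small evaluator of just those two directives, following the semantics in sshd_config(5), where keywords inside a satisfied Match block override the global section. The config text, the HAPROXY_IP value standing in for IP.OF.HAPROXY.SERVER, and the user names and addresses are all constructed for the example. It shows the point a practitioner should notice: the restriction applies only to connections whose source is the HAProxy address, so users connecting from elsewhere (e.g. the internal subnet) keep their normal access.

```python
"""Evaluate which users an sshd_config would admit from a given source address.

Added example: a stand-alone model of Match Address + AllowUsers only.
It is not sshd and not the page's code; all values below are constructed.
"""
import fnmatch
import ipaddress
from typing import List, Optional, Tuple

# Assumed stand-in for IP.OF.HAPROXY.SERVER in the answer above.
HAPROXY_IP = "10.0.1.5"

# Constructed sshd_config excerpt: no global AllowUsers (so LAN users are
# unaffected) plus the Match block from the answer, keyed on the proxy IP.
# HAProxy in TCP mode connects with its own address as source, which is
# exactly why matching on that address selects the internet traffic.
SSHD_CONFIG = f"""
PubkeyAuthentication yes
PasswordAuthentication no

Match Address {HAPROXY_IP}
    AllowUsers git
"""


def _parse(config: str) -> Tuple[Optional[List[str]], List[list]]:
    """Return (global AllowUsers, [[networks, AllowUsers], ...]) for each Match block."""
    global_allow: Optional[List[str]] = None
    blocks: List[list] = []
    current = None  # index of the Match block currently being filled
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            nets = []
            # Match takes criterion/value pairs; only Address is modelled here
            # (plain addresses or CIDR blocks, comma separated).
            for crit, val in zip(args[0::2], args[1::2]):
                if crit.lower() != "address":
                    raise ValueError(f"unsupported Match criterion: {crit}")
                nets += [ipaddress.ip_network(a, strict=False) for a in val.split(",")]
            blocks.append([nets, None])
            current = len(blocks) - 1
        elif keyword == "allowusers":
            if current is None:
                global_allow = args
            else:
                blocks[current][1] = args
        # other keywords do not affect user filtering and are ignored
    return global_allow, blocks


def _user_allowed(patterns: List[str], user: str, addr: str) -> bool:
    """AllowUsers semantics: 'user' or 'user@host' patterns; host may be a CIDR."""
    src = ipaddress.ip_address(addr)
    for pat in patterns:
        upat, _, hpat = pat.partition("@")
        if not fnmatch.fnmatchcase(user, upat):
            continue
        if not hpat:
            return True
        try:
            if src in ipaddress.ip_network(hpat, strict=False):
                return True
        except ValueError:
            continue  # hostname patterns are not resolved in this offline model
    return False


def effective_allow_users(config: str, addr: str) -> Optional[List[str]]:
    """AllowUsers list that applies to a connection from addr (None = no restriction).

    The first Match block whose Address criterion contains addr and which sets
    AllowUsers overrides the global value, as sshd_config(5) describes Match.
    """
    global_allow, blocks = _parse(config)
    src = ipaddress.ip_address(addr)
    for nets, allow in blocks:
        if allow is not None and any(src in n for n in nets):
            return allow
    return global_allow


def login_permitted(config: str, user: str, addr: str) -> bool:
    """True if the AllowUsers policy admits user connecting from addr."""
    allow = effective_allow_users(config, addr)
    return True if allow is None else _user_allowed(allow, user, addr)


if __name__ == "__main__":
    checks = [("git", HAPROXY_IP), ("alice", HAPROXY_IP), ("alice", "10.0.2.20")]
    for user, addr in checks:
        verdict = "allowed" if login_permitted(SSHD_CONFIG, user, addr) else "denied"
        print(f"{user} from {addr}: {verdict}")
```

On the real server the authoritative check is sshd itself rather than this model: `sshd -T -C user=alice,addr=IP.OF.HAPROXY.SERVER` prints the effective configuration for that connection, with any matching Match blocks applied, so you can confirm the allowusers line is what you expect before reloading.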