all repos — nixfiles @ 47beb6abd7a17f9527f7e73f8ba8ffcef41d8ac4

System and user configuration, managed by nix and home-manager

linde: add workaround for SSH port blocking

Alan Pearce
commit

47beb6abd7a17f9527f7e73f8ba8ffcef41d8ac4

parent

a132224e340a95eb426819b4b9258f42517df9f3

1 file changed, 30 insertions(+), 0 deletions(-)

changed files
M system/linde.nixsystem/linde.nix
@@ -518,6 +518,35 @@ users.groups.acme.members = [
"caddy" ];
+ services.haproxy = {
+ enable = true;
+ config = ''
+ defaults
+ mode tcp
+ timeout connect 5000ms
+ timeout client 50000ms
+ timeout server 50000ms
+
+ frontend https
+ bind *:443
+
+ tcp-request inspect-delay 5s
+ acl sniff_https req.ssl_hello_type 1
+ acl sniff_ssh req.payload(0,7) -m str "SSH-2.0"
+ tcp-request content accept if sniff_https
+ use_backend ssh if sniff_ssh
+
+ default_backend caddy
+
+ backend caddy
+ server caddy :8443
+
+ backend ssh
+ mode tcp
+ server ssh :22
+ timeout server 2h
+ '';
+ };
services.caddy = { enable = true; group = "caddy";
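Review bot: Both backends sit behind haproxy in `mode tcp` with no PROXY protocol, so sshd and Caddy will record the proxy's address as the peer for everything arriving on 443. The config also has no `log` directive, so nothing on the host keeps the real client address. That blinds sshd's auth log and any address-based control (fail2ban, `Match Address`, Caddy IP matchers) for this path. I would add a `global` section with `log stdout format raw local0`, and put `log global` and `option tcplog` under `defaults`, so every accepted connection is logged with its source and chosen backend. For the web side, `send-proxy-v2` on the `server caddy` line, paired with Caddy's `proxy_protocol` listener wrapper, would restore client addresses; sshd does not speak PROXY protocol, so the haproxy log is the only record there.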
@@ -529,6 +558,7 @@ hash = "sha256-LY2rMA1Y3LRkRYpnA/O7O48nx78NnIT5BZQJhe5l/Ks=";
}; globalConfig = '' cache
+ https_port 8443
''; virtualHosts = let
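Review bot: `https_port 8443` moves Caddy's TLS listener, but unless a `default_bind` or per-site `bind` is set outside this hunk it presumably still binds every interface, so 8443 becomes a second way into Caddy that skips haproxy wherever the firewall allows it. The firewall settings are not visible here, so it is worth confirming that 8443 is not in `networking.firewall.allowedTCPPorts`. A comment next to the option would help, for example `# internal only: haproxy on :443 forwards TLS here; keep 8443 closed externally`. This matters more if the PROXY protocol is later enabled on this listener, because a directly reachable port would then trust client-supplied source addresses. The `services.caddy` block continues outside the hunk.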