sftp and haproxy

Jasmin shahrzad
I have an SFTP server on Docker. In the compose file I open ports 2121:2121 and 2222:22, as you can see here:

 sftp_server                                      "/usr/local/bin/entr…"   40 hours ago         Up 2 hours              0.0.0.0:2121->2121/tcp, 0.0.0.0:2222->22/tcp

It's working fine when I run    sftp -P 2121 "user_name"@"host_name"
in my domain.
I created an haproxy on another server (it has an internet connection). I added the following to my /etc/haproxy.cfg:

listen  sftp-server
            bind    *:2121
            mode    tcp
            option  tcplog
            default_backend          sftp-server01
backend       sftp-server01
            server ftp01         "docker_container_with_sftp_name"."domain":2222 check port 2222

and I restarted haproxy.

In my domain I can ssh to the sftp server with port 2121 (ssh "user_name"@"host_name" -p 2222)
without any problem.
But it is not working with haproxy, even in my domain. What is wrong?
noci, Software Engineer, Distinguished Expert 2018

Commented:
You should connect to the docker_host on 2222, and to the docker_container_with_sftp on port 22.

The docker -p either creates a NAT rule in iptables or runs a proxy process on the host to accomplish the same.

Author

Commented:
I am just confused. You mean I need to change haproxy? I changed it like this:
bind *:2222
server ftp01         "docker_container_with_sftp_name"."domain":22 check port 22

But I still can't login. What I want is to login like this:
sftp://"haproxy_server_name" with username and password on port 2121 or 2222, e.g. from FileZilla.

What you say I can do on all servers in my domain: sftp -P 2121 username@"container_host"
and ssh user_name@container_host -p 22
What I want is to write the haproxy server name instead.
noci, Software Engineer, Distinguished Expert 2018

Commented:
What you can do in your local network SHOULD be in the backend of a haproxy config.

So if you type on your firewall:   sftp -o Port=2222 user@docker-host-ip
then the backend is

backend sftp01
  mode tcp
  server docker-host docker-host-ip:2222

If you use:   sftp  user@docker-container-ip
then the backend is

backend sftp01
  mode tcp
  server docker-container docker-container-ip:22

With check, don't specify a port; the server entry is used.
Be aware that if the ssh server uses fail2ban to protect against excessive failed login attempts (you should do that) then you may ban your proxy, because check will never produce a successful login.

The front end is what is seen outside your reverse proxy. So bind *:3333 means to listen on port 3333 externally; the world needs to use sftp -o Port=3333 user@your-public-ip
(there can be a DNS-resolvable FQDN hostname in the ssh / sftp commands instead of the IP address).
You CANNOT listen on 2222 for haproxy AND listen on 2222 for sftp on the same host!! (In case you bind haproxy to 2222 and use -p 2222:22 on docker where the container is running on the same host.)

(-o Port=xxx is the same as -P xxx for sftp.)

Author

Commented:
I use the first one.
Then my haproxy is like:

listen  sftp-server
        bind    *:3333
        default_backend sftp-server

backend sftp-server
        mode tcp
        server docker-host-name    docker-host-ip:2222

It's not working.

Author

Commented:
It says "connection refused", "connection closed".
noci, Software Engineer, Distinguished Expert 2018
Commented:
listen doesn't use a backend, use frontend there...

frontend  sftp-server
        bind    *:3333
        mode tcp
        default_backend sftp-server

backend sftp-server
        mode tcp
        server docker-host-name    docker-host-ip:2222

A front end uses a backend to connect.

listen is handled internally INSIDE haproxy (e.g. requesting statistics...).
Haproxy logs to the syslog server (default config). So check the /var/log directory for entries from haproxy.
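As an added example (not code from the thread, from haproxy or from noci), a small Python lint that checks the three pitfalls raised in these answers: a frontend/listen section without mode tcp, a haproxy bind port that collides with a docker -p published port on the same host, and a server line with check that could get the proxy banned by fail2ban. The hostnames, ports and both sample configs are constructed.

```python
import re
# Constructed sample inputs (not from the thread): the first mirrors the broken
# config in the question, the second the working one from noci's answer.
DOCKER_PORTS = ["2121:2121", "2222:22"]   # compose style host:container
BROKEN_CFG = """
listen sftp-server
    bind *:2222
    default_backend sftp-server01
backend sftp-server01
    server ftp01 docker-host-ip:22 check port 22
"""
FIXED_CFG = """
frontend sftp-server
    bind *:3333
    mode tcp
    default_backend sftp-server
backend sftp-server
    mode tcp
    server docker-host docker-host-ip:2222
"""

def parse_sections(cfg):
    """Map 'kind name' -> stripped config lines for frontend/backend/listen sections."""
    sections, key = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        m = re.match(r"(frontend|backend|listen)\s+(\S+)", line)
        if m:
            key = f"{m.group(1)} {m.group(2)}"   # a frontend and backend may share a name
            sections[key] = []
        elif line and key:
            sections[key].append(line)
    return sections

def lint(cfg, docker_mappings, same_host=True):
    """Return a list of problems; an empty list means the config passes."""
    taken = {int(m.split(":")[0]) for m in docker_mappings}   # host ports held by docker -p
    problems = []
    for key, lines in parse_sections(cfg).items():
        if key.split()[0] in ("frontend", "listen"):
            if "mode tcp" not in lines:
                problems.append(f"{key}: no 'mode tcp'; SSH traffic is not HTTP")
            bound = {int(p) for p in re.findall(r"bind\s+\S*?:(\d+)", " ".join(lines))}
            for p in (sorted(bound & taken) if same_host else ()):
                problems.append(f"{key}: bind port {p} collides with docker -p {p}")
        else:   # backend: TCP health probes look like failed logins to sshd
            for l in lines:
                if l.startswith("server") and re.search(r"\bcheck\b", l):
                    problems.append(f"{key}: 'check' may get the proxy banned by fail2ban")
    return problems
```

Run lint(BROKEN_CFG, DOCKER_PORTS) to see all three findings; the fixed config returns an empty list.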

Author

Commented:
It's not working and there is nothing in /var/log.
It looks like haproxy does not see the sftp container.

Error:      Network error: Connection refused
Error:      Could not connect to server

Author

Commented:
What I have as ports from my compose file is
Address: 0.0.0.0; Public port: 2121; Private port: 2121; Protocol: tcp
Address: 0.0.0.0; Public port: 2222; Private port: 22; Protocol: tcp
and haproxy is
..
.. (standard)
frontend        sftp-server
        bind    *:3333
        mode tcp
        default_backend sftp-server

backend sftp-server
        mode tcp
        server container_host_name container_ip:2222

Author

Commented:
In the file /etc/default/haproxy,
enable=0 means it is not started, and it doesn't matter that I restart the services.
It looks a little better. Now I can't restart the haproxy service; it fails with status=2.

Author

Commented:
After starting, it's missing some directories, /var/lib/haproxy and /run/haproxy.
After creating the directories it's working now on port 3333.
If I want to move to and use port 2121, is it enough to remove port 2121 from docker-compose and just have 2222:22 and use 2121, or what?

Author

Commented:
It's working perfectly now.

Author

Commented:
Thank you noci.
