-1

I need to use haproxy to load-balance SFTP connections but currently I cannot bind it to port 22 (customer constraint). Can I bind to port xxx and listen on port 22 to achieve this, or must I bind to 22?

Thanks

user1843591
  • 157
  • 2
  • 9

2 Answers

2

The bind and listen are not the same things nor things that can be done independently. They are consequent stages on the same port number. It is well described in this diagram from Wikipedia:

[diagram from Wikipedia; image not preserved]

Jakuje
  • 9,715
  • 2
  • 42
  • 45
1

You can expose SSH on any port you desire. The clients must be aware of that, however.

listen ssh-balanced
    bind <public-ip>:5022              # frontend: accept client connections on 5022 instead of 22
    mode tcp                           # plain TCP relay; SSH is not HTTP, so no layer-7 handling
    server term01 <internal-ip1>:22 check   # backends keep listening on 22; "check" enables health checks
    server term02 <internal-ip2>:22 check

You need to use ssh -p5022 to connect, and scp -P5022 etc.

Felix Frank
  • 3,093
  • 1
  • 16
  • 22
  • Hi Felix, yes, I can get this working; the problem is I cannot instruct clients to use a different port. I am considering using iptables to route connections on 22 to an arbitrary port such as 5022; I could use it that way – user1843591 Jan 14 '16 at 11:22
  • You could get away with NAT, but why even bother not binding port 22 then. I disbelieve that such a setup would honor the constraint from your customer. – Felix Frank Jan 14 '16 at 12:37
  • My customer must send to port 22 (cannot modify), but my employer does not want me to bind to 22 on our server as haproxy is already running here and bound for http load balancing etc. – user1843591 Jan 14 '16 at 13:36
  • This is not a haproxy issue whatsoever. If you don't open port 22, it will not be reachable for the customer. It's as simple as that. You might be able to reconcile this conflict of interests using a VPN. – Felix Frank Jan 15 '16 at 10:08
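As an added illustration of both answers above (this is example code, not part of either answer or of haproxy itself): the script below builds a stand-in "backend" that binds and listens on one ephemeral port, a minimal TCP relay that plays the role of haproxy's `mode tcp` listener on a different port, and a probe showing that a port with a listening socket on it cannot be bound a second time. It assumes loopback (127.0.0.1), kernel-chosen ports (bind to port 0) and a constructed SSH-style banner; nothing here talks to a real SSH server.

```python
import socket
import threading

# Constructed sample banner so the relay has something to forward; not a real SSH server.
BACKEND_BANNER = b"SSH-2.0-constructed-backend\r\n"


def start_backend():
    """Stand-in for an SSH daemon on an internal host: bind, then listen, then accept."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: the kernel picks a free port
    srv.listen(1)                   # listen() takes no port: it acts on the port already bound
    port = srv.getsockname()[1]     # the bound port IS the listening port

    def serve():
        conn, _ = srv.accept()
        conn.sendall(BACKEND_BANNER)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def start_tcp_relay(backend_port):
    """Minimal equivalent of 'bind <ip>:5022 / mode tcp / server ... :22':
    clients connect to the relay's own port; bytes are forwarded from the backend."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))      # frontend port, different from the backend's
    lst.listen(1)
    port = lst.getsockname()[1]

    def relay():
        client, _ = lst.accept()
        upstream = socket.create_connection(("127.0.0.1", backend_port))
        data = upstream.recv(4096)  # one-shot relay of the backend banner is enough for the demo
        client.sendall(data)
        upstream.close()
        client.close()
        lst.close()

    threading.Thread(target=relay, daemon=True).start()
    return port


def port_is_taken(port):
    """True if a second socket cannot bind the given port (EADDRINUSE), i.e. why two
    independent processes cannot both own port 22 on the same address."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind(("127.0.0.1", port))
        return False
    except OSError:
        return True
    finally:
        probe.close()


def connect_through_relay():
    """Run the whole exchange and return what a client observes."""
    backend_port = start_backend()
    busy = port_is_taken(backend_port)          # checked while the backend is still listening
    relay_port = start_tcp_relay(backend_port)
    with socket.create_connection(("127.0.0.1", relay_port)) as c:
        c.settimeout(5)                         # never hang the demo if a thread fails
        banner = c.recv(4096)
    return {
        "backend_port": backend_port,
        "relay_port": relay_port,
        "backend_port_busy": busy,
        "banner": banner,
    }


if __name__ == "__main__":
    result = connect_through_relay()
    print("backend listening on", result["backend_port"], "(busy for a second bind:", result["backend_port_busy"], ")")
    print("client connected to relay port", result["relay_port"], "and received", result["banner"])
```

The relay's frontend port and the backend's port are unrelated, which is exactly why haproxy can expose SFTP on 5022 while the backends stay on 22; what the script cannot do, any more than haproxy can, is accept connections on a port nobody has bound.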