TCP Route not working

Hello,
I am trying to get my first TCP service to work.

ssh.yml:

tcp:
    # Add the router
    routers:
      nuc:
        entryPoints:
          - ssh
        service: sshnucnuc-svc
        rule: HostSNI(`*`)
        tls: 
          passthrough: true
          certresolver: basic
          domains:
          - main: <mydomain>
            sans:
            - "*.<mydomain>"
  
    # Add the service
    services:
      sshnucnuc-svc:
        loadBalancer:
          servers:
          - address: "192.168.1.138:22"

tls:
  options:
    foo:
      minVersion: VersionTLS12
      # cipherSuites:
      #   - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      #   - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
      #   - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      #   - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      #   - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

This shows up as green on the Traefik 2 dashboard, but trying to ssh into the service fails.

SSH through Traefik:

ssh -vvv steve@ssh.mydomain -p 10022
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/steve/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to nodered.grooms.page port 10022.
debug1: Connection established.
debug1: identity file /Users/steve/.ssh/id_rsa type 0
debug1: identity file /Users/steve/.ssh/id_rsa-cert type -1
debug1: identity file /Users/steve/.ssh/id_dsa type -1
debug1: identity file /Users/steve/.ssh/id_dsa-cert type -1
debug1: identity file /Users/steve/.ssh/id_ecdsa type -1
debug1: identity file /Users/steve/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/steve/.ssh/id_ed25519 type -1
debug1: identity file /Users/steve/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/steve/.ssh/id_xmss type -1
debug1: identity file /Users/steve/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: kex_exchange_identification: banner line 0: HTTP/1.1 400 Bad Request
debug1: kex_exchange_identification: banner line 1: Content-Type: text/plain; charset=utf-8
debug1: kex_exchange_identification: banner line 2: Connection: close
debug1: kex_exchange_identification: banner line 3:
kex_exchange_identification: Connection closed by remote host

SSH direct:

ssh -v steve@192.168.1.138 -p 22
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/steve/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to 192.168.1.138 [192.168.1.138] port 22.
debug1: Connection established.
debug1: identity file /Users/steve/.ssh/id_rsa type 0
debug1: identity file /Users/steve/.ssh/id_rsa-cert type -1
debug1: identity file /Users/steve/.ssh/id_dsa type -1
debug1: identity file /Users/steve/.ssh/id_dsa-cert type -1
debug1: identity file /Users/steve/.ssh/id_ecdsa type -1
debug1: identity file /Users/steve/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/steve/.ssh/id_ed25519 type -1
debug1: identity file /Users/steve/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/steve/.ssh/id_xmss type -1
debug1: identity file /Users/steve/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to 192.168.1.138:22 as 'steve'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:22m+SJgR+9+lb2O/EwZ4d+Zkvr7j3FauJEOGP3zNuAc
debug1: Host '192.168.1.138' is known and matches the ECDSA host key.
debug1: Found key in /Users/steve/.ssh/known_hosts:27
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /Users/steve/.ssh/id_rsa RSA SHA256:wyRMq2m73tUfPC0Avp/JVe1d/tS9Q7HItsyjk/TL+Pk
debug1: Will attempt key: /Users/steve/.ssh/id_dsa
debug1: Will attempt key: /Users/steve/.ssh/id_ecdsa
debug1: Will attempt key: /Users/steve/.ssh/id_ed25519
debug1: Will attempt key: /Users/steve/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/steve/.ssh/id_rsa RSA SHA256:wyRMq2m73tUfPC0Avp/JVe1d/tS9Q7HItsyjk/TL+Pk
debug1: Server accepts key: /Users/steve/.ssh/id_rsa RSA SHA256:wyRMq2m73tUfPC0Avp/JVe1d/tS9Q7HItsyjk/TL+Pk
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.1.138 ([192.168.1.138]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LC_TERMINAL_VERSION = 3.3.9
debug1: Sending env LANG = en_GB.UTF-8
debug1: Sending env LC_TERMINAL = iTerm2
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

In traefik/docker-compose.yml the command - "--log.level=DEBUG" is set; however, there does not appear to be anything logged when I try to connect.

I also tried to connect with CURL to see if that gave any clues:

curl via Traefik:

curl http://ssh.mydomain:10022 -v
*   Trying 178.193.xx.xx...
* TCP_NODELAY set
* Connected to ssh.mydomain (178.193.xx.xx) port 10022 (#0)
> GET / HTTP/1.1
> Host: ssh.mydomain:10022
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Thu, 16 Apr 2020 08:02:00 GMT
< Content-Length: 19
<
404 page not found
* Connection #0 to host ssh.mydomain left intact
* Closing connection 0

Curl did get a response. However, if I try the same locally:

curl direct:

curl 192.168.1.138:22
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
curl: (56) Recv failure: Connection reset by peer

Could this mean that Traefik is trying to use an HTTP router and not the TCP one I want?

What do you suggest for the next debugging / tracing steps I can take?

best regards
Steve


I've ignored this problem for ages and am trying again to be able to SSH into my network.

I spent several hours checking and changing config but came to exactly the same issue.

When I ssh -vvv steve@myhome.network -p 10022 I get the same HTTP/1.1 400 Bad Request.

To me this means that the TCP connection is being handled by one of my HTTP routers and not the TCP router. Is there a way to trace how Traefik is routing the request?

TO RESTATE MY GOAL:

  • SSH to my DSL router on port 10022.
  • The DSL router port-forwards 10022 to 10022 on the Traefik docker instance.
  • Traefik then routes the TCP request to the server hosting the Traefik docker instance.

This will then give me a secure ingress to any of my home servers where I need shell access.

Is this achievable?

regards
Steve
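The routing decision both posts ask about (the first post's "is Traefik using an HTTP router?" and the second post's "is there a way to trace how Traefik is routing the request?") can be reproduced offline. The script below is an added example for this thread, not Traefik's own code and not from the poster: it is a deliberately simplified model of the documented Traefik v2 TCP entrypoint behaviour (a TCP router with a `tls` section only sees TLS connections, matched on the SNI Traefik peeks from the ClientHello; `HostSNI(\`*\`)` without `tls` is the only rule a non-TLS TCP router may use and matches any connection; anything no TCP router claims is handed to the entrypoint's HTTP handler, whose Go `net/http` server answers a non-HTTP byte stream with `400 Bad Request`). The posted router is mirrored as the `POSTED` dict, `CORRECTED` is the suggested fix, `build_client_hello` constructs a minimal ClientHello, and every probe byte string is constructed from the outputs quoted in the posts.

```python
"""Simplified model of Traefik v2 TCP router selection (added example)."""
import re
import struct


def extract_sni(data: bytes):
    """server_name from a TLS ClientHello, or None if `data` is not one."""
    # TLS record header: content type 0x16 (handshake), version 0x03xx, length
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
        return None
    body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    # Handshake header: type 0x01 (ClientHello) + 3-byte length
    if len(body) < 4 or body[0] != 0x01:
        return None
    try:
        p = 4 + 2 + 32                                   # version + random
        p += 1 + body[p]                                 # session id
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]   # cipher suites
        p += 1 + body[p]                                 # compression methods
        end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[p:p + 4])
            p += 4
            if ext_type == 0:                            # server_name
                # list length(2) | name type(1)=0 | name length(2) | name
                name_len = struct.unpack("!H", body[p + 3:p + 5])[0]
                return body[p + 5:p + 5 + name_len].decode("ascii")
            p += ext_len
    except (IndexError, struct.error):
        return None
    return None


def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    host = sni.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext = struct.pack("!H", len(name_entry)) + name_entry
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    hello = (b"\x03\x03" + b"\x11" * 32                # version + fixed "random"
             + b"\x00"                                 # empty session id
             + struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
             + b"\x01\x00"                             # null compression
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify(first_bytes: bytes) -> str:
    """Label what the client sent first, as the proxy sees it when it peeks."""
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(b"SSH-2.0-"):
        return "ssh"
    request_line = first_bytes.split(b"\r\n", 1)[0]
    if re.fullmatch(rb"[A-Z]+ \S+ HTTP/1\.[01]", request_line):
        return "http"
    return "unknown"


def parse_hostsni(rule: str) -> set:
    """Host names from a HostSNI(`a`, `b`) rule; `*` is the catch-all."""
    m = re.fullmatch(r"\s*HostSNI\((.*)\)\s*", rule)
    if not m:
        raise ValueError(f"unsupported TCP router rule: {rule!r}")
    return set(re.findall(r"`([^`]*)`", m.group(1)))


def route(routers: dict, first_bytes: bytes) -> str:
    """'tcp:<router>' that claims the connection, else 'http-fallthrough'."""
    proto = classify(first_bytes)
    sni = extract_sni(first_bytes) if proto == "tls" else None
    for name, router in routers.items():
        hosts = parse_hostsni(router["rule"])
        if "tls" in router:
            # TLS router: needs a ClientHello, then SNI lookup or catch-all
            if proto == "tls" and (sni in hosts or "*" in hosts):
                return f"tcp:{name}"
        elif hosts == {"*"}:
            # non-TLS router: only HostSNI(`*`) is allowed and it matches all
            return f"tcp:{name}"
    return "http-fallthrough"


HTTP_400 = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain; charset=utf-8\r\nConnection: close\r\n\r\n"
HTTP_404 = b"HTTP/1.1 404 Not Found\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n404 page not found"


def reply_for(routers: dict, first_bytes: bytes, backend_banner: bytes) -> bytes:
    """First bytes the client reads back. A forwarded connection yields the
    backend's banner; the HTTP handler answers a well-formed request with 404
    (no HTTP router on this entrypoint) and anything else with 400."""
    if route(routers, first_bytes).startswith("tcp:"):
        return backend_banner
    return HTTP_404 if classify(first_bytes) == "http" else HTTP_400


# The router from the posted ssh.yml as a dict. Its `tls` section makes it a
# TLS-only router, and an SSH client never sends a ClientHello.
POSTED = {"nuc": {"entryPoints": ["ssh"], "service": "sshnucnuc-svc",
                  "rule": "HostSNI(`*`)",
                  "tls": {"passthrough": True, "certResolver": "basic"}}}
# Suggested fix: drop `tls` entirely (SSH is not TLS, so there is nothing to
# pass through and no certificate is needed); keep the catch-all rule.
CORRECTED = {"nuc": {"entryPoints": ["ssh"], "service": "sshnucnuc-svc",
                     "rule": "HostSNI(`*`)"}}

# Constructed probes, taken from the client versions and banners quoted above.
SSH_CLIENT_BANNER = b"SSH-2.0-OpenSSH_8.1\r\n"
CURL_REQUEST = b"GET / HTTP/1.1\r\nHost: ssh.mydomain:10022\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n"
SSHD_BANNER = b"SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3\r\n"

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("corrected", CORRECTED)):
        for name, probe in (("ssh", SSH_CLIENT_BANNER), ("curl", CURL_REQUEST),
                            ("tls", build_client_hello("ssh.mydomain"))):
            print(f"{label:9} {name:4} -> {route(cfg, probe):16} "
                  f"{reply_for(cfg, probe, SSHD_BANNER)[:26]!r}")
```

Run stand-alone, the model reproduces both quoted symptoms for `POSTED` (the SSH banner falls through and gets the `400 Bad Request`, curl's well-formed request gets `404 page not found`) and shows that only a TLS ClientHello would ever reach the router as configured. With `CORRECTED` the same SSH banner is forwarded, and `curl http://ssh.mydomain:10022` would then behave like the "curl direct" run (sshd banner, then reset), which is a quick way to confirm the change without an SSH client. Two caveats for the stated goal, assuming the `ssh` entrypoint is the one bound to 10022: the `400` is produced by the Go HTTP server before any Traefik handler runs, so nothing appears in the DEBUG log for it, whereas the `404` would show up in the access log if that were enabled; and once the router works, sshd on 192.168.1.138 is reachable from the internet through the port forward with password authentication still offered (the direct log shows `publickey,password`), and it sees Traefik's address as the peer rather than the real client, so disable password authentication on that host and do not expect sshd's own logs to carry the source IP unless the PROXY protocol is used end to end.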