fix: use haproxy to strip PROXY protocol before sshd — nginx sends PROXY headers on all TCP

2026-04-04 10:04:42 -05:00
parent cc5ab41da4
commit b318345fdf
2 changed files with 25 additions and 3 deletions
--- a/Dockerfile.devpod
+++ b/Dockerfile.devpod
@@ -8,7 +8,7 @@ ENV PATH="/root/.bun/bin:$PATH"
 RUN apt-get update && apt-get install -y --no-install-recommends \
    curl wget git openssh-server ca-certificates gnupg \
    build-essential unzip jq tmux zsh ripgrep \
-    postgresql-client redis-tools \
+    postgresql-client redis-tools haproxy \
    && rm -rf /var/lib/apt/lists/*

 # Bun
--- a/entrypoint-devpod.sh
+++ b/entrypoint-devpod.sh
@@ -41,12 +41,34 @@ if [ ! -f /root/.gitconfig ]; then
 EOF
 fi

-# Allow root login via SSH key
+# Allow root login via SSH key, listen on internal port 2222
 echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
+echo "Port 2222" >> /etc/ssh/sshd_config

-# Start SSH daemon
+# Start SSH daemon on internal port 2222
 /usr/sbin/sshd

+# Start haproxy on port 22 to accept PROXY protocol from nginx and forward to sshd:2222
+cat > /etc/haproxy/haproxy.cfg <<'EOF'
+global
+  daemon
+  maxconn 256
+
+defaults
+  mode tcp
+  timeout connect 5s
+  timeout client  60s
+  timeout server  60s
+
+frontend ssh
+  bind *:22 accept-proxy
+  default_backend sshd
+
+backend sshd
+  server local 127.0.0.1:2222
+EOF
+haproxy -f /etc/haproxy/haproxy.cfg
+
 # Start code-server
 exec code-server \
  --bind-addr 0.0.0.0:8080 \