fix: use haproxy to strip PROXY protocol before sshd — nginx sends PROXY headers on all TCP

Dockerfile.devpod

@@ -8,7 +8,7 @@ ENV PATH="/root/.bun/bin:$PATH"
 RUN apt-get update && apt-get install -y --no-install-recommends \
     curl wget git openssh-server ca-certificates gnupg \
     build-essential unzip jq tmux zsh ripgrep \
-    postgresql-client redis-tools \
+    postgresql-client redis-tools haproxy \
     && rm -rf /var/lib/apt/lists/*
 
 # Bun

entrypoint-devpod.sh

@@ -41,12 +41,34 @@ if [ ! -f /root/.gitconfig ]; then
 EOF
 fi
 
-# Allow root login via SSH key
+# Allow root login via SSH key, listen on internal port 2222
 echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
+echo "Port 2222" >> /etc/ssh/sshd_config
 
-# Start SSH daemon
+# Start SSH daemon on internal port 2222
 /usr/sbin/sshd
 
+# Start haproxy on port 22 to accept PROXY protocol from nginx and forward to sshd:2222
+cat > /etc/haproxy/haproxy.cfg <<'EOF'
+global
+  daemon
+  maxconn 256
+
+defaults
+  mode tcp
+  timeout connect 5s
+  timeout client  60s
+  timeout server  60s
+
+frontend ssh
+  bind *:22 accept-proxy
+  default_backend sshd
+
+backend sshd
+  server local 127.0.0.1:2222
+EOF
+haproxy -f /etc/haproxy/haproxy.cfg
+
 # Start code-server
 exec code-server \
   --bind-addr 0.0.0.0:8080 \