On Wed, Oct 26, 2016 at 8:04 AM, mal reddy <[email protected]> wrote:
> Hi Ha proxy Team,
>
> Any updates.
>

You appear to be attempting to do something that isn't possible, for reasons that are related to the protocol design of SSH/SFTP.

> I checked HA-Proxy document and other website but most of solution that
> found was http.
>
> using ha proxy configuration document, i successfully upload file for
> one client.
>
> but problem when i have to configuration more then one clients that
> time
>
> it will redirect all clients request to one sftp server instead of
> different sftp server.
>

Earlier you said:

> Kindly suggest how to fetch the servername from which the request is coming so that I can map that particular client to the associated sftp servers.

If this point has already been made, I apologize for the redundancy, but otherwise it seems worth clarifying: that's not possible to do with SFTP.

SFTP is not HTTP, of course, but this is important because unlike HTTP, there is no Host: header for HAProxy to interpret.

SFTP does not use TLS, and this is important because it means there is no SNI available to interpret.

Those are the two mechanisms by which HAProxy typically makes name-based routing decisions. SFTP allows neither.

In both HTTP and TLS, the client talks first. But SFTP uses SSH as its transport, and in SSH, the server talks first. The server begins the negotiation, so HAProxy has no mechanism to know anything about what's going on at layer 7 until it is too late to make any routing decisions, and even then, HAProxy is a man-in-the-middle of what is almost always going to be an encrypted connection, and thus HAProxy is unable to learn anything from the connection's payload.

SSH does not readily support name-based virtual hosting, which is essentially what you are trying to accomplish.

See also http://serverfault.com/q/34552/153161.

Potential workaround: if it is possible to constrain the clients to access your endpoint from known/fixed IP addresses, you could use the source IP address to select the back-end.
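
A sketch of the source-address workaround described in the message above, added here as an example and not taken from the thread or from the HAProxy project. The listening port, the backend names and all addresses (documentation ranges) are constructed placeholders.

```haproxy
# Added example; all addresses, ports and names are constructed placeholders.
defaults
    mode tcp                      # SSH/SFTP is opaque to HAProxy: layer 4 only
    timeout connect 5s
    timeout client  1h
    timeout server  1h

frontend sftp_in
    bind :2222
    option tcplog

    # The source address is the only per-client signal available before
    # the SSH server sends its banner, so routing is decided on it alone.
    acl from_client_a src 203.0.113.0/24
    acl from_client_b src 198.51.100.17

    # Drop connections from addresses that map to no known client
    # (conditions on one line are ANDed).
    tcp-request connection reject if !from_client_a !from_client_b

    use_backend sftp_client_a if from_client_a
    use_backend sftp_client_b if from_client_b

backend sftp_client_a
    server sftp_a 192.0.2.10:22 check

backend sftp_client_b
    server sftp_b 192.0.2.20:22 check
```

The source address here only selects a backend; authentication still happens in the SSH session with the chosen SFTP server. Clients that share one NAT address cannot be told apart by this method.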

