Ciao Luca,

Luca Filipozzi <lfilipoz@xxxxxxxx> writes:

>> [ ... ]
> Neat. I do something similar: in order to circumvent obnoxious airport /
> coffee shop firewalls that block non-HTTPS traffic, I configured haproxy
> to offer 'SSH over HTTPS'. haproxy terminates the HTTPS connection
> (which is SNI-aware) while sshd on the target machine terminates the
> tunneled SSH connection.
>
> In ssh_config, I use ProxyCommand to invoke gnutls-client to create the
> HTTPS connection.

Quite nice as well!

> You've indicated that you don't want to compel your users to make
> significant changes to ssh_config, but others in this thread have noted
> that an SNI option for OpenSSH will take some time to propagate from
> ideation through development through widespread* deployment

I perfectly understand that. At the moment we give out a wireguard IPv6 VPN for free to all users, which also has the nice side effect of giving anyone anywhere (even behind cgnat) IPv6 connectivity.

Surprisingly, adding a totally new program with totally different characteristics has so far turned out to be easier than having users edit their ssh config.

> Would this SSH-over-HTTPS option be worth considering for your use case
> while the SNI-aware OpenSSH gets more backers? (I think I might be one,
> now. You may wish to ask for Proxy-Protocol support, also.)
>
> * sufficiently widespread that your users can get packages from distros

I might have mixed up two cases in my previous mails a bit, which share a lot of properties:

a) enabling IPv4 to IPv6 users
b) enabling load balancing for multi clusters

The (b) case has 1 name per cluster, each serving multiple nodes behind the name. (b) is currently solved using round robin DNS with a 60s timeout. And yes, indeed all those nodes have the same host keys and it needs 1 public IPv4 address per cluster.

Both cases would significantly profit from an ability of dispatching by name or intent, not only for us, but also for other organisations we work with.

So I am fine with taking some time to find a good solution that can be agreed on and waiting for all the ripple effects, because I literally see the potential of making life easier for thousands of people.

Best regards,

Nico

--
Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
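The 'SSH over HTTPS' arrangement Luca describes, written out as an added illustration (this is not configuration posted by either participant): haproxy terminates TLS on port 443 and picks a backend from the SNI name, sshd receives the decrypted stream, and a matching ssh_config stanza uses gnutls-cli as the ProxyCommand. The hostnames, certificate path and 127.0.0.1 backends are placeholders.

```haproxy
# Added example, not Luca's or Nico's own config. Names and paths are placeholders.
# haproxy terminates TLS on :443 and chooses a backend from the SNI the client
# sent, so one public IPv4 address and one port serve both the website and sshd.
global
    log /dev/log local0

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  1h      # interactive SSH sessions sit idle for long stretches
    timeout server  1h

frontend tls_in
    bind :443 ssl crt /etc/haproxy/certs/example.net.pem
    # ssl_fc_sni is the SNI name from the completed TLS handshake
    use_backend ssh_over_tls if { ssl_fc_sni -i ssh.example.net }
    default_backend web

backend ssh_over_tls
    # Plain TCP to the local sshd; the decrypted stream is an ordinary SSH
    # connection, so sshd's own host-key and user authentication still apply.
    # OpenSSH does not speak the PROXY protocol (the reason for the
    # Proxy-Protocol remark in the thread), so sshd logs haproxy's address as
    # the peer. Do not add send-proxy to this server line.
    server sshd 127.0.0.1:22 check

backend web
    # Whatever normally answers on 443; here a local web server on 8080.
    server www 127.0.0.1:8080 check

# Client side, ~/.ssh/config (added example, same placeholder names):
#
# Host ssh.example.net
#     Port 443
#     ProxyCommand gnutls-cli --logfile=/dev/null --port %p %h
#
# gnutls-cli verifies the server certificate against the system trust store,
# so the certificate haproxy presents must be valid for ssh.example.net.
# --logfile keeps gnutls-cli's informational messages off stdout, which
# carries the SSH byte stream between ssh and haproxy.
```

A firewall that only permits HTTPS sees a TLS handshake to port 443 with a normal SNI; the SSH protocol exchange happens only after haproxy has decrypted the stream.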