GitLab SSH behind envoy proxy
Summary
I have a local GitLab instance and I have to access it through an Envoy reverse proxy.
The GitLab instance drops SSH connections that are made through the Envoy proxy, but a direct SSH connection works fine. -> The instance SSH is OK
I have tested my Envoy configuration with github.com and my machine, and both SSH connections are working fine. -> The Envoy proxy config is OK
I tested the Envoy proxy with gitlab.com and it has the same issue -> the problem is probably from GitLab.
Steps to reproduce
I have created an Envoy Proxy config for your testing purposes:
./volumes/envoy.yml

```yaml
# Admin API Settings
admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address:
      protocol: TCP
      address: 0.0.0.0
      port_value: 9901

static_resources:
  listeners:
    # ================================ SSH - Git ================================
    - name: gitlab_ssh
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 7894
      filter_chains:
        - filters:
            - name: envoy.filters.network.tcp_proxy
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
                cluster: ssh_forwarder_to_gitlab
                stat_prefix: git_ssh_passthrough
                access_log:
                  - name: envoy.access_loggers.stdout
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog

  clusters:
    # ================================ SSH - Git ================================
    - name: ssh_forwarder_to_gitlab
      type: LOGICAL_DNS
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: ssh_forwarder_to_gitlab
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      # Test if SSH passthrough is working correctly with my own machine -> OK
                      #address: 192.168.1.20
                      # My GitLab Instance -> FAILED
                      #address: 192.168.7.50
                      # GitHub -> OK
                      #address: github.com
                      # GitLab.com -> FAILED
                      address: gitlab.com
                      port_value: 22
      dns_resolution_config:
        resolvers:
          - socket_address:
              address: "1.1.1.1"
              port_value: 53
          - socket_address:
              address: "8.8.8.8"
              port_value: 53
        dns_resolver_options:
          no_default_search_domain: true
```
docker-compose.yml:

```yaml
version: '3.7'
services:
  envoy-proxy:
    image: envoyproxy/envoy:v1.26-latest
    init: true
    restart: always
    ports:
      #- 9901:9901 # Envoy
      - 7894:7894 # SSH - GitLab
    volumes:
      - ./volumes/envoy.yml:/etc/envoy/envoy.yaml:Z
```
.ssh/config

```
Host gitlab.com
    #HostName gitlab.local
    HostName gitlab.com
    Port 7894
    IdentityFile ~/.ssh/git_rsa
```
What is the current bug behavior?
You are not able to clone/pull/push/... using SSH.
What is the expected correct behavior?
You should be able to connect to the server using SSH.
Relevant logs and/or screenshots
```
git clone git@gitlab.com:group/my_project.git
Cloning into 'my_project'...
kex_exchange_identification: read: Connection reset by peer
Connection reset by 192.168.7.10 port 7894
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
```
Output of checks
This bug happens on GitLab.com