SSH git traffic Access control

My SSH traffic flow is as shown in the diagram below.


The requirement is to block all SSH traffic and allow only a short list of projects to be accessed from the F5 LB, which will be originated from the DMZ zone.

Node 1 & Node 2 are also part of the internal network serving SSH traffic, and these nodes/servers have a large number of repos hosted; we do not want to open all repo access through the DMZ zone.

I understand end users are able to clone only repos on which their SSH key is added; however, a user from the DMZ can add his key to another repo which must not be approved for access from the DMZ zone and get access to a repo hosted on Bitbucket Server.

Goal to Achieve:

Block all SSH traffic and allow only a short list of projects to be accessed from the F5 LB, which will be originated from the DMZ zone.

The git SSH traffic will carry URLs like “ssh://[email protected]:7999/prj_name/repo_name.git”

Questions:

  1. How can I enforce access control for SSH traffic in this environment?

  2. I tried setting up HAProxy; however, I could not block / apply an ACL on SSH URLs. Does HAProxy help to block SSH using URL strings? If yes, please guide / share an example of HAProxy rules for SSH URL blocking.

Seeking suggestions / guidance in this regard.

Thank you for your attention in advance :)



Solution 1:[1]

There is a blog post which could help you to solve your requirement.

Route SSH Connections with HAProxy

Solution 2:[2]

I resolved this by using a Bitbucket Mirror server by opening only SSH port for the mirror server :)

Thanks a lot for your attention.
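The project and repo path of a git-over-SSH URL travels inside the encrypted session, so a TCP-level proxy such as HAProxy can only route by source address or port, never by URL; the check has to run where the SSH session terminates. As an added example (not from the question or either answer), here is a forced-command gate for a plain OpenSSH git host, installed through an authorized_keys `command="..."` option, that lets internal clients through unchanged and limits DMZ-originated clients to an allowlist of projects. It assumes a hypothetical DMZ range of 10.10.0.0/24, hypothetical project keys, and a repo root of /srv/git; it does not apply to Bitbucket Server's embedded SSH service, which enforces its own permissions.

```python
#!/usr/bin/env python3
"""Forced-command gate for git over SSH (added example, not from the original post).
Install with:  command="/usr/local/bin/git-gate",no-port-forwarding,no-pty <key>
sshd exposes the client's request as SSH_ORIGINAL_COMMAND, so the repo path is
visible here even though a proxy in front never sees it."""
import ipaddress
import os
import re
import shlex
import sys

# Constructed values: replace with the real DMZ range and the approved project keys.
DMZ_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]
DMZ_ALLOWED_PROJECTS = {"prj_public", "prj_partner"}
GIT_VERBS = {"git-upload-pack", "git-receive-pack", "git-upload-archive"}
# Path of the form /prj_name/repo_name.git; a segment may not start with "." so ".." is rejected.
PATH_RE = re.compile(r"/?([A-Za-z0-9_-][A-Za-z0-9_.-]*)/([A-Za-z0-9_-][A-Za-z0-9_.-]*)\.git/?")

def parse_git_command(original_command):
    """Return (verb, project, repo) from SSH_ORIGINAL_COMMAND, or None if it is not a plain git command."""
    try:
        parts = shlex.split(original_command or "")
    except ValueError:
        return None
    if len(parts) != 2 or parts[0] not in GIT_VERBS:
        return None  # shells, scp, chained commands: refused
    m = PATH_RE.fullmatch(parts[1])
    return (parts[0], m.group(1), m.group(2)) if m else None

def is_dmz_source(ssh_connection):
    """SSH_CONNECTION is 'client_ip client_port server_ip server_port'."""
    try:
        client = ipaddress.ip_address(ssh_connection.split()[0])
    except (ValueError, IndexError):
        return True  # unknown origin is treated as untrusted
    return any(client in net for net in DMZ_NETWORKS)

def authorize(original_command, ssh_connection, allowed=DMZ_ALLOWED_PROJECTS):
    """Internal clients keep full access; DMZ clients reach only allowlisted projects."""
    parsed = parse_git_command(original_command)
    if parsed is None:
        return False
    _, project, _ = parsed
    return project in allowed if is_dmz_source(ssh_connection) else True

if __name__ == "__main__":
    cmd = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    if not authorize(cmd, os.environ.get("SSH_CONNECTION", "")):
        sys.exit("access denied")
    verb, project, repo = parse_git_command(cmd)
    os.execvp(verb, [verb, f"/srv/git/{project}/{repo}.git"])  # assumed repo root
```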

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: Aleksandar
Solution 2: rgh