SSH non-standard port: connection closed by remote host

I found an example on how to set up SSH behind Traefik, and it works fine if I leave it on port 22. When I try to change the port to another port, I can no longer connect. Can someone have a peek at my file and see if I have missed something?

22:22
ssh -T git@localhost -p 22
git@localhost: Permission denied (publickey).

2224:22
ssh -T git@localhost -p 2224
ssh_exchange_identification: Connection closed by remote host

version: "3"

services:
  edge:
    image: traefik:v2.1.3
    command:
      - --providers.docker
      - --entrypoints.http.address=:80
      - --entrypoints.ssh.address=:2224
      - --api
    ports:
      - "80:80"
      - "8080:8080"
      - "2224:22"
    labels:
      - "traefik.enable=false"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"

  gitea:
    image: gitea/gitea:1.9
    environment:
      - USER_UID=1000
      - USER_GID=1000
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.gitea-web.rule=Host(`localhost`)"
      - "traefik.http.routers.gitea-web.entrypoints=http"
      - "traefik.http.routers.gitea-web.service=gitea-web-svc"
      - "traefik.http.services.gitea-web-svc.loadbalancer.server.port=3000"
      - "traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.gitea-ssh.entrypoints=ssh"
      - "traefik.tcp.routers.gitea-ssh.service=gitea-ssh-svc"
      - "traefik.tcp.services.gitea-ssh-svc.loadbalancer.server.port=22"

I am also running into this issue. Other TCP entrypoints work fine, but SSH seems to choke. I am actually getting ssh_exchange_identification: Connection closed by remote host. The issue has been localized to traefik as I am able to SSH into my container w/ port forwarding. The entrypoints are created, it shows the destination service, and there is no further relevant output.

Things I have tried:

  • (Docker) run with -p and connect with `ssh user@localhost -p 2222` (works)
  • (Kubernetes) port-forward into the container, same as above (works)
  • (Kubernetes) port-forward through the service (as a sanity check, works)
  • ssh through the load balancer on an external domain (via traefik, does NOT work)
  • port-forward directly to traefik container on pod entrypoint port (does NOT work)

The same ssh_exchange_identification is yielded in both failure cases.

EDIT: Attempting to curl the traefik container's entrypoint port yields 404 page not found. Relevant post: TCP Route not working

Update: I'm working around this issue by using nginx ingress. AMQP with TLS passthrough works with traefik, SSH does not...
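
A small diagnostic for the symptom in both posts, added here as an example and not taken from the thread or from Traefik: it connects to a port and reports whether the listener sends an SSH identification string, answers as HTTP (as with the 404 from curl), or closes before sending anything, which is the case the ssh client reports as ssh_exchange_identification. The function names, the timeout and the ports probed in the `__main__` section are assumptions.

```python
import socket


def classify_first_bytes(data: bytes) -> str:
    """Name the protocol from the first bytes a listener sent."""
    if not data:
        # Peer closed without sending anything: the ssh client reports this
        # as "ssh_exchange_identification: Connection closed by remote host".
        return "closed-before-banner"
    if data.startswith(b"SSH-"):
        return "ssh"    # SSH identification string, e.g. "SSH-2.0-..."
    if data.startswith(b"HTTP/"):
        return "http"   # the port is being served as HTTP, not raw TCP
    return "unknown"


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Connect and report what answers on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                # An SSH server speaks first, so just wait for its banner.
                data = s.recv(256)
            except socket.timeout:
                # Listener is waiting for the client: see if it talks HTTP.
                s.sendall(b"GET / HTTP/1.0\r\n\r\n")
                try:
                    data = s.recv(256)
                except socket.timeout:
                    return "silent"
            return classify_first_bytes(data)
    except ConnectionRefusedError:
        return "refused"                 # nothing is listening on that port
    except ConnectionResetError:
        return "closed-before-banner"    # reset instead of a clean close
    except socket.timeout:
        return "connect-timeout"


if __name__ == "__main__":
    # Ports from the first post; adjust to the entrypoint being tested.
    for port in (22, 2224):
        print(port, probe("localhost", port))
```

Running it against the published port and then against the backend container's port directly shows at which hop the SSH banner stops arriving.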