Reputation: 21
An nginx server is connected upstream as a reverse proxy server to separate SSH and SSL on one port (12345). The nginx recognizes the data transfer protocol and separates the data traffic behind the proxy accordingly on two ports -> SSH is forwarded to PORT 9999 and SSL requests to PORT 8080 (Python web server).
The nginx is configured as follows:
/etc/nginx/nginx_conf
    [...]
    stream {
        upstream ssh {
            server localhost:9999;
        }
        upstream https {
            server localhost:8080;
        }
        map $ssl_preread_protocol $upstream {
            default ssh;
            "" https;
            "TLSv1.2" https;
            "TLSv1.3" https;
            "TLSv1.1" https;
            "TLSv1.0" https;
        }
        # SSH and SSL on the same port
        server {
            listen 12345;
            proxy_pass $upstream;
            ssl_preread on;
        }
    }
    [...]
When the web server is called via http://rpi_ip:12345, port 8080 is forwarded cleanly and access to the web server is carried out as requested.
The problem lies in trying to establish a connection via SSH.
I can connect locally to the Raspberry Pi via ssh user@ip-rpi -p 9999 but not via the nginx port 12345.
Adjustments in /etc/ssh/sshd_config
    [...]
    Port 9999
    AddressFamily any
    ListenAddress 0.0.0.0
    #ListenAddress ::
    [...]
A call to ssh user@ip-rpi -p 12345 -vvv brings:
OpenSSH_7.9p1 Raspbian-10+deb10u2, OpenSSL 1.1.1d 10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.2.198 is address
debug2: ssh_connect_direct
debug1: Connecting to 192.168.2.198 [192.168.2.198] port 12345.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Raspbian-10+deb10u2
debug1: ssh_exchange_identification: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
debug1: ssh_exchange_identification: "http://www.w3.org/TR/html4/strict.dtd">
debug1: ssh_exchange_identification: <html>
debug1: ssh_exchange_identification: <head>
debug1: ssh_exchange_identification: <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
debug1: ssh_exchange_identification: <title>Error response</title>
debug1: ssh_exchange_identification: </head>
debug1: ssh_exchange_identification: <body>
debug1: ssh_exchange_identification: <h1>Error response</h1>
debug1: ssh_exchange_identification: <p>Error code: 400</p>
debug1: ssh_exchange_identification: <p>Message: Bad HTTP/0.9 request type ('SSH-2.0-OpenSSH_7.9p1').</p>
debug1: ssh_exchange_identification: <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
debug1: ssh_exchange_identification: </body>
debug1: ssh_exchange_identification: </html>
ssh_exchange_identification: Connection closed by remote host
At this point I hope for your help/ideas to solve my problem.
Upvotes: 1
Views: 2187
Reputation: 1152
Changing "" https;
to "" ssh;
should work.
From the module documentation:
    map $ssl_preread_protocol $upstream {
        "" ssh.example.com:22;
        "TLSv1.2" new.example.com:443;
        default tls.example.com:443;
    }
Upvotes: 1
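Why the SSH client in the question got an HTML 400 page back, and what the one-line change does, shown as an added example (not part of the original posts, and a simplified model rather than nginx's own code). The names `preread_protocol`, `route`, `QUESTION_MAP` and `FIXED_MAP` are hypothetical, and the ClientHello and HTTP request are constructed samples.

```python
import struct

NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
# map from the question, and the same map with the answer's change ("" -> ssh)
QUESTION_MAP = {"": "https", **{name: "https" for name in NAMES.values()}}
FIXED_MAP = {**QUESTION_MAP, "": "ssh"}
DEFAULT = "ssh"  # the map's "default" entry

def preread_protocol(data: bytes) -> str:
    """Model of $ssl_preread_protocol; assumes the full ClientHello is in data."""
    # record type 0x16 (handshake), major version 3, handshake type 0x01
    if len(data) < 44 or data[0] != 0x16 or data[1] != 0x03 or data[5] != 0x01:
        return ""  # not TLS: SSH banner, plain HTTP, anything else
    try:
        version = struct.unpack_from("!H", data, 9)[0]      # legacy client_version
        pos = 43                                            # after 32-byte random
        pos += 1 + data[pos]                                # session_id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]   # cipher_suites
        pos += 1 + data[pos]                                # compression_methods
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            if ext_type == 0x002B:                          # supported_versions
                body = data[pos + 5:pos + 4 + ext_len]      # skip list-length byte
                offered = [v for (v,) in struct.iter_unpack("!H", body) if v in NAMES]
                version = max(offered + [version])
            pos += 4 + ext_len
    except (IndexError, struct.error):
        pass  # truncated or no extensions: keep what was parsed so far
    return NAMES.get(version, "other")  # "other" is not in the map -> default

def route(first_bytes: bytes, mapping: dict) -> str:
    return mapping.get(preread_protocol(first_bytes), DEFAULT)

def sample_client_hello() -> bytes:
    """Constructed minimal TLS 1.3 ClientHello (not a capture)."""
    ext = struct.pack("!HHB", 0x002B, 5, 4) + struct.pack("!HH", 0x0304, 0x0303)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!HH", 2, 0x1301)
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

SSH_BANNER = b"SSH-2.0-OpenSSH_7.9p1 Raspbian-10+deb10u2\r\n"  # from the -vvv log
HTTP_GET = b"GET / HTTP/1.1\r\nHost: rpi_ip:12345\r\n\r\n"      # constructed

if __name__ == "__main__":
    for name, data in [("ssh", SSH_BANNER), ("http", HTTP_GET), ("tls", sample_client_hello())]:
        print(name, repr(preread_protocol(data)), route(data, QUESTION_MAP), route(data, FIXED_MAP))
```

With the changed map, every non-TLS first packet is sent to sshd, so a plain `http://` request to port 12345 no longer reaches the Python web server; only TLS clients are forwarded to port 8080.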