Hi Everybody,
Thank you for Syncthing and this amazing community.
I have a web server with multiple websites in multiple containers and HAProxy that terminates SSL. In other words, a client hits the server with Server Name Indication (SNI) myweb1.com in the HTTPS request, HAProxy decrypts the HTTPS and sends the HTTP traffic to the container that hosts myweb1.com. The same goes for myweb2.com, myweb3.com, …
I wanted to repurpose the server to also sync data. I managed to install Syncthing in another container. I got a Let's Encrypt cert for syncadmin.mydomain.com and I route traffic from this subdomain to the Syncthing management GUI. Another subdomain, sync.mydomain.com, points to the server, and I can use iptables/nftables to route traffic from an unused port (by default 22000) to the container with Syncthing.
In other words, if I connect to the Syncthing management GUI, the traffic goes through HAProxy. Data synchronization bypasses HAProxy and goes directly to the container.
And it's working great!
One thing I learned is that with this configuration I don't need to use the Global Discovery Server. The Syncthing instance in the container can disable Global Discovery, and clients can point at the server directly by specifying tcp://sync.mydomain.com:22000 in the Advanced tab when adding a new remote.
I was thinking about running multiple Syncthing instances in multiple containers: one for me and another, completely isolated, for my family.
I wanted to try running it through HAProxy, and I got the following configuration to work:
frontend fe-tcp
mode tcp
bind :22000
default_backend tcp-syncthing1
mode tcp in the HAProxy config tells HAProxy to pass the traffic through to the backend (container) without checking the SSL certificate. The opposite mode would be mode http, which I use for all other services, since all other services are just web servers (including the Syncthing management GUI).
Another level (that I can't get to work) would be something like this:
frontend fe-tcp
mode tcp
bind :22000
use_backend tcp-syncthing1 if { req_ssl_sni -i sync.mydomain.com }
use_backend tcp-syncthing2 if { req_ssl_sni -i sync.otherdomain.com }
But that doesn't work. In other words, Syncthing doesn't (I guess) use SNI.
Could you please tell me whether there is a way to differentiate multiple client requests? Do clients include, for example, the remote domain name or Device ID somewhere in the request?
P.S. I don't really need to make it work, since I can simply use port 22000 for the first Syncthing instance, port 22001 for another…, but I'd like to try to make it work over a single port as a kind of research project ;-). Thank you.
Kind regards,
Matej
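The `req_ssl_sni` ACL in the second frontend above can only match what is actually present in the TLS ClientHello: the server_name extension (RFC 6066), which is sent in cleartext before any certificate is exchanged. The quickest way to see why a rule like that fails is to look at the first bytes a peer sends. The following is an added example, not code from the original post, from Syncthing or from HAProxy: a small parser that extracts the SNI host name from a ClientHello (or reports that none was sent), plus a `choose_backend()` that models the two `use_backend` rules from the post. The `BACKENDS` map and the fall-back to `tcp-syncthing1` are assumptions (the fall-back mirrors the `default_backend` of the first, working frontend; the second frontend as posted has none). The sample ClientHellos are constructed in `build_client_hello()` and are not captures of Syncthing traffic.

```python
"""Inspect TLS ClientHellos for the SNI extension that HAProxy's req_ssl_sni
matches on. Added example, not code from the original post, Syncthing or HAProxy.
"""
import struct
from typing import Optional

# Hypothetical backend map mirroring the two use_backend rules in the post.
BACKENDS = {
    "sync.mydomain.com": "tcp-syncthing1",
    "sync.otherdomain.com": "tcp-syncthing2",
}


def parse_client_hello_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None
    when the hello carries no SNI. Raises ValueError if the bytes are not a
    TLS handshake record holding a ClientHello."""
    # TLS record header: content type (0x16 = handshake), version, length.
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: msg type (0x01 = ClientHello), 24-bit length.
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                            # client_version + random
    pos += 1 + hello[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                                   # compression_methods
    if pos + 2 > len(hello):
        return None                                         # no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000:                              # 0 = server_name (RFC 6066)
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if name_type == 0:                              # 0 = host_name
                return data[p:p + name_len].decode("ascii")
            p += name_len
    return None


def choose_backend(record: bytes, default: str = "tcp-syncthing1") -> str:
    """Model the post's ACLs: `-i` makes req_ssl_sni case-insensitive, and a
    hello without SNI matches neither rule. Falling back to `default` is an
    assumption borrowed from the first (working) frontend's default_backend."""
    sni = parse_client_hello_sni(record)
    if sni is None:
        return default
    return BACKENDS.get(sni.lower(), default)


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record for testing; this is
    synthetic input, not a capture from Syncthing."""
    cipher_suites = b"\xc0\x2f\xc0\x30"                     # two ECDHE-RSA AES-GCM suites
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    # An unrelated extension (ec_point_formats) so the parser has to skip one.
    extensions += struct.pack("!HH", 0x000b, 2) + b"\x01\x00"
    hello = (b"\x03\x03" + bytes(32) + b"\x00"              # version, random, empty session_id
             + struct.pack("!H", len(cipher_suites)) + cipher_suites
             + b"\x01\x00"                                  # one compression method: null
             + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for name in ("sync.mydomain.com", "SYNC.otherdomain.com", None):
        rec = build_client_hello(name)
        print(name, "->", parse_client_hello_sni(rec), "->", choose_backend(rec))
```

To check a real peer, capture the first packet of a connection to port 22000 (for example with tcpdump) and pass its TCP payload to `parse_client_hello_sni()`; a `None` result means there is nothing for `req_ssl_sni` to match, and the connection can only be routed by a default backend or by port. Two caveats worth knowing before blaming the client: in `mode tcp`, HAProxy needs a `tcp-request inspect-delay` (and typically `tcp-request content accept if { req_ssl_hello_type 1 }`) before `req_ssl_sni` has had a chance to see the ClientHello at all, and the Device ID cannot serve as a routing key here, because it is derived from the peer's certificate, which is exchanged only after the ClientHello.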