As part of the process of migrating as many instances as possible from public IPv4 addresses, because it's going to get expensive I have to use a proxy from the backend interface to github in order to pull updates from the repos. This is part of the distribution of the whole system apart from configuration not in the repos. To begin with I planned on adding a forward Proxy on the existing HAProxy on the front of the production web servers, it's in the same backend subnet and it's always going to have an IPv4 interface. But that got very ugly. I decided instead on using ssh and proxy through the sshd already running on the HAProxy instance. After a lot of complexity I went back to the simplest.
Host github.com
HostName github.com
AddressFamily inet
IdentityFile ~/.ssh/github_rsa
IdentityFile ~/.ssh/keyforproxyinstance
User git
ProxyJump proxyInstance-dns %h %p
The AddressFamily is set to inet because this evolved from the simple config for ssh to github. Without it the connection uses IPv6 first and only after it times out (which is ~60 seconds), does it fall back to IPv4. However, using the proxy the AddressFamily setting is lost along the way, there might be ProxyCommand magic by invoking yet another ssh connection but that seems horribly ugly, so I set the AddressFamily in the /etc/ssh/sshd_config on the HAProxy instead. That gives a clean IPv4 connection.
The two IdentityFile entries are for the initial connection to the proxy instance and then to github. I have to add the keyforproxyinstance (not a real file name) to the ssh_agent as it prompts for the password each time which is a different pain as it's intended to be used in a batch Fabric 2 process.
The config for proxyInstance-dns is simple, it should use the IdentityFile entry on that config but it didn't appear to.