sslh/README

===== sslh -- A ssl/ssh multiplexer. =====

sslh lets one accept both HTTPS and SSH connections on the
same port. It makes it possible to connect to an SSH server
on port 443 (e.g. from inside a corporate firewall) while
still serving HTTPS on that port. 

==== Compile and install ====

If you're lucky, the Makefile will work for you:

make install

(see below for configuration hints)


Otherwise:

Compilation instructions:

Solaris:
  cc -o sslh sslh.c -lresolv -lsocket -lnsl

LynxOS:
  gcc -o tcproxy tcproxy.c -lnetinet

Linux:
  cc -o sslh sslh.c -lnet
or:
  cc -o sslh sslh.c

To compile with libwrap support:
  cc -o sslh -DLIBWRAP sslh.c -lwrap

To install:

make
cp sslh /usr/local/sbin
cp scripts/etc.init.d.sslh /etc/init.d/sslh
cp scripts/etc.default.sslh /etc/default/sslh

and probably create links in /etc/rc<x>.d so that the server
start automatically at boot-up, e.g. under Debian:
update-rc.d sslh defaults


==== Configuration ====

You can edit settings in /etc/default/sslh:

LISTEN=ifname:443
SSH=localhost:22
SSL=localhost:443

A good scheme is to use the external name of the machine in
$LISTEN, and bind httpd to localhost:443 (instead of all
binding to all interfaces): that way, https connections
coming from inside your network don't need to go through
sslh, and sslh is only there as a frontal for connections
coming from the internet.


==== Libwrap support ====

Sslh can optionnaly perform libwrap checks for the sshd
service: because the connection to sshd will be coming
locally from sslh, sshd cannot determine the IP of the
client.

Comments? questions? sslh@rutschle.net

HISTORY

v1.6: 25APR2009
        Added -V, version option.
        Install target directory configurable in Makefile
        Changed syslog prefix in auth.log to "sslh[%pid]"
        Man page
        new 'make install' and 'make install-debian' targets
        PID file now specified using -P command line option
        Actually fixed zombie generation (the v1.5 patch got
        lost, doh!)


v1.5: 10DEC2008
        Fixed zombie generation.
        Added support scripts (), Makefile.
        Changed all 'connexions' to 'connections' to please
        pesky users. Damn users.

v1.4: 13JUL2008
	Added libwrap support for ssh service (Christian Weinberger)
        Only SSH is libwraped, not SSL.

v1.3: 14MAY2008
        Added parsing for local interface to listen on
        Changed default SSL connection to port 442 (443 doesn't make
        sense as a default as we're already listening on 443)
        Syslog incoming connections

v1.2: 12MAY2008
        Fixed compilation warning for AMD64 (Thx Daniel Lange)

v1.1: 21MAY2007
        Making sslhc more like a real daemon:
        * If $PIDFILE is defined, write first PID to it upon startup
        * Fork at startup (detach from terminal)
        (thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist)
        * Less memory usage (?)

v1.0: 
        * Basic functionality: privilege dropping, target hostnames and ports
        configurable.
v1.6: 25APR2009 Added -V, version option. Install target directory configurable in Makefile Changed syslog prefix in auth.log to "sslh[%pid]" Man page new 'make install' and 'make install-debian' targets PID file now specified using -P command line option Actually fixed zombie generation (the v1.5 patch got lost, doh!) 2013-07-10 17:10:43 -04:00			`===== sslh -- A ssl/ssh multiplexer. =====`
v1.5: 10DEC2008 Fixed zombie generation. Added support scripts (), Makefile. Changed all 'connexions' to 'connections' to please pesky users. Damn users. 2013-07-10 17:09:40 -04:00
			`sslh lets one accept both HTTPS and SSH connections on the`
			`same port. It makes it possible to connect to an SSH server`
			`on port 443 (e.g. from inside a corporate firewall) while`
			`still serving HTTPS on that port.`

v1.6: 25APR2009 Added -V, version option. Install target directory configurable in Makefile Changed syslog prefix in auth.log to "sslh[%pid]" Man page new 'make install' and 'make install-debian' targets PID file now specified using -P command line option Actually fixed zombie generation (the v1.5 patch got lost, doh!) 2013-07-10 17:10:43 -04:00			`==== Compile and install ====`

			`If you're lucky, the Makefile will work for you:`

			`make install`

			`(see below for configuration hints)`


			`Otherwise:`
v1.5: 10DEC2008 Fixed zombie generation. Added support scripts (), Makefile. Changed all 'connexions' to 'connections' to please pesky users. Damn users. 2013-07-10 17:09:40 -04:00
			`Compilation instructions:`

			`Solaris:`
			`cc -o sslh sslh.c -lresolv -lsocket -lnsl`

			`LynxOS:`
			`gcc -o tcproxy tcproxy.c -lnetinet`

			`Linux:`
			`cc -o sslh sslh.c -lnet`
			`or:`
			`cc -o sslh sslh.c`

			`To compile with libwrap support:`
			`cc -o sslh -DLIBWRAP sslh.c -lwrap`

			`To install:`

			`make`
			`cp sslh /usr/local/sbin`
			`cp scripts/etc.init.d.sslh /etc/init.d/sslh`
			`cp scripts/etc.default.sslh /etc/default/sslh`

v1.6: 25APR2009 Added -V, version option. Install target directory configurable in Makefile Changed syslog prefix in auth.log to "sslh[%pid]" Man page new 'make install' and 'make install-debian' targets PID file now specified using -P command line option Actually fixed zombie generation (the v1.5 patch got lost, doh!) 2013-07-10 17:10:43 -04:00			`and probably create links in /etc/rc<x>.d so that the server`
			`start automatically at boot-up, e.g. under Debian:`
			`update-rc.d sslh defaults`



			`==== Configuration ====`

v1.5: 10DEC2008 Fixed zombie generation. Added support scripts (), Makefile. Changed all 'connexions' to 'connections' to please pesky users. Damn users. 2013-07-10 17:09:40 -04:00			`You can edit settings in /etc/default/sslh:`

			`LISTEN=ifname:443`
			`SSH=localhost:22`
			`SSL=localhost:443`

			`A good scheme is to use the external name of the machine in`
v1.6: 25APR2009 Added -V, version option. Install target directory configurable in Makefile Changed syslog prefix in auth.log to "sslh[%pid]" Man page new 'make install' and 'make install-debian' targets PID file now specified using -P command line option Actually fixed zombie generation (the v1.5 patch got lost, doh!) 2013-07-10 17:10:43 -04:00			`$LISTEN, and bind httpd to localhost:443 (instead of all`
			`binding to all interfaces): that way, https connections`
			`coming from inside your network don't need to go through`
			`sslh, and sslh is only there as a frontal for connections`
			`coming from the internet.`


			`==== Libwrap support ====`
v1.5: 10DEC2008 Fixed zombie generation. Added support scripts (), Makefile. Changed all 'connexions' to 'connections' to please pesky users. Damn users. 2013-07-10 17:09:40 -04:00
			`Sslh can optionnaly perform libwrap checks for the sshd`
			`service: because the connection to sshd will be coming`
			`locally from sslh, sshd cannot determine the IP of the`
			`client.`

			`Comments? questions? sslh@rutschle.net`

			`HISTORY`

v1.6: 25APR2009 Added -V, version option. Install target directory configurable in Makefile Changed syslog prefix in auth.log to "sslh[%pid]" Man page new 'make install' and 'make install-debian' targets PID file now specified using -P command line option Actually fixed zombie generation (the v1.5 patch got lost, doh!) 2013-07-10 17:10:43 -04:00			`v1.6: 25APR2009`
			`Added -V, version option.`
			`Install target directory configurable in Makefile`
			`Changed syslog prefix in auth.log to "sslh[%pid]"`
			`Man page`
			`new 'make install' and 'make install-debian' targets`
			`PID file now specified using -P command line option`
			`Actually fixed zombie generation (the v1.5 patch got`
			`lost, doh!)`


v1.5: 10DEC2008 Fixed zombie generation. Added support scripts (), Makefile. Changed all 'connexions' to 'connections' to please pesky users. Damn users. 2013-07-10 17:09:40 -04:00			`v1.5: 10DEC2008`
			`Fixed zombie generation.`
			`Added support scripts (), Makefile.`
			`Changed all 'connexions' to 'connections' to please`
			`pesky users. Damn users.`

			`v1.4: 13JUL2008`
			`Added libwrap support for ssh service (Christian Weinberger)`
			`Only SSH is libwraped, not SSL.`

			`v1.3: 14MAY2008`
			`Added parsing for local interface to listen on`
			`Changed default SSL connection to port 442 (443 doesn't make`
			`sense as a default as we're already listening on 443)`
			`Syslog incoming connections`

			`v1.2: 12MAY2008`
			`Fixed compilation warning for AMD64 (Thx Daniel Lange)`

			`v1.1: 21MAY2007`
			`Making sslhc more like a real daemon:`
			`* If $PIDFILE is defined, write first PID to it upon startup`
			`* Fork at startup (detach from terminal)`
			`(thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist)`
			`* Less memory usage (?)`

			`v1.0:`
			`* Basic functionality: privilege dropping, target hostnames and ports`
			`configurable.`