===== sslh -- A ssl/ssh multiplexer. =====

sslh accepts HTTPS, SSH and OpenVPN connections on the same
port. This makes it possible to connect to an SSH server or
an OpenVPN server on port 443 (e.g. from inside a corporate
firewall, which almost never blocks port 443) while still
serving HTTPS on that port.

==== Compile and install ====

If you're lucky, the Makefile will work for you:

        make install

The Makefile produces two different executables: sslh-fork
and sslh-select.

sslh-fork forks a new process for each incoming connection.
It is well-tested and very reliable, but incurs the overhead
of many processes. sslh-select uses only one thread, which
monitors all connections at once. It is more recent and less
tested, but only incurs a 16 byte overhead per connection.
Also, if it stops, you'll lose all connections, which means
you can't upgrade it remotely.

If you are going to use sslh for a "small" setup (less than
a dozen ssh connections and a low-traffic https server) then
sslh-fork is probably more suited for you. If you are going
to use sslh on a "medium" setup (a few thousand ssh
connections, and another few thousand sslh connections),
sslh-select will be better. If you have a very large site
(tens of thousands of connections), you'll need a vapourware
version that would use libevent or something like that.

To install:

        make
        cp sslh-fork /usr/local/sbin/sslh
        cp scripts/etc.default.sslh /etc/default/sslh

For Debian:

        cp scripts/etc.init.d.sslh /etc/init.d/sslh

For CentOS:

        cp scripts/etc.rc.d.init.d.sslh /etc/rc.d/init.d/sslh

and probably create links in /etc/rc<x>.d so that the server
starts automatically at boot-up, e.g. under Debian:

        update-rc.d sslh defaults

==== Configuration ====

You can edit settings in /etc/default/sslh:

        LISTEN=ifname:443
        SSH=localhost:22
        SSL=localhost:443

A good scheme is to use the external name of the machine in
$LISTEN, and bind httpd to localhost:443 (instead of binding
to all interfaces): that way, https connections coming from
inside your network don't need to go through sslh, and sslh
is only there as a front end for connections coming from the
internet.

Note that 'external name' in this context refers to the
actual IP address of the machine as seen from your network,
i.e. the one that is not 127.0.0.1 in the output of
ifconfig(8).

==== Libwrap support ====

Sslh can optionally perform libwrap checks for the sshd
service: because the connection to sshd will be coming
locally from sslh, sshd cannot determine the IP of the
client.

==== OpenVPN support ====

OpenVPN clients connecting to OpenVPN running with
-port-share reportedly take more than one second between
the time the TCP connection is established and the time they
send the first data packet. This results in sslh with
default settings timing out and assuming an SSH connection.
To support OpenVPN connections reliably, it is necessary to
increase sslh's timeout to 5 seconds.

Instead of using OpenVPN's port sharing, it is more reliable
to use sslh's -o option to get sslh to do the port sharing.

==== Using proxytunnel with sslh ====

If you are connecting through a proxy that checks that the
outgoing connection really is SSL and rejects SSH, you can
encapsulate all your traffic in SSL using proxytunnel (this
should work with corkscrew as well). On the server side you
receive the traffic with stunnel to decapsulate SSL, then
pipe through sslh to switch HTTP on one side and SSH on the
other.

In that case, you end up with something like this:

        ssh -> proxytunnel -e --------ssh/ssl------> stunnel ---ssh---> sslh --> sshd

        web browser --------http/ssl------> stunnel ---http---> sslh --> http:80

Configuration goes like this:

On the server side, using stunnel3:

        stunnel -f -p mycert.pem -d thelonious:443 -l /usr/local/sbin/sslh -- sslh -i -l localhost:80 -s localhost:22

stunnel options: -f for foreground/debugging, -p specifies
the key + certificate, -d specifies which interface and port
we're listening to for incoming connections, -l summons sslh
in inetd mode.

sslh options: -i for inetd mode, -l to forward SSL
connections (in fact normal HTTP at that stage) to port 80,
and -s to forward SSH connections to port 22. This works
because sslh considers that anything that is not SSH is SSL.

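The probing behaviour described in the OpenVPN section (a client that stays silent past the timeout is assumed to be SSH) together with the rule above that anything that is not SSH is SSL, as an added C example; it is not code from sslh. The function names, the scaled-down millisecond timings and the payload are constructed for illustration, and recognising SSH by its "SSH-" identification prefix is an assumption about the check.

```c
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

enum { PROTO_SSH, PROTO_SSL };

/* Wait up to timeout_ms for the client's first bytes, then pick a backend.
 * Silence until the timeout means SSH; anything not starting "SSH-" is SSL. */
int classify(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    char buf[4];
    if (poll(&pfd, 1, timeout_ms) <= 0)
        return PROTO_SSH;               /* no data in time: assume SSH */
    /* MSG_PEEK leaves the bytes queued for the backend that gets the stream */
    if (recv(fd, buf, sizeof buf, MSG_PEEK) == 4 && memcmp(buf, "SSH-", 4) == 0)
        return PROTO_SSH;
    return PROTO_SSL;
}

/* Constructed client: a child process waits delay_ms before sending payload,
 * while the parent classifies the connection with the given timeout. */
int classify_delayed_client(const char *payload, int delay_ms, int timeout_ms)
{
    int sv[2], result;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {                     /* child plays the client */
        poll(NULL, 0, delay_ms);        /* sleep before the first packet */
        send(sv[1], payload, strlen(payload), MSG_NOSIGNAL);
        _exit(0);
    }
    close(sv[1]);
    result = classify(sv[0], timeout_ms);
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return result;
}

int main(void)
{
    const char *hello = "\x16\x03\x01 constructed non-SSH first packet";
    printf("timeout 100 ms: %d, timeout 1000 ms: %d (0 = SSH, 1 = SSL)\n",
           classify_delayed_client(hello, 300, 100),
           classify_delayed_client(hello, 300, 1000));
    return 0;
}
```

The same non-SSH client is sent to the SSH backend when its first packet arrives after the timeout and to the SSL backend when the timeout is longer than its delay.
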
==== IP_TPROXY support ====

There is a netfilter patch that adds an option to the Linux
TCP/IP stack to allow a program to set the source address
of an IP packet that it sends. This could let sslh set the
address of packets to that of the actual client, so that
sshd would see and log the IP address of the client, making
sslh transparent.

This is not, and won't be, implemented in sslh for the
following reasons (in increasing order of importance):

 * It's not vital: the real connecting IP address can be
   found in logs. Little gain.
 * It's Linux only: it means increased complexity for no
   gain to some users.
 * It's a patch: it means it'd only be useful to Linux
   users who compile their own kernel.
 * Only root can use the feature: that's a definite no-no.
   Sslh should not, must not, will never run as root.

This is not to say that it won't eventually get implemented,
when/if the feature finds its way into the main kernel and
it becomes usable by non-root processes.

==== Comments? Questions? ====

You can subscribe to the sslh mailing list here:
http://rutschle.net/cgi-bin/mailman/listinfo/sslh

This mailing list should be used for discussion and feature
requests, and will be the preferred channel for
announcements.