sslh/README

sslh -- A ssl/ssh multiplexer.

sslh lets one accept both HTTPS and SSH connections on the
same port. It makes it possible to connect to an SSH server
on port 443 (e.g. from inside a corporate firewall) while
still serving HTTPS on that port. 


Compilation instructions:

Solaris:
  cc -o sslh sslh.c -lresolv -lsocket -lnsl

LynxOS:
  gcc -o tcproxy tcproxy.c -lnetinet

Linux:
  cc -o sslh sslh.c -lnet
or:
  cc -o sslh sslh.c

To compile with libwrap support:
  cc -o sslh -DLIBWRAP sslh.c -lwrap

To install:

make
cp sslh /usr/local/sbin
cp scripts/etc.init.d.sslh /etc/init.d/sslh
cp scripts/etc.default.sslh /etc/default/sslh

You can edit settings in /etc/default/sslh:

PIDFILE=/var/run/sslh.pid
LISTEN=ifname:443
SSH=localhost:22
SSL=localhost:443

A good scheme is to use the external name of the machine in
$LISTEN, and bind httpd to localhost:443: that way, https
connections coming from inside your network don't need to go
through sslh, and sslh is only there as a frontal for
connections coming from the internet.

Sslh can optionnaly perform libwrap checks for the sshd
service: because the connection to sshd will be coming
locally from sslh, sshd cannot determine the IP of the
client.

Comments? questions? sslh@rutschle.net

HISTORY

v1.5: 10DEC2008
        Fixed zombie generation.
        Added support scripts (), Makefile.
        Changed all 'connexions' to 'connections' to please
        pesky users. Damn users.

v1.4: 13JUL2008
	Added libwrap support for ssh service (Christian Weinberger)
        Only SSH is libwraped, not SSL.

v1.3: 14MAY2008
        Added parsing for local interface to listen on
        Changed default SSL connection to port 442 (443 doesn't make
        sense as a default as we're already listening on 443)
        Syslog incoming connections

v1.2: 12MAY2008
        Fixed compilation warning for AMD64 (Thx Daniel Lange)

v1.1: 21MAY2007
        Making sslhc more like a real daemon:
        * If $PIDFILE is defined, write first PID to it upon startup
        * Fork at startup (detach from terminal)
        (thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist)
        * Less memory usage (?)

v1.0: 
        * Basic functionality: privilege dropping, target hostnames and ports
        configurable.
v1.5: 10DEC2008 Fixed zombie generation. Added support scripts (), Makefile. Changed all 'connexions' to 'connections' to please pesky users. Damn users. 2013-07-10 17:09:40 -04:00			`sslh -- A ssl/ssh multiplexer.`

			`sslh lets one accept both HTTPS and SSH connections on the`
			`same port. It makes it possible to connect to an SSH server`
			`on port 443 (e.g. from inside a corporate firewall) while`
			`still serving HTTPS on that port.`


			`Compilation instructions:`

			`Solaris:`
			`cc -o sslh sslh.c -lresolv -lsocket -lnsl`

			`LynxOS:`
			`gcc -o tcproxy tcproxy.c -lnetinet`

			`Linux:`
			`cc -o sslh sslh.c -lnet`
			`or:`
			`cc -o sslh sslh.c`

			`To compile with libwrap support:`
			`cc -o sslh -DLIBWRAP sslh.c -lwrap`

			`To install:`

			`make`
			`cp sslh /usr/local/sbin`
			`cp scripts/etc.init.d.sslh /etc/init.d/sslh`
			`cp scripts/etc.default.sslh /etc/default/sslh`

			`You can edit settings in /etc/default/sslh:`

			`PIDFILE=/var/run/sslh.pid`
			`LISTEN=ifname:443`
			`SSH=localhost:22`
			`SSL=localhost:443`

			`A good scheme is to use the external name of the machine in`
			`$LISTEN, and bind httpd to localhost:443: that way, https`
			`connections coming from inside your network don't need to go`
			`through sslh, and sslh is only there as a frontal for`
			`connections coming from the internet.`

			`Sslh can optionnaly perform libwrap checks for the sshd`
			`service: because the connection to sshd will be coming`
			`locally from sslh, sshd cannot determine the IP of the`
			`client.`

			`Comments? questions? sslh@rutschle.net`

			`HISTORY`

			`v1.5: 10DEC2008`
			`Fixed zombie generation.`
			`Added support scripts (), Makefile.`
			`Changed all 'connexions' to 'connections' to please`
			`pesky users. Damn users.`

			`v1.4: 13JUL2008`
			`Added libwrap support for ssh service (Christian Weinberger)`
			`Only SSH is libwraped, not SSL.`

			`v1.3: 14MAY2008`
			`Added parsing for local interface to listen on`
			`Changed default SSL connection to port 442 (443 doesn't make`
			`sense as a default as we're already listening on 443)`
			`Syslog incoming connections`

			`v1.2: 12MAY2008`
			`Fixed compilation warning for AMD64 (Thx Daniel Lange)`

			`v1.1: 21MAY2007`
			`Making sslhc more like a real daemon:`
			`* If $PIDFILE is defined, write first PID to it upon startup`
			`* Fork at startup (detach from terminal)`
			`(thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist)`
			`* Less memory usage (?)`

			`v1.0:`
			`* Basic functionality: privilege dropping, target hostnames and ports`
			`configurable.`