[sslh] sslh on Mac OS X

Yves Rutschle yves at naryves.com
Thu Mar 10 19:07:36 CET 2011


Hi Aaron,

Sorry I haven't replied to your previous message yet --
thanks for the feedback, I'll add your information in a
README.

On Fri, Mar 11, 2011 at 12:21:48AM +0900, Aaron Madlon-Kay wrote:
> sslh-fork -f -v -u nobody -p 0.0.0.0:443 -s localhost:22 -l localhost:443
                               ^^^^^^^
This is suspicious, you're asking sslh to listen to all
addresses on 443.

> (Apache and sshd are set to listen on the default settings, e.g. all addresses on 443 and 22 respectively.)

You can't have Apache AND sslh listen to all addresses on
443: sslh must have bound the port (otherwise it wouldn't
start) so I'll surmise that Apache started and didn't bind
443, so when sslh forwards to localhost:443 it all goes
pear-shaped.
 
Try to use your network interface address instead, e.g.:
sslh-fork -f -v -u nobody -p 192.168.0.123:443 -s localhost:22 -l localhost:443

(assuming your network interface is 192.168.0.123).

Also make sure that localhost resolves to 127.0.0.1, which
is what it should, but who knows what Apple decided it
should be ;)  :

$ dig localhost
[...]
localhost.              10800   IN      A       127.0.0.1


And then make sure that Apache listens only on localhost and
not on your external address as well (192.168.0.123 in my
example):
# netstat -lpnt | grep apache
tcp        0      0 127.0.0.1:80            0.0.0.0:* LISTEN      3696/apache2    
tcp        0      0 192.168.0.250:80        0.0.0.0:* LISTEN      3696/apache2    
tcp        0      0 127.0.0.1:443           0.0.0.0:* LISTEN      3696/apache2    

=> my Apache listens on localhost 80 and 443, and external
address on 80. (note in Linux you need to be root for this
command to work -- I don't know about OS X).


> Is there any hope of this working on OS X? If anyone can give me some pointers I would very much appreciate it.

There are FreeBSD people who use it, and I believe OS X is
based on FreeBSD, so there is no reason it shouldn't work.
Which is not to say it won't need some ironing to adapt to
the local quirks...

Y.
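The conflict diagnosed above (sslh bound to 0.0.0.0:443 while Apache is meant to own 127.0.0.1:443) can be checked mechanically before starting the daemon. The following is an added example, not code from this thread or from the sslh project: it parses the Linux `netstat -lpnt` layout shown in the mail and reports which existing listeners would collide with a planned listen address. The sample listing is constructed from the output quoted in the message; the rule that a wildcard (0.0.0.0 or ::) on a port collides with every other listener on that port is the point the mail makes.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample input: the `netstat -lpnt` LISTEN rows quoted in the email.
NETSTAT_SAMPLE = """\
tcp        0      0 127.0.0.1:80            0.0.0.0:* LISTEN      3696/apache2
tcp        0      0 192.168.0.250:80        0.0.0.0:* LISTEN      3696/apache2
tcp        0      0 127.0.0.1:443           0.0.0.0:* LISTEN      3696/apache2
"""


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" / "tcp6"
    addr: str    # local address as printed by netstat
    port: int
    owner: str   # "pid/program" column, or "-" when netstat could not read it


def parse_netstat(text):
    """Parse the LISTEN rows of a Linux `netstat -lpnt` listing (assumed layout:
    Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[5] != "LISTEN":
            continue  # header lines, non-listening sockets, blank lines
        # rpartition copes with IPv6 locals such as "::1:443"
        addr, _, port = parts[3].rpartition(":")
        owner = parts[6] if len(parts) > 6 else "-"
        rows.append(Listener(parts[0], addr, int(port), owner))
    return rows


def is_wildcard(addr):
    return addr in ("0.0.0.0", "::", "*")


def addresses_collide(a, b):
    """Two TCP listeners on the same port collide when either side is a wildcard
    (it claims every interface) or both name the same concrete address.
    "::" is treated as covering IPv4 too, which is the Linux default (IPV6_V6ONLY off)."""
    if is_wildcard(a) or is_wildcard(b):
        return True
    try:
        return ip_address(a) == ip_address(b)
    except ValueError:
        return a == b  # non-numeric oddities: fall back to string equality


def find_conflicts(planned_addr, planned_port, listeners):
    """Return the existing listeners that would stop `planned_addr:planned_port`
    from binding (or that the planned bind would shadow)."""
    return [l for l in listeners
            if l.port == planned_port and addresses_collide(planned_addr, l.addr)]


def report(planned_addr, planned_port, listeners):
    hits = find_conflicts(planned_addr, planned_port, listeners)
    if not hits:
        return f"{planned_addr}:{planned_port} is free"
    owners = ", ".join(f"{l.addr}:{l.port} ({l.owner})" for l in hits)
    return f"{planned_addr}:{planned_port} collides with {owners}"


if __name__ == "__main__":
    listeners = parse_netstat(NETSTAT_SAMPLE)
    # The two sslh -p settings discussed in the mail, against the sample listing.
    print(report("0.0.0.0", 443, listeners))        # collides with Apache on 127.0.0.1:443
    print(report("192.168.0.123", 443, listeners))  # free: Apache only holds loopback 443
```

Run it against real output with `netstat -lpnt | python3 check.py` adapted to read stdin; on OS X the columns differ (`netstat -an` has no PID column, `lsof -nP -iTCP -sTCP:LISTEN` is the usual substitute), so the parser would need its field positions adjusted there.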


