[sslh] Many processes

Aaron Madlon-Kay aaron at madlon-kay.com
Wed Feb 8 10:07:18 CET 2012


Maurice,

You could be right about the error; I've never bothered looking
because everything works correctly. Perhaps sslh snags the port first,
then apache is smart enough to only take localhost:443, which is where
sslh forwards? Either way, my setup is working with the setup I
described, and without any zombie processes.

-Aaron


2012/2/8 Maurice Commandeur <maurice at nieuwerbrug.org>:
> Aaron,
>
> Your setup could be working due to the fact that your sslh is started before apache is started.
> Have a good look at your log files, there should be some error with "port already in use".
> It is not possible to have two separate processes listening on one TCP port.
>
> I'll try to rework the setup and do some tracing of the process today, I hope...
>
> Maurice.
>
> On 8 Feb 2012 at 02:48, Aaron Madlon-Kay <aaron at madlon-kay.com> wrote:
>
>> Hi Maurice.
>>
>> I wonder if the multiple IPs could be the problem. I have mine set up like this:
>>
>> 1. Server has a single internal IP, 192.168.1.100.
>>
>> 2. Router forwards requests from external IP's port 443 to 192.168.1.100:443.
>>
>> 3. apache listens on 443. ssh listens on 22.
>>
>> 4. sslh listens on 0.0.0.0:443, which you would think would conflict
>> with apache, but somehow it all works out.
>>
>> -Aaron
>>
>>
>> 2012/2/7 Maurice Commandeur <maurice at nieuwerbrug.org>:
>>> Hi Yves,
>>>
>>> It's just a simple home setup.
>>>
>>> internet -> router -> server
>>> All NAT and port forwarding stuff.
>>>
>>> The only thing that I can imagine is that my server has 2 IPs on the en0 interface
>>>
>>> server:~ $ ifconfig en0
>>> en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>>        options=2b<RXCSUM,TXCSUM,VLAN_HWTAGGING,TSO4>
>>>        ether c4:2c:03:0b:20:af
>>>        inet6 fe80::c62c:3ff:fe0b:20af%en0 prefixlen 64 scopeid 0x4
>>>        inet 192.168.0.75 netmask 0xffffff00 broadcast 192.168.0.255
>>>        inet 192.168.0.73 netmask 0xffffff00 broadcast 192.168.0.255
>>>        media: autoselect (1000baseT <full-duplex,flow-control>)
>>>        status: active
>>>
>>> The 192.168.0.73 is the IP with apache running on port 443.
>>> The 192.168.0.75 is the IP where sslh runs on port 443.
>>> My router forwards IPs from the internet to port 443 on 192.168.0.75.
>>> Then sslh decides where to do what.
>>> Apache is specifically configured to not use *:443 but only 192.168.0.73 and 127.0.0.1.
>>>
>>> I'll try to rebuild it… so that my router sends all traffic coming from the internet to 192.168.0.73:4443,
>>> sslh listening on 192.168.0.73:4443, and configure sslh to use port 443 and 22.
>>> Then I can disable the 192.168.0.75 IP number.
>>>
>>> Maurice
>>>
>>> On 7 Feb 2012, at 07:04, Yves Rutschle wrote:
>>>
>>>> On Sat, Feb 04, 2012 at 10:56:27PM +0100, Maurice Commandeur wrote:
>>>>> ## now adding a https session via sslh
>>>>>
>>>>> $ ps -ef | grep [s]slh
>>>>>   -2 88079     1   0 10:36PM ??         0:00.00 /opt/local/sbin/sslh -f -v -u nobody -p 192.168.20.75 443 --ssh localhost 22
>>>>>   -2 88080 88079   0 10:36PM ??         0:00.00 /opt/local/sbin/sslh -f -v -u nobody -p 192.168.20.75 443 --ssh localhost 22
>>>>>   -2 88122 88080   0 10:41PM ??         0:00.03 /opt/local/sbin/sslh -f -v -u nobody -p 192.168.20.75 443 --ssh localhost 22
>>>>>   -2 88146 88080   0 10:42PM ??         0:00.00 (sslh)
>>>>>   -2 88152 88080   0 10:42PM ??         0:00.00 (sslh)
>>>> [...]
>>>>> It seems that the https session is the felon...
>>>>
>>>> This is a little strange, since sslh makes no difference between
>>>> https and ssh once the connection is initiated.
>>>>
>>>> Do you get https connections through another type of proxy?
>>>>
>>>> Y.
>>>
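The two things this thread argues about, whether a second listener on an already-bound port is refused, and whether the extra sslh entries are zombies, can both be checked locally. The script below is an added example, not code from the thread or from the sslh project. It assumes nothing about sslh itself: it binds a throwaway listener on a loopback port and then tries a second bind on the exact same address to reproduce the "address already in use" refusal, and it parses a constructed `ps -eo pid,ppid,stat,comm` listing (sample data, not the PIDs from the thread) to find processes in state `Z` and the parent that has not reaped them. Whether a wildcard bind (`0.0.0.0:443`) and a specific-address bind (`192.168.1.100:443`) can coexist depends on the OS and on `SO_REUSEADDR`, which is why the check deliberately uses the same exact address to get a deterministic result.

```python
"""Added example (not from the sslh list thread): two defender-side checks
for the situation discussed above.

 1. bind_conflict(): reproduce the "port already in use" condition by
    binding a second TCP socket to an address:port that already has a
    listener.
 2. find_zombies(): pick zombie processes (STAT beginning with 'Z') out of
    `ps -eo pid,ppid,stat,comm` output and group them by parent PID, so the
    parent that is failing to wait() for its children can be identified.

All sample data is constructed for this example.
"""
import errno
import socket
from collections import defaultdict

# Constructed sample output of `ps -eo pid,ppid,stat,comm`; the PIDs and
# process names are made up and are not the ones from the thread.
SAMPLE_PS = """\
  PID  PPID STAT COMM
    1     0 Ss   init
 5001     1 S    sslh
 5002  5001 S    sslh
 5010  5002 Z    sslh
 5011  5002 Z    sslh
 5020     1 S    httpd
"""


def bind_conflict(host="127.0.0.1"):
    """Bind a listener on a kernel-chosen port, then try to bind a second
    socket to the same host:port without SO_REUSEADDR.

    Returns (port, refused) where refused is True when the second bind failed
    with EADDRINUSE, i.e. the kernel enforced the one-listener-per-address
    rule the thread talks about.
    """
    first = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        first.bind((host, 0))          # port 0: kernel picks a free port
        first.listen(1)
        port = first.getsockname()[1]
        try:
            second.bind((host, port))  # exact same address as the listener
            return port, False         # would mean the second bind succeeded
        except OSError as e:
            return port, e.errno == errno.EADDRINUSE
    finally:
        first.close()
        second.close()


def find_zombies(ps_text):
    """Parse `ps -eo pid,ppid,stat,comm` output and return {ppid: [pid, ...]}
    for every process whose STAT starts with 'Z'.

    A zombie has already exited; the entry lingers only until its parent
    calls wait(). A parent whose list here keeps growing is the process
    that needs fixing, not the zombies themselves.
    """
    zombies = defaultdict(list)
    for line in ps_text.strip().splitlines()[1:]:   # skip the header row
        fields = line.split(None, 3)                 # COMM may contain spaces
        if len(fields) < 4:
            continue
        pid, ppid, stat, _comm = fields
        if stat.startswith("Z"):
            zombies[int(ppid)].append(int(pid))
    return dict(zombies)


if __name__ == "__main__":
    port, refused = bind_conflict()
    print(f"second bind on 127.0.0.1:{port} refused with EADDRINUSE: {refused}")
    for ppid, pids in find_zombies(SAMPLE_PS).items():
        print(f"parent {ppid} has unreaped children: {pids}")
```

On a real host, replace `SAMPLE_PS` with the output of `ps -eo pid,ppid,stat,comm`; the `(sslh)` entries in the listing quoted above would show up with a `Z` in the STAT column if they are zombies, and their PPID tells you which sslh process is not collecting them.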