[sslh] Restrictive squid proxy

Ruzsinszky Attila ruzsinszky.attila at gmail.com
Wed Aug 7 07:44:27 CEST 2013


Hi,

SSH over proxy is working. I can connect to any host if SSH is
running on the default TCP/22 port. Only 22!

Yesterday evening I tried to reconfigure my router.
sslh is listening to port 443 on wan interface.
(It was not too easy to configure it because my public IP is
dynamic, so I can't use 0.0.0.0:443. The init script is working
if I start it by hand. I haven't checked the situation if the router
restarts, and it doesn't work if my ISP changes the IP. I have
to use hotplug scripts. Temporarily I used the DNS name instead
of the IP address. I'm afraid of the boot process, when maybe there is
no DNS resolution yet.)

Router's GUI is listening to localhost:443 (HTTPS for sslh)
and lan:80 (HTTP) for internal usage.
It seems to be working. Configuration was not too easy because of
the IP:443 format parameters.

Now I'm going to test SSH.
SSH is more complicated. One dropbear is running on localhost:22
for sslh. Another one on lan:22 for internal usage, and the last one
is the original wan:<non-default-port> if something goes wrong.
(That was the original setup before sslh.)

If SSH works with sslh, my config is perfect for those two protocols.
I have to rewrite the init script and hotplugging of sslh for the dynamic
IP.
There is a problem with the PID file, whose permission is denied because
sslh drops the root privilege and /tmp/run (/var/run) under OpenWRT
is not writable by nobody. I solved it by changing the permission of /tmp
to 777, but I don't know if there is a security problem in any situation.

But what about reaching my NAS?
There are some very interesting ports for me:
- 22 (SSH) [configurable] for login
- 80 (HTTP) and 81 (HTTPS) [both configurable] are for admin page
- 8080 (HTTP) and 8081 (HTTPS) [both configurable] are for WEB service
- other ports for example OpenVPN, rsync, FTP, etc.

The most important for me: 22, 80 or 81 (the same page) and 8080 or 8081
(the same page for unencrypted or crypted format).

Can I use the configured sslh for that? I think not, because the SSH and
HTTPS protocols are configured. Am I right?

I've got two ports on the router from the Net (reaching from the proxy!):
- 80 and 22.

Do I have to set up a new sslh for port 80 and forward SSH and HTTPS
to my NAS's 22 and 443 ports? What can I do about the remaining 8080 and 8081
ports?

TIA,
Ruzsi

Ps: Is it normal behaviour that there are two sslh processes running
for the SSH and HTTPS protocols? One process per protocol?
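For readers following the setup described in the message above, here is an sslh configuration expressing it in sslh's own configuration-file format (the one loaded with `sslh -F <file>`), as an added example rather than anything from the original post or from the OpenWrt package. It assumes a placeholder WAN name for the `listen` host (the poster's public address is dynamic), that the TLS probe is named `ssl` as in sslh releases of that time (newer releases call it `tls`), and that the init script creates a dedicated PID directory owned by the unprivileged user before launching sslh, so the PID file can be written after privileges are dropped without widening permissions on a shared directory.

```conf
# Added example sslh configuration (libconfig syntax), not from the original post.
# Mirrors the described router setup: one sslh on wan:443 demultiplexing
# SSH and HTTPS to two local services.

foreground: false;   # run as a daemon; set true when debugging from a shell
numeric: false;
timeout: 2;          # seconds to wait for the client's first bytes before
                     # falling back to the last protocol in the list

# Drop root after binding port 443. Everything below this line runs as "nobody",
# so the PID file location must be writable by that user.
user: "nobody";
# ASSUMPTION: the init script does `mkdir -p /var/run/sslh && chown nobody /var/run/sslh`
# before starting sslh; a per-service directory avoids chmod 777 on /tmp or /var/run.
pidfile: "/var/run/sslh/sslh.pid";

# PLACEHOLDER: the poster's WAN address is dynamic; a resolvable name or the
# current address must be substituted here (this is what the hotplug script updates).
listen:
(
    { host: "wan.example.invalid"; port: "443"; }
);

# Probe order matters: SSH clients speak first, so the ssh probe matches quickly;
# "ssl" (TLS ClientHello) is matched by content. The last entry is also the
# fallback target when no probe matches within `timeout`.
protocols:
(
    { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; },
    { name: "ssl";                 host: "localhost"; port: "443"; }
);
```

With this layout the dropbear on localhost:22 and the router GUI on localhost:443 are the only targets sslh can reach, which keeps the sslh user's reach limited to what is deliberately exposed on port 443; forwarding further services to another host would be a separate `protocols` entry per probe type, and a second sslh instance would be needed only for a second listening port.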