[sslh] Restrictive squid proxy

Yves Rutschle yves at naryves.com
Wed Aug 7 08:25:57 CEST 2013


(please keep the discussion on the list!)

On Wed, Aug 07, 2013 at 07:44:27AM +0200, Ruzsinszky Attila wrote:
> SSH over proxy is working. I can connect any hosts if SSH is
> running on default TCP/22 port. Only 22!

Ok.

> Yesterday evening I tried to reconfigure my router.
> sslh is listening to port 443 on wan interface.
> (It was not too easy to configure it because my public IP is
> dynamic, so I can't use 0.0.0.0:443. The init script is working
> if I start it by hand. I haven't checked the situation if the router
> restarts, and it doesn't work if my ISP changes the IP. I have
> to use hotplug scripts. Temporarily I used the DNS name instead
> of the IP address. I'm afraid of the boot process when maybe no
> DNS resolves, yet.)

Ok, that's a separate issue: arguably if you specify sslh
--listen my_dns_name.example.com:443, sslh should change IP
addresses when/if that address changes (it doesn't, at the
moment, and I'm not sure it's possible). Alternatively, you
need to stop/restart it.

> If SSH works with sslh, my config is perfect for those two protocols.
> I have to rewrite the init script and hotplugging sslh for the dynamic
> IP.

Ok, so your issue is not with sharing ssh and https on 443,
it's accessing 80 and 8080?

> There is a problem with the PID file, whose permission is denied because
> sslh drops the root privilege and /tmp/run (/var/run) under OpenWRT
> is not writable by nobody. I solved it by changing the permission of /tmp
> to 777, but I don't know if there is a security problem in any situation.

That's probably not so good, it's better to pre-create the
PID file you'll use and chown it to nobody. (that said, sslh
opens the PID file before dropping privileges, so there is
something else going on here).

> But what about reaching my NAS?
> There are some very interesting ports for me:
> - 22 (SSH) [configurable] for login
> - 80 (HTTP) and 81 (HTTPS) [both configurable] are for admin page
> - 8080 (HTTP) and 8081 (HTTPS) [both configurable] are for WEB service
> - other ports for example OpenVPN, rsync, FTP, etc.
> 
> The most important for me: 22, 80 or 81 (the same page) and 8080 or 8081
> (the same page for unencrypted or crypted format).
> 
> Can I use the configured sslh for that? I think no, because the SSH and
> HTTPS protocols are configured. Am I right?
> 
> I've got two ports on the router from the Net (reaching from the proxy!):
> - 80 and 22.

You're talking about 443 at the beginning of this e-mail.

Right now I'm confused as to what is open, what works, and
what you're trying to achieve.

You should be able to forward SSH, HTTP, HTTPS like this:

sslh --listen my_wan:443 --ssh localhost:22 --http localhost:80 --ssl localhost:443

This may or may not work while listening on 80, depending on
how your proxy works. Most likely it won't work.

> Do I have to set up a new sslh for port 80 and forward SSH and HTTPS
> to my NAS's 22 and 443 ports? What can I do with the remaining 8080 and 8081
> ports?

For HTTP, it may be possible to do something like virtual
domains, and have sslh look at the URL and forward to
different ports based on the URL (using the regexp probe).
This sounds like fun.

> Ps: Is it normal behaviour that there are two sslh processes running
> for the SSH and HTTPS protocols? One process per protocol?

Yes, normal. One process per listening port, plus the
original process that runs them all. (that doesn't use any
resource beyond a PID).

Y.
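To illustrate how a demultiplexer like sslh picks a backend from the first bytes a client sends, and the URL-based routing with the regexp probe that the reply above suggests, here is an added Python model. It is not sslh's own code; the backend ports, hostnames and regexp rules are constructed for the example.

```python
import re

# Added example, not sslh's own code: a simplified model of how sslh decides
# where to forward a connection from the first bytes the client sends.
# Hostnames, ports and routing rules below are constructed.

# Backends for the three probes discussed in the thread.
BACKENDS = {
    "ssh": ("localhost", 22),    # sshd
    "ssl": ("localhost", 443),   # HTTPS
    "http": ("localhost", 80),   # admin page
}

# Hypothetical regexp probes, tried before the generic HTTP probe, that send
# web-service traffic to port 8080 based on the request path or Host header.
REGEX_ROUTES = [
    (re.compile(rb"^(GET|POST|HEAD) /webapp/"), ("localhost", 8080)),
    (re.compile(rb"^Host: web\.", re.M), ("localhost", 8080)),
]

HTTP_REQUEST = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def probe(first_bytes: bytes):
    """Return the (host, port) to forward to, or None if no probe matches."""
    if not first_bytes:
        # The client sent nothing before the probe timeout. sslh then forwards
        # to its --on-timeout target, which defaults to ssh, because some
        # clients wait for the server (sshd) to speak first.
        return BACKENDS["ssh"]
    # OpenSSH clients send their identification string without waiting.
    if first_bytes.startswith(b"SSH-"):
        return BACKENDS["ssh"]
    # A TLS ClientHello is a handshake record: type 0x16, major version 3.
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return BACKENDS["ssl"]
    # URL/host-based routing for plain HTTP, most specific rules first.
    for pattern, target in REGEX_ROUTES:
        if pattern.search(first_bytes):
            return target
    if HTTP_REQUEST.match(first_bytes):
        return BACKENDS["http"]
    return None
```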
