[sslh] transparent proxy

Yves Rutschle yves at naryves.com
Thu Feb 7 07:35:18 CET 2013


On Wed, Feb 06, 2013 at 08:47:45AM -0500, MrDiga wrote:
> That'd be great if you can publish the patch.  Does this mean iptables
> would have to be introduced to the mix including the patch?

Yes. Patch attached.

Basically, what the patch does is bind the local side
of the connection to an outside IP, so that the usual:


<IP1> -------> sslh <127.0.0.1> -------> <127.0.0.1> apache

turns to:

<IP1> -------> sslh <IP1> ---------> <127.0.0.1> apache

sslh needs to be root for that (otherwise Linux won't let
the process bind to an IP that's not on that machine).

Also, the patch is a bit chatty and only works for
sslh-fork. I'll port it for sslh-select if it's confirmed it
works.

So, you need iptables rules in there, probably to redirect
traffic from apache to sslh instead of IP1. There are a
number of pages that talk about transparent proxying, but I
didn't get it to work myself...


> I believe sshttp (https://github.com/stealth/sshttp) gets this done via
> iptables similarly but was hoping it can be avoided somehow.

I'm afraid that's not possible...

Let me know if and how you get this to work!

Cheers,
Y.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: transparent.patch
Type: text/x-diff
Size: 2889 bytes
Desc: not available
URL: <http://rutschle.net/pipermail/sslh/attachments/20130207/c9850973/attachment.patch>
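As an added illustration, not part of the message above and not code from the sslh patch it refers to: the kernel check Yves mentions is what makes bind() on an address that is not configured on the host fail with EADDRNOTAVAIL, and the usual way past it on Linux is the IP_TRANSPARENT socket option, which the kernel only grants to a process holding CAP_NET_ADMIN (root, in practice). The C helper below, written for this page with hypothetical names (bind_local_as, try_bind_result), opens a TCP socket bound to a chosen source address, with or without IP_TRANSPARENT, and returns 0 or -errno so the two cases can be compared side by side. The address 192.0.2.1 (TEST-NET-1) is a constructed stand-in for the client IP1 in the diagram.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* glibc exports IP_TRANSPARENT from <netinet/in.h>; older headers may not. */
#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19
#endif

/*
 * Open a TCP socket whose local (source) side is src_ip:src_port.
 * With transparent != 0 the socket is marked IP_TRANSPARENT first, which
 * is what lets bind() accept an address not configured on this host; the
 * kernel requires CAP_NET_ADMIN for that option, hence the need to run as
 * root.  Returns the socket fd on success, or -errno on failure.
 * (Example code written for this page, not sslh's own.)
 */
static int bind_local_as(const char *src_ip, uint16_t src_port, int transparent)
{
    struct sockaddr_in sa;
    int fd, one = 1;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;

    if (transparent &&
        setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0) {
        int e = errno;          /* EPERM without CAP_NET_ADMIN */
        close(fd);
        return -e;
    }

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(src_port);
    if (inet_pton(AF_INET, src_ip, &sa.sin_addr) != 1) {
        close(fd);
        return -EINVAL;
    }

    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int e = errno;          /* EADDRNOTAVAIL for a foreign address */
        close(fd);
        return -e;
    }
    return fd;
}

/* Convenience wrapper: 0 if the bind worked (socket closed again), else -errno. */
static int try_bind_result(const char *src_ip, int transparent)
{
    int fd = bind_local_as(src_ip, 0, transparent);
    if (fd < 0)
        return fd;
    close(fd);
    return 0;
}

int main(void)
{
    /* 192.0.2.1 is TEST-NET-1: certainly not an address of this host, so it
       stands in for the remote client IP1 of the diagram (constructed value). */
    const char *client_ip = "192.0.2.1";
    int r;

    r = try_bind_result("127.0.0.1", 0);
    printf("bind 127.0.0.1 plain       : %s\n", r ? strerror(-r) : "ok");
    r = try_bind_result(client_ip, 0);
    printf("bind %s plain       : %s\n", client_ip, r ? strerror(-r) : "ok");
    r = try_bind_result(client_ip, 1);
    printf("bind %s transparent: %s\n", client_ip, r ? strerror(-r) : "ok");
    return 0;
}
```

Run as an unprivileged user, binding to 127.0.0.1 succeeds, binding to 192.0.2.1 fails with EADDRNOTAVAIL, and the IP_TRANSPARENT variant fails at setsockopt with EPERM; run as root the last case succeeds, and the resulting socket can then be connect()ed to 127.0.0.1:80 so that apache sees IP1 as its peer. Binding is only half the job: apache's replies are addressed to IP1, so the host has to be told to hand them back to sslh rather than route them out. The standard Linux recipe for that, stated here as an assumption rather than something the message confirms, is policy routing: mark packets coming from 127.0.0.1 port 80 with an fwmark, add an ip rule that sends marked packets to a dedicated table, and give that table a single `local 0.0.0.0/0 dev lo` route. That routing side is the part the message says was not got working.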

