[sslh] Apache and the right IP address?

Yves Rutschle yves at naryves.com
Sun Jul 20 09:49:47 CEST 2014


[Please keep the list posted!]

Hi Brom,

On Sat, Jul 19, 2014 at 09:18:08PM +0200, Brom wrote:
[...]
> The last lines are repeating then. It looks like Apache is not
> responding, but without the transparent proxy everything works and
> directly connecting to port 4443 is also possible. (And yes, it's right
> that OpenVPN listens on port 21, which is for FTP usually.)
> Could it have sth. to do with fail2ban? In the configuration I changed
> nothing because I use sslh primarily for OpenVPN and HTTPS and not for SSH
> (although I activated it).

I assume you still get 'setsockopt: Operation not permitted'
that you mentioned in a previous e-mail.

Check that your binary has the right capabilities:

# getcap sslh-select
sslh-select = cap_net_bind_service,cap_net_admin+ep

And if that's right, you need to be running NOT as root, but
as a normal user (the idea being that you start from the
minimal rights, and you've given the binary the additional
rights it needs using setcap(8)).

It might be more straightforward to also compile with
libcap, which works the other way around (run as root and
drop all capabilities except those required) and is somewhat
more intuitive...

Y.
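As an added example (not from the thread, and not sslh's own tooling), a small POSIX sh helper that checks one line of getcap(8) output for the capability set Yves describes, namely cap_net_bind_service and cap_net_admin in both the effective and permitted sets. It accepts the older "file = caps+ep" spelling shown above and the newer "file caps=ep" spelling printed by recent libcap; the sample lines are constructed, and the check_sslh_binary wrapper assumes getcap is installed.

```shell
#!/bin/sh
# Verify that an sslh binary carries cap_net_bind_service and cap_net_admin
# with the effective (e) and permitted (p) flags, as in the getcap output
# quoted in the thread.  Runs without root; only parses text.

# caps_ok LINE : returns 0 if LINE (one line of getcap output) grants both
# required capabilities in the permitted and effective sets.
# Assumes a single capability clause, e.g. "cap_a,cap_b+ep" or "cap_a,cap_b=ep".
caps_ok() {
    caps_line=$1
    # strip the file name and an optional " = " separator, keep the clause
    caps_clause=$(printf '%s\n' "$caps_line" | sed -e 's/^[^ ]* *=* *//')
    # capability names before the '+'/'=' and the flag letters after it
    caps_list=$(printf '%s\n' "$caps_clause" | sed -e 's/[+=][a-z]*$//')
    caps_flags=$(printf '%s\n' "$caps_clause" | sed -n -e 's/^.*[+=]\([a-z]*\)$/\1/p')
    case ",$caps_list," in
        *,cap_net_bind_service,*) ;;
        *) return 1 ;;          # cannot bind port 443 unprivileged
    esac
    case ",$caps_list," in
        *,cap_net_admin,*) ;;
        *) return 1 ;;          # needed for the transparent-proxy socket options
    esac
    case "$caps_flags" in *e*) ;; *) return 1 ;; esac   # must be effective
    case "$caps_flags" in *p*) ;; *) return 1 ;; esac   # must be permitted
    return 0
}

# check_sslh_binary PATH : runs getcap on PATH and reports whether the file
# capabilities and the current user match the setup described above
# (capabilities on the file, process started as a normal user, not root).
check_sslh_binary() {
    sslh_bin=$1
    command -v getcap >/dev/null 2>&1 || { echo "getcap not found (libcap tools)" >&2; return 2; }
    getcap_out=$(getcap "$sslh_bin")
    if caps_ok "$getcap_out"; then
        echo "$sslh_bin: capability set OK"
    else
        echo "$sslh_bin: missing capabilities; expected cap_net_bind_service,cap_net_admin+ep" >&2
        return 1
    fi
    if [ "$(id -u)" -eq 0 ]; then
        echo "warning: running as root; start sslh as a normal user instead" >&2
    fi
}
```

Run `check_sslh_binary /path/to/sslh-select` as the user that will start sslh; a missing cap_net_admin or a clause ending in +p without e is the usual cause of 'setsockopt: Operation not permitted' when the capabilities look present at a glance.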
