[sslh] Apache and the right IP address?

Brom brom at ldkf.de
Sun Jul 20 11:14:05 CEST 2014


Hi,
Indeed I don't get the setsockopt error when I run as root, but as sslh 
I do. The binary has the right capabilities. I tried compiling with 
libcap, too. The error message was:
$ make
cc -Wall -g   -o sslh-fork sslh-fork.o common.o sslh-main.o probe.o  
-lconfig -lcap
/usr/bin/ld: cannot find -lcap
collect2: error: ld returned 1 exit status
make: *** [sslh-fork] error 1
I installed libpcap-dev with all its dependencies so that can't be the 
problem. That's why I removed it from the Makefile.

Brom

On 20.07.2014 09:49, Yves Rutschle wrote:
> [Please keep the list posted!]
>
> Hi Brom,
>
> On Sat, Jul 19, 2014 at 09:18:08PM +0200, Brom wrote:
> [...]
>> The last lines are repeating then. It looks like Apache is not
>> responding, but without the transparent proxy everything works and
>> directly connecting to port 4443 is also possible. (And yes, it's right
>> that OpenVPN listens on port 21, which is for FTP usually.)
>> Could it have something to do with fail2ban? In the configuration I changed
>> nothing because I use sslh primarily for OpenVPN and HTTPS and not for SSH
>> (although I activated it).
> I assume you still get 'setsockopt: Operation not permitted'
> that you mentioned in a previous e-mail.
>
> Check that your binary has the right capabilities:
>
> # getcap sslh-select
> sslh-select = cap_net_bind_service,cap_net_admin+ep
>
> And if that's right, you need to be running NOT as root, but
> as a normal user (the idea being that you start from the
> minimal rights, and you've given the binary the additional
> rights it needs using setcap(8)).
>
> It might be more straightforward to also compile with
> libcap, which works the other way around (run as root and
> drop all capabilities except those required) and is somewhat
> more intuitive...
>
> Y.
>
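
The thread turns on the difference between the capabilities set on the binary (what getcap shows) and the capabilities the running process actually holds. As an added example, not part of the original e-mails or of sslh, this C program decodes the CapEff mask from /proc/<pid>/status and reports whether cap_net_bind_service and cap_net_admin are effective; the function names and the sample status text are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit numbers from <linux/capability.h>. */
enum { NET_BIND_SERVICE_BIT = 10, NET_ADMIN_BIT = 12 };

/* Constructed sample: a process holding exactly those two capabilities. */
static const char SAMPLE_STATUS[] =
    "Name:\tsslh-select\n"
    "CapPrm:\t0000000000001400\n"
    "CapEff:\t0000000000001400\n";

/* Read the hex mask of `field` (e.g. "CapEff") from /proc/<pid>/status text.
 * Returns 0 on success, -1 if the field is missing or malformed. */
int cap_mask_from_status(const char *status, const char *field,
                         unsigned long long *mask)
{
    size_t flen = strlen(field);
    for (const char *line = status; line && *line; ) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            char *end;
            *mask = strtoull(line + flen + 1, &end, 16);
            return end == line + flen + 1 ? -1 : 0;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

int has_cap(unsigned long long mask, int bit) { return (int)((mask >> bit) & 1); }

int main(int argc, char **argv)
{
    char path[64], buf[8192] = "";
    unsigned long long eff = 0;
    const char *text = SAMPLE_STATUS;      /* no argument: decode the sample */
    if (argc > 1) {                        /* argument: a PID or "self" */
        snprintf(path, sizeof path, "/proc/%s/status", argv[1]);
        FILE *f = fopen(path, "r");
        if (!f) { perror(path); return 1; }
        buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
        fclose(f);
        text = buf;
    }
    if (cap_mask_from_status(text, "CapEff", &eff) != 0) return 1;
    printf("CapEff=%016llx net_bind_service=%d net_admin=%d\n", eff,
           has_cap(eff, NET_BIND_SERVICE_BIT), has_cap(eff, NET_ADMIN_BIT));
    return 0;
}
```

Run it with the PID of the running sslh process as the argument; a net_admin value of 0 there is consistent with the 'setsockopt: Operation not permitted' error discussed above.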
