[sslh] My transparent SSLH setup

Clément Parisot clement.parisot at gmail.com
Sat Sep 27 10:44:57 CEST 2014


Hello,

First I would like to thank all the contributors to this software, because it works great and it has been very useful to me. Thanks!

Now I read in the documentation (about transparent proxying):
> I don't think it is possible to have httpd listen to 443 in this scheme -- let me know if you manage that.
So I thought I should share my own setup, because I use a little trick that achieves that, and you might be interested.

I thought of that trick when I didn't want to make apache listen on port 4443 and modify every vhost so that they still work. Another reason was that I didn't like the iptables rule redirecting outgoing port 22 to sslh. If sslh broke, I would lose my ssh port? I could have used another port for SSH proxying but that makes a lot of ports.

The idea is that the next line will not work because 127.0.0.1 is bound to the lo interface (as stated in the documentation):

# sslh --listen 192.168.0.1:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443

But what if we use an address that is bound to another interface, like eth0? We can't use 192.168.0.1 for apache because 192.168.0.1:443 is used by sslh itself. What about adding another address to eth0? Yes, it's possible and very simple with the iproute2 tools. Let's use an address that is used nowhere else in the network. You could probably use an unused address in your network, like 192.168.0.250, but what I did was to assign an address of a completely different range:

# Add a new address to eth0
# ip addr add 172.16.0.1/32 dev eth0

# check that the new address is there
# ip addr show dev eth0

The sslh command line is now:
# sslh --listen 192.168.0.1:443 --ssh 172.16.0.1:22 --ssl 172.16.0.1:443

Do not forget to make Apache / OpenSSH listen on the new address! Now, by convention, all the traffic using that "virtual" address will be dedicated to sslh and transparent proxying.
It makes the iptables commands even simpler: only one rule instead of one per port previously, so we can add another software (OpenVPN? I haven't tested but it should work) without changing the iptables rules. Besides, we don't need to redirect outgoing port 22, so if sslh breaks the actual SSH on port 22 is still there.

# iptables -t mangle -N SSLH
# iptables -t mangle -A OUTPUT --source 172.16.0.1 --out-interface eth0 --jump SSLH
# iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
# iptables -t mangle -A SSLH --jump ACCEPT

The ip route / ip rule commands are unchanged.

That should be it!

To be honest, I haven't tested those exact commands, because my setup is a bit weirder (I don't use eth0 to add the IP but a dummy virtual interface that already existed for other reasons). I am also not sure of all the implications of having a virtual address of a different range bound to an interface on the LAN (but so far, with my firewall rules, I have seen no problem).

One of my concerns about transparent proxying was also that previously the whole thing seemed to be quite fragile (redirecting port 22, the routing rules must be set up correctly, etc.).
If you are interested, I can also share the Debian configuration bits that make the whole setup reboot-proof. With those, I am now fairly confident that sslh can be used on my VPS box. I think the worst that could happen in case of sslh failure is to lose the https Apache server, but SSH will still work on port 22.

Tell me if you have questions regarding this setup, or if you want to know more.

Regards,

Clément
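As an added example, not part of Clément's post or of the sslh project: the setup above as a small POSIX shell script that prints the commands in order and checks, against a constructed `ip -o addr show` sample, that the backend address is bound to a non-lo interface (the condition that makes the transparent backends work). It assumes the same addresses and eth0 as the post; the `ip rule` / `ip route` lines and the `--transparent` flag are taken from the sslh README.

```shell
#!/bin/sh
# Added example, not the poster's own script: generates the transparent-proxy
# pieces described above (extra /32 on eth0, sslh backends bound to it, one
# mangle rule) and checks that the backend address is not on lo.

LAN_ADDR=192.168.0.1     # address sslh listens on
VIRT_ADDR=172.16.0.1     # extra address that Apache and OpenSSH bind to
IFACE=eth0

# Constructed sample of `ip -o addr show` output (state after `ip addr add`),
# used instead of the live host so the check runs anywhere; replace with
# "$(ip -o addr show)" on the real box.
IP_ADDR_OUT='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
2: eth0    inet 172.16.0.1/32 scope global eth0'

# iface_of ADDR: print the interface ADDR is bound to (empty if not bound)
iface_of() {
    printf '%s\n' "$IP_ADDR_OUT" |
        awk -v a="$1" '$3 == "inet" && index($4, a "/") == 1 { print $2; exit }'
}

# backend_ok ADDR: true only if ADDR is bound and not on lo (127.0.0.1 fails)
backend_ok() {
    dev=$(iface_of "$1")
    [ -n "$dev" ] && [ "$dev" != lo ]
}

# setup_cmds: print the commands to run as root, in order
setup_cmds() {
    cat <<EOF
ip addr add $VIRT_ADDR/32 dev $IFACE
sslh --transparent --listen $LAN_ADDR:443 --ssh $VIRT_ADDR:22 --ssl $VIRT_ADDR:443
iptables -t mangle -N SSLH
iptables -t mangle -A OUTPUT --source $VIRT_ADDR --out-interface $IFACE --jump SSLH
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
iptables -t mangle -A SSLH --jump ACCEPT
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
EOF
}

setup_cmds                 # pipe into "sh" as root to apply
if backend_ok "$VIRT_ADDR"; then
    echo "ok: $VIRT_ADDR is bound to $(iface_of "$VIRT_ADDR"), not lo" >&2
else
    echo "warning: $VIRT_ADDR is not bound to a non-lo interface" >&2
fi
```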
