[sslh] startup problem -- IPv6 and legacy listening sockets
Christian Schoenebeck
christian.schoenebeck at gmail.com
Thu Apr 9 22:02:39 CEST 2015
Hi Simon,
On 08.04.2015 at 17:24, Simon Iremonger wrote:
>> /usr/sbin/sslh -p 0.0.0.0:443 [...] works fine,
> NB: This means 'listen on all legacy IP addresses on port 443'.
>
>
>> same with /usr/sbin/sslh -p [::]:443 [...]
> NB: The behaviour of this depends on the configuration of the
> IPv6-stack and any 'options' on the socket-opening used by sslh.
>
> If "cat /proc/sys/net/ipv6/bindv6only" is showing '0' then
> (unless overridden by application requesting the socket using
> IPV6_V6ONLY socket option by the looks of things) -- the
> [::]:443 socket actually causes IPv6 AND legacy connections
> (on all IPv4 interfaces) to be 'listened for' in one go.
> In this 'mode' legacy connections appear to 'come from' IPv6
> address ::ffff:IP.v4.ad.dr -- IPv4 address embedded in
> IPv6-space, and these addresses typically appear in logs as shown.
>
> If "cat /proc/sys/net/ipv6/bindv6only" is '1' or the application
> uses the IPV6_V6ONLY flag, then the socket will only listen for
> IPv6 connections.
> In THIS case, you'd need a separate 0.0.0.0:443 socket to listen
> for legacy connections as well.
>
>
>
>> starting sslh with /usr/sbin/sslh -p [::]:443 -p 0.0.0.0:443 [...]
>> produces error: 0.0.0.0:https:bind: Address already in use
> See above for reason why this doesn't work (looks like bindv6only=0).
>
>
>> Thanks for support Christian
>
> Hope that helps,
>

Setting "net.ipv6.bindv6only=1" inside /etc/sysctl.conf,
followed by the sysctl -p command, fixes the problem.
I'm wondering why sslh is not setting IPV6_V6ONLY when opening the socket.
I have never run into this problem before with other services.

Thanks,
Christian

>
> --Simon
>
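
The bind conflict discussed in this thread, as an added example that is not part of the original e-mails and is not sslh code: the helper `try_dual_bind` (a hypothetical name) binds `[::]` on a kernel-chosen port with `IPV6_V6ONLY` set explicitly, then binds `0.0.0.0` on the same port. It assumes Linux socket semantics and returns -1 when the host has no usable IPv6 or IPv4 stack.

```c
/* Added example; try_dual_bind is a hypothetical helper, not sslh code. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind [::]:port with IPV6_V6ONLY set to `v6only`, then bind 0.0.0.0 on the
 * same port. Returns 0 if both binds succeed, the errno of the failed IPv4
 * bind otherwise, or -1 if the sockets could not be set up at all. */
int try_dual_bind(int v6only)
{
    int rc = -1;
    int s6 = socket(AF_INET6, SOCK_STREAM, 0);
    int s4 = socket(AF_INET, SOCK_STREAM, 0);
    /* Zeroed address is [::] / 0.0.0.0; port 0 lets the kernel pick a port. */
    struct sockaddr_in6 a6 = { .sin6_family = AF_INET6 };
    struct sockaddr_in a4 = { .sin_family = AF_INET };
    socklen_t len = sizeof(a6);

    if (s6 < 0 || s4 < 0)
        goto out;
    /* An explicit per-socket setting overrides net.ipv6.bindv6only. */
    if (setsockopt(s6, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof(v6only)) < 0)
        goto out;
    if (bind(s6, (struct sockaddr *)&a6, sizeof(a6)) < 0 ||
        getsockname(s6, (struct sockaddr *)&a6, &len) < 0)
        goto out;
    a4.sin_port = a6.sin6_port;   /* same port, already in network byte order */
    rc = bind(s4, (struct sockaddr *)&a4, sizeof(a4)) == 0 ? 0 : errno;
out:
    if (s6 >= 0)
        close(s6);
    if (s4 >= 0)
        close(s4);
    return rc;
}

int main(void)
{
    int shared = try_dual_bind(0), split = try_dual_bind(1);
    /* With IPV6_V6ONLY=0 the [::] socket also owns the IPv4 port. */
    printf("IPV6_V6ONLY=0 -> %d (EADDRINUSE is %d)\n", shared, EADDRINUSE);
    printf("IPV6_V6ONLY=1 -> %d (0 means both binds succeeded)\n", split);
    return 0;
}
```

A daemon that sets `IPV6_V6ONLY` itself before `bind()` listens on the same address families regardless of the host's `bindv6only` sysctl, which keeps per-family firewall and logging expectations predictable.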