[sslh] Using sslh transparent proxy on FreeBSD?

Matthias Fechner idefix at fechner.net
Thu Apr 14 09:56:07 UTC 2016


Dear all,

I tried to get the transparent proxy with FreeBSD working.
But as I do not know how the transparent proxy in sslh works, it is 
very hard to get a clue why it is not working.

I will describe what I did; maybe someone sees the problem:
The server is running with IP 192.168.0.251 (server.idefix.lan).

I tried only apache now.
Apache is configured to listen on 192.168.0.251:4443.
netstat -an | grep LISTEN | grep 443
tcp4       0      0 192.168.0.251.4443     *.*                    LISTEN

So Apache is listening correctly.
I tried to connect with:
telnet 192.168.0.251 4443
Trying 192.168.0.251...
Connected to server.idefix.lan.
Escape character is '^]'.
GET /index.html HTTP/1.1
host: server.idefix.lan

HTTP/1.1 400 Bad Request
Date: Thu, 14 Apr 2016 09:35:57 GMT
Server: Apache/2.4.18 (FreeBSD) OpenSSL/1.0.2g
Strict-Transport-Security: max-age=15768000; includeSubdomains; preload
Content-Length: 362
Connection: close
Content-Type: text/html; charset=iso-8859-1
...

So apache is really answering on this port. I think the apache 
configuration should be fine like it is.

I added a forward rule as described here:
https://github.com/yrutschle/sslh#transparent-proxy-support
ipfw list:
20000 fwd 192.168.0.251,443 log tcp from 192.168.0.251 8443 to any out

I started sslh with:
sslh-fork  --transparent -f -v -p 192.168.0.251:443 --ssl 192.168.0.251:4443

I access it now by using a browser with URI https://192.168.0.251/

sslh logs on the console:
accepted fd 4
**** writing deferred on fd -1
probing for ssl
connecting to server.idefix.lan:4443 family 2 len 16
forward to ssl failed:connect: Operation timed out
connect: Operation timed out

For some reason the forwarding to Apache does not seem to work.
Does anyone have a working setup for FreeBSD, or can anyone give me a tip about what is 
wrong here?

Thanks
Matthias

-- 

"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook


