[sslh] Using sslh transparent proxy on FreeBSD?
Matt Smith
sslh at xtaz.co.uk
Thu Apr 14 10:36:37 UTC 2016
On Apr 14 11:56, Matthias Fechner wrote:
>Apache is configured to listen on 192.168.0.251:4443.
>netstat -an | grep LISTEN | grep 443
>tcp4 0 0 192.168.0.251.4443 *.* LISTEN
So here you are listening on port 4443.
>ipfw list:
>20000 fwd 192.168.0.251,443 log tcp from 192.168.0.251 8443 to any out
So here you are forwarding to port 8443.
>I started sslh with:
>sslh-fork --transparent -f -v -p 192.168.0.251:443 --ssl 192.168.0.251:4443
And here you are forwarding to port 4443.
It therefore looks like you are using the wrong port, and also don't
have a return rule set up for ipfw.
My setup is that I have nginx listening on port 444, and sslh forwarding
to port 444 for tls/ssl. My ipfw rules are as follows:
ipfw add 00020 fwd 10.0.0.10,4444 tcp from 'table(2)' to 10.0.0.10 443 in via re0
ipfw add 00021 fwd 10.0.0.10,4444 tcp from 10.0.0.10 422,444 to 'table(2)' out via re0
This is set up so that any source IP address that is found in table 2 is
transparently forwarded to nginx, and return traffic that is sent back to
any IP found in table 2 is rerouted back to sslh. In my case nginx/sslh
is running on 10.0.0.10 which is on the re0 interface.
You could change the table 2 to just say any and then all traffic will
go via sslh but I didn't want that. I wanted most connections to go
directly to nginx, and only a whitelist that I select to go to sslh.
--
Matt
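As an added example that is not part of the original thread: a small sh script that builds the inbound and return ipfw rules for a setup like the one Matt describes, and checks that the fwd port, the port sslh listens on and the backend ports actually line up, which is the kind of mismatch (fwd to 8443, --ssl pointing at 4443) the thread is about. The host, interface and port numbers are assumed sample values.

```shell
#!/bin/sh
# Added example, not the sslh project's code. Generates the ipfw rule pair
# for an sslh --transparent setup and sanity-checks the ports.
# HOST, IFACE and all ports below are assumed sample values.

HOST=10.0.0.10          # address sslh and the backends bind to
IFACE=re0               # interface the client traffic arrives on
PUBLIC_PORT=443         # port clients connect to
SSLH_PORT=4444          # port sslh listens on (what the inbound fwd targets)
BACKEND_PORTS=422,444   # ssh and tls backend ports sslh forwards to

# Inbound: traffic from $1 (e.g. any or 'table(2)') to 443 is redirected to sslh.
inbound_rule() {
    printf 'ipfw add 00020 fwd %s,%s tcp from %s to %s %s in via %s\n' \
        "$HOST" "$SSLH_PORT" "$1" "$HOST" "$PUBLIC_PORT" "$IFACE"
}

# Return path: sslh --transparent connects to the backend with the real client
# address as source, so backend replies leave addressed to the client and must
# be steered back to sslh instead of going straight out of $IFACE.
return_rule() {
    printf 'ipfw add 00021 fwd %s,%s tcp from %s %s to %s out via %s\n' \
        "$HOST" "$SSLH_PORT" "$HOST" "$BACKEND_PORTS" "$1" "$IFACE"
}

# check_ports FWD_PORT LISTEN_PORT SSL_PORT RETURN_PORTS
# FWD_PORT: target port of the inbound fwd; LISTEN_PORT: sslh -p port;
# SSL_PORT: port of the sslh --ssl target; RETURN_PORTS: source ports in the
# return rule. Returns 1 on the first inconsistency found.
check_ports() {
    [ "$1" = "$2" ] || { echo "inbound fwd targets $1 but sslh listens on $2" >&2; return 1; }
    case ",$4," in
        *,"$3",*) ;;
        *) echo "return rule ports '$4' do not include backend port $3" >&2; return 1 ;;
    esac
    return 0
}

inbound_rule "'table(2)'"
return_rule "'table(2)'"
check_ports 4444 4444 444 422,444 && echo "ports consistent"
# Constructed sample matching the thread: return rule on 8443, --ssl on 4443.
check_ports 443 443 4443 8443 || echo "mismatch detected"
```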