[sslh] Using sslh transparent proxy on FreeBSD?
Matthias Fechner
idefix at fechner.net
Thu Apr 14 14:53:00 UTC 2016
On 14.04.2016 at 12:42, Matt Smith wrote:
> On Apr 14 11:36, Matt Smith wrote:
>> My setup is that I have nginx listening on port 444, and sslh
>> forwarding to port 444 for tls/ssl. My ipfw rules are as follows:
>>
>> ipfw add 00020 fwd 10.0.0.10,4444 tcp from 'table(2)' to 10.0.0.10 443
>> in via re0
>> ipfw add 00021 fwd 10.0.0.10,4444 tcp from 10.0.0.10 422,444 to
>> 'table(2)' out via re0
>
> I should also mention that sslh is listening on port 4444 and openssh is
> listening on port 422. Just to make the above ruleset a lot clearer.
Matt, thanks for your answers.
I have it running now with ipfw. I posted my config; hopefully it will
help someone else.
For /usr/local/etc/sslh.conf I have now:
# This is a basic configuration file that should provide
# sensible values for "standard" setup.
verbose: false;
foreground: false;
inetd: false;
numeric: false;
transparent: true;
timeout: 2;
user: "root";
pidfile: "/var/run/sslh.pid";
# Change hostname with your external address name.
listen:
(
{ host: "192.168.0.251"; port: "443"; },
{ host: "192.168.1.2"; port: "443"; },
{ host: "192.168.200.6"; port: "443"; }
);
protocols:
(
  { name: "ssh"; service: "ssh"; host: "192.168.200.6"; port: "22"; probe: "builtin"; },
  { name: "openvpn"; host: "192.168.200.6"; port: "1194"; probe: "builtin"; },
  { name: "xmpp"; host: "192.168.200.6"; port: "5222"; probe: "builtin"; },
  { name: "http"; host: "192.168.200.6"; port: "80"; probe: "builtin"; },
  { name: "ssl"; host: "192.168.200.6"; port: "8443"; probe: "builtin"; },
  { name: "anyprot"; host: "192.168.200.6"; port: "8443"; probe: "builtin"; }
);
All services listen on the standard ports, except apache.
As port 443 (https) is already occupied by sslh I bound apache to port
8443 and localhost:443 (required for monitoring setup).
I added the following rules for ipfw:
# ssl
ipfw add 20000 fwd 192.168.0.251,443 log tcp from 192.168.0.251 8443 to any out
ipfw add 20001 fwd 192.168.200.6,443 log tcp from 192.168.200.6 8443 to any out
# ssh
ipfw add 20002 fwd 192.168.200.6,443 log tcp from 192.168.200.6 22 to any out
I have not configured the other protocols, as I currently need https and
ssh. But the lines should be the same.
I will check next if I can port it completely to pf, as my complete
setup is based on pf and I now use ipfw only for transparent proxy
support for sslh.
Thanks
Matthias
--
"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook
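The post pairs every sslh backend with an ipfw "fwd" rule because, in transparent mode, sslh opens the backend connection with the real client's source address, so the backend's replies would leave the host directly unless the firewall diverts them back through sslh. The script below is an added example, not code from the post or from the sslh project: it parses a protocols block in the shape shown above, deduplicates backends that share a host and port (ssl and anyprot both point at 8443), emits one return-path rule per backend in the same form as the rules in the post, and refuses a backend whose port equals the sslh listen port on the same host, since such a rule would forward sslh's own traffic back into itself. The rule numbering, the "log" keyword and the sample protocols text are assumptions taken from the post, not requirements of sslh or ipfw.

```python
"""Derive ipfw return-path rules for sslh transparent mode (added example)."""
from collections import OrderedDict
import re

SSLH_LISTEN_PORT = 443  # the port sslh itself answers on (from the post)
FIRST_RULE = 20000      # numbering chosen to match the post's rules (assumption)

# Constructed sample: a protocols block in the shape used in the post.
SAMPLE_PROTOCOLS = '''
protocols:
(
  { name: "ssh"; service: "ssh"; host: "192.168.200.6"; port: "22"; probe: "builtin"; },
  { name: "openvpn"; host: "192.168.200.6"; port: "1194"; probe: "builtin"; },
  { name: "ssl"; host: "192.168.200.6"; port: "8443"; probe: "builtin"; },
  { name: "anyprot"; host: "192.168.200.6"; port: "8443"; probe: "builtin"; }
);
'''

_ENTRY = re.compile(r'\{([^}]*)\}')            # one { ... } entry per protocol
_FIELD = re.compile(r'(\w+)\s*:\s*"([^"]*)"')  # key: "value" pairs inside an entry


def parse_backends(text):
    """Return unique (name, host, port) tuples from a protocols block, in order.

    Two entries with the same host and port (ssl and anyprot above) need only
    one return-path rule, so the first name seen wins.
    """
    seen = OrderedDict()
    for entry in _ENTRY.finditer(text):
        fields = dict(_FIELD.findall(entry.group(1)))
        key = (fields["host"], int(fields["port"]))
        seen.setdefault(key, fields["name"])
    return [(name, host, port) for (host, port), name in seen.items()]


def ipfw_return_rules(backends, listen_port=SSLH_LISTEN_PORT, first_rule=FIRST_RULE):
    """Emit one ipfw fwd rule per backend, diverting its replies back into sslh.

    A backend on the sslh listen port itself would make the rule capture
    sslh's own outbound replies, so that configuration is rejected.
    """
    rules = []
    for i, (name, host, port) in enumerate(backends):
        if port == listen_port:
            raise ValueError(
                f"backend {name} on {host}:{port} collides with the sslh listen port")
        rules.append(
            f"ipfw add {first_rule + i} fwd {host},{listen_port} log tcp "
            f"from {host} {port} to any out")
    return rules


if __name__ == "__main__":
    for rule in ipfw_return_rules(parse_backends(SAMPLE_PROTOCOLS)):
        print(rule)
```

Run it against your own sslh.conf protocols block to get the rule list to paste into the ipfw script; if sslh also listens on additional addresses, as in the post's rule 20000 for 192.168.0.251, add the same rule with that address substituted for the backend host.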