[sslh] Making Transparent Proxy work without iptables

Yves Rutschle yves at rutschle.net
Mon Apr 23 18:29:46 UTC 2018


On Mon, Apr 23, 2018 at 03:50:37PM +0100, Sean Warner wrote:
> Hello,

[...] thanks for the very detailed report!

> # nano /etc/sslh/sslh.cfg
>
> verbose: false;
[...]
> user: "sslh";

 
> I am using a binary that I compiled from sources and enabled USELIBCAP so
> sslh runs as the unprivileged user: sslh but magically gives itself the
> cap_net_admin capability for transparent proxy support. That's another thing
> I don't really understand but at least it works!
 
There are 2 ways capabilities might work:

sslh starts as user root, then changes to user 'sslh' as
specified in your sslh.cfg, but retains cap_net_admin if it
needs it for transparent proxying.

sslh starts as another user, but then doesn't try to change
user, nor to drop capabilities (it wouldn't be allowed). You
can then give the executable the right capabilities
(cap_net_admin and cap_net_bind_service so it can bind to a
privileged port) using the setcap(8) command.


My guess is you're using the first possibility. Changing
verbose to true in sslh.cfg might help show what's happening
(you'll get a notification if sslh changes its user, and
it'll print capabilities).

Cheers,
Y.
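Added example, not part of this thread or of the sslh project: a small POSIX shell check that decodes the CapEff mask of the running sslh process from /proc and the file capabilities reported by getcap, and reports which of the two modes above is in use (started as root and dropped to the sslh user while keeping cap_net_admin, or file capabilities applied with setcap). Function names, the constructed /proc/PID/status sample and the "live" argument are assumptions of this example; the bit numbers 10 and 12 are the CAP_NET_BIND_SERVICE and CAP_NET_ADMIN values from linux/capability.h, and the live check assumes Linux with pgrep, getcap and GNU stat available.

```shell
#!/bin/sh
# Added example (not sslh project code): decode a process's effective
# capability mask and tell apart the two capability modes.
CAP_NET_BIND_SERVICE=10   # bit numbers from <linux/capability.h>
CAP_NET_ADMIN=12

# has_cap MASK BIT -> true if bit BIT is set in the hex mask MASK
has_cap() { [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]; }

# describe_caps MASK -> "net_admin=yes|no bind_service=yes|no"
describe_caps() {
    admin=no; bind=no
    has_cap "$1" "$CAP_NET_ADMIN" && admin=yes
    has_cap "$1" "$CAP_NET_BIND_SERVICE" && bind=yes
    printf 'net_admin=%s bind_service=%s\n' "$admin" "$bind"
}

# capeff_of_status < /proc/PID/status -> the CapEff hex mask
capeff_of_status() { awk '/^CapEff:/ { print $2 }'; }

# classify_mode USER CAPEFF GETCAP_OUTPUT -> setcap | root | retained | missing
#   setcap:   file capabilities on the binary (second mode, non-root start)
#   root:     still running as root, never changed user
#   retained: changed to USER but kept cap_net_admin (first mode)
#   missing:  no cap_net_admin, so transparent proxying will fail
classify_mode() {
    case "$3" in *cap_net_admin*) echo setcap; return 0 ;; esac
    if [ "$1" = root ]; then echo root
    elif has_cap "$2" "$CAP_NET_ADMIN"; then echo retained
    else echo missing; fi
}

# Inspect the running sslh (Linux only; needs pgrep, getcap and GNU stat).
check_live_sslh() {
    pid=$(pgrep -x sslh 2>/dev/null | head -n 1)
    [ -n "$pid" ] || { echo "sslh is not running"; return 1; }
    user=$(stat -c %U "/proc/$pid")          # owner of /proc/PID = effective uid
    mask=$(capeff_of_status < "/proc/$pid/status")
    filecaps=$(getcap "$(readlink "/proc/$pid/exe")" 2>/dev/null || true)
    echo "pid=$pid user=$user $(describe_caps "$mask")"
    classify_mode "$user" "$mask" "$filecaps"
}

# Constructed /proc status excerpt for offline use; 0x1400 = bits 10 and 12.
SAMPLE_STATUS='Name: sslh
Uid: 108 108 108 108
CapEff: 0000000000001400'

if [ "${1:-}" = live ]; then check_live_sslh
else mask=$(printf '%s\n' "$SAMPLE_STATUS" | capeff_of_status)
     echo "sample: $(describe_caps "$mask") -> $(classify_mode sslh "$mask" '')"
fi
```

Run it with `live` as the first argument to inspect the real sslh process; without arguments it only decodes the constructed sample.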
