[sslh] Running sslh with stunnel

Yves Rutschle yves at rutschle.net
Sun Apr 29 17:16:23 UTC 2018


On Sun, Apr 29, 2018 at 05:47:36PM +0100, Sean Warner wrote:
> Hello,
> 
> I've got sslh running on my Pi. I can ssh into port 443 and also use that
> port for https web traffic to a personal web server... great stuff.
> 
> But now I would like to encapsulate the ssh traffic so it looks like ssl. I
> was following the hint from
> https://github.com/yrutschle/sslh#using-proxytunnel-with-sslh. I installed
> Proxytunnel and figured out how to link it with Putty. My client is a
> Windows 7 machine and I installed stunnel as a server on the Pi. But with
> Proxytunnel Putty never establishes an SSH session and the website stops
> working too.

This is what I use to connect through a proxy:

ProxyCommand proxytunnel -e -p 10.1.1.250:8080 -d ssh.example.net:443

with 10.1.1.250 being the Web proxy. That proxy doesn't do
authentication, so you may need to add username and login.


[...]
> Now when I try a simple SSH connection via Putty to 127.0.0.1 port 8844 it
> WORKS and I can ssh to my pi. It seems I can encrypt the ssh session which
> goes to server side stunnel and is decrypted then sslh demultiplexes it to
> my sshd server at port 1022. Very cool.
> 
> However the website doesn't work...

No, because the server-side stunnel decapsulates TLS, so
you're left with SSH and HTTP, i.e.:


ssh --> proxytunnel --------ssh/tls ------> stunnel ----ssh--->sslh----> sshd
firefox --------http/tls -----------------> stunnel ----http-->sslh----> sshd

(http/tls a.k.a https)

It picks ssh because it doesn't recognise the HTTP. You
could set up a default protocol in sslh to point to httpd
instead, or use the http probe.


The alternative is to use the SNI probe in sslh to direct
the incoming TLS either to httpd or to stunnel to
decapsulate the ssh. In sslh.cfg:

protocols:
(
     { name: "tls"; sni_hostnames: ["www.example.net"]; host: "192.168.122.102"; port: "443";  },  # HTTPS straight to httpd, which terminates TLS itself
     { name: "tls"; sni_hostnames: ["10.1.1.250"]; host: "localhost"; port: "4443";  },  # SSH over TLS through proxy: stunnel on 4443 decapsulates, then forwards to sshd
);

When proxytunnel connects, it sets the TLS SNI to
the proxy address (here, 10.1.1.250), so sslh only receives
TLS, and depending on the name in SNI, forwards directly to
httpd (which will deal with TLS itself), or to an stunnel on
4443 which further forwards to sshd.

I swear this works, that's my setup (simplified -- I have
way more services than that), but you seriously need to get
a pen and paper and draw all the plumbing with which
protocols are used where, or you'll lose track of what's
going on.

All that being said, I never managed to run proxytunnel on
Windows with Putty; what's above works with ssh+proxytunnel
on Linux on the client side.

Good luck!
Y.
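To make the SNI-probe decision above concrete, here is an added example (my own illustration, not code from sslh or from anyone on this thread) that builds a minimal TLS ClientHello, pulls the server_name out of it the way an SNI probe must, and maps the name to a backend using the same two entries as the sslh.cfg quoted in the mail. The backend table, the sample ClientHello bytes and the fallback behaviour (returning a caller-supplied default when nothing matches) are assumptions made for this example; real sslh would continue with its other probes or its timeout protocol rather than simply returning a default.

```python
import struct

# Backend table mirroring the two "tls" entries in the quoted sslh.cfg:
# SNI name -> (host, port). Constructed for this example.
SNI_BACKENDS = {
    "www.example.net": ("192.168.122.102", 443),  # httpd terminates TLS itself
    "10.1.1.250": ("localhost", 4443),            # stunnel decapsulates SSH-over-TLS
}


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record, optionally carrying an
    SNI extension (RFC 6066). Constructed test input, not captured traffic."""
    ext = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name  # name type 0 = host_name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = (struct.pack("!H", len(ext)) + ext) if ext else b""
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + bytes(32)              # random (all zeros is fine for parsing)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\x00\x2f"    # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"            # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 0x16 = handshake


def extract_sni(data):
    """Return the server_name carried in a TLS ClientHello record, or None if
    the bytes are not a ClientHello or have no SNI extension."""
    try:
        if data[0] != 0x16 or data[1] != 0x03:
            return None                                # not a TLS handshake record
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if not hs or hs[0] != 0x01:
            return None                                # not a ClientHello
        pos = 4 + 2 + 32                               # skip type, length, version, random
        pos += 1 + hs[pos]                             # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher suites
        pos += 1 + hs[pos]                             # compression methods
        if pos >= len(hs):
            return None                                # no extensions block at all
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                # server_name list: 2-byte list length, then (type, 2-byte len, name) entries
                lpos = pos + 2
                while lpos + 3 <= pos + elen:
                    ntype = hs[lpos]
                    nlen = struct.unpack("!H", hs[lpos + 1:lpos + 3])[0]
                    if ntype == 0:
                        return hs[lpos + 3:lpos + 3 + nlen].decode("ascii")
                    lpos += 3 + nlen
                return None
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                    # truncated or malformed input


def route(data, default=None):
    """Choose a backend for the first bytes of a connection the way the SNI
    probe in the quoted config would. Simplification (assumption): anything
    that is not a matching TLS ClientHello goes to `default`."""
    name = extract_sni(data)
    if name is None:
        return default
    return SNI_BACKENDS.get(name, default)


if __name__ == "__main__":
    samples = [
        build_client_hello("www.example.net"),   # browser: straight to httpd
        build_client_hello("10.1.1.250"),        # proxytunnel sets SNI to the proxy address
        b"SSH-2.0-OpenSSH_7.4\r\n",              # constructed plain SSH banner, not TLS at all
    ]
    for sample in samples:
        print(extract_sni(sample), "->", route(sample, default=("localhost", 1022)))
```

The plain SSH banner is included to show why the one-stunnel setup in the question failed: once stunnel has stripped TLS, sslh no longer sees a ClientHello for either flow, so an SNI probe has nothing to match and the traffic lands on whatever the fallback is. With the two-entry config, the browser's SNI and proxytunnel's SNI arrive intact at sslh and are routed before any decapsulation happens.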