[sslh] Systemd configuration
Eamon Doyle
eamon at cornercase.net
Tue Mar 27 21:27:00 UTC 2018
Hi all. I’m trying to get sslh running on Debian 9.3 using the standard
Debian sslh package (sslh -V = sslh-fork 1.18-1) with systemd. I can run
sslh just fine by issuing a terminal command to get it running but if I try
to start it with systemctl, it always fails and systemd gives me an exit
status of 213/SECUREBITS for the main process. I’m really not sure what
I’m doing wrong. If anyone can point me in the right direction, that would
be much appreciated.
My configs are as follows:
/etc/sslh/sslh.cfg
verbose: true;
foreground: true;
inetd: false;
numeric: false;
transparent: false;
timeout: "2";
user: "sslh";
#pidfile: "/var/run/sslh.pid";
#chroot: "/var/empty";
# Change hostname with your external address name.
listen:
(
{ host: "192.168.12.13"; port: "443"; }
);
protocols:
(
{ name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; },
#{ name: "openvpn"; host: "localhost"; port: "1194"; },
#{ name: "xmpp"; host: "localhost"; port: "5222"; },
#{ name: "http"; host: "localhost"; port: "80"; },
{ name: "ssl"; host: "localhost"; port: "444"; log_level: 0; },
);
/etc/default/sslh
DAEMON_OPTS="--listen 192.168.12.13:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:444"
/etc/systemd/system/sslh.service.d/override.conf
[Service]
# Replace the start command and make it use sslh-select
ExecStart=
ExecStart=/usr/sbin/sslh-select --foreground $DAEMON_OPTS
# Run sslh as a user and use capabilities to bind ports
User=sslh
# Systemd 229
# AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
# Systemd 228 and below
SecureBits=keep-caps
Capabilities=cap_net_bind_service,cap_net_admin+pie
# Limit access
PrivateTmp=true
PrivateDevices=true
ProtectSystem=full
ProtectHome=true
# Set routing rules automatically on script start
PermissionsStartOnly=true
# Check for mark 0x4155 (set by nftables) and forward packet to table 0x4155
ExecStartPre=/sbin/ip rule add fwmark 0x4155 lookup 0x4155
ExecStopPost=/sbin/ip rule del fwmark 0x4155
# Table 0x4155 to route all packets back to loopback interface
ExecStartPre=/sbin/ip route add local 0.0.0.0/0 dev lo table 0x4155
ExecStopPost=/sbin/ip route del table 0x4155
Output of systemctl status sslh.service
sslh.service - SSL/SSH multiplexer
   Loaded: loaded (/lib/systemd/system/sslh.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/sslh.service.d
           └─override.conf
   Active: failed (Result: exit-code) since Tue 2018-03-27 16:17:44 CDT; 911ms ago
     Docs: man:sslh(8)
  Process: 15386 ExecStartPre=/sbin/ip route add local 0.0.0.0/0 dev lo table 0x4155 (code=exited, status=2)
  Process: 15385 ExecStartPre=/sbin/ip rule add fwmark 0x4155 lookup 0x4155 (code=exited, status=0/SUCCESS)
 Main PID: 11239 (code=exited, status=213/SECUREBITS)

Mar 27 16:17:44 homedeb systemd[1]: Starting SSL/SSH multiplexer...
Mar 27 16:17:44 homedeb ip[15386]: RTNETLINK answers: File exists
Mar 27 16:17:44 homedeb systemd[1]: sslh.service: Control process exited, code=exited status=2
Mar 27 16:17:44 homedeb systemd[1]: Failed to start SSL/SSH multiplexer.
Mar 27 16:17:44 homedeb systemd[1]: sslh.service: Unit entered failed state.
Mar 27 16:17:44 homedeb systemd[1]: sslh.service: Failed with result 'exit-code'.
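Added example, not part of Eamon's post or of the sslh project: the same drop-in rewritten for the systemd that Debian 9 ships (version 232, which supports the AmbientCapabilities= directive that the drop-in's own comments mark as the 229+ route), keeping his unit name, binary path, user, fwmark and table number. The pre-229 pair SecureBits=keep-caps / Capabilities=... is dropped, since that is the only setting in the drop-in that touches secure bits, and the ExecStartPre steps first clear any rule or route left behind by an earlier failed start, so that "RTNETLINK answers: File exists" no longer aborts the unit. It assumes the `sslh` user exists, that the vendor unit still provides $DAEMON_OPTS from /etc/default/sslh, and that nothing else uses routing table 0x4155.

```ini
# /etc/systemd/system/sslh.service.d/override.conf  (example rewrite, assumptions noted above)
[Service]
# Replace the vendor start command and run sslh-select in the foreground
ExecStart=
ExecStart=/usr/sbin/sslh-select --foreground $DAEMON_OPTS

# Run as an unprivileged user; grant only the two capabilities sslh needs:
# CAP_NET_BIND_SERVICE to bind port 443, CAP_NET_ADMIN for transparent mode.
# AmbientCapabilities= (systemd >= 229) replaces SecureBits=/Capabilities=.
User=sslh
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
NoNewPrivileges=true

# Limit filesystem and device access
PrivateTmp=true
PrivateDevices=true
ProtectSystem=full
ProtectHome=true

# Run ExecStartPre/ExecStopPost as root so they may change routing state
PermissionsStartOnly=true

# Remove stale state from a previous (possibly failed) start.  The leading "-"
# tells systemd to ignore a non-zero exit here, because "nothing to delete"
# is the normal case on a clean boot.
ExecStartPre=-/sbin/ip rule del fwmark 0x4155 lookup 0x4155
ExecStartPre=-/sbin/ip route flush table 0x4155

# Now the adds must succeed: packets marked 0x4155 (by nftables) are looked up
# in table 0x4155, which routes everything back to the loopback interface.
ExecStartPre=/sbin/ip rule add fwmark 0x4155 lookup 0x4155
ExecStartPre=/sbin/ip route add local 0.0.0.0/0 dev lo table 0x4155

# Tear the rules down again on stop, whether or not the service exited cleanly
ExecStopPost=-/sbin/ip rule del fwmark 0x4155 lookup 0x4155
ExecStopPost=-/sbin/ip route flush table 0x4155
```

After editing the drop-in, run `systemctl daemon-reload`, then `systemctl restart sslh` and `journalctl -u sslh -n 20` to confirm the ExecStartPre steps exit 0 and the main process stays up; `grep ^Cap /proc/$(pidof sslh-select)/status` shows the effective capability mask, which should now contain only the two bits granted above. Transparent proxying still needs `transparent: true` (or `--transparent`) in sslh itself plus the nftables rule that sets mark 0x4155; the drop-in alone only prepares the routing.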