[sslh] sslh with load balancing across multiple ports

Yves Rutschle yves at rutschle.net
Sat Mar 31 17:58:51 UTC 2018


>     If I need to make some changes to sslh code to get this done,
> could you please give me some pointers on where to touch the source ?

Yes, this should not be too hard as the 'target protocol' is
already a list (so you can e.g. specify a https target such
as 'www.example.org' and that resolves to several IPv4 and
several IPv6 addresses).

The idea would be to change config_parse() (which reads the
configuration file) and parse_cmdline() (which reads the
command line) so that you can specify multiple targets for a
probe setting, e.g.:

protocols:
(
     { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; keepalive: true; fork: true; },
     {
         name: "http";
         target: (
             { host: "www1.example.org"; port: "80"; },
             { host: "www2.example.org"; port: "80"; },
             { host: "www3.example.org"; port: "80"; }
         );
     }
);

This would add several targets to the protocol's 'saddr'
target list (so instead of setting p->saddr to whatever
resolve_split_name() returns, you'd append the result of
each resolve_split_name() to the p->saddr list).

(Actually, I wouldn't blame you if you only change
config_parse() and declare this setting is only available
through the configuration file).

Now you have several targets. The second part is to change
connect_addr(), which currently runs through each of the
p->saddr targets until one works. Now we want to remember the
last one we tried for that probe (which means we need a new
field in `probe.h:struct proto`, e.g. 'struct addrinfo
*last_tried_saddr'), and start connecting from that one
instead of from the beginning of the list. And obviously
fail if we go all the way around back to the beginning.

If we can still specify 'host' and 'port' in the
configuration file, that doesn't even break current setups
as the behaviour would be almost exactly the same; the only
difference is that if someone has their target that resolves
to many addresses, and currently the first one always
succeeds, the new version would loop through the next ones.
I'm not sure that's a problem in real life.

Cheers,
Y.


