[sslh] Running sslh with stunnel

Sean Warner plica2006 at gmail.com
Tue May 1 20:25:11 UTC 2018


Hello again,

I think I'm very close... but not the whole cigar!

Basically I tried both your suggestions...

When I tried with stunnel at the router piping to sslh like this, Scenario 1:

Router --- stunnel --- sslh --- ssh probe  --- send to sshd server
                            --- http probe --- send to apache web server

My stunnel.conf for Scenario 1:

socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1
socket = l:SO_LINGER=1:1
socket = r:SO_LINGER=1:1

foreground = yes
debug = 7
output = /var/log/stunnel4/stunnel.log
pid = /var/run/stunnel4/stunnel.pid
fips = no

cert = /etc/letsencrypt/live/example.com/fullchain.pem
key = /etc/letsencrypt/live/example.com/privkey.pem

[ssh]
accept = 192.168.1.124:4433    ; internal port of router
connect = 192.168.1.124:4480   ; port that links to sslh

My sslh config for Scenario 1:

listen:
(
    { host: "192.168.1.124"; port: "4480"; }   # where stunnel connects to
);
protocols:
(
    { name: "ssh"; service: "ssh"; host: "127.0.0.2"; port: "1022"; log_level: 1; },
    { name: "ssl"; host: "127.0.0.2"; port: "444"; log_level: 1; },
    { name: "http"; host: "127.0.0.2"; port: "80"; log_level: 1; }
);

I was able to get an ssh session in putty but my website wasn't working. The
sslh logs showed that the probe correctly identified the http connection
when I tried to access a webpage and it forwarded it to Port 80 which I
wanted and which also means it was correctly decrypted by stunnel. But I
think my Virtualhost is wrong. I was trying to re-write the http back to
https like this:

<VirtualHost 127.0.0.2:80>
  DocumentRoot /var/www/nextcloud
  <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
  </IfModule>
</VirtualHost>
... because my nextcloudpi site works with https and I have a letsencrypt
cert for it. The web browser showed activity for a while then errored out
with something like "too many lookups" I think? Maybe it was getting into an
infinite loop of (router --> stunnel --> sslh --> apache -->)n? Anyway,
otherwise I like this approach but maybe I need to encrypt the link back to
https again when it comes out of stunnel so my site will work?!

Then I tried with sslh at the router piping to stunnel like this, Scenario 2:

Router --- sslh --- sni_hostnames: ["example.com"] --- send to apache
                --- else assume ssh ----------------- send to sshd server

I was able to get an ssh session in putty again. However the web request
times out and I get the message on screen: " HTTP Error 504: Gateway
Timeout: The server, while acting as a gateway or proxy, did not receive a
timely response from the upstream server it accessed in attempting to
complete the request." When I check the sslh logs for this second scenario I
see sslh doesn't actually react at all when I try to load the webpage.

Here is my sslh.cfg for Scenario 2:

verbose: true;
foreground: true;
inetd: false;
numeric: true;
transparent: true;
timeout: 2;
user: "sslh"; # "root" works
pidfile: "/var/run/sslh.pid";
chroot: "/var/empty";

listen:
(
    { host: "192.168.1.124"; port: "4433"; }
);

protocols:
(
    { name: "tls"; host: "192.168.1.124"; port: "444";
      sni_hostnames: ["example.com", "www.example.com", "cloud.example.com"]; log_level: 1; },
    { name: "tls"; host: "127.0.0.2"; port: "4480"; log_level: 1; }   # any other TLS goes to stunnel
);


Here is my stunnel.conf for Scenario 2:

socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1
socket = l:SO_LINGER=1:1
socket = r:SO_LINGER=1:1

foreground = yes
debug = 7
output = /var/log/stunnel4/stunnel.log
pid = /var/run/stunnel4/stunnel.pid
fips = no

cert = /etc/letsencrypt/live/example.com/fullchain.pem
key = /etc/letsencrypt/live/example.com/privkey.pem

[ssh]
accept = 127.0.0.2:4480        ; fed by the second sslh "tls" entry
connect = 192.168.1.124:1022   ; sshd

I tried various combinations of IP addresses... using the addr of my pi =
192.168.1.124 and 127.0.0.2 that works for me with sslh on its own. Maybe
the order of the "Protocol" parameters is important in sslh config? I tried
with sni_hostnames[ ] before and after the host/port values... made no
difference.

I'm thinking the problem here is with the sni_hostnames [] in sslh config.
But here is the sslh log when I restart sslh:

May  1 21:08:14 nextcloudpi systemd[1]: Starting SSL/SSH multiplexer...
May  1 21:08:14 nextcloudpi systemd[1]: Started SSL/SSH multiplexer.
May  1 21:08:14 nextcloudpi sslh[31944]: tls: sni_hostnames[0]: example.com
May  1 21:08:14 nextcloudpi sslh[31944]: tls: sni_hostnames[1]: www.example.com
May  1 21:08:14 nextcloudpi sslh[31944]: tls: sni_hostnames[2]: cloud.example.com
May  1 21:08:14 nextcloudpi sslh[31944]: Using /etc/sslh/sslh.cfg
May  1 21:08:14 nextcloudpi sslh[31944]: tls addr: 192.168.1.124:443. libwrap service: (null) log_level: 1 family 2 2 [] []
May  1 21:08:14 nextcloudpi sslh[31944]: tls addr: 127.0.0.2:4480. libwrap service: (null) log_level: 1 family 2 2 [] []
May  1 21:08:14 nextcloudpi sslh[31944]: listening on:
May  1 21:08:14 nextcloudpi sslh[31944]: #011192.168.1.124:4433#011[]
May  1 21:08:14 nextcloudpi sslh[31944]: timeout: 2
May  1 21:08:14 nextcloudpi sslh[31944]: on-timeout: tls
May  1 21:08:14 nextcloudpi sslh[31944]: listening to 1 addresses
May  1 21:08:14 nextcloudpi sslh[31944]: sslh-fork v1.19c-2-gf451cc8-dirty started
May  1 21:08:14 nextcloudpi sslh[31944]: turning into sslh
May  1 21:08:14 nextcloudpi sslh[31944]: chrooting into /var/empty
May  1 21:08:14 nextcloudpi sslh[31944]: capabilities: = cap_net_admin+ep

So it looks like sslh knows about the sni hostnames that are supplied in the
sslh config file but maybe they don't match with what is sent from the web
client? Either way I don't understand what causes the 504 Gateway Timeout.

Any help would be much appreciated :)

Cheers,

Flex
