[sslh] Running sslh with stunnel

Sean Warner plica2006 at gmail.com
Wed May 2 00:50:56 UTC 2018


Hello once more,

I have spent many more hours debugging since then... here is some more of an update,
more brief this time hopefully. I welcome any feedback or advice about what
I'm doing wrong..

To recap:
I am trying to multiplex ssh and https traffic along port 443 from outside
my network through my router to a web and ssh server on my LAN. I use Google
Chrome (https://webaddress) to send the https and Proxycommand -e from PuTTY
to send the SSL-encrypted ssh.

In my scenario 1:
Router --- stunnel --- sslh --- ssh probe  --- send to sshd server
                             \- http probe --- send to apache web server

I can ssh to sshd. The https web page request is decapsulated to http and
the sslh http probe matches it. I want to continue using my site in https, so
sslh sends the http request to a virtualhost that tries to rewrite it to
https like this:

<VirtualHost 127.0.0.2:80>
  DocumentRoot /var/www/nextcloud
  ServerName mrtosho.com
  ServerAlias www.mrtosho.com cloud.mrtosho.com
  <IfModule mod_rewrite.c>
    RewriteEngine On
    LogLevel info rewrite:trace5
    RewriteCond %{HTTPS} !=on
    #RewriteCond %{HTTP_HOST} !^%{SERVER_NAME}$ [NC]
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
  </IfModule>
</VirtualHost>

But in the error log I get into a rewrite loop...

[May 02 00:06:30 2018] init rewrite engine with requested uri /
[May 02 00:06:30 2018] applying pattern '^/?(.*)' to uri '/'
[May 02 00:06:30 2018] RewriteCond: input='off' pattern='!=on' => matched
[May 02 00:06:30 2018] rewrite '/' -> 'https://cloud.example.com/'
[May 02 00:06:30 2018] explicitly forcing redirect with https://cloud.example.com/
[May 02 00:06:30 2018] escaping https://cloud.example.com/ for redirect
[May 02 00:06:30 2018] redirect to https://cloud.example.com/ [REDIRECT/302]
[May 02 00:06:31 2018] init rewrite engine with requested uri /
[May 02 00:06:31 2018] applying pattern '^/?(.*)' to uri '/'
[May 02 00:06:31 2018] RewriteCond: input='off' pattern='!=on' => matched
[May 02 00:06:31 2018] rewrite '/' -> 'https://cloud.example.com/'
[May 02 00:06:31 2018] explicitly forcing redirect with https://cloud.example.com/
[May 02 00:06:31 2018] escaping https://cloud.example.com/ for redirect
[May 02 00:06:31 2018] redirect to https://cloud.example.com/ [REDIRECT/302]
[May 02 00:06:31 2018] init rewrite engine with requested uri /
[May 02 00:06:31 2018] applying pattern '^/?(.*)' to uri '/'
[May 02 00:06:31 2018] RewriteCond: input='off' pattern='!=on' => matched
[May 02 00:06:31 2018] rewrite '/' -> 'https://cloud.example.com/'
[May 02 00:06:31 2018] explicitly forcing redirect with https://cloud.example.com/
[May 02 00:06:31 2018] escaping https://cloud.example.com/ for redirect
[May 02 00:06:31 2018] redirect to https://cloud.example.com/ [REDIRECT/302]

It goes on for many, many lines... and in the browser it says: "Too many
redirects".

In my scenario 2:

Router --- sslh --- sni_hostnames: ["example.com", "www.example.com"] --- send to apache port 443
                 \- else assume ssh so                                --- send to sshd server

Once again I can ssh over port 443 to sshd but the website doesn't work. I
type https://www.example.com in the browser and after a minute or more it
says: "Site can't be reached - ERR_TIMED_OUT".

Here is some output from the sslh log:

May  2 00:57:11 sslh[3221]: accepted fd 4
May  2 00:57:11 sslh[3221]: accepted fd 4
May  2 00:57:11 sslh[3221]: **** writing deferred on fd -1
May  2 00:57:11 sslh[3221]: probing for tls
May  2 00:57:11 sslh[3221]: matching [www.example.com] with [example.com]
May  2 00:57:11 sslh[3221]: matching [www.example.com] with [www.example.com]
May  2 00:57:11 sslh[3221]: connecting to 192.168.1.124:443 family 2 len 16
May  2 00:57:11 sslh[3221]: **** writing deferred on fd -1
May  2 00:57:11 sslh[3221]: probing for tls
May  2 00:57:11 sslh[3221]: matching [www.example.com] with [example.com]
May  2 00:57:11 sslh[3221]: matching [www.example.com] with [www.example.com]
May  2 00:57:11 sslh[3221]: connecting to 192.168.1.124:443 family 2 len 16
May  2 00:57:41 sslh[3221]: accepted fd 4
May  2 00:57:41 sslh[3221]: accepted fd 4
May  2 00:57:41 sslh[3221]: **** writing deferred on fd -1
May  2 00:57:41 sslh[3221]: probing for tls
May  2 00:57:41 sslh[3221]: matching [www.example.com] with [example.com]
May  2 00:57:41 sslh[3221]: matching [www.example.com] with [www.example.com]
May  2 00:57:41 sslh[3221]: connecting to 192.168.1.124:443 family 2 len 16
May  2 00:57:41 sslh[3221]: **** writing deferred on fd -1
May  2 00:57:41 sslh[3221]: probing for tls
May  2 00:57:41 sslh[3221]: matching [www.example.com] with [example.com]
May  2 00:57:41 sslh[3221]: matching [www.example.com] with [www.example.com]
May  2 00:57:41 sslh[3221]: connecting to 192.168.1.124:443 family 2 len 16
May  2 00:58:16 sslh[3221]: accepted fd 4
May  2 00:58:16 sslh[3221]: accepted fd 4
May  2 00:58:16 sslh[3221]: **** writing deferred on fd -1
May  2 00:58:16 sslh[3221]: probing for tls
May  2 00:58:16 sslh[3221]: matching [www.example.com] with [example.com]
May  2 00:58:16 sslh[3221]: matching [www.example.com] with [www.example.com]
May  2 00:58:16 sslh[3221]: connecting to 192.168.1.124:443 family 2 len 16
May  2 00:58:16 sslh[3221]: **** writing deferred on fd -1

This time sslh sees the https web request and successfully uses sni_hostnames
in the sslh config to capture the hostname in the request URL. However, sslh
tries, many times for over a minute, to connect to port 443 but never
succeeds.

My questions:
In scenario 1 above, stunnel decapsulates the https to http. How can I make
the request get to the server as https again? Is the RewriteRule in the
VirtualHost the right way to make it work? Maybe it's not possible?
In scenario 2 above, why do you think sslh never succeeds in connecting to
port 443?

Thank you,

Flex
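An added example, not from the post or from the sslh or Apache projects: a small Python checker run over constructed lines modelled on the two logs quoted above. It flags the rewrite loop (the same https:// target issued as a 302 repeatedly while the trace shows %{HTTPS} evaluating to 'off' on every pass) and the backend that sslh keeps opening a fresh connection to on every accept, so both failure modes can be picked out of logs rather than from a browser error page.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the Apache rewrite trace and the
# verbose sslh output quoted in the post (not copied from a live system).
APACHE_TRACE = """\
[May 02 00:06:30 2018] RewriteCond: input='off' pattern='!=on' => matched
[May 02 00:06:30 2018] redirect to https://cloud.example.com/ [REDIRECT/302]
[May 02 00:06:31 2018] RewriteCond: input='off' pattern='!=on' => matched
[May 02 00:06:31 2018] redirect to https://cloud.example.com/ [REDIRECT/302]
[May 02 00:06:31 2018] RewriteCond: input='off' pattern='!=on' => matched
[May 02 00:06:31 2018] redirect to https://cloud.example.com/ [REDIRECT/302]
"""
SSLH_LOG = """\
May  2 00:57:11 sslh[3221]: accepted fd 4
May  2 00:57:11 sslh[3221]: probing for tls
May  2 00:57:11 sslh[3221]: connecting to 192.168.1.124:443 family 2 len 16
May  2 00:57:41 sslh[3221]: accepted fd 4
May  2 00:57:41 sslh[3221]: probing for tls
May  2 00:57:41 sslh[3221]: connecting to 192.168.1.124:443 family 2 len 16
May  2 00:58:16 sslh[3221]: accepted fd 4
May  2 00:58:16 sslh[3221]: probing for tls
May  2 00:58:16 sslh[3221]: connecting to 192.168.1.124:443 family 2 len 16
"""

REDIRECT_RE = re.compile(r"redirect to (\S+) \[REDIRECT/\d{3}\]")
HTTPS_OFF_RE = re.compile(r"RewriteCond: input='off' pattern='!=on' => matched")
SSLH_RE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) sslh\[\d+\]: (.*)$", re.M)

def redirect_loops(trace, threshold=3):
    """Targets redirected to at least `threshold` times while %{HTTPS} was
    'off' on every pass: each request still reaches Apache as plain HTTP
    behind stunnel, so the same https:// Location is issued again and again."""
    targets = Counter(m.group(1) for m in REDIRECT_RE.finditer(trace))
    https_off = len(HTTPS_OFF_RE.findall(trace))
    return {u: n for u, n in targets.items() if n >= threshold and https_off >= n}

def stalled_backends(log, min_attempts=3):
    """Backends that sslh opened at least `min_attempts` connections to.
    Returns {backend: (attempts, [seconds between successive attempts])}, so a
    backend that is connected to on every accept yet never serves stands out."""
    seen = {}
    for h, m, s, msg in SSLH_RE.findall(log):
        if msg.startswith("connecting to "):
            backend = msg.split()[2]
            seen.setdefault(backend, []).append(int(h) * 3600 + int(m) * 60 + int(s))
    return {b: (len(t), [y - x for x, y in zip(t, t[1:])])
            for b, t in seen.items() if len(t) >= min_attempts}
```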
