[sslh] Running sslh with stunnel

Yves Rutschle yves at rutschle.net
Thu May 3 08:18:28 UTC 2018


Hi Sean,

On Wed, May 02, 2018 at 01:50:56AM +0100, Sean Warner wrote:
> In my scenario 1:
[...]
> I can ssh to sshd. The web page request https is decapsulated to http and
> the sslh http probe matches it. I want to continue using my site in https so
> sslh sends the http request to a virtualhost that tries to re-write it to
> https like this:

That's wrong -- Apache re-writes the URL, but doesn't
encapsulate the traffic to HTTPS again. If you want to go
that way, you could insert a stunnel between sslh and Apache
to re-encapsulate. However I question the sanity of doing
so, what do you gain by having HTTPS from sslh to Apache?


> Router --- sslh ---- sni_hostnames: ["example.com", "www.example.com"] ----- send to apache port 443
>                                 ----- else assume ssh so       ------- send to sshd server

> However sslh
> tries, many times for over a minute, to connect to port 443 but never
> succeeds.

My guess would be a mismatch between the address sslh
connects to (192.168.1.124:443) and the address on which
Apache listens (specified in /etc/apache2/ports.conf on
Debian). It's possible to have both on port 443, but
requires some care: first try to get it to work on different
ports, e.g. sslh listens on port 443 and Apache on port 4443.

Y.
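
The address check suggested in the reply above, as an added example that is not part of the original message or of sslh: it compares the address sslh forwards to against Apache's Listen directives and flags a port both daemons would bind. The function names and the ports.conf samples are constructed for illustration; hosts are compared as literal strings and `<IfModule>` conditions are ignored.

```python
import re

# Listen forms that bind every address (host omitted, "*", IPv4/IPv6 any).
WILDCARDS = {None, "*", "0.0.0.0", "[::]"}

def apache_listens(ports_conf):
    """Return (host, port) pairs from Listen directives; host is None when omitted."""
    pairs = []
    for raw in ports_conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(?i)Listen\s+(?:(\S+):)?(\d+)(?:\s+\S+)?$", line)
        if m:
            pairs.append((m.group(1), int(m.group(2))))
    return pairs

def check(sslh_listen, sslh_target, ports_conf):
    """sslh_listen and sslh_target are (host, port) tuples; returns a list of findings."""
    findings = []
    listens = apache_listens(ports_conf)
    t_host, t_port = sslh_target
    # sslh can only reach Apache if some Listen covers the forwarding target.
    if not any(p == t_port and (h in WILDCARDS or h == t_host) for h, p in listens):
        findings.append("mismatch: Apache does not listen on %s:%d" % sslh_target)
    # Two daemons cannot bind the same port on overlapping addresses.
    l_host, l_port = sslh_listen
    for h, p in listens:
        if p == l_port and (h in WILDCARDS or l_host in WILDCARDS or h == l_host):
            findings.append("conflict: sslh and Apache both bind port %d" % p)
    return findings

# Constructed samples; 192.168.1.124 is the address mentioned in the thread.
DEBIAN_STYLE = "Listen 80\n<IfModule ssl_module>\n    Listen 443\n</IfModule>\n"
LOOPBACK_ONLY = "Listen 127.0.0.1:443\n"
SPLIT_PORTS = "Listen 4443  # Apache moved off 443\n"

if __name__ == "__main__":
    cases = [
        (("0.0.0.0", 443), ("192.168.1.124", 443), DEBIAN_STYLE),
        (("192.168.1.124", 443), ("192.168.1.124", 443), LOOPBACK_ONLY),
        (("0.0.0.0", 443), ("192.168.1.124", 4443), SPLIT_PORTS),
    ]
    for listen, target, conf in cases:
        print(listen, "->", target, check(listen, target, conf) or "ok")
```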


