[sslh] Better --transparent way on Linux
Jan Moesen
sslh=rutschle.net at moesen.nu
Mon Dec 16 16:47:20 UTC 2019
On 14/12/2019 00:19, Sean Warner wrote in
<http://rutschle.net/pipermail/sslh/2019-December/000713.html>:
> A sample scenario showing sslh transparently proxy requests from the internet to services on two separate hosts that are both on the same LAN is available here which might be helpful to you.
>
> https://github.com/yrutschle/sslh/blob/master/doc/tproxy.md
Yeah, I think my problem is mainly due to having everything on the same
host and wanting to use the newly proposed “simple” transparent proxy
setup that does not involve `iptables`.
On 14/12/2019 03:59, Shachar Shemesh wrote in
<http://rutschle.net/pipermail/sslh/2019-December/000714.html>:
> The configuration this supports is to have the real server and sslh
> listen on the same port. Get your ssh server to bind to 127.0.0.1:22,
> and sslh to bind to 37.187.45.81:22.
I tried that, but it did not work for me. I am not sure you meant to say
:22, because I am multiplexing SSH and SSL/TLS on port 443 (because that
is usually not blocked by firewalls). Either way, I tried both :22 and
:443, to no avail.
I’m now running sslh-fork 1.17-2 (installed with apt-get on Ubuntu) with
the following options:
--user sslh
--verbose
--transparent
--on-timeout ssl
--listen 37.187.45.81:443
--ssh 127.0.0.1:22
--ssl 127.0.0.1:443
--pidfile /var/run/sslh/sslh.pid
So sslh is listening on the external 37.187.45.81:443, while Lighttpd is
listening on 127.0.0.1:443. So like SSH in your example, but then
s/22/443/g.
Here is the --verbose logging for a successful connection from an
external IP to 37.187.45.81:443:
Dec 16 16:23:00 purplepixelhost sslh[25386]: accepted fd 4
Dec 16 16:23:00 purplepixelhost sslh[25386]: **** writing deferred on fd -1
Dec 16 16:23:00 purplepixelhost sslh[25386]: probing for ssh
Dec 16 16:23:00 purplepixelhost sslh[25386]: probing for ssl
Dec 16 16:23:00 purplepixelhost sslh[25386]: connecting to localhost.localdomain:https family 2 len 16
Dec 16 16:23:00 purplepixelhost sslh[25386]: connection from 12-34-56-78.access.telenet.be:45990 to purplepixelhost.moesen.nu:https forwarded from 12-34-56-78.access.telenet.be:45990 to localhost.localdomain:https
Dec 16 16:23:00 purplepixelhost sslh[25386]: flushing deferred data to fd 3
And the unsuccessful attempt from localhost to 37.187.45.81:443:
Dec 16 16:22:54 purplepixelhost sslh[25386]: accepted fd 4
Dec 16 16:22:54 purplepixelhost sslh[25386]: **** writing deferred on fd -1
Dec 16 16:22:54 purplepixelhost sslh[25386]: probing for ssh
Dec 16 16:22:54 purplepixelhost sslh[25386]: probing for ssl
Dec 16 16:22:54 purplepixelhost sslh[25386]: connecting to localhost.localdomain:https family 2 len 16
Dec 16 16:22:54 purplepixelhost sslh[25386]: bind:98:Address already in use
Dec 16 16:22:54 purplepixelhost sslh[25386]: bind_peer:98:Address already in use
Dec 16 16:22:54 purplepixelhost sslh[25386]: connect: Address already in use
I don’t know why the `ip` rules work in your case and not in mine, but I
routed around (pun intended, and duly regretted) the problem by
explicitly pointing some known domain names like jan.moesen.nu to
127.0.0.1 in /etc/hosts. Not pretty, but now everything works.
Thanks for all the help,
Jan
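Added illustration (not sslh's code, and not part of the message above) of the "bind_peer:98:Address already in use" failure in the second log. A transparent proxy binds its upstream socket to the original client's address and port before connecting to the backend, so the backend sees the real client; on Linux the IP_TRANSPARENT socket option is what allows binding a non-local address for that purpose. When the client is on the same host as the proxy, the client's own socket already owns that address:port pair, so the proxy's bind() fails with EADDRINUSE (errno 98 on Linux). The loopback listener, the ephemeral ports and the TEST-NET-2 "remote" address below are constructed for the demo; sslh itself is not involved.

```python
"""Reproduce "bind_peer: Address already in use" with plain sockets.

Added example, not sslh's code. A transparent proxy binds its upstream
socket to the original client's (address, port) before connect(), so the
backend sees the real client address. If the client runs on the same host
as the proxy, the client's own socket already owns that pair and bind()
fails with EADDRINUSE, as in the log for the localhost attempt.
"""
import errno
import socket

EADDRINUSE = errno.EADDRINUSE
EADDRNOTAVAIL = errno.EADDRNOTAVAIL

# Constructed "remote" client address (TEST-NET-2, never routed); stands in
# for a client arriving from the Internet instead of from this host.
REMOTE_PEER = ("198.51.100.7", 45990)


def bind_to_peer(peer):
    """Create an upstream socket and bind it to the client's own address and
    port, the way a transparent proxy does before connect(). Returns 0 if
    bind() succeeded, otherwise the errno it failed with."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # IP_TRANSPARENT (19 on Linux) needs CAP_NET_ADMIN. It only relaxes
        # the "is this address local?" check; it does not bypass the
        # port-conflict check, which is why a local client still collides.
        ip_transparent = getattr(socket, "IP_TRANSPARENT", 19)
        try:
            s.setsockopt(socket.IPPROTO_IP, ip_transparent, 1)
        except OSError:
            pass  # unprivileged: carry on, bind() tells the rest of the story
        try:
            s.bind(peer)
        except OSError as e:
            return e.errno
        return 0
    finally:
        s.close()


def local_client_conflict():
    """Client and proxy on the same host: the proxy accepts a connection and
    then tries to bind a fresh socket to the peer's address:port.
    Returns that bind()'s errno (EADDRINUSE expected)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port stands in for :443
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    conn, peer = listener.accept()  # peer == client.getsockname()
    try:
        return bind_to_peer(peer)
    finally:
        conn.close()
        client.close()
        listener.close()


def remote_client_case():
    """Client elsewhere: no socket on this host owns REMOTE_PEER, so bind()
    either succeeds (with CAP_NET_ADMIN for IP_TRANSPARENT) or fails with
    EADDRNOTAVAIL when unprivileged, but never with EADDRINUSE."""
    return bind_to_peer(REMOTE_PEER)


if __name__ == "__main__":
    print("local client :", errno.errorcode.get(local_client_conflict(), "ok"))
    print("remote client:", errno.errorcode.get(remote_client_case(), "ok"))
```

Run it as an unprivileged user and the local case reports EADDRINUSE while the remote case reports EADDRNOTAVAIL; run it with CAP_NET_ADMIN and the remote bind succeeds, but the local case still fails, which is the conflict the /etc/hosts workaround above sidesteps by never sending local clients through the proxy.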