[sslh] Better --transparent way on Linux

Jan Moesen sslh=rutschle.net at moesen.nu
Mon Dec 16 16:47:20 UTC 2019


On 14/12/2019 00:19, Sean Warner wrote in 
<http://rutschle.net/pipermail/sslh/2019-December/000713.html>:

> A sample scenario showing sslh transparently proxy requests from the internet to services on two separate hosts that are both on the same LAN is available here which might be helpful to you..
> 
> https://github.com/yrutschle/sslh/blob/master/doc/tproxy.md

Yeah, I think my problem is mainly due to having everything on the same 
host and wanting to use the newly proposed “simple” transparent proxy 
setup that does not involve `iptables`.


On 14/12/2019 03:59, Shachar Shemesh wrote in 
<http://rutschle.net/pipermail/sslh/2019-December/000714.html>:

> The configuration this supports is to have the real server and sslh 
> listen on the same port. Get your ssh server to bind to 127.0.0.1:22, 
> and sslh to bind to 37.187.45.81:22.

I tried that, but it did not work for me. I am not sure you meant to say 
:22, because I am multiplexing SSH and SSL/TLS on port 443 (because that 
is usually not blocked by firewalls). Either way, I tried both :22 and 
:443, to no avail.

I’m now running sslh-fork 1.17-2 (installed with apt-get on Ubuntu) with 
the following options:

--user sslh
--verbose
--transparent
--on-timeout ssl
--listen 37.187.45.81:443
--ssh 127.0.0.1:22
--ssl 127.0.0.1:443
--pidfile /var/run/sslh/sslh.pid

So sslh is listening on the external 37.187.45.81:443, while Lighttpd is 
listening on 127.0.0.1:443. So like SSH in your example, but then 
s/22/443/g.


Here is the --verbose logging for a successful connection from an 
external IP to 37.187.45.81:443:

Dec 16 16:23:00 purplepixelhost sslh[25386]: accepted fd 4
Dec 16 16:23:00 purplepixelhost sslh[25386]: **** writing deferred on fd -1
Dec 16 16:23:00 purplepixelhost sslh[25386]: probing for ssh
Dec 16 16:23:00 purplepixelhost sslh[25386]: probing for ssl
Dec 16 16:23:00 purplepixelhost sslh[25386]: connecting to localhost.localdomain:https family 2 len 16
Dec 16 16:23:00 purplepixelhost sslh[25386]: connection from 12-34-56-78.access.telenet.be:45990 to purplepixelhost.moesen.nu:https forwarded from 12-34-56-78.access.telenet.be:45990 to localhost.localdomain:https
Dec 16 16:23:00 purplepixelhost sslh[25386]: flushing deferred data to fd 3


And the unsuccessful attempt from localhost to 37.187.45.81:443:

Dec 16 16:22:54 purplepixelhost sslh[25386]: accepted fd 4
Dec 16 16:22:54 purplepixelhost sslh[25386]: **** writing deferred on fd -1
Dec 16 16:22:54 purplepixelhost sslh[25386]: probing for ssh
Dec 16 16:22:54 purplepixelhost sslh[25386]: probing for ssl
Dec 16 16:22:54 purplepixelhost sslh[25386]: connecting to localhost.localdomain:https family 2 len 16
Dec 16 16:22:54 purplepixelhost sslh[25386]: bind:98:Address already in use
Dec 16 16:22:54 purplepixelhost sslh[25386]: bind_peer:98:Address already in use
Dec 16 16:22:54 purplepixelhost sslh[25386]: connect: Address already in use


I don’t know why the `ip` rules work in your case and not in mine, but I 
routed around (pun intended, and duly regretted) the problem by 
explicitly pointing some known domain names like jan.moesen.nu to 
127.0.0.1 in /etc/hosts. Not pretty, but now everything works.



Thanks for all the help,

Jan
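The "bind:98:Address already in use" lines in the failed attempt above come from the transparent-proxy step where the upstream socket is bound to the client's own source address and port, so that the backend sees the real client. When the client is on the same host as the proxy, that address:port is already owned by the client's socket, so the bind cannot succeed. The following script (an added example, not part of this thread and not sslh's code) reproduces that conflict on loopback with a constructed backend and client, and contrasts it with a port that no local socket holds. It does not use IP_TRANSPARENT, which a bind to a non-local address would also require; loopback is enough to show the EADDRINUSE behaviour.

```python
"""Reproduce the "bind: Address already in use" failure seen in the thread:
a transparent proxy binds its upstream socket to the client's own
source address:port, which cannot work when that client lives on the
same host, because the client's socket already owns that port."""
import errno
import socket

# Exposed so callers can compare results portably (98 on Linux, 48 on macOS).
ADDRESS_IN_USE = errno.EADDRINUSE


def bind_as_client(client_addr):
    """Try to bind a fresh TCP socket to client_addr, the way a transparent
    proxy does so the backend sees the original client address.
    Returns 0 on success, otherwise the errno of the failed bind().
    (Binding a non-local address would additionally need IP_TRANSPARENT
    and CAP_NET_ADMIN; loopback addresses suffice to show the conflict.)"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(client_addr)
        return 0
    except OSError as exc:
        return exc.errno
    finally:
        s.close()


def same_host_vs_other_client():
    """Set up a stand-in backend and a local client on loopback (constructed
    fixtures, not the thread's real hosts). Returns a pair:
    (errno when binding to the local client's own address,
     errno when binding to an address no local socket is using)."""
    backend = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        backend.bind(("127.0.0.1", 0))      # kernel picks a free port
        backend.listen(1)
        client.connect(backend.getsockname())
        conn, _ = backend.accept()

        # The client's source address:port, e.g. ('127.0.0.1', 45990).
        # This is exactly what a transparent proxy would try to bind() to.
        local_client = client.getsockname()
        busy = bind_as_client(local_client)

        # For comparison, find a port nothing on this host holds. It stands
        # in for a remote client's source port, which only exists on the
        # remote host and therefore never collides locally.
        probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        probe.bind(("127.0.0.1", 0))
        unused = probe.getsockname()
        probe.close()
        free = bind_as_client(unused)

        conn.close()
        return busy, free
    finally:
        client.close()
        backend.close()


if __name__ == "__main__":
    busy, free = same_host_vs_other_client()
    print("bind to same-host client address:", errno.errorcode.get(busy, busy))
    print("bind to unused address:", errno.errorcode.get(free, free))
```

The first bind fails with EADDRINUSE because the loopback client already holds its source port; the second succeeds because no local socket owns it. That is the whole difference between the external connection that worked and the localhost connection that did not, and it is why pointing the host's own names at 127.0.0.1 in /etc/hosts sidesteps the problem: the local client then never traverses the transparent path at all.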


