[sslh] Better --transparent way on Linux
cel at celehner.com
Tue Oct 29 23:32:38 UTC 2019
Hi,
Nice, I confirm it works. Likewise with the IPv6 version:
ip -6 rule add from ::1 lookup 100
ip -6 route add local ::/0 dev lo table 100
But I'm not sure what you mean about binding the real service to localhost:443. If I do that with nginx, while sslh is listening on 0.0.0.0:443, I get Address already in use. So instead I have nginx listen on 4430.
Regards,
Charles
On Mon, 14 Oct 2019 08:50:53 +0300
Shachar Shemesh <shachar at shemesh.biz> wrote:
> Hi everyone,
>
> After spending way too much time on this, I found a better way to make --transparent work on Linux. No changing kernel parameters and then trying to undo the effect through iptables. In fact, no iptables rules at all (not even mangle rules). Even better, it is possible to bind the real service to localhost:443.
>
> All you need is to add the following two lines:
>
> ip rule add from 127.0.0.1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
>
> What they do is tell the routing table that any packet coming from 127.0.0.1 should be routed to the loopback device. Presto: --transparent is working.
>
> Hope this helps.
>
> Shachar
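The two-line setup from the thread, for both IPv4 and IPv6, as an added example script (not code from the list or from sslh) that only adds a rule or route when it is missing, so it can be re-run from a boot hook without stacking duplicate entries. It assumes iproute2 and root, and table 100 as in the thread; the presence checks parse `ip rule show` / `ip route show` output, where iproute2 prints 0.0.0.0/0 and ::/0 as "default".

```shell
#!/bin/sh
# Idempotent setup of the loopback-reply routing used by sslh --transparent.
# Assumptions: iproute2 present, run as root, routing table 100 (as in the thread).

TABLE=100

# rule_present OUTPUT SRC: does the given `ip rule show` output already hold
# "from SRC lookup TABLE"? Dots in SRC are escaped so 127.0.0.1 matches literally.
rule_present() {
    src=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -qE "^[0-9]+:[[:space:]]+from $src lookup $TABLE\$"
}

# route_present OUTPUT: does the given `ip route show table TABLE` output hold
# the local catch-all route via lo? iproute2 shows 0.0.0.0/0 and ::/0 as "default".
route_present() {
    printf '%s\n' "$1" | grep -qE "^local default dev lo( |\$)"
}

# ensure_transparent FAMILY SRC PREFIX: add the rule and route only if absent.
#   FAMILY is -4 or -6, SRC is 127.0.0.1 or ::1, PREFIX is 0.0.0.0/0 or ::/0.
ensure_transparent() {
    rule_present "$(ip "$1" rule show)" "$2" \
        || ip "$1" rule add from "$2" lookup "$TABLE"
    route_present "$(ip "$1" route show table "$TABLE")" \
        || ip "$1" route add local "$3" dev lo table "$TABLE"
}

main() {
    ensure_transparent -4 127.0.0.1 0.0.0.0/0
    ensure_transparent -6 ::1 ::/0
}

# Only touch the live routing tables when invoked as: ./script.sh apply
case "${1:-}" in
    apply) main ;;
esac
```

Running it without the `apply` argument only defines the functions, which is what the checks below rely on.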