git ssb

0+

cel / sslh



Tree: 26b4bcd089f6c3a3c43d1380969c939e600b3ef2

Files: 26b4bcd089f6c3a3c43d1380969c939e600b3ef2 / README

5528 bytesRaw
1===== sslh -- A ssl/ssh multiplexer. =====
2
3sslh accepts HTTP, HTTPS, SSH, OpenVPN, tinc and XMPP
4connections on the same port. This makes it possible to
5connect to any of these servers on port 443 (e.g. from
6inside a corporate firewall, which almost never block port
7443) while still serving HTTPS on that port.
8
9==== Compile and install ====
10
11If you're lucky, the Makefile will work for you:
12
13make install
14
15The Makefile produces two different executables: sslh-fork
16and sslh-select.
17
18sslh-fork forks a new process for each incoming connection.
19It is well-tested and very reliable, but incurs the overhead
20of many processes. sslh-select uses only one thread, which
21monitors all connections at once. It is more recent and less
22tested, but only incurs a 16 byte overhead per connection.
23Also, if it stops, you'll lose all connections, which means
24you can't upgrade it remotely.
25
26If you are going to use sslh for a "small" setup (less than
27a dozen ssh connections and a low-traffic https server) then
28sslh-fork is probably more suited for you. If you are going
29to use sslh on a "medium" setup (a few thousand ssh
30connections, and another few thousand sslh connections),
31sslh-select will be better. If you have a very large site
32(tens of thousands of connections), you'll need a vapourware
33version that would use libevent or something like that.
34
35
36To install:
37
38make
39cp sslh-fork /usr/local/sbin/sslh
40cp scripts/etc.default.sslh /etc/default/sslh
41
42For Debian:
43cp scripts/etc.init.d.sslh /etc/init.d/sslh
44For CentOS:
45cp scripts/etc.rc.d.init.d.sslh /etc/rc.d/init.d/sslh
46
47and probably create links in /etc/rc<x>.d so that the server
48start automatically at boot-up, e.g. under Debian:
49update-rc.d sslh defaults
50
51
52
53==== Configuration ====
54
55You can edit settings in /etc/default/sslh:
56
57LISTEN=ifname:443
58SSH=localhost:22
59SSL=localhost:443
60
61A good scheme is to use the external name of the machine in
62$LISTEN, and bind httpd to localhost:443 (instead of all
63binding to all interfaces): that way, https connections
64coming from inside your network don't need to go through
65sslh, and sslh is only there as a frontal for connections
66coming from the internet.
67
68Note that 'external name' in this context refers to the
69actual IP address of the machine as seen from your network,
70i.e. that that is not 127.0.0.1 in the output of
71ifconfig(8).
72
73==== Libwrap support ====
74
75Sslh can optionnaly perform libwrap checks for the sshd
76service: because the connection to sshd will be coming
77locally from sslh, sshd cannot determine the IP of the
78client.
79
80==== OpenVPN support ====
81
82OpenVPN clients connecting to OpenVPN running with
83-port-share reportedly take more than one second between
84the time the TCP connexion is established and the time they
85send the first data packet. This results in sslh with
86default settings timing out and assuming an SSH connexion.
87To support OpenVPN connexions reliably, it is necessary to
88increase sslh's timeout to 5 seconds.
89
90Instead of using OpenVPN's port sharing, it is more reliable
91to use sslh's -o option to get sslh to do the port sharing.
92
93==== Using proxytunnel with sslh ====
94
95If you are connecting through a proxy that checks that the
96outgoing connection really is SSL and rejects SSH, you can
97encapsulate all your traffic in SSL using proxytunnel (this
98should work with corkscrew as well). On the server side you
99receive the traffic with stunnel to decapsulate SSL, then
100pipe through sslh to switch HTTP on one side and SSL on the
101other.
102
103In that case, you end up with something like this:
104
105ssh -> proxytunnel -e --------ssh/ssl------> stunnel ---ssh---> sslh --> sshd
106
107Web browser --------http/ssl------> stunnel ---http---> sslh --> http:80
108
109Configuration goes like this:
110
111On the server side, using stunnel3:
112stunnel -f -p mycert.pem -d thelonious:443 -l /usr/local/sbin/sslh -- sslh -i --ssl localhost:80 --ssh localhost:22
113
114stunnel options: -f for foreground/debugging, -p specifies
115the key + certificate, -d specifies which interface and port
116we're listening to for incoming connexions, -l summons sslh
117in inetd mode.
118
119sslh options: -i for inetd mode, --ssl to forward SSL
120connexions (in fact normal HTTP at that stage) to port 80,
121and SSH connexions to port 22. This works because sslh
122considers that any protocol it doesn't recognise is SSL.
123
124==== IP_TPROXY support ====
125
126There is a netfilter patch that adds an option to the Linux
127TCP/IP stack to allow a program to set the source address
128of an IP packet that it sends. This could let sslh set the
129address of packets to that of the actual client, so that
130sshd would see and log the IP address of the client, making
131sslh transparent.
132
133This is not, and won't be, implemented in sslh for the
134following reasons (in increasing order of importance):
135
136 * It's not vital: the real connecting IP address can be
137 found in logs. Little gain.
138 * It's Linux only: it means increased complexity for no
139 gain to some users.
140 * It's a patch: it means it'd only be useful to Linux
141 users who compile their own kernel.
142 * Only root can use the feature: that's a definite no-no.
143 Sslh should not, must not, will never run as root.
144
145This isn't to mean that it won't eventually get implemented,
146when/if the feature finds its way into the main kernel and
147it becomes usuable by non-root processes.
148
149
150==== Comments? Questions? ====
151
152You can subscribe to the sslh mailing list here:
153http://rutschle.net/cgi-bin/mailman/listinfo/sslh
154
155This mailing list should be used for discussion, feature
156requests, and will be the prefered channel for
157announcements.
158
159

Built with git-ssb-web