git ssb

Files: 5cd1fa18753c479f7eaef26b893016a37646364f / README

6537 bytesRaw

1 ===== sslh -- A ssl/ssh multiplexer. =====
2 
3 sslh accepts connections in HTTP, HTTPS, SSH, OpenVPN,
4 tinc, XMPP, or any other protocol that can be tested using a
5 regular expression, on the same port. This makes it possible
6 to connect to any of these servers on port 443 (e.g. from
7 inside a corporate firewall, which almost never block port
8 443) while still serving HTTPS on that port. 
9 
10 
11 ==== Compile and install ====
12 
13 sslh uses libconfig (http://www.hyperrealm.com/libconfig/)
14 and libwrap.
15 
16 For Debian, these are contained in packages libwrap0-dev and
17 libconfig8-dev.  
18 
19 For OpenSUSE, these are contained in packages libconfig9 and
20 libconfig-dev in repository
21 http://download.opensuse.org/repositories/multimedia:/libs/openSUSE_12.1/
22 
23 For Fedora, this package should work:
24 https://admin.fedoraproject.org/pkgdb/acls/name/libconfig
25 (feedback from Fedorans appreciated).
26 
27 If you can't find libconfig, or just don't want a
28 configuration file, set 'USELIBCONFIG=' in the Makefile.
29 
30 After this, the Makefile should work:
31 
32 make install
33 
34 There are a couple of configuration options at the beginning
35 of the Makefile: 
36 
37     USELIBWRAP compiles support for host access control (see
38     hosts_access(3)), you will need libwrap headers and
39     library to compile (libwrap0-dev in Debian).
40 
41     USELIBCONFIG compiles support for the configuration
42     file. You will need libconfig headers to compile
43     (libconfig8-dev in Debian).
44 
45 The Makefile produces two different executables: sslh-fork
46 and sslh-select. 
47 
48 sslh-fork forks a new process for each incoming connection.
49 It is well-tested and very reliable, but incurs the overhead
50 of many processes.  sslh-select uses only one thread, which
51 monitors all connections at once. It is more recent and less
52 tested, but only incurs a 16 byte overhead per connection.
53 Also, if it stops, you'll lose all connections, which means
54 you can't upgrade it remotely.
55 
56 If you are going to use sslh for a "small" setup (less than
57 a dozen ssh connections and a low-traffic https server) then
58 sslh-fork is probably more suited for you. If you are going
59 to use sslh on a "medium" setup (a few thousand ssh
60 connections, and another few thousand sslh connections),
61 sslh-select will be better. If you have a very large site
62 (tens of thousands of connections), you'll need a vapourware
63 version that would use libevent or something like that.
64 
65 
66 To install:
67 
68 make
69 cp sslh-fork /usr/local/sbin/sslh
70 cp scripts/etc.default.sslh /etc/default/sslh
71 
72 For Debian:
73 cp scripts/etc.init.d.sslh /etc/init.d/sslh
74 For CentOS:
75 cp scripts/etc.rc.d.init.d.sslh /etc/rc.d/init.d/sslh
76 
77 and probably create links in /etc/rc<x>.d so that the server
78 start automatically at boot-up, e.g. under Debian:
79 update-rc.d sslh defaults
80 
81 
82 
83 ==== Configuration ====
84 
85 You can edit settings in /etc/default/sslh:
86 
87 LISTEN=ifname:443
88 SSH=localhost:22
89 SSL=localhost:443
90 
91 A good scheme is to use the external name of the machine in
92 $LISTEN, and bind httpd to localhost:443 (instead of all
93 binding to all interfaces): that way, https connections
94 coming from inside your network don't need to go through
95 sslh, and sslh is only there as a frontal for connections
96 coming from the internet.
97 
98 Note that 'external name' in this context refers to the
99 actual IP address of the machine as seen from your network,
100 i.e. that that is not 127.0.0.1 in the output of
101 ifconfig(8).
102 
103 ==== Libwrap support ====
104 
105 Sslh can optionnaly perform libwrap checks for the sshd
106 service: because the connection to sshd will be coming
107 locally from sslh, sshd cannot determine the IP of the
108 client.
109 
110 ==== OpenVPN support ====
111 
112 OpenVPN clients connecting to OpenVPN running with
113 -port-share reportedly take more than one second between
114 the time the TCP connexion is established and the time they
115 send the first data packet. This results in sslh with
116 default settings timing out and assuming an SSH connexion.
117 To support OpenVPN connexions reliably, it is necessary to
118 increase sslh's timeout to 5 seconds.
119 
120 Instead of using OpenVPN's port sharing, it is more reliable
121 to use sslh's -o option to get sslh to do the port sharing.
122 
123 ==== Using proxytunnel with sslh ====
124 
125 If you are connecting through a proxy that checks that the
126 outgoing connection really is SSL and rejects SSH, you can
127 encapsulate all your traffic in SSL using proxytunnel (this
128 should work with corkscrew as well). On the server side you
129 receive the traffic with stunnel to decapsulate SSL, then
130 pipe through sslh to switch HTTP on one side and SSL on the
131 other.
132 
133 In that case, you end up with something like this:
134 
135 ssh -> proxytunnel -e --------ssh/ssl------> stunnel ---ssh---> sslh --> sshd
136 
137 Web browser --------http/ssl------> stunnel ---http---> sslh --> http:80
138 
139 Configuration goes like this:
140 
141 On the server side, using stunnel3:
142 stunnel -f -p mycert.pem  -d thelonious:443 -l /usr/local/sbin/sslh -- sslh -i  --ssl localhost:80 --ssh localhost:22
143 
144 stunnel options: -f for foreground/debugging, -p specifies
145 the key + certificate, -d specifies which interface and port
146 we're listening to for incoming connexions, -l summons sslh
147 in inetd mode.
148 
149 sslh options: -i for inetd mode, --ssl to forward SSL
150 connexions (in fact normal HTTP at that stage) to port 80,
151 and SSH connexions to port 22. This works because sslh
152 considers that any protocol it doesn't recognise is SSL.
153 
154 ==== IP_TPROXY support ====
155 
156 There is a netfilter patch that adds an option to the Linux
157 TCP/IP stack to allow a program to set the source address
158 of an IP packet that it sends. This could let sslh set the
159 address of packets to that of the actual client, so that
160 sshd would see and log the IP address of the client, making
161 sslh transparent.
162 
163 This is not, and won't be, implemented in sslh for the
164 following reasons (in increasing order of importance):
165 
166   * It's not vital: the real connecting IP address can be
167     found in logs. Little gain.
168   * It's Linux only: it means increased complexity for no
169     gain to some users.
170   * It's a patch: it means it'd only be useful to Linux
171     users who compile their own kernel.
172   * Only root can use the feature: that's a definite no-no.
173     Sslh should not, must not, will never run as root.
174 
175 This isn't to mean that it won't eventually get implemented,
176 when/if the feature finds its way into the main kernel and
177 it becomes usuable by non-root processes.
178 
179 
180 ==== Comments? Questions? ====
181 
182 You can subscribe to the sslh mailing list here:
183 http://rutschle.net/cgi-bin/mailman/listinfo/sslh
184 
185 This mailing list should be used for discussion, feature
186 requests, and will be the prefered channel for
187 announcements.
188 
189

Built with git-ssb-web

cel / sslh

Tree: 5cd1fa18753c479f7eaef26b893016a37646364f

Files: 5cd1fa18753c479f7eaef26b893016a37646364f / README

1	===== sslh -- A ssl/ssh multiplexer. =====
2
3	sslh accepts connections in HTTP, HTTPS, SSH, OpenVPN,
4	tinc, XMPP, or any other protocol that can be tested using a
5	regular expression, on the same port. This makes it possible
6	to connect to any of these servers on port 443 (e.g. from
7	inside a corporate firewall, which almost never block port
8	443) while still serving HTTPS on that port.
9
10
11	==== Compile and install ====
12
13	sslh uses libconfig (http://www.hyperrealm.com/libconfig/)
14	and libwrap.
15
16	For Debian, these are contained in packages libwrap0-dev and
17	libconfig8-dev.
18
19	For OpenSUSE, these are contained in packages libconfig9 and
20	libconfig-dev in repository
21	http://download.opensuse.org/repositories/multimedia:/libs/openSUSE_12.1/
22
23	For Fedora, this package should work:
24	https://admin.fedoraproject.org/pkgdb/acls/name/libconfig
25	(feedback from Fedorans appreciated).
26
27	If you can't find libconfig, or just don't want a
28	configuration file, set 'USELIBCONFIG=' in the Makefile.
29
30	After this, the Makefile should work:
31
32	make install
33
34	There are a couple of configuration options at the beginning
35	of the Makefile:
36
37	USELIBWRAP compiles support for host access control (see
38	hosts_access(3)), you will need libwrap headers and
39	library to compile (libwrap0-dev in Debian).
40
41	USELIBCONFIG compiles support for the configuration
42	file. You will need libconfig headers to compile
43	(libconfig8-dev in Debian).
44
45	The Makefile produces two different executables: sslh-fork
46	and sslh-select.
47
48	sslh-fork forks a new process for each incoming connection.
49	It is well-tested and very reliable, but incurs the overhead
50	of many processes. sslh-select uses only one thread, which
51	monitors all connections at once. It is more recent and less
52	tested, but only incurs a 16 byte overhead per connection.
53	Also, if it stops, you'll lose all connections, which means
54	you can't upgrade it remotely.
55
56	If you are going to use sslh for a "small" setup (less than
57	a dozen ssh connections and a low-traffic https server) then
58	sslh-fork is probably more suited for you. If you are going
59	to use sslh on a "medium" setup (a few thousand ssh
60	connections, and another few thousand sslh connections),
61	sslh-select will be better. If you have a very large site
62	(tens of thousands of connections), you'll need a vapourware
63	version that would use libevent or something like that.
64
65
66	To install:
67
68	make
69	cp sslh-fork /usr/local/sbin/sslh
70	cp scripts/etc.default.sslh /etc/default/sslh
71
72	For Debian:
73	cp scripts/etc.init.d.sslh /etc/init.d/sslh
74	For CentOS:
75	cp scripts/etc.rc.d.init.d.sslh /etc/rc.d/init.d/sslh
76
77	and probably create links in /etc/rc<x>.d so that the server
78	start automatically at boot-up, e.g. under Debian:
79	update-rc.d sslh defaults
80
81
82
83	==== Configuration ====
84
85	You can edit settings in /etc/default/sslh:
86
87	LISTEN=ifname:443
88	SSH=localhost:22
89	SSL=localhost:443
90
91	A good scheme is to use the external name of the machine in
92	$LISTEN, and bind httpd to localhost:443 (instead of all
93	binding to all interfaces): that way, https connections
94	coming from inside your network don't need to go through
95	sslh, and sslh is only there as a frontal for connections
96	coming from the internet.
97
98	Note that 'external name' in this context refers to the
99	actual IP address of the machine as seen from your network,
100	i.e. that that is not 127.0.0.1 in the output of
101	ifconfig(8).
102
103	==== Libwrap support ====
104
105	Sslh can optionnaly perform libwrap checks for the sshd
106	service: because the connection to sshd will be coming
107	locally from sslh, sshd cannot determine the IP of the
108	client.
109
110	==== OpenVPN support ====
111
112	OpenVPN clients connecting to OpenVPN running with
113	-port-share reportedly take more than one second between
114	the time the TCP connexion is established and the time they
115	send the first data packet. This results in sslh with
116	default settings timing out and assuming an SSH connexion.
117	To support OpenVPN connexions reliably, it is necessary to
118	increase sslh's timeout to 5 seconds.
119
120	Instead of using OpenVPN's port sharing, it is more reliable
121	to use sslh's -o option to get sslh to do the port sharing.
122
123	==== Using proxytunnel with sslh ====
124
125	If you are connecting through a proxy that checks that the
126	outgoing connection really is SSL and rejects SSH, you can
127	encapsulate all your traffic in SSL using proxytunnel (this
128	should work with corkscrew as well). On the server side you
129	receive the traffic with stunnel to decapsulate SSL, then
130	pipe through sslh to switch HTTP on one side and SSL on the
131	other.
132
133	In that case, you end up with something like this:
134
135	ssh -> proxytunnel -e --------ssh/ssl------> stunnel ---ssh---> sslh --> sshd
136
137	Web browser --------http/ssl------> stunnel ---http---> sslh --> http:80
138
139	Configuration goes like this:
140
141	On the server side, using stunnel3:
142	stunnel -f -p mycert.pem -d thelonious:443 -l /usr/local/sbin/sslh -- sslh -i --ssl localhost:80 --ssh localhost:22
143
144	stunnel options: -f for foreground/debugging, -p specifies
145	the key + certificate, -d specifies which interface and port
146	we're listening to for incoming connexions, -l summons sslh
147	in inetd mode.
148
149	sslh options: -i for inetd mode, --ssl to forward SSL
150	connexions (in fact normal HTTP at that stage) to port 80,
151	and SSH connexions to port 22. This works because sslh
152	considers that any protocol it doesn't recognise is SSL.
153
154	==== IP_TPROXY support ====
155
156	There is a netfilter patch that adds an option to the Linux
157	TCP/IP stack to allow a program to set the source address
158	of an IP packet that it sends. This could let sslh set the
159	address of packets to that of the actual client, so that
160	sshd would see and log the IP address of the client, making
161	sslh transparent.
162
163	This is not, and won't be, implemented in sslh for the
164	following reasons (in increasing order of importance):
165
166	* It's not vital: the real connecting IP address can be
167	found in logs. Little gain.
168	* It's Linux only: it means increased complexity for no
169	gain to some users.
170	* It's a patch: it means it'd only be useful to Linux
171	users who compile their own kernel.
172	* Only root can use the feature: that's a definite no-no.
173	Sslh should not, must not, will never run as root.
174
175	This isn't to mean that it won't eventually get implemented,
176	when/if the feature finds its way into the main kernel and
177	it becomes usuable by non-root processes.
178
179
180	==== Comments? Questions? ====
181
182	You can subscribe to the sslh mailing list here:
183	http://rutschle.net/cgi-bin/mailman/listinfo/sslh
184
185	This mailing list should be used for discussion, feature
186	requests, and will be the prefered channel for
187	announcements.
188
189

cel / sslh

Tree: 5cd1fa18753c479f7eaef26b893016a37646364f shsmasterv1.9v1.8v1.7v1.6v1.5v1.3v1.2v1.18v1.17v1.16v1.15v1.14v1.13v1.12v1.11v1.10v1.1v1.0 <input type="submit" value="Go"/>

Files: 5cd1fa18753c479f7eaef26b893016a37646364f / README

Tree: 5cd1fa18753c479f7eaef26b893016a37646364f