git ssb

Files: 5cd1fa18753c479f7eaef26b893016a37646364f / sslh.pod

6329 bytesRaw

1 # I'm just not gonna write troff :-)
2 
3 =head1 NAME
4 
5  sslh - ssl/ssh multiplexer
6 
7 =head1 SYNOPSIS
8 
9 sslh [B<-F> I<config file>] [ B<-t> I<num> ] [B<-p> I<listening address> [B<-p> I<listening address> ...] [B<--ssl> I<target address for SSL>] [B<--ssh> I<target address for SSH>] [B<--openvpn> I<target address for OpenVPN>] [B<--http> I<target address for HTTP>] [B<-u> I<username>] [B<-P> I<pidfile>] [-v] [-i] [-V] [-f] [-n]
10 
11 =head1 DESCRIPTION
12 
13 B<sslh> accepts connections in HTTP, HTTPS, SSH, OpenVPN,
14 tinc, XMPP, or any other protocol that can be tested using a
15 regular expression, on the same port. This makes it possible
16 to connect to any of these servers on port 443 (e.g. from
17 inside a corporate firewall, which almost never block port
18 443) while still serving HTTPS on that port. 
19 
20 
21 The idea is to have B<sslh> listen to the external 443 port,
22 accept the incoming connections, work out what type of
23 connection it is, and then fordward to the appropriate
24 server.
25 
26 =head2 Protocol detection
27 
28 The protocol detection is made based on the first bytes sent
29 by the client: SSH connections start by identifying each
30 other's versions using clear text "SSH-2.0" strings (or
31 equivalent version strings). This is defined in RFC4253,
32 4.2. Meanwhile, OpenVPN clients start with 0x00 0x0D 0x38,
33 tinc clients start with "0 ", and XMPP client start with a
34 packet containing "jabber".
35 
36 Additionally, two kind of SSH clients exist: the client
37 waits for the server to send its version string ("Shy"
38 client, which is the case of OpenSSH and Putty), or the
39 client sends its version first ("Bold" client, which is the
40 case of Bitvise Tunnelier and ConnectBot). 
41 
42 If the client stays quiet after the timeout period, B<sslh>
43 will connect to the first protocol defined (in the
44 configuration file, or on the command line), so SSH should
45 be defined first in B<sslh> configuration to accomodate for
46 shy SSH clients.
47 
48 =head2 Libwrap support
49 
50 One drawback of B<sslh> is that the B<ssh> and B<httpd>
51 servers do not see the original IP address of the client
52 anymore, as the connection is forwarded through B<sslh>.
53 B<sslh> provides enough logging to circumvent that problem.
54 However it is common to limit access to B<ssh> using
55 B<libwrap> or B<tcpd>. For this reason, B<sslh> can be
56 compiled to check SSH accesses against SSH access lists as
57 defined in F</etc/hosts.allow> and F</etc/hosts.deny>.
58 
59 =head2 Configuration file
60 
61 A configuration file can be supplied to B<sslh>. Command
62 line arguments override file settings. B<sslh> uses
63 B<libconfig> to parse the configuration file, so the general
64 file format is indicated in
65 L<http://www.hyperrealm.com/libconfig/libconfig_manual.html>.
66 Please refer to the example configuration file provided with
67 B<sslh> for the specific format (Options have the same names
68 as on the command line, except for the list of listen ports
69 and the list of protocols).
70 
71 The configuration file makes it possible to specify
72 protocols using regular expressions: a list of regular
73 expressions is given as the I<probe> parameter, and if the
74 first packet received from the client matches any of these
75 expressions, B<sslh> connects to that protocol.
76 
77 Alternatively, the I<probe> parameter can be set to
78 "builtin", to use the compiled probes which are much faster
79 than regular expressions.
80 
81 
82 =head1 OPTIONS
83 
84 =over 4
85 
86 =item B<-t> I<num>, B<--timeout> I<num>
87 
88 Timeout before forwarding the connection to the first
89 configured protocol (which should usually be SSH). Default
90 is 2s.
91 
92 =item B<-p> I<listening address>, B<--listen> I<listening address>
93 
94 Interface and port on which to listen, e.g. I<foobar:443>,
95 where I<foobar> is the name of an interface (typically the
96 IP address on which the Internet connection ends up).
97 
98 This can be specified several times to bind B<sslh> to
99 several addresses.
100 
101 =item B<--ssl> I<target address>
102 
103 Interface and port on which to forward SSL connection,
104 typically I<localhost:443>.
105 
106 Note that you can set B<sslh> to listen on I<ext_ip:443> and
107 B<httpd> to listen on I<localhost:443>: this allows clients
108 inside your network to just connect directly to B<httpd>.
109 
110 =item B<--ssh> I<target address>
111 
112 Interface and port on which to forward SSH connections,
113 typically I<localhost:22>.
114 
115 =item B<--openvpn> I<target address>
116 
117 Interface and port on which to forward OpenVPN connections,
118 typically I<localhost:1194>.
119 
120 =item B<--xmpp> I<target address>
121 
122 Interface and port on which to forward XMPP connections,
123 typically I<localhost:5222>.
124 
125 =item B<--tinc> I<target address>
126 
127 Interface and port on which to forward tinc connections,
128 typically I<localhost:655>.
129 
130 This is experimental. If you use this feature, please report
131 the results (even if it works!)
132 
133 =item B<-v>, B<--verbose>
134 
135 Increase verboseness.
136 
137 =item B<-n>, B<--numeric>
138 
139 Do not attempt to resolve hostnames: logs will contain IP
140 addresses. This is mostly useful if the system's DNS is slow
141 and running the I<sslh-select> variant, as DNS requests will
142 hang all connections.
143 
144 =item B<-V>
145 
146 Prints B<sslh> version.
147 
148 =item B<-u> I<username>, B<--user> I<username>
149 
150 Requires to run under the specified username. 
151 
152 =item B<-P> I<pidfile>, B<--pidfile> I<pidfile>
153 
154 Specifies a file in which to write the PID of the main
155 server.
156 
157 =item B<-i>, B<--inetd>
158 
159 Runs as an I<inetd> server. Options B<-P> (PID file), B<-p>
160 (listen address), B<-u> (user) are ignored.
161 
162 =item B<-f>, B<--foreground>
163 
164 Runs in foreground. The server will not fork and will remain connected
165 to the terminal. Messages normally sent to B<syslog> will also be sent
166 to I<stderr>.
167 
168 =item B<--background>
169 
170 Runs in background. This overrides B<foreground> if set in
171 the configuration file (or on the command line, but there is
172 no point setting both on the command line unless you have a
173 personality disorder).
174 
175 =back
176 
177 =head1 FILES
178 
179 =over 4
180 
181 =item F</etc/init.d/sslh>
182 
183 Start-up script. The standard actions B<start>, B<stop> and
184 B<restart> are supported.
185 
186 =item F</etc/default/sslh>
187 
188 Server configuration. These are environment variables
189 loaded by the start-up script and passed to B<sslh> as
190 command-line arguments. Refer to the OPTIONS section for a
191 detailed explanation of the variables used by B<sslh>.
192 
193 =back
194 
195 =head1 SEE ALSO
196 
197 Last version available from
198 L<http://www.rutschle.net/tech/sslh>, and can be tracked
199 from L<http://freecode.com/projects/sslh>.
200 
201 =head1 AUTHOR
202 
203 Written by Yves Rutschle
204

Built with git-ssb-web

cel / sslh

Tree: 5cd1fa18753c479f7eaef26b893016a37646364f

Files: 5cd1fa18753c479f7eaef26b893016a37646364f / sslh.pod

1	# I'm just not gonna write troff :-)
2
3	=head1 NAME
4
5	sslh - ssl/ssh multiplexer
6
7	=head1 SYNOPSIS
8
9	sslh [B<-F> I<config file>] [ B<-t> I<num> ] [B<-p> I<listening address> [B<-p> I<listening address> ...] [B<--ssl> I<target address for SSL>] [B<--ssh> I<target address for SSH>] [B<--openvpn> I<target address for OpenVPN>] [B<--http> I<target address for HTTP>] [B<-u> I<username>] [B<-P> I<pidfile>] [-v] [-i] [-V] [-f] [-n]
10
11	=head1 DESCRIPTION
12
13	B<sslh> accepts connections in HTTP, HTTPS, SSH, OpenVPN,
14	tinc, XMPP, or any other protocol that can be tested using a
15	regular expression, on the same port. This makes it possible
16	to connect to any of these servers on port 443 (e.g. from
17	inside a corporate firewall, which almost never block port
18	443) while still serving HTTPS on that port.
19
20
21	The idea is to have B<sslh> listen to the external 443 port,
22	accept the incoming connections, work out what type of
23	connection it is, and then fordward to the appropriate
24	server.
25
26	=head2 Protocol detection
27
28	The protocol detection is made based on the first bytes sent
29	by the client: SSH connections start by identifying each
30	other's versions using clear text "SSH-2.0" strings (or
31	equivalent version strings). This is defined in RFC4253,
32	4.2. Meanwhile, OpenVPN clients start with 0x00 0x0D 0x38,
33	tinc clients start with "0 ", and XMPP client start with a
34	packet containing "jabber".
35
36	Additionally, two kind of SSH clients exist: the client
37	waits for the server to send its version string ("Shy"
38	client, which is the case of OpenSSH and Putty), or the
39	client sends its version first ("Bold" client, which is the
40	case of Bitvise Tunnelier and ConnectBot).
41
42	If the client stays quiet after the timeout period, B<sslh>
43	will connect to the first protocol defined (in the
44	configuration file, or on the command line), so SSH should
45	be defined first in B<sslh> configuration to accomodate for
46	shy SSH clients.
47
48	=head2 Libwrap support
49
50	One drawback of B<sslh> is that the B<ssh> and B<httpd>
51	servers do not see the original IP address of the client
52	anymore, as the connection is forwarded through B<sslh>.
53	B<sslh> provides enough logging to circumvent that problem.
54	However it is common to limit access to B<ssh> using
55	B<libwrap> or B<tcpd>. For this reason, B<sslh> can be
56	compiled to check SSH accesses against SSH access lists as
57	defined in F</etc/hosts.allow> and F</etc/hosts.deny>.
58
59	=head2 Configuration file
60
61	A configuration file can be supplied to B<sslh>. Command
62	line arguments override file settings. B<sslh> uses
63	B<libconfig> to parse the configuration file, so the general
64	file format is indicated in
65	L<http://www.hyperrealm.com/libconfig/libconfig_manual.html>.
66	Please refer to the example configuration file provided with
67	B<sslh> for the specific format (Options have the same names
68	as on the command line, except for the list of listen ports
69	and the list of protocols).
70
71	The configuration file makes it possible to specify
72	protocols using regular expressions: a list of regular
73	expressions is given as the I<probe> parameter, and if the
74	first packet received from the client matches any of these
75	expressions, B<sslh> connects to that protocol.
76
77	Alternatively, the I<probe> parameter can be set to
78	"builtin", to use the compiled probes which are much faster
79	than regular expressions.
80
81
82	=head1 OPTIONS
83
84	=over 4
85
86	=item B<-t> I<num>, B<--timeout> I<num>
87
88	Timeout before forwarding the connection to the first
89	configured protocol (which should usually be SSH). Default
90	is 2s.
91
92	=item B<-p> I<listening address>, B<--listen> I<listening address>
93
94	Interface and port on which to listen, e.g. I<foobar:443>,
95	where I<foobar> is the name of an interface (typically the
96	IP address on which the Internet connection ends up).
97
98	This can be specified several times to bind B<sslh> to
99	several addresses.
100
101	=item B<--ssl> I<target address>
102
103	Interface and port on which to forward SSL connection,
104	typically I<localhost:443>.
105
106	Note that you can set B<sslh> to listen on I<ext_ip:443> and
107	B<httpd> to listen on I<localhost:443>: this allows clients
108	inside your network to just connect directly to B<httpd>.
109
110	=item B<--ssh> I<target address>
111
112	Interface and port on which to forward SSH connections,
113	typically I<localhost:22>.
114
115	=item B<--openvpn> I<target address>
116
117	Interface and port on which to forward OpenVPN connections,
118	typically I<localhost:1194>.
119
120	=item B<--xmpp> I<target address>
121
122	Interface and port on which to forward XMPP connections,
123	typically I<localhost:5222>.
124
125	=item B<--tinc> I<target address>
126
127	Interface and port on which to forward tinc connections,
128	typically I<localhost:655>.
129
130	This is experimental. If you use this feature, please report
131	the results (even if it works!)
132
133	=item B<-v>, B<--verbose>
134
135	Increase verboseness.
136
137	=item B<-n>, B<--numeric>
138
139	Do not attempt to resolve hostnames: logs will contain IP
140	addresses. This is mostly useful if the system's DNS is slow
141	and running the I<sslh-select> variant, as DNS requests will
142	hang all connections.
143
144	=item B<-V>
145
146	Prints B<sslh> version.
147
148	=item B<-u> I<username>, B<--user> I<username>
149
150	Requires to run under the specified username.
151
152	=item B<-P> I<pidfile>, B<--pidfile> I<pidfile>
153
154	Specifies a file in which to write the PID of the main
155	server.
156
157	=item B<-i>, B<--inetd>
158
159	Runs as an I<inetd> server. Options B<-P> (PID file), B<-p>
160	(listen address), B<-u> (user) are ignored.
161
162	=item B<-f>, B<--foreground>
163
164	Runs in foreground. The server will not fork and will remain connected
165	to the terminal. Messages normally sent to B<syslog> will also be sent
166	to I<stderr>.
167
168	=item B<--background>
169
170	Runs in background. This overrides B<foreground> if set in
171	the configuration file (or on the command line, but there is
172	no point setting both on the command line unless you have a
173	personality disorder).
174
175	=back
176
177	=head1 FILES
178
179	=over 4
180
181	=item F</etc/init.d/sslh>
182
183	Start-up script. The standard actions B<start>, B<stop> and
184	B<restart> are supported.
185
186	=item F</etc/default/sslh>
187
188	Server configuration. These are environment variables
189	loaded by the start-up script and passed to B<sslh> as
190	command-line arguments. Refer to the OPTIONS section for a
191	detailed explanation of the variables used by B<sslh>.
192
193	=back
194
195	=head1 SEE ALSO
196
197	Last version available from
198	L<http://www.rutschle.net/tech/sslh>, and can be tracked
199	from L<http://freecode.com/projects/sslh>.
200
201	=head1 AUTHOR
202
203	Written by Yves Rutschle
204

cel / sslh

Tree: 5cd1fa18753c479f7eaef26b893016a37646364f shsmasterv1.9v1.8v1.7v1.6v1.5v1.3v1.2v1.18v1.17v1.16v1.15v1.14v1.13v1.12v1.11v1.10v1.1v1.0 <input type="submit" value="Go"/>

Files: 5cd1fa18753c479f7eaef26b893016a37646364f / sslh.pod

Tree: 5cd1fa18753c479f7eaef26b893016a37646364f