cel / sslh



Tree: 63a83cf0416ab89720b15a4a649786812b630b79

Files: 63a83cf0416ab89720b15a4a649786812b630b79 / sslh.pod

# I'm just not gonna write troff :-)

=head1 NAME

 sslh - protocol demultiplexer

=head1 SYNOPSIS

sslh [B<-F> I<config file>] [ B<-t> I<num> ] [B<--transparent>] [B<-p> I<listening address> [B<-p> I<listening address> ...] [B<--ssl> I<target address for SSL>] [B<--ssh> I<target address for SSH>] [B<--openvpn> I<target address for OpenVPN>] [B<--xmpp> I<target address for XMPP>] [B<--http> I<target address for HTTP>] [B<--tinc> I<target address for tinc>] [B<--anyprot> I<default target address>] [B<--on-timeout> I<protocol name>] [B<-u> I<username>] [B<-P> I<pidfile>] [B<-v>] [B<-i>] [B<-V>] [B<-f>] [B<-n>]

=head1 DESCRIPTION

B<sslh> accepts connections on specified ports, and forwards
them further based on tests performed on the first data
packet sent by the remote client.

Probes for HTTP, SSL, SSH, OpenVPN, tinc and XMPP are
implemented, and any other protocol that can be tested using
a regular expression can be recognised. A typical use case
is to serve several services on port 443 (e.g. to
connect to ssh from inside a corporate firewall, which
almost never blocks port 443) while still serving HTTPS on
that port.

Hence B<sslh> acts as a protocol demultiplexer, or a
switchboard. Its name comes from its original function to
serve SSH and HTTPS on the same port.

=head2 Libwrap support

One drawback of B<sslh> is that the servers do not see the
original IP address of the client anymore, as the connection
is forwarded through B<sslh>: any address-based access
control on the target service only ever sees B<sslh>'s own
address (see also B<--transparent>).

For this reason, B<sslh> can be compiled with B<libwrap> to
check accesses defined in F</etc/hosts.allow> and
F</etc/hosts.deny>. Libwrap services can be defined using
the configuration file.

=head2 Configuration file

A configuration file can be supplied to B<sslh>. Command
line arguments override file settings. B<sslh> uses
B<libconfig> to parse the configuration file, so the general
file format is indicated in
L<http://www.hyperrealm.com/libconfig/libconfig_manual.html>.
Please refer to the example configuration file provided with
B<sslh> for the specific format (options have the same names
as on the command line, except for the list of listen ports
and the list of protocols).

The configuration file makes it possible to specify
protocols using regular expressions: a list of regular
expressions is given as the I<regex_patterns> parameter, and if the
first packet received from the client matches any of these
expressions, B<sslh> connects to that protocol.

=head2 Probing protocols

When receiving an incoming connection, B<sslh> will read the
first bytes sent by the connecting client. It will then
probe for the protocol in the order specified on the command
line (or the configuration file). Therefore B<--anyprot>
should always be used last, as it always succeeds and further
protocols will never be tried.

If no data is sent by the client, B<sslh> will eventually
time out and connect to the protocol specified with
B<--on-timeout>, or I<ssh> if none is specified. This
matters because some clients, notably SSH clients, wait for
the server to speak first and so send nothing to probe.
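
The following is an added worked example, not code from B<sslh>
itself: a small Python model of the three rules above (probes tried
in order, B<--anyprot> matching everything so it must come last, and
the B<--on-timeout> fallback for silent clients), together with a
protocol defined only through I<regex_patterns> as described under
Configuration file. The byte-level probes are simplified
approximations of B<sslh>'s built-in heuristics, the "rsync" regex
protocol and all sample first packets are constructed here for
illustration, and every function name is the example's own.

```python
"""Toy model of how sslh picks a target from a client's first packet.

Added example, not sslh's code. The probes are simplified approximations
of sslh's built-in heuristics; the "rsync" regex_patterns protocol and
all sample packets are constructed here for illustration.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

Probe = Callable[[bytes], bool]


def is_ssh(data: bytes) -> bool:
    # SSH clients open with an identification string such as "SSH-2.0-...".
    return data.startswith(b"SSH-")


def is_tls(data: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x03
    # (SSLv3 .. TLS 1.2). An SSLv2 CLIENT-HELLO starts with a length byte whose
    # high bit is set (0x80) and has no 0x16 record type, so it is not matched:
    # the RFC 6176 behaviour described under --ssl.
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03


def is_http(data: bytes) -> bool:
    # Request line starting with a known method.
    return re.match(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH) ", data) is not None


def is_xmpp(data: bytes) -> bool:
    # XMPP stream openings carry a jabber:* namespace.
    return b"jabber" in data


def regex_probe(patterns: List[str]) -> Probe:
    """Build a probe from a regex_patterns-style list: any match wins."""
    compiled = [re.compile(p.encode()) for p in patterns]
    return lambda data: any(c.search(data) for c in compiled)


def anyprot(data: bytes) -> bool:
    # --anyprot: always succeeds, so nothing listed after it is ever tried.
    return True


@dataclass
class Protocol:
    name: str
    target: str    # host:port, as given to --ssh, --ssl, ... or in the config file
    probe: Probe


def demultiplex(first_packet: Optional[bytes], protocols: List[Protocol],
                on_timeout: str = "ssh") -> Protocol:
    """Return the protocol the connection is forwarded to.

    first_packet is None when the client sent nothing before --timeout
    expired; the --on-timeout protocol (default "ssh") is then used.
    Otherwise probes run in list order and the first match wins. With no
    match at all, the first protocol in the list is used, which is the
    documented fallback when no --anyprot is given.
    """
    if first_packet is None:
        return next(p for p in protocols if p.name == on_timeout)
    for proto in protocols:
        if proto.probe(first_packet):
            return proto
    return protocols[0]


# Constructed chain: built-in probes, a regex-only protocol, then anyprot last.
CHAIN = [
    Protocol("ssh", "localhost:22", is_ssh),
    Protocol("ssl", "localhost:443", is_tls),
    Protocol("http", "localhost:80", is_http),
    Protocol("xmpp", "localhost:5222", is_xmpp),
    Protocol("rsync", "localhost:873", regex_probe([r"^@RSYNCD: "])),  # hypothetical regex_patterns entry
    Protocol("anyprot", "localhost:443", anyprot),
]

# Constructed first packets (not captured traffic).
SAMPLES = {
    "ssh": b"SSH-2.0-OpenSSH_9.6\r\n",
    "tls": bytes([0x16, 0x03, 0x01, 0x00, 0x5A, 0x01]),   # TLS 1.0 record carrying a ClientHello
    "sslv2": bytes([0x80, 0x2E, 0x01, 0x00, 0x02]),        # SSLv2 CLIENT-HELLO header
    "http": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "xmpp": b"<?xml version='1.0'?><stream:stream xmlns='jabber:client' to='example.invalid'>",
    "rsync": b"@RSYNCD: 31.0\n",
    "junk": b"\x00\x01\x02\x03",
}


def classify(sample: str, chain: List[Protocol] = CHAIN) -> str:
    return demultiplex(SAMPLES[sample], chain).name


def misordered_chain() -> List[Protocol]:
    # anyprot placed first: every probe after it is dead, so SSH lands on the HTTPS target.
    return [CHAIN[-1]] + CHAIN[:-1]


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:6} -> {classify(name)}")
    print("sslv2, no anyprot  ->", classify("sslv2", CHAIN[:-1]))   # falls back to the first protocol
    print("ssh, anyprot first ->", classify("ssh", misordered_chain()))
    print("silent client      ->", demultiplex(None, CHAIN).name)
```

Running the block shows the two failure modes the section warns about:
with B<--anyprot> moved to the front an SSH client is silently handed
to the HTTPS target, and an SSLv2 client, which the SSL probe refuses,
ends up on B<--anyprot> when one is present or on the first listed
protocol when it is not.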

=head2 Logging

As a security/authorization program, B<sslh> logs to the
LOG_AUTH facility, with priority LOG_INFO for normal
connections and LOG_ERR for failures.

=head1 OPTIONS

=over 4

=item B<-F> I<filename>, B<--config> I<filename>

Uses I<filename> as configuration file. If other
command-line options are specified, they will override the
configuration file's settings.

=item B<-t> I<num>, B<--timeout> I<num>

Timeout, in seconds, before forwarding the connection to the timeout
protocol (which should usually be SSH). Default is 2s.

=item B<--on-timeout> I<protocol name>

Name of the protocol to connect to after the timeout period
is over. Default is 'ssh'.

=item B<--transparent>

Makes B<sslh> behave as a transparent proxy, i.e. the
receiving service sees the original client's IP address.
This works on Linux only and involves B<iptables> settings.
Refer to the README for more information.

=item B<-p> I<listening address>, B<--listen> I<listening address>

Interface and port on which to listen, e.g. I<foobar:443>,
where I<foobar> is the name of an interface (typically the
IP address on which the Internet connection ends up).

This can be specified several times to bind B<sslh> to
several addresses.

=item B<--ssl> I<target address>

=item B<--tls> I<target address>

Interface and port on which to forward SSL connections,
typically I<localhost:443>.

Note that you can set B<sslh> to listen on I<ext_ip:443> and
B<httpd> to listen on I<localhost:443>: this allows clients
inside your network to just connect directly to B<httpd>.

Also, B<sslh> probes for an SSLv3 (or TLSv1) handshake and
will not recognise connections from clients requesting SSLv2
as SSL (they fall through to the following probes). This
complies with RFC 6176, which prohibits the use of SSLv2. If
you wish to accept SSLv2, use B<--anyprot> instead.

=item B<--ssh> I<target address>

Interface and port on which to forward SSH connections,
typically I<localhost:22>.

=item B<--openvpn> I<target address>

Interface and port on which to forward OpenVPN connections,
typically I<localhost:1194>.

=item B<--xmpp> I<target address>

Interface and port on which to forward XMPP connections,
typically I<localhost:5222>.

=item B<--http> I<target address>

Interface and port on which to forward HTTP connections,
typically I<localhost:80>.

=item B<--tinc> I<target address>

Interface and port on which to forward tinc connections,
typically I<localhost:655>.

This is experimental. If you use this feature, please report
the results (even if it works!)

=item B<--anyprot> I<target address>

Interface and port on which to forward if no other protocol
has been found. Because B<sslh> tries protocols in the order
specified on the command line, this should be specified
last. If no default is specified, B<sslh> will forward
unknown protocols to the first protocol specified.

=item B<-v>, B<--verbose>

Increase verbosity.

=item B<-n>, B<--numeric>

Do not attempt to resolve hostnames: logs will contain IP
addresses. This is mostly useful if the system's DNS is slow
and you are running the I<sslh-select> variant, as a pending DNS
request blocks all connections.

=item B<-V>

Prints B<sslh> version.

=item B<-u> I<username>, B<--user> I<username>

Runs as the specified user: B<sslh> drops its privileges to
I<username> once started (root is typically needed only to
bind a privileged port such as 443).

=item B<-P> I<pidfile>, B<--pidfile> I<pidfile>

Specifies a file in which to write the PID of the main
server.

=item B<-i>, B<--inetd>

Runs as an I<inetd> server. Options B<-P> (PID file), B<-p>
(listen address), B<-u> (user) are ignored.

=item B<-f>, B<--foreground>

Runs in foreground. The server will not fork and will remain connected
to the terminal. Messages normally sent to B<syslog> will also be sent
to I<stderr>.

=item B<--background>

Runs in background. This overrides B<foreground> if set in
the configuration file (or on the command line, but there is
no point setting both on the command line).

=back

=head1 FILES

=over 4

=item F</etc/init.d/sslh>

Start-up script. The standard actions B<start>, B<stop> and
B<restart> are supported.

=item F</etc/default/sslh>

Server configuration. These are environment variables
loaded by the start-up script and passed to B<sslh> as
command-line arguments. Refer to the OPTIONS section for a
detailed explanation of the variables used by B<sslh>.

=back

=head1 SEE ALSO

The latest version is available from
L<http://www.rutschle.net/tech/sslh>, and releases can be tracked
at L<http://freecode.com/projects/sslh>.

=head1 AUTHOR

Written by Yves Rutschle

