Files: 7c35ef8528d47b97894a6495275b57dc1ae3f8c7 / sslh.pod
7461 bytesRaw
| 1 | # I'm just not gonna write troff :-) |
| 2 | |
| 3 | =head1 NAME |
| 4 | |
| 5 | sslh - protocol demultiplexer |
| 6 | |
| 7 | =head1 SYNOPSIS |
| 8 | |
| 9 | sslh [B<-F> I<config file>] [ B<-t> I<num> ] [B<--transparent>] [B<-p> I<listening address> [B<-p> I<listening address> ...] [B<--ssl> I<target address for SSL>] [B<--ssh> I<target address for SSH>] [B<--openvpn> I<target address for OpenVPN>] [B<--http> I<target address for HTTP>] [B<--anyprot> I<default target address>] [B<--on-timeout> I<protocol name>] [B<-u> I<username>] [B<-P> I<pidfile>] [-v] [-i] [-V] [-f] [-n] |
| 10 | |
| 11 | =head1 DESCRIPTION |
| 12 | |
| 13 | B<sslh> accepts connections on specified ports, and forwards |
| 14 | them further based on tests performed on the first data |
| 15 | packet sent by the remote client. |
| 16 | |
| 17 | Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are |
| 18 | implemented, and any other protocol that can be tested using |
| 19 | a regular expression, can be recognised. A typical use case |
| 20 | is to allow serving several services on port 443 (e.g. to |
| 21 | connect to ssh from inside a corporate firewall, which |
| 22 | almost never block port 443) while still serving HTTPS on |
| 23 | that port. |
| 24 | |
| 25 | Hence B<sslh> acts as a protocol demultiplexer, or a |
| 26 | switchboard. Its name comes from its original function to |
| 27 | serve SSH and HTTPS on the same port. |
| 28 | |
| 29 | =head2 Libwrap support |
| 30 | |
| 31 | One drawback of B<sslh> is that the servers do not see the |
| 32 | original IP address of the client anymore, as the connection |
| 33 | is forwarded through B<sslh>. |
| 34 | |
| 35 | For this reason, B<sslh> can be compiled with B<libwrap> to |
| 36 | check accesses defined in F</etc/hosts.allow> and |
| 37 | F</etc/hosts.deny>. Libwrap services can be defined using |
| 38 | the configuration file. |
| 39 | |
| 40 | =head2 Configuration file |
| 41 | |
| 42 | A configuration file can be supplied to B<sslh>. Command |
| 43 | line arguments override file settings. B<sslh> uses |
| 44 | B<libconfig> to parse the configuration file, so the general |
| 45 | file format is indicated in |
| 46 | L<http://www.hyperrealm.com/libconfig/libconfig_manual.html>. |
| 47 | Please refer to the example configuration file provided with |
| 48 | B<sslh> for the specific format (Options have the same names |
| 49 | as on the command line, except for the list of listen ports |
| 50 | and the list of protocols). |
| 51 | |
| 52 | The configuration file makes it possible to specify |
| 53 | protocols using regular expressions: a list of regular |
| 54 | expressions is given as the I<probe> parameter, and if the |
| 55 | first packet received from the client matches any of these |
| 56 | expressions, B<sslh> connects to that protocol. |
| 57 | |
| 58 | Alternatively, the I<probe> parameter can be set to |
| 59 | "builtin", to use the compiled probes which are much faster |
| 60 | than regular expressions. |
| 61 | |
| 62 | =head2 Probing protocols |
| 63 | |
| 64 | When receiving an incoming connection, B<sslh> will read the |
| 65 | first bytes sent be the connecting client. It will then |
| 66 | probe for the protocol in the order specified on the command |
| 67 | line (or the configuration file). Therefore B<--anyprot> |
| 68 | should alway be used last, as it always succeeds and further |
| 69 | protocols will never be tried. |
| 70 | |
| 71 | If no data is sent by the client, B<sslh> will eventually |
| 72 | time out and connect to the protocol specified with |
| 73 | B<--on-timeout>, or I<ssh> if none is specified. |
| 74 | |
| 75 | =head2 Logging |
| 76 | |
| 77 | As a security/authorization program, B<sslh> logs to the |
| 78 | LOG_AUTH facility, with priority LOG_INFO for normal |
| 79 | connections and LOG_ERR for failures. |
| 80 | |
| 81 | =head1 OPTIONS |
| 82 | |
| 83 | =over 4 |
| 84 | |
| 85 | =item B<-F> I<filename>, B<--config> I<filename> |
| 86 | |
| 87 | Uses I<filename> has configuration file. If other |
| 88 | command-line options are specified, they will override the |
| 89 | configuration file's settings. |
| 90 | |
| 91 | =item B<-t> I<num>, B<--timeout> I<num> |
| 92 | |
| 93 | Timeout before forwarding the connection to the timeout |
| 94 | protocol (which should usually be SSH). Default is 2s. |
| 95 | |
| 96 | =item B<--on-timeout> I<protocol name> |
| 97 | |
| 98 | Name of the protocol to connect to after the timeout period |
| 99 | is over. Default is 'ssh'. |
| 100 | |
| 101 | =item B<--transparent> |
| 102 | |
| 103 | Makes B<sslh> behave as a transparent proxy, i.e. the |
| 104 | receiving service sees the original client's IP address. |
| 105 | This works on Linux only and involves B<iptables> settings. |
| 106 | Refer to the README for more information. |
| 107 | |
| 108 | =item B<-p> I<listening address>, B<--listen> I<listening address> |
| 109 | |
| 110 | Interface and port on which to listen, e.g. I<foobar:443>, |
| 111 | where I<foobar> is the name of an interface (typically the |
| 112 | IP address on which the Internet connection ends up). |
| 113 | |
| 114 | This can be specified several times to bind B<sslh> to |
| 115 | several addresses. |
| 116 | |
| 117 | =item B<--ssl> I<target address> |
| 118 | |
| 119 | =item B<--tls> I<target address> |
| 120 | |
| 121 | Interface and port on which to forward SSL connection, |
| 122 | typically I<localhost:443>. |
| 123 | |
| 124 | Note that you can set B<sslh> to listen on I<ext_ip:443> and |
| 125 | B<httpd> to listen on I<localhost:443>: this allows clients |
| 126 | inside your network to just connect directly to B<httpd>. |
| 127 | |
| 128 | Also, B<sslh> probes for SSLv3 (or TLSv1) handshake and will |
| 129 | reject connections from clients requesting SSLv2. This is |
| 130 | compliant to RFC6176 which prohibits the usage of SSLv2. If |
| 131 | you wish to accept SSLv2, use B<--default> instead. |
| 132 | |
| 133 | =item B<--ssh> I<target address> |
| 134 | |
| 135 | Interface and port on which to forward SSH connections, |
| 136 | typically I<localhost:22>. |
| 137 | |
| 138 | =item B<--openvpn> I<target address> |
| 139 | |
| 140 | Interface and port on which to forward OpenVPN connections, |
| 141 | typically I<localhost:1194>. |
| 142 | |
| 143 | =item B<--xmpp> I<target address> |
| 144 | |
| 145 | Interface and port on which to forward XMPP connections, |
| 146 | typically I<localhost:5222>. |
| 147 | |
| 148 | =item B<--http> I<target address> |
| 149 | |
| 150 | Interface and port on which to forward HTTP connections, |
| 151 | typically I<localhost:80>. |
| 152 | |
| 153 | =item B<--tinc> I<target address> |
| 154 | |
| 155 | Interface and port on which to forward tinc connections, |
| 156 | typically I<localhost:655>. |
| 157 | |
| 158 | This is experimental. If you use this feature, please report |
| 159 | the results (even if it works!) |
| 160 | |
| 161 | =item B<--anyprot> I<target address> |
| 162 | |
| 163 | Interface and port on which to forward if no other protocol |
| 164 | has been found. Because B<sslh> tries protocols in the order |
| 165 | specified on the command line, this should be specified |
| 166 | last. If no default is specified, B<sslh> will forward |
| 167 | unknown protocols to the first protocol specified. |
| 168 | |
| 169 | =item B<-v>, B<--verbose> |
| 170 | |
| 171 | Increase verboseness. |
| 172 | |
| 173 | =item B<-n>, B<--numeric> |
| 174 | |
| 175 | Do not attempt to resolve hostnames: logs will contain IP |
| 176 | addresses. This is mostly useful if the system's DNS is slow |
| 177 | and running the I<sslh-select> variant, as DNS requests will |
| 178 | hang all connections. |
| 179 | |
| 180 | =item B<-V> |
| 181 | |
| 182 | Prints B<sslh> version. |
| 183 | |
| 184 | =item B<-u> I<username>, B<--user> I<username> |
| 185 | |
| 186 | Requires to run under the specified username. |
| 187 | |
| 188 | =item B<-P> I<pidfile>, B<--pidfile> I<pidfile> |
| 189 | |
| 190 | Specifies a file in which to write the PID of the main |
| 191 | server. |
| 192 | |
| 193 | =item B<-i>, B<--inetd> |
| 194 | |
| 195 | Runs as an I<inetd> server. Options B<-P> (PID file), B<-p> |
| 196 | (listen address), B<-u> (user) are ignored. |
| 197 | |
| 198 | =item B<-f>, B<--foreground> |
| 199 | |
| 200 | Runs in foreground. The server will not fork and will remain connected |
| 201 | to the terminal. Messages normally sent to B<syslog> will also be sent |
| 202 | to I<stderr>. |
| 203 | |
| 204 | =item B<--background> |
| 205 | |
| 206 | Runs in background. This overrides B<foreground> if set in |
| 207 | the configuration file (or on the command line, but there is |
| 208 | no point setting both on the command line unless you have a |
| 209 | personality disorder). |
| 210 | |
| 211 | =back |
| 212 | |
| 213 | =head1 FILES |
| 214 | |
| 215 | =over 4 |
| 216 | |
| 217 | =item F</etc/init.d/sslh> |
| 218 | |
| 219 | Start-up script. The standard actions B<start>, B<stop> and |
| 220 | B<restart> are supported. |
| 221 | |
| 222 | =item F</etc/default/sslh> |
| 223 | |
| 224 | Server configuration. These are environment variables |
| 225 | loaded by the start-up script and passed to B<sslh> as |
| 226 | command-line arguments. Refer to the OPTIONS section for a |
| 227 | detailed explanation of the variables used by B<sslh>. |
| 228 | |
| 229 | =back |
| 230 | |
| 231 | =head1 SEE ALSO |
| 232 | |
| 233 | Last version available from |
| 234 | L<http://www.rutschle.net/tech/sslh>, and can be tracked |
| 235 | from L<http://freecode.com/projects/sslh>. |
| 236 | |
| 237 | =head1 AUTHOR |
| 238 | |
| 239 | Written by Yves Rutschle |
| 240 |
Built with git-ssb-web