git ssb

1
# This file is provided as documentation to show what is
2
# possible. It should not be used as-is, and probably should
3
# not be used as a starting point for a working
4
# configuration. Instead use basic.cfg.
5
6
verbose: true;
7
foreground: true;
8
inetd: false;
9
numeric: false;
10
transparent: false;
11
timeout: 2;
12
user: "nobody";
13
pidfile: "/var/run/sslh.pid";
14
15
# Specify which syslog facility to use (names for your
16
# system are usually defined in /usr/include/*/sys/syslog.h
17
# or equivalent)
18
# Default is "auth"
19
syslog_facility: "auth"; 
20
21
# List of interfaces on which we should listen
22
# Options:
23
listen:
24
(
25
    { host: "thelonious"; port: "443"; },
26
    { host: "thelonious"; port: "8080"; keepalive: true; }
27
);
28
29
# List of protocols
30
#
31
# Each protocol entry consists of:
32
#   name: name of the probe. These are listed on the command
33
#   line (ssh -?), plus 'regex' and 'timeout'.
34
35
#   service: (optional) libwrap service name (see hosts_access(5))
36
#   host, port: where to connect when this probe succeeds
37
#   log_level:  0 to turn off logging
38
#               1 to log each incoming connection
39
#   keepalive:  Should TCP keepalive be on or off for that
40
#               connection (default is off)
41
#
42
#  Probe-specific options:
43
#       tls:
44
#               sni_hostnames:  list of FQDN for that target
45
#               alpn_protocols: list of ALPN protocols for that target, see:
46
#               https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
47
#
48
#               if both sni_hostnames AND alpn_protocols are specified, both must match
49
#               if neither are set, it is just checked whether this is the TLS protocol or not
50
#       regex:
51
#               regex_patterns: list of patterns to match for
52
#               that target.
53
#   
54
# sslh will try each probe in order they are declared, and
55
# connect to the first that matches.
56
#
57
# You can specify several of 'regex' and 'tls'.
58
 
59
protocols:
60
(
61
     { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; keepalive: true; },
62
     { name: "http"; host: "localhost"; port: "80"; },
63
64
# match BOTH ALPN/SNI
65
     { name: "tls"; host: "localhost"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; sni_hostnames: [ "im.somethingelse.net" ]; log_level: 0;},
66
67
# just match ALPN
68
     { name: "tls"; host: "localhost"; port: "443"; alpn_protocols: [ "h2", "http/1.1", "spdy/1", "spdy/2", "spdy/3" ]; log_level: 0; },
69
     { name: "tls"; host: "localhost"; port: "xmpp-client"; alpn_protocols: [ "xmpp-client" ];  log_level: 0;},
70
71
# just match SNI
72
     { name: "tls"; host: "localhost"; port: "993"; sni_hostnames: [ "mail.rutschle.net", "mail.englishintoulouse.com" ]; log_level: 0; },
73
     { name: "tls"; host: "localhost"; port: "xmpp-client"; sni_hostnames: [ "im.rutschle.net", "im.englishintoulouse.com" ];  log_level: 0;},
74
75
# catch anything else TLS
76
     { name: "tls"; host: "localhost"; port: "443"; },
77
78
# OpenVPN
79
     { name: "regex"; host: "localhost"; port: "1194"; regex_patterns: [ "^\x00[\x0D-\xFF]$", "^\x00[\x0D-\xFF]\x38" ]; },
80
# Jabber
81
     { name: "regex"; host: "localhost"; port: "5222"; regex_patterns: [ "jabber" ]; },
82
    
83
# Let's Encrypt (tls-sni-* challenges)
84
     { name: "tls"; host: "localhost"; port: "letsencrypt-client"; sni_hostnames: [ "*.*.acme.invalid" ];  log_level: 0;},
85
86
# Catch-all
87
     { name: "regex"; host: "localhost"; port: "443"; regex_patterns: [ "" ]; },
88
89
# Where to connect in case of timeout (defaults to ssh)
90
     { name: "timeout"; service: "daytime"; host: "localhost"; port: "daytime"; }
91
);
92
93
# Optionally, specify to which protocol to connect in case
94
# of timeout (defaults to "ssh").
95
# You can timeout to any arbitrary address by setting an
96
# entry in 'protocols' named "timeout".
97
# This enables you to set a tcpd service name for this
98
# protocol too.
99
on-timeout: "timeout";
100
101