cel / sslh

Tree: aa06261d70509eb5a571937d5e3d5c41e11f193d

Files: aa06261d70509eb5a571937d5e3d5c41e11f193d / sslh.pod
# I'm just not gonna write troff :-)

=head1 NAME

 sslh - protocol demultiplexer

=head1 SYNOPSIS

sslh [B<-F>I<config file>] [ B<-t> I<num> ] [B<--transparent>] [B<-p> I<listening address> [B<-p> I<listening address> ...]] [B<--ssl> I<target address for SSL>] [B<--tls> I<target address for TLS>] [B<--ssh> I<target address for SSH>] [B<--openvpn> I<target address for OpenVPN>] [B<--http> I<target address for HTTP>] [B<--xmpp> I<target address for XMPP>] [B<--tinc> I<target address for TINC>] [B<--anyprot> I<default target address>] [B<--on-timeout> I<protocol name>] [B<-u> I<username>] [B<-P> I<pidfile>] [B<-v>] [B<-i>] [B<-V>] [B<-f>] [B<-n>]
10
=head1 DESCRIPTION

B<sslh> accepts connections on specified ports, and forwards
them further based on tests performed on the first data
packet sent by the remote client.

Probes for HTTP, SSL, SSH, OpenVPN, tinc and XMPP are
implemented, and any other protocol that can be tested using
a regular expression can be recognised. A typical use case
is to allow serving several services on port 443 (e.g. to
connect to ssh from inside a corporate firewall, which
almost never blocks port 443) while still serving HTTPS on
that port.

Hence B<sslh> acts as a protocol demultiplexer, or a
switchboard. Its name comes from its original function to
serve SSH and HTTPS on the same port.
28
=head2 Libwrap support

One drawback of B<sslh> is that the servers do not see the
original IP address of the client anymore, as the connection
is forwarded through B<sslh>.

For this reason, B<sslh> can be compiled with B<libwrap> to
check accesses defined in F</etc/hosts.allow> and
F</etc/hosts.deny>. Libwrap services can be defined using
the configuration file.
39
=head2 Configuration file

A configuration file can be supplied to B<sslh>. Command
line arguments override file settings. B<sslh> uses
B<libconfig> to parse the configuration file, so the general
file format is indicated in
L<http://www.hyperrealm.com/libconfig/libconfig_manual.html>.
Please refer to the example configuration file provided with
B<sslh> for the specific format (options have the same names
as on the command line, except for the list of listen ports
and the list of protocols).

The configuration file makes it possible to specify
protocols using regular expressions: a list of regular
expressions is given as the I<regex_patterns> parameter, and if the
first packet received from the client matches any of these
expressions, B<sslh> connects to that protocol.
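The fragment below is an added illustration of such a configuration file, in libconfig syntax; it is not the example file shipped with B<sslh>. The option names (I<timeout>, I<user>, I<pidfile>, I<listen>, I<protocols>, I<regex_patterns>) follow this page, but the exact nesting of the I<listen> and I<protocols> lists, the I<on_timeout> spelling, the I<service> key for libwrap and the I<regex> protocol name are assumptions to be checked against the example configuration file shipped with your version.

```libconfig
# sslh.cfg -- added illustration, not the file shipped with sslh.
# Key nesting, "on_timeout", "service" and the "regex" protocol name
# are assumed from sslh's example configuration; verify against yours.
verbose:     false;
foreground:  false;
timeout:     2;              # seconds of silence before on_timeout applies
on_timeout:  "ssh";
user:        "nobody";
pidfile:     "/var/run/sslh.pid";

# Bind only the public address; 192.0.2.10 is a documentation address.
listen:
(
    { host: "192.0.2.10"; port: "443"; }
);

# Probes run top to bottom; each entry names the service the first
# packet is forwarded to when its probe matches.
protocols:
(
    { name: "ssh";     host: "localhost"; port: "22";   service: "ssh"; },
    { name: "openvpn"; host: "localhost"; port: "1194"; },
    { name: "xmpp";    host: "localhost"; port: "5222"; },
    { name: "http";    host: "localhost"; port: "80"; },
    { name: "ssl";     host: "localhost"; port: "443"; },
    # A protocol recognised by regular expression; pattern is constructed.
    { name: "regex";   host: "localhost"; port: "5000";
      regex_patterns: [ "^MYPROTO/" ]; },
    # anyprot always matches, so it must stay last.
    { name: "anyprot"; host: "localhost"; port: "443"; }
);
```

Listening on the external address only, while the real services listen on I<localhost>, keeps the forwarded services unreachable except through B<sslh> and matches the I<ext_ip:443> / I<localhost:443> split described under B<--ssl> below.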
57
=head2 Probing protocols

When receiving an incoming connection, B<sslh> will read the
first bytes sent by the connecting client. It will then
probe for the protocol in the order specified on the command
line (or the configuration file). Therefore B<--anyprot>
should always be used last, as it always succeeds and further
protocols will never be tried.

If no data is sent by the client, B<sslh> will eventually
time out and connect to the protocol specified with
B<--on-timeout>, or I<ssh> if none is specified.
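The following Python is an added illustration of the probing order described above and of the I<regex_patterns> idea from the configuration section; it is not B<sslh>'s code. The byte patterns are taken from the protocol specifications (SSH identification string, TLS record header, HTTP request line) rather than from B<sslh>'s probes, the "jabber:client" pattern stands in for a regex-defined protocol, and all sample packets are constructed for the demonstration.

```python
"""First-packet protocol probing, illustrated.

Added example for this page: it is not sslh's code, and the byte patterns
below come from the protocol specifications rather than from sslh's own
probes. Protocol names mirror the command-line options on the page; the
"xmpp" regex pattern and all sample packets are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence

Probe = Callable[[bytes], bool]


def is_ssh(data: bytes) -> bool:
    """RFC 4253: the client's identification string begins with "SSH-"."""
    return data.startswith(b"SSH-")


def is_tls(data: bytes) -> bool:
    """An SSLv3/TLS record header: type 0x16 (handshake), version 3.x.

    An SSLv2 ClientHello has no such header (its first byte carries a
    length prefix with the high bit set), so the SSL probe rejects it and
    the packet falls through to later probes, as the page describes.
    """
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def is_http(data: bytes) -> bool:
    """An HTTP/1.x request line starts with a method token and a space."""
    return data.startswith(HTTP_METHODS)


def regex_probe(patterns: Sequence[bytes]) -> Probe:
    """Build a probe from a regex_patterns-style list: any match wins."""
    compiled = [re.compile(p) for p in patterns]
    return lambda data: any(c.search(data) for c in compiled)


def anyprot(data: bytes) -> bool:
    """The catch-all probe: always succeeds, so it must be listed last."""
    return True


@dataclass(frozen=True)
class Protocol:
    name: str
    target: str   # host:port the connection would be forwarded to
    probe: Probe


def demultiplex(first_packet: Optional[bytes], protocols: List[Protocol],
                on_timeout: str = "ssh") -> str:
    """Return the name of the protocol the connection would be forwarded to.

    Probes are tried strictly in list order. No data before the timeout
    means the on_timeout protocol ("ssh" by default, as on the page). If
    nothing matches and no catch-all is present, the first protocol wins.
    """
    if not first_packet:
        return on_timeout
    for proto in protocols:
        if proto.probe(first_packet):
            return proto.name
    return protocols[0].name


# Constructed protocol list: anyprot deliberately last.
PROTOCOLS = [
    Protocol("ssh", "localhost:22", is_ssh),
    Protocol("ssl", "localhost:443", is_tls),
    Protocol("http", "localhost:80", is_http),
    Protocol("xmpp", "localhost:5222", regex_probe([rb"jabber:client"])),
    Protocol("anyprot", "localhost:443", anyprot),
]
# Same protocols with anyprot misplaced: everything after it is unreachable.
MISORDERED = [PROTOCOLS[0], PROTOCOLS[4], PROTOCOLS[1], PROTOCOLS[2], PROTOCOLS[3]]
# No catch-all at all: unknown traffic goes to the first protocol.
NO_ANYPROT = PROTOCOLS[:4]

# Constructed sample first packets.
SSH_PKT = b"SSH-2.0-OpenSSH_8.9\r\n"
TLS_PKT = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"        # TLS 1.0 record, ClientHello
SSLV2_PKT = b"\x80\x2e\x01\x00\x02\x00\x15\x00\x00\x00\x10"  # SSLv2 ClientHello prefix
HTTP_PKT = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
XMPP_PKT = b"<?xml version='1.0'?><stream:stream xmlns='jabber:client' to='example.invalid'>"


if __name__ == "__main__":
    for label, pkt in [("ssh", SSH_PKT), ("tls", TLS_PKT), ("sslv2", SSLV2_PKT),
                       ("http", HTTP_PKT), ("xmpp", XMPP_PKT), ("silent", b"")]:
        print(f"{label:6s} -> ordered: {demultiplex(pkt, PROTOCOLS):8s} "
              f"misordered: {demultiplex(pkt, MISORDERED)}")
```

Running it shows the two failure modes the section warns about: with the catch-all misplaced, an HTTP request is swallowed by I<anyprot> and never reaches the HTTP probe, and a client that stays silent is routed to the I<on_timeout> protocol regardless of the list.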
70
=head2 Logging

As a security/authorization program, B<sslh> logs to the
LOG_AUTH facility, with priority LOG_INFO for normal
connections and LOG_ERR for failures.
76
=head1 OPTIONS

=over 4

=item B<-F>I<filename>, B<--config> I<filename>

Uses I<filename> as configuration file. If other
command-line options are specified, they will override the
configuration file's settings.

When using the shorthand version, make sure there is no
space between B<-F> and the I<filename>.
89
=item B<-t> I<num>, B<--timeout> I<num>

Timeout before forwarding the connection to the timeout
protocol (which should usually be SSH). Default is 2s.

=item B<--on-timeout> I<protocol name>

Name of the protocol to connect to after the timeout period
is over. Default is 'ssh'.

=item B<--transparent>

Makes B<sslh> behave as a transparent proxy, i.e. the
receiving service sees the original client's IP address.
This works on Linux only and involves B<iptables> settings.
Refer to the README for more information.
106
=item B<-p> I<listening address>, B<--listen> I<listening address>

Interface and port on which to listen, e.g. I<foobar:443>,
where I<foobar> is the name of an interface (typically the
IP address on which the Internet connection ends up).

This can be specified several times to bind B<sslh> to
several addresses.

=item B<--ssl> I<target address>

=item B<--tls> I<target address>

Interface and port on which to forward SSL connections,
typically I<localhost:443>.

Note that you can set B<sslh> to listen on I<ext_ip:443> and
B<httpd> to listen on I<localhost:443>: this allows clients
inside your network to just connect directly to B<httpd>.

Also, B<sslh> probes for an SSLv3 (or TLSv1) handshake and will
reject connections from clients requesting SSLv2. This is
compliant with RFC6176, which prohibits the usage of SSLv2. If
you wish to accept SSLv2, use B<--default> instead.
131
=item B<--ssh> I<target address>

Interface and port on which to forward SSH connections,
typically I<localhost:22>.

=item B<--openvpn> I<target address>

Interface and port on which to forward OpenVPN connections,
typically I<localhost:1194>.

=item B<--xmpp> I<target address>

Interface and port on which to forward XMPP connections,
typically I<localhost:5222>.

=item B<--http> I<target address>

Interface and port on which to forward HTTP connections,
typically I<localhost:80>.

=item B<--tinc> I<target address>

Interface and port on which to forward tinc connections,
typically I<localhost:655>.

This is experimental. If you use this feature, please report
the results (even if it works!).
159
=item B<--anyprot> I<target address>

Interface and port on which to forward if no other protocol
has been found. Because B<sslh> tries protocols in the order
specified on the command line, this should be specified
last. If no default is specified, B<sslh> will forward
unknown protocols to the first protocol specified.
167
=item B<-v>, B<--verbose>

Increase verbosity.

=item B<-n>, B<--numeric>

Do not attempt to resolve hostnames: logs will contain IP
addresses. This is mostly useful if the system's DNS is slow
and running the I<sslh-select> variant, as DNS requests will
hang all connections.

=item B<-V>

Prints the B<sslh> version.

=item B<-u> I<username>, B<--user> I<username>

Runs under the specified username.

=item B<-P> I<pidfile>, B<--pidfile> I<pidfile>

Specifies a file in which to write the PID of the main
server.
191
=item B<-i>, B<--inetd>

Runs as an I<inetd> server. Options B<-P> (PID file), B<-p>
(listen address), B<-u> (user) are ignored.

=item B<-f>, B<--foreground>

Runs in foreground. The server will not fork and will remain connected
to the terminal. Messages normally sent to B<syslog> will also be sent
to I<stderr>.

=item B<--background>

Runs in background. This overrides B<foreground> if set in
the configuration file (or on the command line, but there is
no point setting both on the command line unless you have a
personality disorder).

=back
211
=head1 FILES

=over 4

=item F</etc/init.d/sslh>

Start-up script. The standard actions B<start>, B<stop> and
B<restart> are supported.

=item F</etc/default/sslh>

Server configuration. These are environment variables
loaded by the start-up script and passed to B<sslh> as
command-line arguments. Refer to the OPTIONS section for a
detailed explanation of the variables used by B<sslh>.

=back

=head1 SEE ALSO

The latest version is available from
L<http://www.rutschle.net/tech/sslh>, and can be tracked
from L<http://freecode.com/projects/sslh>.

=head1 AUTHOR

Written by Yves Rutschle.
