git ssb

Files: c02e2d7aeeba25cb53d8a81acad55318ce63a4c4 / sslh.pod

6847 bytesRaw

1 # I'm just not gonna write troff :-)
2 
3 =head1 NAME
4 
5  sslh - protocol demultiplexer
6 
7 =head1 SYNOPSIS
8 
9 sslh [B<-F> I<config file>] [ B<-t> I<num> ] [B<-p> I<listening address> [B<-p> I<listening address> ...] [B<--ssl> I<target address for SSL>] [B<--ssh> I<target address for SSH>] [B<--openvpn> I<target address for OpenVPN>] [B<--http> I<target address for HTTP>] [B<--anyprot> I<default target address>] [B<--on-timeout> I<protocol name>] [B<-u> I<username>] [B<-P> I<pidfile>] [-v] [-i] [-V] [-f] [-n]
10 
11 =head1 DESCRIPTION
12 
13 B<sslh> accepts connections on specified ports, and forwards
14 them further based on tests performed on the first data
15 packet sent by the remote client.
16 
17 Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are
18 implemented, and any other protocol that can be tested using
19 a regular expression, can be recognised. A typical use case
20 is to allow serving several services on port 443 (e.g. to
21 connect to ssh from inside a corporate firewall, which
22 almost never block port 443) while still serving HTTPS on
23 that port. 
24 
25 Hence B<sslh> acts as a protocol demultiplexer, or a
26 switchboard. Its name comes from its original function to
27 serve SSH and HTTPS on the same port.
28 
29 =head2 Libwrap support
30 
31 One drawback of B<sslh> is that the servers do not see the
32 original IP address of the client anymore, as the connection
33 is forwarded through B<sslh>.
34 
35 For this reason, B<sslh> can be compiled with B<libwrap> to
36 check accesses defined in F</etc/hosts.allow> and
37 F</etc/hosts.deny>.  Libwrap services can be defined using
38 the configuration file.
39 
40 =head2 Configuration file
41 
42 A configuration file can be supplied to B<sslh>. Command
43 line arguments override file settings. B<sslh> uses
44 B<libconfig> to parse the configuration file, so the general
45 file format is indicated in
46 L<http://www.hyperrealm.com/libconfig/libconfig_manual.html>.
47 Please refer to the example configuration file provided with
48 B<sslh> for the specific format (Options have the same names
49 as on the command line, except for the list of listen ports
50 and the list of protocols).
51 
52 The configuration file makes it possible to specify
53 protocols using regular expressions: a list of regular
54 expressions is given as the I<probe> parameter, and if the
55 first packet received from the client matches any of these
56 expressions, B<sslh> connects to that protocol.
57 
58 Alternatively, the I<probe> parameter can be set to
59 "builtin", to use the compiled probes which are much faster
60 than regular expressions.
61 
62 =head2 Probing protocols
63 
64 When receiving an incoming connection, B<sslh> will read the
65 first bytes sent be the connecting client. It will then
66 probe for the protocol in the order specified on the command
67 line (or the configuration file). Therefore B<--anyprot>
68 should alway be used last, as it always succeeds and further
69 protocols will never be tried.
70 
71 If no data is sent by the client, B<sslh> will eventually
72 time out and connect to the protocol specified with
73 B<--on-timeout>, or I<ssh> if none is specified.
74 
75 =head1 OPTIONS
76 
77 =over 4
78 
79 =item B<-t> I<num>, B<--timeout> I<num>
80 
81 Timeout before forwarding the connection to the timeout
82 protocol (which should usually be SSH). Default is 2s.
83 
84 =item B<--on-timeout> I<protocol name>
85 
86 Name of the protocol to connect to after the timeout period
87 is over. Default is 'ssh'.
88 
89 =item B<-p> I<listening address>, B<--listen> I<listening address>
90 
91 Interface and port on which to listen, e.g. I<foobar:443>,
92 where I<foobar> is the name of an interface (typically the
93 IP address on which the Internet connection ends up).
94 
95 This can be specified several times to bind B<sslh> to
96 several addresses.
97 
98 =item B<--ssl> I<target address>
99 =item B<--tls> I<target address>
100 
101 Interface and port on which to forward SSL connection,
102 typically I<localhost:443>.
103 
104 Note that you can set B<sslh> to listen on I<ext_ip:443> and
105 B<httpd> to listen on I<localhost:443>: this allows clients
106 inside your network to just connect directly to B<httpd>.
107 
108 Also, B<sslh> probes for SSLv3 (or TLSv1) handshake and will
109 reject connections from clients requesting SSLv2. This is
110 compliant to RFC6176 which prohibits the usage of SSLv2. If
111 you wish to accept SSLv2, use B<--default> instead.
112 
113 =item B<--ssh> I<target address>
114 
115 Interface and port on which to forward SSH connections,
116 typically I<localhost:22>.
117 
118 =item B<--openvpn> I<target address>
119 
120 Interface and port on which to forward OpenVPN connections,
121 typically I<localhost:1194>.
122 
123 =item B<--xmpp> I<target address>
124 
125 Interface and port on which to forward XMPP connections,
126 typically I<localhost:5222>.
127 
128 =item B<--http> I<target address>
129 
130 Interface and port on which to forward HTTP connections,
131 typically I<localhost:80>.
132 
133 =item B<--tinc> I<target address>
134 
135 Interface and port on which to forward tinc connections,
136 typically I<localhost:655>.
137 
138 This is experimental. If you use this feature, please report
139 the results (even if it works!)
140 
141 =item B<--anyprot> I<target address>
142 
143 Interface and port on which to forward if no other protocol
144 has been found. Because B<sslh> tries protocols in the order
145 specified on the command line, this should be specified
146 last. If no default is specified, B<sslh> will forward
147 unknown protocols to the first protocol specified.
148 
149 =item B<-v>, B<--verbose>
150 
151 Increase verboseness.
152 
153 =item B<-n>, B<--numeric>
154 
155 Do not attempt to resolve hostnames: logs will contain IP
156 addresses. This is mostly useful if the system's DNS is slow
157 and running the I<sslh-select> variant, as DNS requests will
158 hang all connections.
159 
160 =item B<-V>
161 
162 Prints B<sslh> version.
163 
164 =item B<-u> I<username>, B<--user> I<username>
165 
166 Requires to run under the specified username. 
167 
168 =item B<-P> I<pidfile>, B<--pidfile> I<pidfile>
169 
170 Specifies a file in which to write the PID of the main
171 server.
172 
173 =item B<-i>, B<--inetd>
174 
175 Runs as an I<inetd> server. Options B<-P> (PID file), B<-p>
176 (listen address), B<-u> (user) are ignored.
177 
178 =item B<-f>, B<--foreground>
179 
180 Runs in foreground. The server will not fork and will remain connected
181 to the terminal. Messages normally sent to B<syslog> will also be sent
182 to I<stderr>.
183 
184 =item B<--background>
185 
186 Runs in background. This overrides B<foreground> if set in
187 the configuration file (or on the command line, but there is
188 no point setting both on the command line unless you have a
189 personality disorder).
190 
191 =back
192 
193 =head1 FILES
194 
195 =over 4
196 
197 =item F</etc/init.d/sslh>
198 
199 Start-up script. The standard actions B<start>, B<stop> and
200 B<restart> are supported.
201 
202 =item F</etc/default/sslh>
203 
204 Server configuration. These are environment variables
205 loaded by the start-up script and passed to B<sslh> as
206 command-line arguments. Refer to the OPTIONS section for a
207 detailed explanation of the variables used by B<sslh>.
208 
209 =back
210 
211 =head1 SEE ALSO
212 
213 Last version available from
214 L<http://www.rutschle.net/tech/sslh>, and can be tracked
215 from L<http://freecode.com/projects/sslh>.
216 
217 =head1 AUTHOR
218 
219 Written by Yves Rutschle
220

Built with git-ssb-web

cel / sslh

Tree: c02e2d7aeeba25cb53d8a81acad55318ce63a4c4

Files: c02e2d7aeeba25cb53d8a81acad55318ce63a4c4 / sslh.pod

1	# I'm just not gonna write troff :-)
2
3	=head1 NAME
4
5	sslh - protocol demultiplexer
6
7	=head1 SYNOPSIS
8
9	sslh [B<-F> I<config file>] [ B<-t> I<num> ] [B<-p> I<listening address> [B<-p> I<listening address> ...] [B<--ssl> I<target address for SSL>] [B<--ssh> I<target address for SSH>] [B<--openvpn> I<target address for OpenVPN>] [B<--http> I<target address for HTTP>] [B<--anyprot> I<default target address>] [B<--on-timeout> I<protocol name>] [B<-u> I<username>] [B<-P> I<pidfile>] [-v] [-i] [-V] [-f] [-n]
10
11	=head1 DESCRIPTION
12
13	B<sslh> accepts connections on specified ports, and forwards
14	them further based on tests performed on the first data
15	packet sent by the remote client.
16
17	Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are
18	implemented, and any other protocol that can be tested using
19	a regular expression, can be recognised. A typical use case
20	is to allow serving several services on port 443 (e.g. to
21	connect to ssh from inside a corporate firewall, which
22	almost never block port 443) while still serving HTTPS on
23	that port.
24
25	Hence B<sslh> acts as a protocol demultiplexer, or a
26	switchboard. Its name comes from its original function to
27	serve SSH and HTTPS on the same port.
28
29	=head2 Libwrap support
30
31	One drawback of B<sslh> is that the servers do not see the
32	original IP address of the client anymore, as the connection
33	is forwarded through B<sslh>.
34
35	For this reason, B<sslh> can be compiled with B<libwrap> to
36	check accesses defined in F</etc/hosts.allow> and
37	F</etc/hosts.deny>. Libwrap services can be defined using
38	the configuration file.
39
40	=head2 Configuration file
41
42	A configuration file can be supplied to B<sslh>. Command
43	line arguments override file settings. B<sslh> uses
44	B<libconfig> to parse the configuration file, so the general
45	file format is indicated in
46	L<http://www.hyperrealm.com/libconfig/libconfig_manual.html>.
47	Please refer to the example configuration file provided with
48	B<sslh> for the specific format (Options have the same names
49	as on the command line, except for the list of listen ports
50	and the list of protocols).
51
52	The configuration file makes it possible to specify
53	protocols using regular expressions: a list of regular
54	expressions is given as the I<probe> parameter, and if the
55	first packet received from the client matches any of these
56	expressions, B<sslh> connects to that protocol.
57
58	Alternatively, the I<probe> parameter can be set to
59	"builtin", to use the compiled probes which are much faster
60	than regular expressions.
61
62	=head2 Probing protocols
63
64	When receiving an incoming connection, B<sslh> will read the
65	first bytes sent be the connecting client. It will then
66	probe for the protocol in the order specified on the command
67	line (or the configuration file). Therefore B<--anyprot>
68	should alway be used last, as it always succeeds and further
69	protocols will never be tried.
70
71	If no data is sent by the client, B<sslh> will eventually
72	time out and connect to the protocol specified with
73	B<--on-timeout>, or I<ssh> if none is specified.
74
75	=head1 OPTIONS
76
77	=over 4
78
79	=item B<-t> I<num>, B<--timeout> I<num>
80
81	Timeout before forwarding the connection to the timeout
82	protocol (which should usually be SSH). Default is 2s.
83
84	=item B<--on-timeout> I<protocol name>
85
86	Name of the protocol to connect to after the timeout period
87	is over. Default is 'ssh'.
88
89	=item B<-p> I<listening address>, B<--listen> I<listening address>
90
91	Interface and port on which to listen, e.g. I<foobar:443>,
92	where I<foobar> is the name of an interface (typically the
93	IP address on which the Internet connection ends up).
94
95	This can be specified several times to bind B<sslh> to
96	several addresses.
97
98	=item B<--ssl> I<target address>
99	=item B<--tls> I<target address>
100
101	Interface and port on which to forward SSL connection,
102	typically I<localhost:443>.
103
104	Note that you can set B<sslh> to listen on I<ext_ip:443> and
105	B<httpd> to listen on I<localhost:443>: this allows clients
106	inside your network to just connect directly to B<httpd>.
107
108	Also, B<sslh> probes for SSLv3 (or TLSv1) handshake and will
109	reject connections from clients requesting SSLv2. This is
110	compliant to RFC6176 which prohibits the usage of SSLv2. If
111	you wish to accept SSLv2, use B<--default> instead.
112
113	=item B<--ssh> I<target address>
114
115	Interface and port on which to forward SSH connections,
116	typically I<localhost:22>.
117
118	=item B<--openvpn> I<target address>
119
120	Interface and port on which to forward OpenVPN connections,
121	typically I<localhost:1194>.
122
123	=item B<--xmpp> I<target address>
124
125	Interface and port on which to forward XMPP connections,
126	typically I<localhost:5222>.
127
128	=item B<--http> I<target address>
129
130	Interface and port on which to forward HTTP connections,
131	typically I<localhost:80>.
132
133	=item B<--tinc> I<target address>
134
135	Interface and port on which to forward tinc connections,
136	typically I<localhost:655>.
137
138	This is experimental. If you use this feature, please report
139	the results (even if it works!)
140
141	=item B<--anyprot> I<target address>
142
143	Interface and port on which to forward if no other protocol
144	has been found. Because B<sslh> tries protocols in the order
145	specified on the command line, this should be specified
146	last. If no default is specified, B<sslh> will forward
147	unknown protocols to the first protocol specified.
148
149	=item B<-v>, B<--verbose>
150
151	Increase verboseness.
152
153	=item B<-n>, B<--numeric>
154
155	Do not attempt to resolve hostnames: logs will contain IP
156	addresses. This is mostly useful if the system's DNS is slow
157	and running the I<sslh-select> variant, as DNS requests will
158	hang all connections.
159
160	=item B<-V>
161
162	Prints B<sslh> version.
163
164	=item B<-u> I<username>, B<--user> I<username>
165
166	Requires to run under the specified username.
167
168	=item B<-P> I<pidfile>, B<--pidfile> I<pidfile>
169
170	Specifies a file in which to write the PID of the main
171	server.
172
173	=item B<-i>, B<--inetd>
174
175	Runs as an I<inetd> server. Options B<-P> (PID file), B<-p>
176	(listen address), B<-u> (user) are ignored.
177
178	=item B<-f>, B<--foreground>
179
180	Runs in foreground. The server will not fork and will remain connected
181	to the terminal. Messages normally sent to B<syslog> will also be sent
182	to I<stderr>.
183
184	=item B<--background>
185
186	Runs in background. This overrides B<foreground> if set in
187	the configuration file (or on the command line, but there is
188	no point setting both on the command line unless you have a
189	personality disorder).
190
191	=back
192
193	=head1 FILES
194
195	=over 4
196
197	=item F</etc/init.d/sslh>
198
199	Start-up script. The standard actions B<start>, B<stop> and
200	B<restart> are supported.
201
202	=item F</etc/default/sslh>
203
204	Server configuration. These are environment variables
205	loaded by the start-up script and passed to B<sslh> as
206	command-line arguments. Refer to the OPTIONS section for a
207	detailed explanation of the variables used by B<sslh>.
208
209	=back
210
211	=head1 SEE ALSO
212
213	Last version available from
214	L<http://www.rutschle.net/tech/sslh>, and can be tracked
215	from L<http://freecode.com/projects/sslh>.
216
217	=head1 AUTHOR
218
219	Written by Yves Rutschle
220

cel / sslh

Tree: c02e2d7aeeba25cb53d8a81acad55318ce63a4c4 shsmasterv1.9v1.8v1.7v1.6v1.5v1.3v1.2v1.18v1.17v1.16v1.15v1.14v1.13v1.12v1.11v1.10v1.1v1.0 <input type="submit" value="Go"/>

Files: c02e2d7aeeba25cb53d8a81acad55318ce63a4c4 / sslh.pod

Tree: c02e2d7aeeba25cb53d8a81acad55318ce63a4c4