Commit 0b6cc0d9091ffe0a8709a47fbf88cac71e54e976
Added a note on configuring transparent proxying for both IPv4 and IPv6
Yves Rutschle committed on 1/22/2016, 10:25:53 AMParent: 8758a298ba730832838ef982fa8a2e07d3ca6f69
Files changed
| README.md | changed |
| README.md | ||
|---|---|---|
| @@ -303,8 +303,26 @@ | ||
| 303 | 303 | This will not work: |
| 304 | 304 | |
| 305 | 305 | sslh --listen 192.168.0.1:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:4443 |
| 306 | 306 | |
| 307 | +Transparent proxying means the target server sees the real | |
| 308 | +origin address, so it means if the client connects using | |
| 309 | +IPv6, the server must also support IPv6. It is easy to | |
| 310 | +support both IPv4 and IPv6 by configuring the server | |
| 311 | +accordingly, and setting `sslh` to connect to a name that | |
| 312 | +resolves to both IPv4 and IPv6, e.g.: | |
| 313 | + | |
| 314 | + sslh --transparent --listen <extaddr>:443 --ssh insideaddr:22 | |
| 315 | + | |
| 316 | + /etc/hosts: | |
| 317 | + 192.168.0.1 insideaddr | |
| 318 | + 201::::2 insideaddr | |
| 319 | + | |
| 320 | +Upon incoming IPv6 connection, `sslh` will first try to | |
| 321 | +connect to the IPv4 address (which will fail), then connect | |
| 322 | +to the IPv6 address. | |
| 323 | + | |
| 324 | + | |
| 307 | 325 | Fail2ban |
| 308 | 326 | -------- |
| 309 | 327 | |
| 310 | 328 | If using transparent proxying, just use the standard ssh |
Built with git-ssb-web