Commit 0b6cc0d9091ffe0a8709a47fbf88cac71e54e976
Added a note on configuring transparent proxying for both IPv4 and IPv6
Yves Rutschle committed on 1/22/2016, 10:25:53 AMParent: 8758a298ba730832838ef982fa8a2e07d3ca6f69
Files changed
README.md | changed |
README.md | ||
---|---|---|
@@ -303,8 +303,26 @@ | ||
303 | 303 | This will not work: |
304 | 304 | |
305 | 305 | sslh --listen 192.168.0.1:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:4443 |
306 | 306 | |
307 | +Transparent proxying means the target server sees the real | |
308 | +origin address, so it means if the client connects using | |
309 | +IPv6, the server must also support IPv6. It is easy to | |
310 | +support both IPv4 and IPv6 by configuring the server | |
311 | +accordingly, and setting `sslh` to connect to a name that | |
312 | +resolves to both IPv4 and IPv6, e.g.: | |
313 | + | |
314 | + sslh --transparent --listen <extaddr>:443 --ssh insideaddr:22 | |
315 | + | |
316 | + /etc/hosts: | |
317 | + 192.168.0.1 insideaddr | |
318 | + 201::::2 insideaddr | |
319 | + | |
320 | +Upon incoming IPv6 connection, `sslh` will first try to | |
321 | +connect to the IPv4 address (which will fail), then connect | |
322 | +to the IPv6 address. | |
323 | + | |
324 | + | |
307 | 325 | Fail2ban |
308 | 326 | -------- |
309 | 327 | |
310 | 328 | If using transparent proxying, just use the standard ssh |
Built with git-ssb-web