SSLH(8)                                                                SSLH(8)



NAME

       sslh - protocol demultiplexer


SYNOPSIS

       sslh [-Fconfig file] [-t num] [--transparent] [-p listening address [-p
       listening address ...] [--ssl target address for SSL] [--tls target
       address for TLS] [--ssh target address for SSH] [--openvpn target
       address for OpenVPN] [--http target address for HTTP] [--xmpp target
       address for XMPP] [--tinc target address for TINC] [--anyprot default
       target address] [--on-timeout protocol name] [-u username] [-C chroot]
       [-P pidfile] [-v] [-i] [-V] [-f] [-n]


DESCRIPTION

       sslh accepts connections on specified ports, and forwards them further
       based on tests performed on the first data packet sent by the remote
       client.

       Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are implemented, and any
       other protocol that can be tested using a regular expression can be
       recognised. A typical use case is to allow serving several services on
       port 443 (e.g. to connect to ssh from inside a corporate firewall,
       which almost never blocks port 443) while still serving HTTPS on that
       port.

       Hence sslh acts as a protocol demultiplexer, or a switchboard. Its name
       comes from its original function to serve SSH and HTTPS on the same
       port.

   Libwrap support
       One drawback of sslh is that the servers do not see the original IP
       address of the client anymore, as the connection is forwarded through
       sslh.

       For this reason, sslh can be compiled with libwrap to check accesses
       defined in /etc/hosts.allow and /etc/hosts.deny.  Libwrap services can
       be defined using the configuration file.

   Configuration file
       A configuration file can be supplied to sslh. Command line arguments
       override file settings. sslh uses libconfig to parse the configuration
       file, so the general file format is indicated in
       <http://www.hyperrealm.com/libconfig/libconfig_manual.html>.  Please
       refer to the example configuration file provided with sslh for the
       specific format (Options have the same names as on the command line,
       except for the list of listen ports and the list of protocols).

       The configuration file makes it possible to specify protocols using
       regular expressions: a list of regular expressions is given as the
       regex_patterns parameter, and if the first packet received from the
       client matches any of these expressions, sslh connects to that
       protocol.

57   Probing protocols
       When receiving an incoming connection, sslh will read the first bytes
       sent by the connecting client. It will then probe for the protocol in
       the order specified on the command line (or the configuration file).
       Therefore --anyprot should always be used last, as it always succeeds
       and further protocols will never be tried.

       If no data is sent by the client, sslh will eventually time out and
       connect to the protocol specified with --on-timeout, or ssh if none is
       specified.

   Logging
       As a security/authorization program, sslh logs to the LOG_AUTH
       facility, with priority LOG_INFO for normal connections and LOG_ERR for
       failures.

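       The following Python model illustrates the probe order and timeout rules
       above, together with a regex_patterns protocol entry as described under
       "Configuration file". It is an added example, not sslh's own source: the
       probe byte patterns are simplified, and the protocol list, the "myproto"
       name, the "^FOO " pattern and all function names are assumptions made
       for the illustration.

```python
import re
from typing import Callable, List, Optional, Tuple
Probe = Callable[[bytes], bool]

# Probes modelled on the man page's description (added example, not sslh's source);
# each looks only at the first packet the client sent.
def probe_ssh(data: bytes) -> bool:
    return data.startswith(b"SSH-")           # SSH identification string

def probe_tls(data: bytes) -> bool:
    # SSLv3/TLS record header: type 0x16 (handshake), version major 3.
    # An SSLv2 ClientHello (0x80 length byte, msg type 0x01) does not match, so
    # it falls through to later probes rather than reaching the TLS backend.
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03

def probe_http(data: bytes) -> bool:
    methods = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
    return data.startswith(methods)

def probe_anyprot(data: bytes) -> bool:
    return True                               # always succeeds: must be listed last

def regex_probe(patterns: List[bytes]) -> Probe:
    # Equivalent of a protocol entry carrying regex_patterns in the config file.
    compiled = [re.compile(p) for p in patterns]
    return lambda data: any(c.search(data) for c in compiled)

def choose_protocol(first_packet: Optional[bytes],
                    protocols: List[Tuple[str, Probe]],
                    on_timeout: Optional[str] = None) -> str:
    """Pick the target the way the man page describes; first_packet is None
    when the client sent nothing before the --timeout period expired."""
    names = [name for name, _ in protocols]
    if first_packet is None:                  # timed out: --on-timeout, else first protocol
        return on_timeout if on_timeout in names else names[0]
    for name, probe in protocols:             # probes run in the listed order
        if probe(first_packet):
            return name
    return names[0]                           # nothing matched, no anyprot: first protocol

def unreachable_protocols(protocols: List[Tuple[str, Probe]]) -> List[str]:
    """Names listed after anyprot, which sslh can never reach."""
    names = [name for name, _ in protocols]
    return names[names.index("anyprot") + 1:] if "anyprot" in names else []

# Constructed protocol list in command-line order: --ssh --tls --http <regex> --anyprot
PROTOCOLS: List[Tuple[str, Probe]] = [
    ("ssh", probe_ssh), ("tls", probe_tls), ("http", probe_http),
    ("myproto", regex_probe([rb"^FOO "])), ("anyprot", probe_anyprot),
]
```

       Moving anyprot to the front of the list makes every connection land on
       it, which is the misconfiguration the ordering rule above warns about.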

OPTIONS

       -Ffilename, --config filename
           Uses filename as configuration file. If other command-line options
           are specified, they will override the configuration file's
           settings.

           When using the shorthand version, make sure there is no space
           between -F and the filename.

       -t num, --timeout num
           Timeout before forwarding the connection to the timeout protocol
           (which should usually be SSH). Default is 2s.

       --on-timeout protocol name
           Name of the protocol to connect to after the timeout period is
           over. Default is to forward to the first specified protocol. It
           usually makes sense to specify 'ssh' as the timeout protocol, as
           the SSH specification does not say who is supposed to speak first
           and a large number of SSH clients wait for the server to send its
           banner.

       --transparent
           Makes sslh behave as a transparent proxy, i.e. the receiving
           service sees the original client's IP address.  This works on Linux
           only and involves iptables settings.  Refer to the README for more
           information.

       -p listening address, --listen listening address
           Interface and port on which to listen, e.g. foobar:443, where
           foobar is the name of an interface (typically the IP address on
           which the Internet connection ends up).

           This can be specified several times to bind sslh to several
           addresses.

       --ssl target address
       --tls target address
           Interface and port on which to forward SSL connections, typically
           localhost:443.

           Note that you can set sslh to listen on ext_ip:443 and httpd to
           listen on localhost:443: this allows clients inside your network to
           just connect directly to httpd.

           Also, sslh probes for SSLv3 (or TLSv1) handshake and will reject
           connections from clients requesting SSLv2. This is compliant with
           RFC6176 which prohibits the usage of SSLv2. If you wish to accept
           SSLv2, use --default instead.

       --ssh target address
           Interface and port on which to forward SSH connections, typically
           localhost:22.

       --openvpn target address
           Interface and port on which to forward OpenVPN connections,
           typically localhost:1194.

       --xmpp target address
           Interface and port on which to forward XMPP connections, typically
           localhost:5222.

       --http target address
           Interface and port on which to forward HTTP connections, typically
           localhost:80.

       --tinc target address
           Interface and port on which to forward tinc connections, typically
           localhost:655.

           This is experimental. If you use this feature, please report the
           results (even if it works!)

       --anyprot target address
           Interface and port on which to forward if no other protocol has
           been found. Because sslh tries protocols in the order specified on
           the command line, this should be specified last. If no default is
           specified, sslh will forward unknown protocols to the first
           protocol specified.

       -v, --verbose
           Increases verbosity.

       -n, --numeric
           Do not attempt to resolve hostnames: logs will contain IP
           addresses. This is mostly useful if the system's DNS is slow and
           you are running the sslh-select variant, as DNS requests will hang
           all connections.

       -V  Prints sslh version.

       -u username, --user username
           Runs under the specified username.

       -C chroot, --chroot chroot
           Runs inside the specified chroot directory.

       -P pidfile, --pidfile pidfile
           Specifies a file in which to write the PID of the main server.

       -i, --inetd
           Runs as an inetd server. Options -P (PID file), -p (listen
           address), -u (user) are ignored.

       -f, --foreground
           Runs in foreground. The server will not fork and will remain
           connected to the terminal. Messages normally sent to syslog will
           also be sent to stderr.

       --background
           Runs in background. This overrides foreground if set in the
           configuration file (or on the command line, but there is no point
           setting both on the command line unless you have a personality
           disorder).


FILES

       /usr/lib/systemd/system/sslh.service
           Systemd unit to control the daemon.

       /etc/sysconfig/sslh
           Server configuration. These are environment variables loaded by the
           start-up script and passed to sslh as command-line arguments. Refer
           to the OPTIONS section for a detailed explanation of the variables
           used by sslh.


SEE ALSO

       The latest version is available from
       <http://www.rutschle.net/tech/sslh>, and can be tracked from
       <http://freecode.com/projects/sslh>.


AUTHOR

       Written by Yves Rutschle.



1.20                              2019-08-12                           SSLH(8)