1SSLH(8) SSLH(8)
2
3
4
6 sslh - protocol demultiplexer
7
9 sslh [-Fconfig file] [-t num] [--transparent] [-p listening address [-p
10 listening address ...] [--ssl target address for SSL] [--tls target
11 address for TLS] [--ssh target address for SSH] [--openvpn target
12 address for OpenVPN] [--http target address for HTTP] [--xmpp target
13 address for XMPP] [--tinc target address for TINC] [--anyprot default
14 target address] [--on-timeout protocol name] [-u username] [-C chroot]
15 [-P pidfile] [-v] [-i] [-V] [-f] [-n]
16
18 sslh accepts connections on specified ports, and forwards them further
19 based on tests performed on the first data packet sent by the remote
20 client.
21
22 Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are implemented, and any
23 other protocol that can be tested using a regular expression, can be
24 recognised. A typical use case is to allow serving several services on
25 port 443 (e.g. to connect to ssh from inside a corporate firewall,
26 which almost never block port 443) while still serving HTTPS on that
27 port.
28
29 Hence sslh acts as a protocol demultiplexer, or a switchboard. Its name
30 comes from its original function to serve SSH and HTTPS on the same
31 port.
32
33 Libwrap support
34 One drawback of sslh is that the servers do not see the original IP
35 address of the client anymore, as the connection is forwarded through
36 sslh.
37
38 For this reason, sslh can be compiled with libwrap to check accesses
39 defined in /etc/hosts.allow and /etc/hosts.deny. Libwrap services can
40 be defined using the configuration file.
41
42 Configuration file
43 A configuration file can be supplied to sslh. Command line arguments
44 override file settings. sslh uses libconfig to parse the configuration
45 file, so the general file format is indicated in
46 <http://www.hyperrealm.com/libconfig/libconfig_manual.html>. Please
47 refer to the example configuration file provided with sslh for the
48 specific format (Options have the same names as on the command line,
49 except for the list of listen ports and the list of protocols).
50
51 The configuration file makes it possible to specify protocols using
52 regular expressions: a list of regular expressions is given as the
53 regex_patterns parameter, and if the first packet received from the
54 client matches any of these expressions, sslh connects to that
55 protocol.
56
57 Probing protocols
58 When receiving an incoming connection, sslh will read the first bytes
59 sent by the connecting client. It will then probe for the protocol in
60 the order specified on the command line (or the configuration file).
61 Therefore --anyprot should alway be used last, as it always succeeds
62 and further protocols will never be tried.
63
64 If no data is sent by the client, sslh will eventually time out and
65 connect to the protocol specified with --on-timeout, or ssh if none is
66 specified.
67
68 Logging
69 As a security/authorization program, sslh logs to the LOG_AUTH
70 facility, with priority LOG_INFO for normal connections and LOG_ERR for
71 failures.
72
74 -Ffilename, --config filename
75 Uses filename as configuration file. If other command-line options
76 are specified, they will override the configuration file's
77 settings.
78
79 When using the shorthand version, make sure there should be no
80 space between -F and the filename.
81
82 -t num, --timeout num
83 Timeout before forwarding the connection to the timeout protocol
84 (which should usually be SSH). Default is 2s.
85
86 --on-timeout protocol name
87 Name of the protocol to connect to after the timeout period is
88 over. Default is 'ssh'.
89
90 --transparent
91 Makes sslh behave as a transparent proxy, i.e. the receiving
92 service sees the original client's IP address. This works on Linux
93 only and involves iptables settings. Refer to the README for more
94 information.
95
96 -p listening address, --listen listening address
97 Interface and port on which to listen, e.g. foobar:443, where
98 foobar is the name of an interface (typically the IP address on
99 which the Internet connection ends up).
100
101 This can be specified several times to bind sslh to several
102 addresses.
103
104 --ssl target address
105 --tls target address
106 Interface and port on which to forward SSL connection, typically
107 localhost:443.
108
109 Note that you can set sslh to listen on ext_ip:443 and httpd to
110 listen on localhost:443: this allows clients inside your network to
111 just connect directly to httpd.
112
113 Also, sslh probes for SSLv3 (or TLSv1) handshake and will reject
114 connections from clients requesting SSLv2. This is compliant with
115 RFC6176 which prohibits the usage of SSLv2. If you wish to accept
116 SSLv2, use --default instead.
117
118 --ssh target address
119 Interface and port on which to forward SSH connections, typically
120 localhost:22.
121
122 --openvpn target address
123 Interface and port on which to forward OpenVPN connections,
124 typically localhost:1194.
125
126 --xmpp target address
127 Interface and port on which to forward XMPP connections, typically
128 localhost:5222.
129
130 --http target address
131 Interface and port on which to forward HTTP connections, typically
132 localhost:80.
133
134 --tinc target address
135 Interface and port on which to forward tinc connections, typically
136 localhost:655.
137
138 This is experimental. If you use this feature, please report the
139 results (even if it works!)
140
141 --anyprot target address
142 Interface and port on which to forward if no other protocol has
143 been found. Because sslh tries protocols in the order specified on
144 the command line, this should be specified last. If no default is
145 specified, sslh will forward unknown protocols to the first
146 protocol specified.
147
148 -v, --verbose
149 Increase verboseness.
150
151 -n, --numeric
152 Do not attempt to resolve hostnames: logs will contain IP
153 addresses. This is mostly useful if the system's DNS is slow and
154 running the sslh-select variant, as DNS requests will hang all
155 connections.
156
157 -V Prints sslh version.
158
159 -u username, --user username
160 Requires to run under the specified username.
161
162 -C chroot, --chroot chroot
163 Requires to run under the specified chroot.
164
165 -P pidfile, --pidfile pidfile
166 Specifies a file in which to write the PID of the main server.
167
168 -i, --inetd
169 Runs as an inetd server. Options -P (PID file), -p (listen
170 address), -u (user) are ignored.
171
172 -f, --foreground
173 Runs in foreground. The server will not fork and will remain
174 connected to the terminal. Messages normally sent to syslog will
175 also be sent to stderr.
176
177 --background
178 Runs in background. This overrides foreground if set in the
179 configuration file (or on the command line, but there is no point
180 setting both on the command line unless you have a personality
181 disorder).
182
184 /usr/lib/systemd/system/sslh.service
185 Systemd unit to control the daemon.
186
187 /etc/sysconfig/sslh
188 Server configuration. These are environment variables loaded by the
189 start-up script and passed to sslh as command-line arguments. Refer
190 to the OPTIONS section for a detailed explanation of the variables
191 used by sslh.
192
194 The latest version is available from
195 <http://www.rutschle.net/tech/sslh>, and can be tracked from
196 <http://freecode.com/projects/sslh>.
197
199 Written by Yves Rutschle.
200
201
202
2031.19c 2019-02-03 SSLH(8)