1SSLH(8) SSLH(8)
2
3
4
6 sslh - protocol demultiplexer
7
9 sslh [-Fconfig file] [-t num] [--transparent] [-p listening address [-p
10 listening address ...] [--ssl target address for SSL] [--tls target
11 address for TLS] [--ssh target address for SSH] [--openvpn target
12 address for OpenVPN] [--http target address for HTTP] [--xmpp target
13 address for XMPP] [--tinc target address for TINC] [--anyprot default
14 target address] [--on-timeout protocol name] [-u username] [-C chroot]
15 [-P pidfile] [-v] [-i] [-V] [-f] [-n]
16
18 sslh accepts connections on specified ports, and forwards them further
19 based on tests performed on the first data packet sent by the remote
20 client.
21
22 Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are implemented, and any
23 other protocol that can be tested using a regular expression, can be
24 recognised. A typical use case is to allow serving several services on
25 port 443 (e.g. to connect to ssh from inside a corporate firewall,
26 which almost never block port 443) while still serving HTTPS on that
27 port.
28
29 Hence sslh acts as a protocol demultiplexer, or a switchboard. Its name
30 comes from its original function to serve SSH and HTTPS on the same
31 port.
32
33 Libwrap support
34 One drawback of sslh is that the servers do not see the original IP
35 address of the client anymore, as the connection is forwarded through
36 sslh.
37
38 For this reason, sslh can be compiled with libwrap to check accesses
39 defined in /etc/hosts.allow and /etc/hosts.deny. Libwrap services can
40 be defined using the configuration file.
41
42 Configuration file
43 A configuration file can be supplied to sslh. Command line arguments
44 override file settings. sslh uses libconfig to parse the configuration
45 file, so the general file format is indicated in
46 <http://www.hyperrealm.com/libconfig/libconfig_manual.html>. Please
47 refer to the example configuration file provided with sslh for the
48 specific format (Options have the same names as on the command line,
49 except for the list of listen ports and the list of protocols).
50
51 The configuration file makes it possible to specify protocols using
52 regular expressions: a list of regular expressions is given as the
53 regex_patterns parameter, and if the first packet received from the
54 client matches any of these expressions, sslh connects to that
55 protocol.
56
57 Probing protocols
58 When receiving an incoming connection, sslh will read the first bytes
59 sent by the connecting client. It will then probe for the protocol in
60 the order specified on the command line (or the configuration file).
61 Therefore --anyprot should alway be used last, as it always succeeds
62 and further protocols will never be tried.
63
64 If no data is sent by the client, sslh will eventually time out and
65 connect to the protocol specified with --on-timeout, or ssh if none is
66 specified.
67
68 Logging
69 As a security/authorization program, sslh logs to the LOG_AUTH
70 facility, with priority LOG_INFO for normal connections and LOG_ERR for
71 failures.
72
74 -Ffilename, --config filename
75 Uses filename as configuration file. If other command-line options
76 are specified, they will override the configuration file's
77 settings.
78
79 When using the shorthand version, make sure there should be no
80 space between -F and the filename.
81
82 -t num, --timeout num
83 Timeout before forwarding the connection to the timeout protocol
84 (which should usually be SSH). Default is 2s.
85
86 --on-timeout protocol name
87 Name of the protocol to connect to after the timeout period is
88 over. Default is to forward to the first specified protocol. It
89 usually makes sense to specify 'ssh' as the timeout protocol, as
90 the SSH specification does not tell who is supposed to speak first
91 and a large number of SSH clients wait for the server to send its
92 banner.
93
94 --transparent
95 Makes sslh behave as a transparent proxy, i.e. the receiving
96 service sees the original client's IP address. This works on Linux
97 only and involves iptables settings. Refer to the README for more
98 information.
99
100 -p listening address, --listen listening address
101 Interface and port on which to listen, e.g. foobar:443, where
102 foobar is the name of an interface (typically the IP address on
103 which the Internet connection ends up).
104
105 This can be specified several times to bind sslh to several
106 addresses.
107
108 --ssl target address
109 --tls target address
110 Interface and port on which to forward SSL connection, typically
111 localhost:443.
112
113 Note that you can set sslh to listen on ext_ip:443 and httpd to
114 listen on localhost:443: this allows clients inside your network to
115 just connect directly to httpd.
116
117 Also, sslh probes for SSLv3 (or TLSv1) handshake and will reject
118 connections from clients requesting SSLv2. This is compliant with
119 RFC6176 which prohibits the usage of SSLv2. If you wish to accept
120 SSLv2, use --default instead.
121
122 --ssh target address
123 Interface and port on which to forward SSH connections, typically
124 localhost:22.
125
126 --openvpn target address
127 Interface and port on which to forward OpenVPN connections,
128 typically localhost:1194.
129
130 --xmpp target address
131 Interface and port on which to forward XMPP connections, typically
132 localhost:5222.
133
134 --http target address
135 Interface and port on which to forward HTTP connections, typically
136 localhost:80.
137
138 --tinc target address
139 Interface and port on which to forward tinc connections, typically
140 localhost:655.
141
142 This is experimental. If you use this feature, please report the
143 results (even if it works!)
144
145 --anyprot target address
146 Interface and port on which to forward if no other protocol has
147 been found. Because sslh tries protocols in the order specified on
148 the command line, this should be specified last. If no default is
149 specified, sslh will forward unknown protocols to the first
150 protocol specified.
151
152 -v, --verbose
153 Increase verboseness.
154
155 -n, --numeric
156 Do not attempt to resolve hostnames: logs will contain IP
157 addresses. This is mostly useful if the system's DNS is slow and
158 running the sslh-select variant, as DNS requests will hang all
159 connections.
160
161 -V Prints sslh version.
162
163 -u username, --user username
164 Requires to run under the specified username.
165
166 -C chroot, --chroot chroot
167 Requires to run under the specified chroot.
168
169 -P pidfile, --pidfile pidfile
170 Specifies a file in which to write the PID of the main server.
171
172 -i, --inetd
173 Runs as an inetd server. Options -P (PID file), -p (listen
174 address), -u (user) are ignored.
175
176 -f, --foreground
177 Runs in foreground. The server will not fork and will remain
178 connected to the terminal. Messages normally sent to syslog will
179 also be sent to stderr.
180
181 --background
182 Runs in background. This overrides foreground if set in the
183 configuration file (or on the command line, but there is no point
184 setting both on the command line unless you have a personality
185 disorder).
186
188 /usr/lib/systemd/system/sslh.service
189 Systemd unit to control the daemon.
190
191 /etc/sysconfig/sslh
192 Server configuration. These are environment variables loaded by the
193 start-up script and passed to sslh as command-line arguments. Refer
194 to the OPTIONS section for a detailed explanation of the variables
195 used by sslh.
196
198 The latest version is available from
199 <http://www.rutschle.net/tech/sslh>, and can be tracked from
200 <http://freecode.com/projects/sslh>.
201
203 Written by Yves Rutschle.
204
205
206
2071.20 2019-08-12 SSLH(8)