1SSLH(8)                                                                SSLH(8)
2
3
4

NAME

6        sslh - protocol demultiplexer
7

SYNOPSIS

9       sslh [-Fconfig file] [-t num] [--transparent] [-p listening address [-p
10       listening address ...] [--ssl target address for SSL] [--tls target
11       address for TLS] [--ssh target address for SSH] [--openvpn target
12       address for OpenVPN] [--http target address for HTTP] [--xmpp target
13       address for XMPP] [--tinc target address for TINC] [--anyprot default
14       target address] [--on-timeout protocol name] [-u username] [-C chroot]
15       [-P pidfile] [-v] [-i] [-V] [-f] [-n]
16

DESCRIPTION

18       sslh accepts connections on specified ports, and forwards them further
19       based on tests performed on the first data packet sent by the remote
20       client.
21
22       Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are implemented, and any
23       other protocol that can be tested using a regular expression, can be
24       recognised. A typical use case is to allow serving several services on
25       port 443 (e.g. to connect to ssh from inside a corporate firewall,
26       which almost never block port 443) while still serving HTTPS on that
27       port.
28
29       Hence sslh acts as a protocol demultiplexer, or a switchboard. Its name
30       comes from its original function to serve SSH and HTTPS on the same
31       port.
32
33   Libwrap support
34       One drawback of sslh is that the servers do not see the original IP
35       address of the client anymore, as the connection is forwarded through
36       sslh.
37
38       For this reason, sslh can be compiled with libwrap to check accesses
39       defined in /etc/hosts.allow and /etc/hosts.deny.  Libwrap services can
40       be defined using the configuration file.
41
42   Configuration file
43       A configuration file can be supplied to sslh. Command line arguments
44       override file settings. sslh uses libconfig to parse the configuration
45       file, so the general file format is indicated in
46       <http://www.hyperrealm.com/libconfig/libconfig_manual.html>.  Please
47       refer to the example configuration file provided with sslh for the
48       specific format (Options have the same names as on the command line,
49       except for the list of listen ports and the list of protocols).
50
51       The configuration file makes it possible to specify protocols using
52       regular expressions: a list of regular expressions is given as the
53       regex_patterns parameter, and if the first packet received from the
54       client matches any of these expressions, sslh connects to that
55       protocol.
56
57   Probing protocols
58       When receiving an incoming connection, sslh will read the first bytes
59       sent by the connecting client. It will then probe for the protocol in
60       the order specified on the command line (or the configuration file).
61       Therefore --anyprot should alway be used last, as it always succeeds
62       and further protocols will never be tried.
63
64       If no data is sent by the client, sslh will eventually time out and
65       connect to the protocol specified with --on-timeout, or ssh if none is
66       specified.
67
68   Logging
69       As a security/authorization program, sslh logs to the LOG_AUTH
70       facility, with priority LOG_INFO for normal connections and LOG_ERR for
71       failures.
72

OPTIONS

74       -Ffilename, --config filename
75           Uses filename as configuration file. If other command-line options
76           are specified, they will override the configuration file's
77           settings.
78
79       -t num, --timeout num
80           Timeout before forwarding the connection to the timeout protocol
81           (which should usually be SSH). Default is 2s.
82
83       --on-timeout protocol name
84           Name of the protocol to connect to after the timeout period is
85           over. Default is to forward to the first specified protocol. It
86           usually makes sense to specify 'ssh' as the timeout protocol, as
87           the SSH specification does not tell who is supposed to speak first
88           and a large number of SSH clients wait for the server to send its
89           banner.
90
91       --transparent
92           Makes sslh behave as a transparent proxy, i.e. the receiving
93           service sees the original client's IP address.  This works on Linux
94           only and involves iptables settings.  Refer to the README for more
95           information.
96
97       -p listening address, --listen listening address
98           Interface and port on which to listen, e.g. foobar:443, where
99           foobar is the name of an interface (typically the IP address on
100           which the Internet connection ends up).
101
102           This can be specified several times to bind sslh to several
103           addresses.
104
105       --ssl target address
106       --tls target address
107           Interface and port on which to forward SSL connection, typically
108           localhost:443.
109
110           Note that you can set sslh to listen on ext_ip:443 and httpd to
111           listen on localhost:443: this allows clients inside your network to
112           just connect directly to httpd.
113
114           Also, sslh probes for SSLv3 (or TLSv1) handshake and will reject
115           connections from clients requesting SSLv2. This is compliant with
116           RFC6176 which prohibits the usage of SSLv2. If you wish to accept
117           SSLv2, use --anyprot instead.
118
119       --ssh target address
120           Interface and port on which to forward SSH connections, typically
121           localhost:22.
122
123       --openvpn target address
124           Interface and port on which to forward OpenVPN connections,
125           typically localhost:1194.
126
127       --xmpp target address
128           Interface and port on which to forward XMPP connections, typically
129           localhost:5222.
130
131       --http target address
132           Interface and port on which to forward HTTP connections, typically
133           localhost:80.
134
135       --tinc target address
136           Interface and port on which to forward tinc connections, typically
137           localhost:655.
138
139           This is experimental. If you use this feature, please report the
140           results (even if it works!)
141
142       --anyprot target address
143           Interface and port on which to forward if no other protocol has
144           been found. Because sslh tries protocols in the order specified on
145           the command line, this should be specified last. If no default is
146           specified, sslh will forward unknown protocols to the first
147           protocol specified.
148
149       -v, --verbose
150           Increase verboseness.
151
152       -n, --numeric
153           Do not attempt to resolve hostnames: logs will contain IP
154           addresses. This is mostly useful if the system's DNS is slow and
155           running the sslh-select variant, as DNS requests will hang all
156           connections.
157
158       -V  Prints sslh version.
159
160       -u username, --user username
161           Requires to run under the specified username.
162
163       -C chroot, --chroot chroot
164           Requires to run under the specified chroot.
165
166       -P pidfile, --pidfile pidfile
167           Specifies a file in which to write the PID of the main server.
168
169       -i, --inetd
170           Runs as an inetd server. Options -P (PID file), -p (listen
171           address), -u (user) are ignored.
172
173       -f, --foreground
174           Runs in foreground. The server will not fork and will remain
175           connected to the terminal. Messages normally sent to syslog will
176           also be sent to stderr.
177
178       --background
179           Runs in background. This overrides foreground if set in the
180           configuration file (or on the command line, but there is no point
181           setting both on the command line unless you have a personality
182           disorder).
183

FILES

185       /usr/lib/systemd/system/sslh.service
186           Systemd unit to control the daemon.
187
188       /etc/sysconfig/sslh
189           Server configuration. These are environment variables loaded by the
190           start-up script and passed to sslh as command-line arguments. Refer
191           to the OPTIONS section for a detailed explanation of the variables
192           used by sslh.
193

SEE ALSO

195       The latest version is available from
196       <http://www.rutschle.net/tech/sslh>, and can be tracked from
197       <http://freecode.com/projects/sslh>.
198

AUTHOR

200       Written by Yves Rutschle.
201
202
203
2041.21c                             2021-02-08                           SSLH(8)
Impressum