SSLH(8)                                                                SSLH(8)

NAME
       sslh - protocol demultiplexer

SYNOPSIS
       sslh [-Fconfig file] [-t num] [--transparent] [-p listening address
       [-p listening address ...]] [--ssl target address for SSL] [--tls
       target address for TLS] [--ssh target address for SSH] [--openvpn
       target address for OpenVPN] [--http target address for HTTP] [--xmpp
       target address for XMPP] [--tinc target address for TINC] [--anyprot
       default target address] [--on-timeout protocol name] [-u username]
       [-C chroot] [-P pidfile] [-v] [-i] [-V] [-f] [-n]

DESCRIPTION
       sslh accepts connections on specified ports, and forwards them further
       based on tests performed on the first data packet sent by the remote
       client.

       Probes for HTTP, SSL, SSH, OpenVPN, tinc and XMPP are implemented, and
       any other protocol that can be tested using a regular expression can
       be recognised. A typical use case is to allow serving several services
       on port 443 (e.g. to connect to ssh from inside a corporate firewall,
       which almost never blocks port 443) while still serving HTTPS on that
       port.

       Hence sslh acts as a protocol demultiplexer, or a switchboard. Its name
       comes from its original function of serving SSH and HTTPS on the same
       port.

   Libwrap support
       One drawback of sslh is that the servers no longer see the original IP
       address of the client, as the connection is forwarded through sslh.

       For this reason, sslh can be compiled with libwrap to check accesses
       defined in /etc/hosts.allow and /etc/hosts.deny. Libwrap services can
       be defined using the configuration file.

   Configuration file
       A configuration file can be supplied to sslh. Command line arguments
       override file settings. sslh uses libconfig to parse the configuration
       file, so the general file format is described in
       <http://www.hyperrealm.com/libconfig/libconfig_manual.html>. Please
       refer to the example configuration file provided with sslh for the
       specific format (options have the same names as on the command line,
       except for the list of listen ports and the list of protocols).

       The configuration file makes it possible to specify protocols using
       regular expressions: a list of regular expressions is given as the
       regex_patterns parameter, and if the first packet received from the
       client matches any of these expressions, sslh connects to that
       protocol.

   Probing protocols
       When receiving an incoming connection, sslh reads the first bytes sent
       by the connecting client. It then probes for the protocol in the order
       specified on the command line (or in the configuration file).
       Therefore --anyprot should always be used last, as it always succeeds
       and further protocols will never be tried.

       If no data is sent by the client, sslh will eventually time out and
       connect to the protocol specified with --on-timeout, or ssh if none is
       specified.
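The probing order and timeout rules described above, together with the regex_patterns mechanism from the "Configuration file" section, as a small Python model added here (this is not sslh's own code). The probes are simplified re-implementations, the targets and first packets are constructed, and the "hello" protocol and its regular expression are hypothetical.

```python
import re

# Simplified re-implementations of a few of sslh's probes, written for this
# illustration; they are not sslh's own probe code.
def probe_ssh(data):
    return data.startswith(b"SSH-")  # SSH clients that do speak first send a banner

def probe_tls(data):
    # SSLv3/TLS record header: type 0x16 (handshake), major version 3.  An SSLv2
    # ClientHello has its high bit set, so it fails here (RFC 6176: no SSLv2).
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03

def probe_regex(patterns):
    # Equivalent of a protocol entry carrying "regex_patterns" in the config file.
    compiled = [re.compile(p) for p in patterns]
    return lambda data: any(c.search(data) for c in compiled)

def probe_anyprot(data):
    return True  # always succeeds, so it must be listed last

def demultiplex(first_bytes, protocols, on_timeout=None):
    """Target address sslh would forward to.  protocols is the ordered list of
    (name, probe, target) from the command line or config file; first_bytes
    is None when the client sent nothing before --timeout expired."""
    if first_bytes is None:
        # Silent client (typical for SSH, whose clients wait for the server
        # banner): forward to --on-timeout, or to the first protocol if unset.
        wanted = on_timeout or protocols[0][0]
        return next(target for name, _, target in protocols if name == wanted)
    for _, probe, target in protocols:
        if probe(first_bytes):
            return target
    return protocols[0][2]  # nothing matched and no anyprot: first protocol

# Constructed configuration with hypothetical targets; anyprot deliberately last.
PROTOCOLS = [
    ("ssh", probe_ssh, "localhost:22"),
    ("tls", probe_tls, "localhost:443"),
    ("hello", probe_regex([rb"^HELLO "]), "localhost:9000"),
    ("anyprot", probe_anyprot, "localhost:4443"),
]
# Constructed first packets; the SSLv2 ClientHello is deliberately not TLS.
SAMPLES = {
    "ssh": b"SSH-2.0-OpenSSH_9.6\r\n",
    "tls": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
    "sslv2": b"\x80\x2e\x01\x00\x02\x00\x15\x00\x00\x00\x10",
    "hello": b"HELLO from-a-custom-client\n",
}
```

Moving the anyprot entry to the front of PROTOCOLS sends every sample, including the SSH banner, to the anyprot target, which is why the man page insists on listing it last.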

   Logging
       As a security/authorization program, sslh logs to the LOG_AUTH
       facility, with priority LOG_INFO for normal connections and LOG_ERR for
       failures.

OPTIONS
       -Ffilename, --config filename
              Uses filename as the configuration file. If other command-line
              options are specified, they override the configuration file's
              settings.

       -t num, --timeout num
              Timeout before forwarding the connection to the timeout protocol
              (which should usually be SSH). Default is 2s.

       --on-timeout protocol name
              Name of the protocol to connect to after the timeout period is
              over. Default is to forward to the first specified protocol. It
              usually makes sense to specify 'ssh' as the timeout protocol, as
              the SSH specification does not say who is supposed to speak
              first, and a large number of SSH clients wait for the server to
              send its banner.

       --transparent
              Makes sslh behave as a transparent proxy, i.e. the receiving
              service sees the original client's IP address. This works on
              Linux only and involves iptables settings. Refer to the README
              for more information.

       -p listening address, --listen listening address
              Interface and port on which to listen, e.g. foobar:443, where
              foobar is the name of an interface (typically the IP address on
              which the Internet connection ends up).

              This can be specified several times to bind sslh to several
              addresses.

       --ssl target address
       --tls target address
              Interface and port on which to forward SSL connections,
              typically localhost:443.

              Note that you can set sslh to listen on ext_ip:443 and httpd to
              listen on localhost:443: this allows clients inside your network
              to connect directly to httpd.

              Also, sslh probes for an SSLv3 (or TLSv1) handshake and will
              reject connections from clients requesting SSLv2. This is
              compliant with RFC6176, which prohibits the use of SSLv2. If you
              wish to accept SSLv2, use --anyprot instead.

       --ssh target address
              Interface and port on which to forward SSH connections,
              typically localhost:22.

       --openvpn target address
              Interface and port on which to forward OpenVPN connections,
              typically localhost:1194.

       --xmpp target address
              Interface and port on which to forward XMPP connections,
              typically localhost:5222.

       --http target address
              Interface and port on which to forward HTTP connections,
              typically localhost:80.

       --tinc target address
              Interface and port on which to forward tinc connections,
              typically localhost:655.

              This is experimental. If you use this feature, please report the
              results (even if it works!)

       --anyprot target address
              Interface and port on which to forward if no other protocol has
              been found. Because sslh tries protocols in the order specified
              on the command line, this should be specified last. If no
              default is specified, sslh will forward unknown protocols to the
              first protocol specified.

       -v, --verbose
              Increase verbosity.

       -n, --numeric
              Do not attempt to resolve hostnames: logs will contain IP
              addresses. This is mostly useful if the system's DNS is slow and
              you are running the sslh-select variant, as DNS requests will
              hang all connections.

       -V     Prints the sslh version.

       -u username, --user username
              Runs under the specified username.

       -C chroot, --chroot chroot
              Runs under the specified chroot.

       -P pidfile, --pidfile pidfile
              Specifies a file in which to write the PID of the main server.

       -i, --inetd
              Runs as an inetd server. Options -P (PID file), -p (listen
              address) and -u (user) are ignored.

       -f, --foreground
              Runs in the foreground. The server will not fork and will remain
              connected to the terminal. Messages normally sent to syslog will
              also be sent to stderr.

       --background
              Runs in the background. This overrides foreground if set in the
              configuration file (or on the command line, but there is no
              point setting both on the command line unless you have a
              personality disorder).

FILES
       /usr/lib/systemd/system/sslh.service
              Systemd unit to control the daemon.

       /etc/sysconfig/sslh
              Server configuration. These are environment variables loaded by
              the start-up script and passed to sslh as command-line
              arguments. Refer to the OPTIONS section for a detailed
              explanation of the variables used by sslh.

SEE ALSO
       The latest version is available from
       <http://www.rutschle.net/tech/sslh>, and can be tracked from
       <http://freecode.com/projects/sslh>.

AUTHOR
       Written by Yves Rutschle.

1.21c                             2022-01-22                           SSLH(8)