{"id":13499422,"url":"https://github.com/stealth/sshttp","last_synced_at":"2025-04-13T02:19:41.024Z","repository":{"id":142556640,"uuid":"2946575","full_name":"stealth/sshttp","owner":"stealth","description":"SSH/HTTP(S) multiplexer. Run a webserver and a sshd on the same port w/o changes.","archived":false,"fork":false,"pushed_at":"2023-06-22T13:49:06.000Z","size":114,"stargazers_count":875,"open_issues_count":2,"forks_count":90,"subscribers_count":40,"default_branch":"master","last_synced_at":"2025-04-04T04:11:33.853Z","etag":null,"topics":["http","https","ipv6","ssh","ssh-traffic","sshttp","tls"],"latest_commit_sha":null,"homepage":"http://c-skills.blogspot.com","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stealth.png","metadata":{"files":{"readme":"README.md","changelog":"Changelog","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2011-12-09T10:20:31.000Z","updated_at":"2025-04-01T17:51:07.000Z","dependencies_parsed_at":"2024-01-06T22:57:19.444Z","dependency_job_id":"e34ef812-ce23-43d1-b7b3-5600920979a6","html_url":"https://github.com/stealth/sshttp","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stealth%2Fsshttp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stealth%2Fsshttp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stealth%2Fsshttp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stealth%2Fsshttp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stealth","download_url
":"https://codeload.github.com/stealth/sshttp/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248654399,"owners_count":21140291,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["http","https","ipv6","ssh","ssh-traffic","sshttp","tls"],"created_at":"2024-07-31T22:00:33.029Z","updated_at":"2025-04-13T02:19:41.002Z","avatar_url":"https://github.com/stealth.png","language":"C++","readme":"sshttp - hiding SSH servers behind HTTP\n=======================================\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"https://github.com/stealth/sshttp/blob/master/sshttp.jpg\" /\u003e\n\u003c/p\u003e\n\n## 0. Intro\n\nIn case your FW policy forbids __SSH__ access to the DMZ or internal\nnetwork from outside, but you still want to use ssh on machines\nwhich only have one open port, e.g. __HTTP__, you can use `sshttpd`.\n\n_sshttpd_ can multiplex the following protocol pairs:\n\n* SSH/HTTP\n* SSH/HTTPS\n* SSH/SMTP (without SMTP multiline banners)\n* HTTPS SNI multiplexing\n* SSH/HTTPS with SNI multiplexing\n\n\n## 1. Build\n\nBe sure you run a recent Linux kernel and install `nf-conntrack` as well\nas `libcap` and `libcap-devel` if you want to use the capability feature.\nOn older systems the nf-conntrack module is named nf-conntrack-ipv4.\n\nInside the `src` dir:\n```\n$ make\n```\n\nThere is a new `splice` branch in the git repository. Run `git checkout splice`\nbefore `make` if you want to test this new branch. 
It implements\nzero-copy in terms of the __splice(2)__ system call, which has a performance\nbenefit since it avoids copying the network data back and forth between user and kernel\nland (__read()/write()__); the data can instead be spliced kernel-internally\nat the \"extra cost\" of two additional pipe descriptors per connection.\n\n*proudly sponsored by:*\n\u003cp align=\"center\"\u003e\n\u003ca href=\"https://github.com/c-skills/welcome\"\u003e\n\u003cimg src=\"https://github.com/c-skills/welcome/blob/master/logo.jpg\"/\u003e\n\u003c/a\u003e\n\u003c/p\u003e\n\n## 2. Setup for single host\n\nThis paragraph describes the setup where all services run on the same host\nas _sshttpd_ itself. The muxing happens on the same IP/IPv6 address that\nthe outside connections arrive at, so basically only the ports change per\ndetected service.\n\n_sshttpd_ is an easy-to-use OSI-Layer5 switching daemon. It runs\ntransparently on the __HTTP(S)__ port (`-L` switch, default 80) and decides\non incoming connections whether this is __SSH__ or __HTTP(S)__ traffic.\nIf it's __HTTP(S)__ traffic, it switches the traffic to the `HTTP_PORT`\n(`-H`, default 8080), and if it's __SSH__ traffic, to the `SSH_PORT` (`-S`, default\n22).\n\nAfter the build it is time to pick the right netfilter script for setting up the fw rules.\nIn the `iptables` directory you will find the old style *iptables* version and in `nft`\nthe new version for *nft* (but currently only using the compat layer).\n\nYou need to edit the `nf-setup` script (`nf6-setup` if using IPv6) to match your network device and `$PORTS` (`22` and `8080`\nare just fine for the SSH/HTTP case) and run it to install the proxy rules.\nYour _sshd_ has to run on `$SSH_PORT` and your webserver on `$HTTP_PORT`.\nThat's basically it. 
Go ahead and run _sshttpd_ (as root) and it will layer5-switch\nyour traffic destined to TCP port 80:\n\n**_Take care when running nf-setup on a remote host in an SSH session - it will firewall port 22_**\n\n```\n# ./nf-setup\nUsing network device eth0\nSetting up port 22 ...\nSetting up port 8080 ...\n# ./sshttpd -S 22 -L 80 -H 8080 -U nobody -R /var/empty\nsshttpd: Using HTTP_PORT=8080 SSH_PORT=22 and local port=80. Going background. Using caps/chroot.\n#\n```\n\nIf you want to mux __SMTP__ with _sshttpd_, just give `25` as the `-L` parameter, `2525`\nas the `-H` parameter, and set up your SMTP daemon to listen on 2525. Then\nedit the `nf-setup` script to match these ports. In the `Makefile`, change the\n`SMTP_DOMAIN` and `SSH_BANNER` to your needs (`SSH_BANNER` must exactly match\nthe banner of the running _sshd_).\nSMTP/SSH muxing was tested with the OpenSSH client and the Postfix client and server.\n\nWhen muxing IPv6 connections, the setup is basically the same; just use the `nf6-setup`\nscript and invoke _sshttpd_ with `-6`.\n\n\n## 3. Transparent proxy setup\n\nYou can also run _sshttpd_ on your gateway machine and transparently proxy/mux\nall of your __HTTP(S)/SSH__ traffic to your internal LAN. To do so, run _sshttpd_ with\n`-T` and use `nf-tproxy` rather than `nf-setup` as a template for your FW setup.\nCarefully read `nf-tproxy` so that you don't lock yourself out of the network and so that all\nthe network devices and IP addresses match your setup.\n\n## 4. SNI Mux\n\nWith _sshttpd_ you can also mux based on the HTTPS SNI. Just set up your\n`nf-setup` to contain the SNI ports (there are already samples) and invoke\n_sshttpd_ with `-N name:port`, e.g. 
`sshttpd -S 22 -H 4433 -L 443 -N drops.v2:7350`\nto hide an sshd on port 22 and a [drops setup](https://github.com/stealth/drops) on port 7350 behind port 443, while at the same time serving\nyour webserver from port 4433 so that it is visible to the outside on port 443.\nThis works because _drops_ sets the SNI of `drops.v2` in outgoing connections.\nMultiple `-N` switches are allowed, so you can mux a lot of services\nvia SNI. The ports/services must all run on the same machine the original request\nwas destined to. If you just want to mux based on SNI, you can set the SSH port to 0 via `-S 0`.\n\n## 5. Misc\n\nYou don't need to patch any of your ssh/web/smtp client or server software. It\nworks as is. _sshttpd_ runs only on Linux and needs `IP_TRANSPARENT` support.\nIt would work without it, but by using `IP_TRANSPARENT` it is possible to even\nhave unmodified syslogs, i.e. the original source IP/port of incoming connections\nis passed as-is to the SSH/HTTP/SMTP servers.\n\nMake sure the `nf_conntrack` and `nf_conntrack_ipv4` or `nf_conntrack_ipv6` modules are loaded.\n_sshttpd_ is also a tricky anti-SSH-0day (if ever :) and anti-SSH-scanning/bruteforcing\nmeasure.\n_sshttpd_ has a small footprint and was optimized for speed, so it also runs\non heavily loaded web servers.\n\n\nSince version 0.24, _sshttpd_ also supports multiple CPU cores. Unless\n`-n 1` is given as a switch, _sshttpd_ binds one thread per CPU core,\nto better exploit the hardware if running on heavily used web servers.\nIt still runs this fixed number of threads no matter how many thousands of connections\nit handles at the same time.\n_sshttpd_ runs as the `nobody` user inside a `chroot()` (configurable via the `-U` and `-R` switches)\nif compiled with `USE_CAPS`. 
It can also distinguish between __SSH__ and __SSL__\nsessions; you just have to use a `LOCAL_PORT` (`-L`) of 443 or 4433 and change\nthe `HTTP_PORT` in the `nf-setup` script to match your webserver's __HTTPS__ port.\nYou cannot mix HTTP/SSH and HTTPS/SSH in one _sshttpd_ instance, but you can\nrun two _sshttpd_ instances to reach that goal: one on `LOCAL_PORT 80` and one on\n`LOCAL_PORT 443`.\n\n\n## 6. Alternative documentation\n\nAs of 2017 it seems you have to provide alternative facts for everything,\nso here are some good write-ups from other people for better understanding or in case my\ndescription was too brief:\n\n* [by stalkr](http://blog.stalkr.net/2012/02/sshhttps-multiplexing-with-sshttp.html)\n* [by Will Rouesnel](http://blog.wrouesnel.com/articles/Setting%20up%20sshttp/)\n* [by Yves](http://yalis.fr/cms/index.php/post/2014/02/22/Multiplex-SSH-and-HTTPS-on-a-single-port)\n\n","funding_links":[],"categories":["Apps","C++ (70)","C++","\u003ca id=\"dd2b52e59921ad730fceac252d99dd77\"\u003e\u003c/a\u003eMultiplexer"],"sub_categories":["Network"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstealth%2Fsshttp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstealth%2Fsshttp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstealth%2Fsshttp/lists"}