{"id":13452925,"url":"https://github.com/yrutschle/sslh","last_synced_at":"2025-04-29T14:38:09.051Z","repository":{"id":9447034,"uuid":"11324991","full_name":"yrutschle/sslh","owner":"yrutschle","description":"Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)","archived":false,"fork":false,"pushed_at":"2025-04-08T19:42:13.000Z","size":2253,"stargazers_count":4735,"open_issues_count":45,"forks_count":375,"subscribers_count":92,"default_branch":"master","last_synced_at":"2025-04-10T00:07:05.277Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://www.rutschle.net/tech/sslh/README.html","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/yrutschle.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog","contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2013-07-10T21:25:31.000Z","updated_at":"2025-04-08T19:42:16.000Z","dependencies_parsed_at":"2023-09-24T09:42:31.567Z","dependency_job_id":"7dcce3bf-833a-495a-bdd6-db23f0b448f3","html_url":"https://github.com/yrutschle/sslh","commit_stats":null,"previous_names":[],"tags_count":42,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yrutschle%2Fsslh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yrutschle%2Fsslh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yrutschle%2Fsslh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yrutschle%2Fsslh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/yruts
chle","download_url":"https://codeload.github.com/yrutschle/sslh/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251520212,"owners_count":21602447,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T08:00:28.142Z","updated_at":"2025-04-29T14:38:09.019Z","avatar_url":"https://github.com/yrutschle.png","language":"C","funding_links":[],"categories":["C","\u003ca id=\"1a9934198e37d6d06b881705b863afc8\"\u003e\u003c/a\u003e通信\u0026\u0026代理\u0026\u0026反向代理\u0026\u0026隧道","Apps","\u003ca id=\"dd2b52e59921ad730fceac252d99dd77\"\u003e\u003c/a\u003eMultiplexer","HarmonyOS","others","\u003ca name=\"networking\"\u003e\u003c/a\u003eNetworking"],"sub_categories":["\u003ca id=\"56acb7c49c828d4715dce57410d490d1\"\u003e\u003c/a\u003e未分类-Proxy","Network","Windows Manager"],"readme":"sslh -- A ssl/ssh multiplexer\n=============================\n\n`sslh` accepts connections on specified ports, and forwards\nthem further based on tests performed on the first data\npacket sent by the remote client.\n\nProbes for HTTP, TLS/SSL (including SNI and ALPN), SSH,\nOpenVPN, tinc, XMPP, SOCKS5, are implemented, and any other\nprotocol that can be tested using a regular expression, can\nbe recognised. A typical use case is to allow serving\nseveral services on port 443 (e.g. to connect to SSH from\ninside a corporate firewall, which almost never block port\n443) while still serving HTTPS on that port.\n\nHence `sslh` acts as a protocol demultiplexer, or a\nswitchboard. 
With the SNI and ALPN probe, it makes a good\nfront-end to a virtual host farm hosted behind a single IP\naddress.\n\n`sslh` has the bells and whistles expected from a mature\ndaemon: privilege and capabilities dropping, inetd support,\nsystemd support, transparent proxying, support for HAProxy's\nproxyprotocol, chroot, logging, IPv4 and IPv6, TCP and UDP,\na fork-based model, a select-based model, and yet another based on\nlibev for larger installations.\n\nInstall\n=======\n\nPlease refer to the [install guide](doc/INSTALL.md).\n\n\nConfiguration\n=============\n\nPlease refer to the [configuration guide](doc/config.md).\n\nTransparent proxying\n--------------------\n\nTransparent proxying allows the target server to see the\noriginal client IP address, i.e. `sslh` becomes invisible.\n\nThe same result can be achieved more easily by using\n`proxyprotocol` if the backend server supports it. This is a\nsimple setting to add to the `sslh` protocol configuration,\nusually with an equivalently simple setting to add in\nthe backend server configuration, so try that first.\n\nWith either approach, services behind `sslh` (Apache, `sshd` and so on)\nwill see the external IP and ports as if the external world\nconnected directly to them. This simplifies IP-based access\ncontrol (or makes it possible at all), and makes it possible\nto use IP-based banning tools such as `fail2ban`.\n\nThere are two methods of transparent proxying. One uses additional virtual network\ninterfaces. The principle and basic setup are described\n[here](doc/simple_transparent_proxy.md), with further\nscenarios described [there](doc/scenarios-for-simple-transparent-proxy.md).\n\n\nThe other method uses iptables packet marking features, and is\nhighly dependent on your network environment and\ninfrastructure setup. 
There is no known generic approach,\nand if you do not find directions for your exact setup, you\nwill probably need extensive knowledge of network\nmanagement and iptables setup.\n\nIt is described in its own [document](doc/tproxy.md).\nIn most cases, you will be better off following the first\nmethod.\n\n\nDocker image\n------------\n\nHow to use\n\n---\n\n\n```bash\ndocker run \\\n  --cap-add CAP_NET_RAW \\\n  --cap-add CAP_NET_BIND_SERVICE \\\n  --rm \\\n  -it \\\n  ghcr.io/yrutschle/sslh:latest \\\n  --foreground \\\n  --listen=0.0.0.0:443 \\\n  --ssh=hostname:22 \\\n  --tls=hostname:443\n```\n\ndocker-compose example\n\n```yaml\nversion: \"3\"\n\nservices:\n  sslh:\n    image: ghcr.io/yrutschle/sslh:latest\n    hostname: sslh\n    ports:\n      - 443:443\n    command: --foreground --listen=0.0.0.0:443 --tls=nginx:443 --openvpn=openvpn:1194\n    depends_on:\n      - nginx\n      - openvpn\n\n  nginx:\n    image: nginx\n\n  openvpn:\n    image: openvpn\n```\n\nTransparent mode 1: using sslh container for networking\n\n_Note: For transparent mode to work, the sslh container must be able to reach your services via **localhost**_\n\n```yaml\nversion: \"3\"\n\nservices:\n  sslh:\n    build: https://github.com/yrutschle/sslh.git\n    container_name: sslh\n    environment:\n      - TZ=${TZ}\n    cap_add:\n      - NET_ADMIN\n      - NET_RAW\n      - NET_BIND_SERVICE\n    sysctls:\n      - net.ipv4.conf.default.route_localnet=1\n      - net.ipv4.conf.all.route_localnet=1\n    command: --transparent --foreground --listen=0.0.0.0:443 --tls=localhost:8443 --openvpn=localhost:1194\n    ports:\n      - 443:443 #sslh\n\n      - 80:80 #nginx\n      - 8443:8443 #nginx\n\n      - 1194:1194 #openvpn\n    extra_hosts:\n      - localbox:host-gateway\n    restart: unless-stopped\n\n  nginx:\n    image: nginx:latest\n    .....\n    network_mode: service:sslh #set nginx container to use sslh networking.\n    # ^^^ This is required. 
This makes nginx reachable by sslh via localhost\n  \n  openvpn:\n    image: openvpn:latest\n    .....\n    network_mode: service:sslh #set openvpn container to use sslh networking\n```\n\nTransparent mode 2: using host networking\n\n```yaml\nversion: \"3\"\n\nservices:\n  sslh:\n    build: https://github.com/yrutschle/sslh.git\n    container_name: sslh\n    environment:\n      - TZ=${TZ}\n    cap_add:\n      - NET_ADMIN\n      - NET_RAW\n      - NET_BIND_SERVICE\n    # must be set manually\n    #sysctls:\n    #  - net.ipv4.conf.default.route_localnet=1\n    #  - net.ipv4.conf.all.route_localnet=1\n    command: --transparent --foreground --listen=0.0.0.0:443 --tls=localhost:8443 --openvpn=localhost:1194\n    network_mode: host\n    restart: unless-stopped\n  \n  nginx:\n    image: nginx:latest\n    .....\n    ports:\n      - 8443:8443 # bind to docker host on port 8443\n\n  openvpn:\n    image: openvpn:latest\n    .....\n    ports:\n      - 1194:1194 # bind to docker host on port 1194\n```\n\nComments? Questions?\n====================\n\nYou can subscribe to the `sslh` mailing list here:\n\u003chttps://lists.rutschle.net/mailman/listinfo/sslh\u003e\n\nThis mailing list should be used for discussion, feature\nrequests, and will be the preferred channel for announcements.\n\nOf course, check the [FAQ](doc/FAQ.md) first!\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyrutschle%2Fsslh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyrutschle%2Fsslh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyrutschle%2Fsslh/lists"}
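The README above describes `sslh` as a switchboard that forwards each connection according to tests run on the first data the client sends (SSH banner, HTTP request line, TLS ClientHello with SNI and ALPN, SOCKS5 greeting, and a catch-all). The following is an added example written for this page, not sslh's own code: a small Python re-implementation of that first-packet probing, including a ClientHello parser that recovers SNI and ALPN so a TLS connection can be routed per virtual host. The backend names (`web:8443`, `openvpn:1194`, `localhost:22` and so on), the hostnames and the sample ClientHello are constructed for illustration; the routing table only mirrors the shape of an sslh `protocols` list and is not read from a real configuration.

```python
# Added example, not sslh's own code: a minimal re-implementation of the
# first-packet probing that sslh performs. Backend names, hostnames and the
# sample ClientHello below are constructed for illustration.
import re
import struct

HTTP_RE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT|PATCH|TRACE) \S+ HTTP/1\.[01]\r?\n")


def parse_client_hello(data):
    """Return {'sni': ..., 'alpn': [...]} for a complete TLS ClientHello record,
    "more" if the bytes are plausibly TLS but truncated, None if not TLS."""
    if len(data) < 5:
        return "more" if data[:1] == b"\x16" else None
    ctype, major, _minor, rlen = struct.unpack("!BBBH", data[:5])
    if ctype != 0x16 or major != 3:            # 0x16 = handshake record, SSLv3/TLS
        return None
    if len(data) < 5 + rlen:
        return "more"                          # wait for the rest of the record
    hs = data[5:5 + rlen]
    if len(hs) < 4 or hs[0] != 0x01:           # 0x01 = ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    info = {"sni": None, "alpn": []}
    try:
        pos = 2 + 32                                            # version + random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos == len(body):
            return info                                         # no extensions
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0 and len(ext) >= 5 and ext[2] == 0:    # server_name, host_name
                info["sni"] = ext[5:5 + struct.unpack("!H", ext[3:5])[0]].decode("ascii")
            elif etype == 16:                                   # ALPN protocol list
                p = 2
                while p < len(ext):
                    info["alpn"].append(ext[p + 1:p + 1 + ext[p]].decode("ascii"))
                    p += 1 + ext[p]
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                             # malformed: not routed as TLS
    return info


def probe(data):
    """Classify a client's first bytes the way sslh's probes do. "undecided" means
    keep reading; after its timeout sslh falls back to a default protocol."""
    if not data:
        return "undecided", {}
    if data.startswith(b"SSH-"):
        return "ssh", {}
    if HTTP_RE.match(data):
        return "http", {}
    if len(data) >= 2 and data[0] == 0x05 and len(data) == 2 + data[1]:   # SOCKS5 greeting
        return "socks5", {"methods": list(data[2:])}
    tls = parse_client_hello(data)
    if tls == "more":
        return "undecided", {}
    if tls is not None:
        return "tls", tls
    return "anyprot", {}                                        # sslh's catch-all probe


# Constructed routing table shaped like an sslh "protocols" list; TLS is split by SNI ("*" = default).
BACKENDS = {
    "ssh": "localhost:22",
    "http": "localhost:80",
    "socks5": "localhost:1080",
    "tls": {"www.example.com": "web:8443", "vpn.example.com": "openvpn:1194", "*": "web:8443"},
    "anyprot": "localhost:443",
}


def route(data, timed_out=False):
    """Backend for a connection, from its first bytes or, on timeout, the catch-all."""
    proto, info = probe(data)
    if proto == "undecided":
        return ("anyprot", BACKENDS["anyprot"]) if timed_out else ("undecided", None)
    target = BACKENDS[proto]
    if proto == "tls":
        target = target.get(info["sni"], target["*"])
    return proto, target


def build_client_hello(sni, alpn):
    """Constructed sample input: a minimal TLS 1.2 ClientHello carrying SNI and ALPN."""
    host = sni.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host
    protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
    exts = (struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
            + struct.pack("!HHH", 16, len(protos) + 2, len(protos)) + protos)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"          # version, random, empty session id
            + b"\x00\x02\x13\x01\x01\x00"                  # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Two points the example makes visible. First, the decision rests entirely on bytes the remote client chose to send, so a multiplexer like this routes but never authenticates: anything that speaks the right prefix reaches the matching backend, and every service behind port 443 has to be secured as if it were exposed on its own port. Second, a client that sends nothing (or only a truncated TLS record) stays "undecided" and, once the timeout expires, lands on the default backend; that fallback is what lets server-speaks-first protocols work, but it also means the default backend receives every silent connection, which is worth keeping in mind when choosing it.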