third-party-mirrors/sslh
1
0
Fork 0
mirror of https://github.com/yrutschle/sslh.git synced 2025-04-14 08:07:14 +03:00
Code Issues Packages Projects Releases Wiki Activity

Update tproxy.md

Browse Source 
Minor formatting changes. Could also update tproxy.jpg to the svg version.
This commit is contained in:
FlexMcMurphy 2019-06-30 12:28:53 +01:00 committed by GitHub
parent fde86a778d
commit 08a64e99b4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 36 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
doc/tproxy.md
View File

@ -2,22 +2,21 @@
==============================
Tutorial by Sean Warner. 19 June 2019 20:35
 
Aim
---
* Here is my guide… the solution here only works for my very specific use-case but hopefully others can adapt it to suits their needs.
* Show that SSLH can transparently proxy requests from the internet to services on two separate hosts that are both on the same LAN.
* Show that `sslh` can transparently proxy requests from the internet to services on two separate hosts that are both on the same LAN.
* The IP address of the client initiating the request is what the destination should see… and not the IP address of the host that `sslh` is running on, which is what happens when `sslh` is not running in transparent mode.
 
* The solution here only works for my very specific use-case but hopefully others can adapt it to suits their needs.
Overview of my Network
----------------------
Two Raspberry Pis on my home LAN:
* Pi A: 192.168.1.124 `sslh` (Port 4433), Apache2 web server for https (port 443), `stunnel` (port 4480) to decrypt ssh traffic and forward to SSH server (also on Pi A at Port 1022)
* Pi B: 192.168.1.123 - HTTP server (port 8000), SSH server (port 1022 on PiB).
 
I send traffic from the internet to my router's external port 443 then use a port forward rule in my router to map that to internal port 4433 where sslh is listening.
* I send traffic from the internet to my router's external port 443 then use a port forward rule in my router to map that to internal port 4433 where sslh is listening.
![Architecture](tproxy.jpg)
@ -34,15 +33,15 @@ I compiled sslh from sources giving the binary pretty much all possible options
VERSION=$(shell ./genver.sh -r)
ENABLE_REGEX=1         # Enable regex probes
USELIBCONFIG=1         # Use libconfig? (necessary to use configuration files)
USELIBPCRE=1         # Use libpcre? (needed for regex on musl)
USELIBWRAP=1         # Use libwrap?
USELIBCAP=1         # Use libcap?
USESYSTEMD=1         # Make use of systemd socket activation
COV_TEST=         # Perform test coverage?
USELIBPCRE=1 # Use libpcre? (needed for regex on musl)
USELIBWRAP=1         # Use libwrap?
USELIBCAP=1         # Use libcap?
USESYSTEMD=1         # Make use of systemd socket activation
COV_TEST=         # Perform test coverage?
PREFIX=/usr/local
BINDIR=$(PREFIX)/sbin
MANDIR=$(PREFIX)/share/man/man8
MAN=sslh.8.gz         # man page name
MAN=sslh.8.gz         # man page name
# End of configuration -- the rest should take care of
# itself
@ -152,33 +151,33 @@ connect = 192.168.1.124:1022
TIMEOUTclose = 0
```
 
Configure iptables for piA
Configure iptables for Pi A
--------------------------
The `_add.sh` script creates the rules, the `_rm.sh` script removes the rules.
They will be lost if you reboot but there are ways to make them load again on start-up..
```
# nano /usr/local/sbin/[filename.sh]
# nano /usr/local/sbin/piA_tproxy_add.sh
```
`piA_tproxy_add.sh`:
``` piA_tproxy_add.sh
iptables -w -t mangle -N SSLH
iptables -w -t mangle -A PREROUTING -p tcp -m socket --transparent -j SSLH
iptables -w -t mangle -A OUTPUT --protocol tcp --out-interface eth0 -m multiport --sport 443,4480 --jump SSLH
iptables -w -t mangle -A SSLH --jump MARK --set-mark 0x1
iptables -w -t mangle -A SSLH --jump ACCEPT
iptables -t mangle -N SSLH
iptables -t mangle -A PREROUTING -p tcp -m socket --transparent -j SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 -m multiport --sport 443,4480 --jump SSLH
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
iptables -t mangle -A SSLH --jump ACCEPT
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
```
`piA_tproxy_rm.sh`:
```
# nano /usr/local/sbin/piA_tproxy_rm.sh
```
``` piA_tproxy_rm.sh
iptables -w -t mangle -D PREROUTING -p tcp -m socket --transparent -j SSLH
iptables -w -t mangle -D OUTPUT --protocol tcp --out-interface eth0 -m multiport --sport 443,4480 --jump SSLH
iptables -w -t mangle -D SSLH --jump MARK --set-mark 0x1
iptables -w -t mangle -D SSLH --jump ACCEPT
iptables -w -t mangle -X SSLH
iptables -t mangle -D PREROUTING -p tcp -m socket --transparent -j SSLH
iptables -t mangle -D OUTPUT --protocol tcp --out-interface eth0 -m multiport --sport 443,4480 --jump SSLH
iptables -t mangle -D SSLH --jump MARK --set-mark 0x1
iptables -t mangle -D SSLH --jump ACCEPT
iptables -t mangle -X SSLH
ip rule del fwmark 0x1 lookup 100
ip route del local 0.0.0.0/0 dev lo table 100
```
@ -195,15 +194,13 @@ Now run the "add" script on Pi A!
# piA_tproxy_rm.sh
```
Configure iptables for piB
Configure iptables for Pi B
--------------------------
```
# nano /usr/local/sbin/[filename.sh]
```
piB_tproxy_add.sh
# nano /usr/local/sbin/piB_tproxy_add.sh
```
``` piB_tproxy_add.sh
iptables -t mangle -N SSLHSSL
iptables -t mangle -A OUTPUT -o eth0 -p tcp -m multiport --sport 1022,8000 -j SSLHSSL
iptables -t mangle -A SSLHSSL --jump MARK --set-mark 0x1
@ -213,7 +210,9 @@ ip route add default via 192.168.1.124 table 100
ip route flush cache
```
piB_tproxy_add.sh
```
# nano /usr/local/sbin/piB_tproxy_rm.sh
```
```
iptables -t mangle -D OUTPUT -o eth0 -p tcp -m multiport --sport 1022,8000 -j SSLHSSL
iptables -t mangle -D SSLHSSL --jump MARK --set-mark 0x1
@ -238,7 +237,6 @@ Now run the "add" script on Pi B!
 
Testing
-------
 
* Getting to sshd on PiA
I did this test using 4G from my phone (outside the LAN)
@ -251,25 +249,24 @@ I execute this command from a terminal window..
```
# proxytunnel -v -e -C root.pem -p 78.141.192.198:8080 -d ssh.example.com:443
```
 
* Getting to sshd on PiB
I did this test using 4G from my phone (outside the LAN)
My smartphone telecom provider blocks ssh over port 443 so I need to use `proxytunnel` to encrypt.
Use the Proxytunnel `-X` switch to encrypt from local proxy to destination only so by the time we get to the destination it is unencrypted and `sslh` will see the ssh protocol and demultiplex to PiB as per `sslh.cfg`.
```
# proxytunnel -v -X -C root.pem -p 78.141.192.198:8080 -d ssh.example.com:443
```
 
Now when you test it all look at the output in daemon.log like this:
```
# grep -i 'ssl' /var/log/daemon.log
```
 
You should see that the IP address and port from the “connection from” and “forwarded from” fields are the same.
 
Special thanks and appreciation to Michael Yelsukov without whom I would never have got this working.
 
Any feedback or corrections very welcome!