document proxyprotocol

This commit is contained in:
Yves Rutschle 2025-04-03 21:30:34 +02:00
parent 416a82fcc6
commit ef6f698d86
9 changed files with 26 additions and 9 deletions


@ -5,6 +5,8 @@ vNEXT:
(listening or connecting) will be performed on Unix (listening or connecting) will be performed on Unix
socket instead of Internet sockets. socket instead of Internet sockets.
Support proxyprotocol on the backend server side.
v2.1.3: v2.1.3:
Fix Landlock access to /etc/hosts.deny and Fix Landlock access to /etc/hosts.deny and
/etc/hosts.allow. /etc/hosts.allow.
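Review bot: the new vNEXT line "Support proxyprotocol on the backend server side." gives the reader nothing to act on; state how it is enabled and what it needs, e.g. "Support sending a proxyprotocol (v1 or v2) header to the backend server, configured per-protocol with `proxyprotocol: <1|2>`; requires building against libproxyprotocol." Both details are in the other hunks of this commit and belong in the changelog entry.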


@ -42,6 +42,12 @@ Transparent proxying
Transparent proxying allows the target server to see the Transparent proxying allows the target server to see the
original client IP address, i.e. `sslh` becomes invisible. original client IP address, i.e. `sslh` becomes invisible.
The same result can be achieved more easily by using
`proxyprotocol` if the backend server supports it. This is a
simple setting to add to the `sslh` protocol configuration,
usually with an equivalently simple setting to add in
the backend server configuration, so try that first.
This means services behind `sslh` (Apache, `sshd` and so on) This means services behind `sslh` (Apache, `sshd` and so on)
will see the external IP and ports as if the external world will see the external IP and ports as if the external world
connected directly to them. This simplifies IP-based access connected directly to them. This simplifies IP-based access
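Review bot: inserting the `proxyprotocol` paragraph between "`sslh` becomes invisible." and "This means services behind `sslh` ..." breaks the referent of "This means", which describes transparent proxying but now reads as a consequence of using proxyprotocol. Move the new paragraph after the "This means ..." paragraph, or start it with "Alternatively, ...". While touching this text, the "equivalently simple setting" on the backend side is where a reader would want one more sentence: the backend should be set to accept the header only on connections coming from `sslh`, since it is the backend that decides which peers it believes.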


@ -413,8 +413,9 @@ static int connect_inet(struct connection *cnx, int fd_from, connect_blocking bl
cnx->proto->port); cnx->proto->port);
} }
for (a = cnx->proto->saddr; a; a = a->ai_next) { for (a = cnx->proto->saddr; a; a = a->ai_next) {
/* When transparent, make sure both connections use the same address family */ /* When transparent or using proxyprotocol, make sure both
if (transparent && a->ai_family != from.ai_addr->sa_family) * connections use the same address family (e.g. IP4 on both sides) */
if ((transparent || cnx->proto->proxyprotocol_is_present) && (a->ai_family != from.ai_addr->sa_family))
continue; continue;
print_message(msg_connections_try, "trying to connect to %s family %d len %d\n", print_message(msg_connections_try, "trying to connect to %s family %d len %d\n",
sprintaddr(buf, sizeof(buf), a), sprintaddr(buf, sizeof(buf), a),
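Review bot: with `proxyprotocol_is_present` now also triggering the family filter, a backend whose `saddr` list resolves only to the other address family makes the loop skip every candidate and the connection fails without any message naming the cause, because `print_message(msg_connections_try, ...)` is only reached for candidates that pass. Log the skipped family (e.g. "skipping %s: family %d does not match client family %d") on the `continue` path, or at least after the loop when no candidate was tried, so a misconfigured `proxyprotocol` entry is diagnosable. Minor: the new comment says "IP4"; the rest of the code base says IPv4, and the new `if` line is long enough to wrap.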


@ -46,11 +46,12 @@ Dependencies
* [libproxyprotocol](https://github.com/kosmas-valianos/libproxyprotocol.git) * [libproxyprotocol](https://github.com/kosmas-valianos/libproxyprotocol.git)
to support HAProxy's [ProxyProtocol](https://www.haproxy.org/download/2.3/doc/proxy-protocol.txt). to support HAProxy's [ProxyProtocol](https://www.haproxy.org/download/2.3/doc/proxy-protocol.txt).
As this is not part of the distribution packages, set As this is not part of the distribution packages, set
C_INCLUDE_PATH and LD_LIBRARY_PATH to the appropriate C_INCLUDE_PATH, LD_LIBRARY_PATH, and LIBRARY_PATH to the appropriate
values: values:
``` ```
export C_INCLUDE_PATH=/home/user/src/libproxyprotocol/src export C_INCLUDE_PATH=/home/user/src/libproxyprotocol/src
export LD_LIBRARY_PATH=/home/user/src/libproxyprotocol/src export LD_LIBRARY_PATH=/home/user/src/libproxyprotocol/libs
export LIBRARY_PATH=/home/user/src/libproxyprotocol/libs
``` ```
For OpenSUSE, these are contained in packages libconfig9 and For OpenSUSE, these are contained in packages libconfig9 and
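Review bot: the corrected `LD_LIBRARY_PATH=.../libproxyprotocol/libs` now points at a source checkout for a runtime lookup, and the text only says to set the variables for building. Say explicitly that `C_INCLUDE_PATH` and `LIBRARY_PATH` are needed to compile and link while `LD_LIBRARY_PATH` is needed every time `sslh` is run (or suggest installing the library to a system path instead), otherwise a binary built this way fails to start once the variable is gone from the environment. Also, the following sentence "For OpenSUSE, these are contained in packages libconfig9 and ..." now sits directly under the libproxyprotocol block and reads as if it covered that library too; move it or reword "these".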


@ -102,6 +102,9 @@ Transparent proxy support
Transparent proxying is described in its own Transparent proxying is described in its own
[document](tproxy.md). [document](tproxy.md).
It might be easier to configure `sslh` to use Proxyprotocol
if the backend server supports it.
Systemd Socket Activation Systemd Socket Activation
------------------------- -------------------------
If compiled with `USESYSTEMD` then it is possible to activate If compiled with `USESYSTEMD` then it is possible to activate
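Review bot: the new sentence tells the reader proxyprotocol "might be easier" but not where it is described; name the option (`proxyprotocol: <1|2>` in the per-protocol configuration, as documented in example.cfg) and the libproxyprotocol build dependency. Spelling: the option is written `proxyprotocol` everywhere else in this commit, so "Proxyprotocol" should match, and the paragraph needs a blank line before the "Systemd Socket Activation" heading to keep the markdown section break.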


@ -78,8 +78,12 @@ listen:
# transparently (server sees the remote client IP # transparently (server sees the remote client IP
# address). Same as the global option, but per-protocol # address). Same as the global option, but per-protocol
# is_unix: [true|false] connect to a UNIX socket. The host # is_unix: [true|false] connect to a UNIX socket. The host
# field becomes the pathname to the socket, and the port # field becomes the pathname to the socket, and the port
# field is unused (but necessary). # field is unused (but necessary).
# proxyprotocol: <1|2>; When connecting to the backend
# server, a proxyprotocol header of the specified
# version will be added, containing the client's
# connection information.
# #
# Probe-specific options: # Probe-specific options:
# (sslh will try each probe in order they are declared, and # (sslh will try each probe in order they are declared, and
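Review bot: the `proxyprotocol: <1|2>` description leaves out two constraints the code in this commit imposes: the backend address must be of the same address family as the client connection (connect_inet now skips candidates of the other family when `proxyprotocol` is set), and the option only exists when `sslh` was built with libproxyprotocol. Add both here, since example.cfg is where users look the option up, and note that the backend must be configured to expect the header, as it is prepended to the connection data.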


@ -44,7 +44,7 @@ static int family_to_pp(int af_family)
} }
} }
typedef char libpp_addr[108]; typedef char libpp_addr[108]; /* This is hardcoded in libproxyprotocol/proxy_protocol.h */
/* Fills *addr, *host and *serv with the connection information corresponding /* Fills *addr, *host and *serv with the connection information corresponding
* to fd. *host is the IP address as string and *serv is the service (port) * to fd. *host is the IP address as string and *serv is the service (port)
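Review bot: the comment documents that 108 duplicates a size hardcoded in `libproxyprotocol/proxy_protocol.h`, which means the two can silently diverge on a library update; a local array that is smaller than what the library writes into it is a buffer overflow. Prefer the library's own type or constant if the header exports one, and otherwise add a compile-time check (a `_Static_assert` on `sizeof(libpp_addr)` against the library's field) so a mismatch fails the build rather than the process.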


@ -45,7 +45,7 @@ protocols:
( (
{ name: "ssh"; host: "localhost"; port: "9000"; fork: true; transparent: true; resolve_on_forward: true; }, { name: "ssh"; host: "localhost"; port: "9000"; fork: true; transparent: true; resolve_on_forward: true; },
{ name: "socks5"; host: "localhost"; port: "9001"; }, { name: "socks5"; host: "localhost"; port: "9001"; },
{ name: "http"; host: "localhost"; port: "80"; proxyprotocol: 1; }, { name: "http"; host: "localhost"; port: "80"; proxyprotocol: 2; },
{ name: "tinc"; host: "localhost"; port: "9003"; }, { name: "tinc"; host: "localhost"; port: "9003"; },
{ name: "openvpn"; host: "localhost"; port: "9004"; }, { name: "openvpn"; host: "localhost"; port: "9004"; },
{ name: "xmpp"; host: "localhost"; port: "9009"; }, { name: "xmpp"; host: "localhost"; port: "9009"; },
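Review bot: switching the test configuration's `http` entry from `proxyprotocol: 1` to `proxyprotocol: 2` drops the only exercise of the v1 header. Since the option accepts both values, keep one entry per version (for example a second protocol entry with `proxyprotocol: 1`) so both header formats stay covered by the test run.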


@ -1,5 +1,5 @@
#ifndef VERSION_H #ifndef VERSION_H
#define VERSION_H #define VERSION_H
#define VERSION "v2.1.4-39-g2f111b6-dirty" #define VERSION "v2.1.4-40-g416a82f-dirty"
#endif #endif
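Review bot: version.h is a generated file and this hunk commits a "-dirty" working-tree string (`v2.1.4-40-g416a82f-dirty`) that will be stale on every subsequent build; the file should be regenerated at build time and left out of the commit (add it to .gitignore if it is not already) rather than churned in a documentation change.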