clean up inline define

Fixes: https://github.com/yrutschle/sslh/issues/492

.gitignore

@@ -3,8 +3,14 @@
 *.o
 cscope.*
 echosrv
+libsslh.a
 sslh-fork
 sslh-select
+sslh-ev
+systemd-sslh-generator
 sslh.8.gz
 tags
-version.h
+/config.status
+/config.log
+/config.h
+/Makefile

ChangeLog

@@ -1,3 +1,45 @@
+v2.2.1:
+	Added a boolean setting "is_unix" for listen and
+	protocol entries. This will use the 'host' setting
+	as a path name to a socket file, and connections
+	(listening or connecting) will be performed on Unix
+	socket instead of Internet sockets.
+
+	Support HAProxy's proxyprotocol on the backend
+	server side.
+
+	Lots of documentation about a new, simpler way to
+	perform transparent proxying.
+
+	New "verbose" option that overrides all other
+	verbose settings.
+
+v2.1.3:
+	Fix Landlock access to /etc/hosts.deny and
+	/etc/hosts.allow.
+
+v2.1.2:
+	Fix inetd mode.
+
+v2.1.1:
+	Various minor fixes.
+
+v2.1.0:
+	Support for the Landlock LSM. After initial setup,
+	sslh gives up all local file access rights.
+
+	Reintroduced --ssl as an alias to --tls.
+
+	Introduce autoconf to adapt to landlock presence.
+
+	Close connexion without error message if remote
+	client forcefully closes connexion, for Windows.
+
+v2.0.1:	
+	Fix resolve_on_forward setting, which would crash
+	sslh reliably.
+
+v2.0.0:
 v2.0:
 	New sslh-ev: this is functionally equivalent to
 	sslh-select (mono-process, only forks for specified

Dockerfile

@@ -16,7 +16,7 @@ RUN apk add --no-cache \
 
 COPY . /sslh
 
-RUN make sslh-select && strip sslh-select
+RUN ./configure && make sslh-select && strip sslh-select
 
 FROM docker.io/${TARGET_ARCH}/alpine:${ALPINE_VERSION}
 

Makefile.in

@@ -3,13 +3,14 @@ VERSION=$(shell ./genver.sh -r)
 
 # Configuration -- you probably need to `make clean` if you
 # change any of these
+
+# uncomment the following line to disable landlock
+# override undefine HAVE_LANDLOCK
 ENABLE_SANITIZER= # Enable ASAN/LSAN/UBSAN
 ENABLE_REGEX=1  # Enable regex probes
 USELIBCONFIG=1	# Use libconfig? (necessary to use configuration files)
-USELIBWRAP?=	# Use libwrap?
-USELIBCAP=	# Use libcap?
+USELIBEV=1	# Use libev?
 USESYSTEMD=     # Make use of systemd socket activation
-USELIBBSD?=     # Use libbsd (needed to update process name in `ps`)
 COV_TEST= 	# Perform test coverage?
 PREFIX?=/usr
 BINDIR?=$(PREFIX)/sbin
@@ -33,8 +34,8 @@ AR ?= ar
 CFLAGS +=-Wall -O2 -DLIBPCRE -g $(CFLAGS_COV) $(CFLAGS_SAN)
 
 
-LIBS=-lm -lpcre2-8
-OBJS=sslh-conf.o common.o log.o sslh-main.o probe.o tls.o argtable3.o collection.o gap.o tcp-probe.o
+LIBS=-lm -lpcre2-8 @LIBS@
+OBJS=sslh-conf.o common.o log.o sslh-main.o probe.o tls.o argtable3.o collection.o gap.o tcp-probe.o landlock.o proxyprotocol.o
 OBJS_A=libsslh.a
 FORK_OBJS=sslh-fork.o $(OBJS_A)
 SELECT_OBJS=processes.o udp-listener.o sslh-select.o hash.o tcp-listener.o $(OBJS_A)
@@ -42,11 +43,6 @@ EV_OBJS=processes.o udp-listener.o sslh-ev.o hash.o tcp-listener.o $(OBJS_A)
 
 CONDITIONAL_TARGETS=
 
-ifneq ($(strip $(USELIBWRAP)),)
-	LIBS:=$(LIBS) -lwrap
-	CPPFLAGS+=-DLIBWRAP
-endif
-
 ifneq ($(strip $(ENABLE_REGEX)),)
 	CPPFLAGS+=-DENABLE_REGEX
 endif
@@ -56,24 +52,17 @@ ifneq ($(strip $(USELIBCONFIG)),)
 	CPPFLAGS+=-DLIBCONFIG
 endif
 
-ifneq ($(strip $(USELIBCAP)),)
-	LIBS:=$(LIBS) -lcap
-	CPPFLAGS+=-DLIBCAP
-endif
-
 ifneq ($(strip $(USESYSTEMD)),)
         LIBS:=$(LIBS) -lsystemd
         CPPFLAGS+=-DSYSTEMD
 	CONDITIONAL_TARGETS+=systemd-sslh-generator
 endif
 
-ifneq ($(strip $(USELIBBSD)),)
-        LIBS:=$(LIBS) -lbsd
-        CPPFLAGS+=-DLIBBSD
+ifneq ($(strip $(USELIBEV)),)
+        CONDITIONAL_TARGETS+=sslh-ev
 endif
 
-
-all: sslh $(MAN) echosrv $(CONDITIONAL_TARGETS)
+all: sslh-fork sslh-select $(MAN) echosrv $(CONDITIONAL_TARGETS)
 
 %.o: %.c %.h version.h
 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
@@ -81,10 +70,9 @@ all: sslh $(MAN) echosrv $(CONDITIONAL_TARGETS)
 $(OBJS_A): $(OBJS)
 	$(AR) rcs $(OBJS_A) $(OBJS)
 
-version.h:
+version.h: .FORCE
 	./genver.sh >version.h
-
-sslh: sslh-fork sslh-select sslh-ev
+.FORCE:	
 
 $(OBJS) $(FORK_OBJS) $(SELECT_OBJS) $(EV_OBJS): argtable3.h collection.h common.h gap.h hash.h log.h probe.h processes.h sslh-conf.h tcp-listener.h tcp-probe.h tls.h udp-listener.h version.h
 
@@ -114,13 +102,16 @@ echosrv-conf.c echosrv-conf.h: echosrv.cfg
 echosrv: version.h echosrv-conf.c echosrv.o echosrv-conf.o argtable3.o
 	$(CC) $(CFLAGS) $(LDFLAGS) -o echosrv echosrv.o echosrv-conf.o argtable3.o $(LIBS)
 
+
+landlock.o: config.h
+
 $(MAN): sslh.pod Makefile
 	pod2man --section=8 --release=$(VERSION) --center=" " sslh.pod | gzip -9 - > $(MAN)
 
 # Create release: export clean tree and tag current
 # configuration
 release:
-	git archive master --prefix="sslh-$(VERSION)/" | gzip > /tmp/sslh-$(VERSION).tar.gz
+	git archive $(VERSION) --prefix="sslh-$(VERSION)/" | gzip > /tmp/sslh-$(VERSION).tar.gz
 	gpg --detach-sign --armor /tmp/sslh-$(VERSION).tar.gz
 
 # Build docker image
@@ -133,7 +124,7 @@ docker-clean:
 	yes | docker image prune
 
 # generic install: install binary and man page
-install: sslh $(MAN)
+install: sslh-fork $(MAN)
 	mkdir -p $(DESTDIR)/$(BINDIR)
 	mkdir -p $(DESTDIR)/$(MANDIR)
 	install -p sslh-fork $(DESTDIR)/$(BINDIR)/sslh
@@ -153,7 +144,8 @@ distclean: clean
 	rm -f tags sslh-conf.[ch] echosrv-conf.[ch] cscope.*
 
 clean:
-	rm -f sslh-fork sslh-select sslh-ev echosrv version.h $(MAN) systemd-sslh-generator *.o *.gcov *.gcno *.gcda *.png *.html *.css *.info
+	rm -f sslh-fork sslh-select $(CONDITIONAL_TARGETS) echosrv version.h $(MAN) systemd-sslh-generator *.o *.gcov *.gcno *.gcda *.png *.html *.css *.info
+	echo "// this is a placeholder for version.h, to make code-checking editors happy" > version.h
 
 tags:
 	ctags --globals -T *.[ch]

README.md

@@ -20,9 +20,10 @@ address.
 
 `sslh` has the bells and whistles expected from a mature
 daemon: privilege and capabilities dropping, inetd support,
-systemd support, transparent proxying, chroot, logging,
-IPv4 and IPv6, TCP and UDP, a fork-based and a select-based
-model, and more.
+systemd support, transparent proxying, support for HAProxy's
+proxyprotocol, chroot, logging, IPv4 and IPv6, TCP and UDP,
+a fork-based, a select-based model, and yet another based on
+libev for larger installations.
 
 Install
 =======
@@ -35,6 +36,40 @@ Configuration
 
 Please refer to the [configuration guide](doc/config.md).
 
+Transparent proxying
+--------------------
+
+Transparent proxying allows the target server to see the
+original client IP address, i.e. `sslh` becomes invisible.
+
+The same result can be achieved more easily by using
+`proxyprotocol` if the backend server supports it. This is a
+simple setting to add to the `sslh` protocol configuration,
+usually with an equivalently simple setting to add in
+the backend server configuration, so try that first.
+
+This means services behind `sslh` (Apache, `sshd` and so on)
+will see the external IP and ports as if the external world
+connected directly to them. This simplifies IP-based access
+control (or makes it possible at all), and makes it possible
+to use IP-based banning tools such as `fail2ban`.
+
+There are two methods. One uses additional virtual network
+interfaces. The principle and basic setup is described
+[here](doc/simple_transparent_proxy.md), with further
+scenarios described [there](doc/scenarios-for-simple-transparent-proxy.md).
+
+
+Another method uses iptable packet marking features, and is
+highly dependent on your network environment and
+infrastructure setup. There is no known generic approach,
+and if you do not find directions for your exact setup, you
+will probably need an extensive knowledge of network
+management and iptables setup".
+
+It is described in its own [document](doc/tproxy.md).
+In most cases, you will be better off following the first
+method.
 
 
 Docker image
@@ -65,7 +100,7 @@ version: "3"
 
 services:
   sslh:
-    image: sslh:latest
+    image: ghcr.io/yrutschle/sslh:latest
     hostname: sslh
     ports:
       - 443:443

basic.cfg

@@ -11,9 +11,13 @@ pidfile: "/var/run/sslh.pid";
 
 # Change hostname with your external address name, or the IP
 # of the interface that receives connections
+# Default is to bind all interfaces. httpd can be started
+# first to bind on localhost, in which case sslh will bind
+# only other interfaces.
 listen:
 (
-    { host: "thelonious"; port: "443"; }
+    { host: "0.0.0.0"; port: "443"; },
+    { host: "[::]"; port: "443"; }
 );
 
 
@@ -24,8 +28,6 @@ protocols:
 (
      { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; fork: true; },
      { name: "openvpn"; host: "localhost"; port: "1194"; },
-     { name: "xmpp"; host: "localhost"; port: "5222"; },
-     { name: "http"; host: "localhost"; port: "80"; },
      { name: "tls"; host: "localhost"; port: "443"; log_level: 0; },
      { name: "anyprot"; host: "localhost"; port: "443"; }
 );

common.c

@@ -12,11 +12,18 @@
 #include <sys/types.h>
 #include <ifaddrs.h>
 #include <netinet/in.h>
+#include <sys/un.h>
 
 #include "common.h"
 #include "probe.h"
 #include "log.h"
 #include "sslh-conf.h"
+#include "proxyprotocol.h"
+
+#if HAVE_LIBCAP
+#include <sys/capability.h>
+#include <sys/prctl.h>
+#endif
 
 /* Added to make the code compilable under CYGWIN
  * */
@@ -30,7 +37,7 @@
 #include <systemd/sd-daemon.h>
 #endif
 
-#ifdef LIBBSD
+#ifdef HAVE_LIBBSD
 #include <bsd/unistd.h>
 #endif
 
@@ -42,7 +49,7 @@ struct sslhcfg_item cfg;
 struct addrinfo *addr_listen = NULL; /* what addresses do we listen to? */
 
 
-#ifdef LIBWRAP
+#ifdef HAVE_LIBWRAP
 #include <tcpd.h>
 int allow_severity =0, deny_severity = 0;
 #endif
@@ -110,7 +117,7 @@ int make_listen_tfo(int s)
     return setsockopt(s, SOL_SOCKET, TCP_FASTOPEN, (char*)&qlen, sizeof(qlen));
 }
 
-/* Starts listening on a single address 
+/* Starts listening on a single address
  * Returns a socket filehandle, or dies with message in case of major error */
 int listen_single_addr(struct addrinfo* addr, int keepalive, int udp)
 {
@@ -155,17 +162,76 @@ int listen_single_addr(struct addrinfo* addr, int keepalive, int udp)
     return sockfd;
 }
 
+
+/* Start listening internet sockets for configuration entry 'index' 
+ * OUT: *sockfd[]: pointer to array of listen_endpoint object; we append new
+ * endpoints to that array
+ * IN: num_addr: how many entries are in sockfd[]
+ *     *cfg: configuration data for the endpoint we are adding
+ * Return: new value of num_addr
+ * */
+static int start_listen_inet(struct listen_endpoint *sockfd[], int num_addr, struct sslhcfg_listen_item* cfg)
+{
+    struct addrinfo *addr, *start_addr;
+    char buf[NI_MAXHOST];
+    int res;
+
+    res = resolve_split_name(&start_addr, cfg->host, cfg->port);
+    if (res) exit(4);
+
+    for (addr = start_addr; addr; addr = addr->ai_next) {
+        num_addr++;
+        *sockfd = realloc(*sockfd, num_addr * sizeof(*sockfd[0]));
+        (*sockfd)[num_addr-1].socketfd = listen_single_addr(addr, cfg->keepalive, cfg->is_udp);
+        (*sockfd)[num_addr-1].type = cfg->is_udp ? SOCK_DGRAM : SOCK_STREAM;
+        (*sockfd)[num_addr-1].family = AF_INET;
+        print_message(msg_config, "%d:\t%s\t[%s] [%s]\n", (*sockfd)[num_addr-1].socketfd, sprintaddr(buf, sizeof(buf), addr),
+                      cfg->keepalive ? "keepalive" : "",
+                      cfg->is_udp ? "udp" : "");
+    }
+    freeaddrinfo(start_addr);
+    return num_addr;
+}
+
+/* Same, but for UNIX sockets */
+static int start_listen_unix(struct listen_endpoint *sockfd[], int num_addr, struct sslhcfg_listen_item* cfg)
+{
+    int fd = socket(AF_UNIX, cfg->is_udp ? SOCK_DGRAM : SOCK_STREAM, 0);
+    CHECK_RES_DIE(fd, "socket(AF_UNIX)");
+
+    int res = unlink(cfg->host);
+    if ((res == -1) && (errno != ENOENT)) {
+        print_message(msg_config_error, "unlink unix socket `%s':%d:%s\n", cfg->host, errno, strerror(errno));
+        exit(4);
+    }
+
+    struct sockaddr_un sun;
+    sun.sun_family = AF_UNIX;
+    strncpy(sun.sun_path, cfg->host, sizeof(sun.sun_path)-1);
+    printf("binding [%s]\n", sun.sun_path);
+    res = bind(fd, (struct sockaddr*)&sun, sizeof(sun));
+    CHECK_RES_DIE(res, "bind(AF_UNIX)");
+
+    res = listen(fd, 50);
+
+    num_addr++;
+    *sockfd = realloc(*sockfd, num_addr * sizeof(*sockfd[0]));
+    (*sockfd)[num_addr-1].socketfd = fd;
+    (*sockfd)[num_addr-1].type = cfg->is_udp ? SOCK_DGRAM : SOCK_STREAM;
+    (*sockfd)[num_addr-1].family = AF_INET;
+
+    return num_addr;
+}
+
+
 /* Starts listening sockets on specified addresses.
  * OUT: *sockfd[]  pointer to newly-allocated array of listen_endpoint objects
  * Returns number of addresses bound
    */
 int start_listen_sockets(struct listen_endpoint *sockfd[])
 {
-    struct addrinfo *addr, *start_addr;
-    char buf[NI_MAXHOST];
-    int i, res;
-    int num_addr = 0, keepalive = 0, udp = 0;
-    int sd_socks = 0;
+    int i;
+    int num_addr = 0, sd_socks = 0;
 
     sd_socks = get_fd_sockets(sockfd);
 
@@ -178,22 +244,11 @@ int start_listen_sockets(struct listen_endpoint *sockfd[])
     print_message(msg_config, "Listening to:\n");
 
     for (i = 0; i < cfg.listen_len; i++) {
-        keepalive = cfg.listen[i].keepalive;
-        udp = cfg.listen[i].is_udp;
-
-        res = resolve_split_name(&start_addr, cfg.listen[i].host, cfg.listen[i].port);
-        if (res) exit(4);
-
-        for (addr = start_addr; addr; addr = addr->ai_next) {
-            num_addr++;
-            *sockfd = realloc(*sockfd, num_addr * sizeof(*sockfd[0]));
-            (*sockfd)[num_addr-1].socketfd = listen_single_addr(addr, keepalive, udp);
-            (*sockfd)[num_addr-1].type = udp ? SOCK_DGRAM : SOCK_STREAM;
-            print_message(msg_config, "%d:\t%s\t[%s] [%s]\n", (*sockfd)[num_addr-1].socketfd, sprintaddr(buf, sizeof(buf), addr),
-                          cfg.listen[i].keepalive ? "keepalive" : "",
-                          cfg.listen[i].is_udp ? "udp" : "");
+        if (cfg.listen[i].is_unix) {
+            num_addr = start_listen_unix(sockfd, num_addr, &cfg.listen[i]);
+        } else {
+            num_addr = start_listen_inet(sockfd, num_addr, &cfg.listen[i]);
         }
-        freeaddrinfo(start_addr);
     }
 
     return num_addr;
@@ -243,12 +298,17 @@ int is_same_machine(struct addrinfo* from)
 
 /* Transparent proxying: bind the peer address of fd to the peer address of
  * fd_from */
-#define IP_TRANSPARENT 19
+#ifndef IP_TRANSPARENT
+  #define IP_TRANSPARENT 19
+#endif
+#ifndef IP_BIND_ADDRESS_NO_PORT
+  #define IP_BIND_ADDRESS_NO_PORT 24
+#endif
 int bind_peer(int fd, int fd_from)
 {
     struct addrinfo from;
     struct sockaddr_storage ss;
-    int res, trans = 1;
+    int res, enable = 1, disable = 0;
 
     memset(&from, 0, sizeof(from));
     from.ai_addr = (struct sockaddr*)&ss;
@@ -262,23 +322,55 @@ int bind_peer(int fd, int fd_from)
     /* if the destination is the same machine, there's no need to do bind */
     if (is_same_machine(&from))
         return 0;
-    
+
 #ifndef IP_BINDANY /* use IP_TRANSPARENT */
-    res = setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &trans, sizeof(trans));
+    res = setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &enable, sizeof(enable));
     CHECK_RES_DIE(res, "setsockopt IP_TRANSPARENT");
+    res = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &enable, sizeof(enable));
+    CHECK_RES_DIE(res, "setsockopt SO_REUSEADDR");
 #else
     if (from.ai_addr->sa_family==AF_INET) { /* IPv4 */
-        res = setsockopt(fd, IPPROTO_IP, IP_BINDANY, &trans, sizeof(trans));
+        res = setsockopt(fd, IPPROTO_IP, IP_BINDANY, &enable, sizeof(enable));
         CHECK_RES_RETURN(res, "setsockopt IP_BINDANY", res);
 #ifdef IPV6_BINDANY
     } else { /* IPv6 */
-        res = setsockopt(fd, IPPROTO_IPV6, IPV6_BINDANY, &trans, sizeof(trans));
+        res = setsockopt(fd, IPPROTO_IPV6, IPV6_BINDANY, &enable, sizeof(enable));
         CHECK_RES_RETURN(res, "setsockopt IPV6_BINDANY", res);
 #endif /* IPV6_BINDANY */
     }
 #endif /* IP_TRANSPARENT / IP_BINDANY */
     res = bind(fd, from.ai_addr, from.ai_addrlen);
-    CHECK_RES_RETURN(res, "bind", res);
+    if (res == -1) {
+        if (errno != EADDRINUSE) {
+            print_message(msg_system_error, "%s:%d:%s:%d:%s\n", __FILE__, __LINE__,
+                        "bind", errno, strerror(errno));
+            return res;
+        }
+        res = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &disable, sizeof(disable));
+        CHECK_RES_DIE(res, "setsockopt SO_REUSEADDR");
+        res = setsockopt(fd, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, &enable, sizeof(enable));
+        CHECK_RES_RETURN(res, "setsockopt IP_BIND_ADDRESS_NO_PORT", res);
+        ((struct sockaddr_in *)from.ai_addr)->sin_port = 0;
+        res = bind(fd, from.ai_addr, from.ai_addrlen);
+        CHECK_RES_RETURN(res, "bind", res);
+        /*
+	 * There was a serious problem, when daisy-chaining programs using the same
+	 * ip transparent mechanism, as sslh uses. stunnel was mentioned in a previous 
+	 * comment. This problem should now be solved through the two methods, getting
+	 * a connection established:
+	 * In the first try, SO_REUSEADDR is set to socket, which will allow the same
+	 * IP-address:port tuple, as it is used by another application. The check for
+	 * inconsistency with other connections (same 4-value-tupel) is done at the 
+	 * moment, when the connection gets established.
+	 * If that fails, SO_REUSEADDR gets removed and IP_BIND_ADDRESS_NO_PORT get set.
+	 * This will search for a free port, which will not collide with current 
+	 * connections. Read more in this excellent blog-post: 
+	 * https://blog.cloudflare.com/how-to-stop-running-out-of-ephemeral-ports-and-start-to-love-long-lived-connections
+	 * The problem will still appear, if the another application in the daisy-chain
+	 * does not use similar mechanisms. In that case you must either pull this 
+	 * application at the beginning of the chain, or get it fixed.
+         */
+    }
 
     return 0;
 }
@@ -300,11 +392,8 @@ int set_nonblock(int fd)
 }
 
 
-/* Connect to first address that works and returns a file descriptor, or -1 if
- * none work.
- * If transparent proxying is on, use fd_from peer address on external address
- * of new file descriptor. */
-int connect_addr(struct connection *cnx, int fd_from, connect_blocking blocking)
+/* Connects to INET/INET6 domain sockets and return a fd */
+static int connect_inet(struct connection *cnx, int fd_from, connect_blocking blocking)
 {
     struct addrinfo *a, from;
     struct sockaddr_storage ss;
@@ -323,10 +412,10 @@ int connect_addr(struct connection *cnx, int fd_from, connect_blocking blocking)
         resolve_split_name(&(cnx->proto->saddr), cnx->proto->host,
                            cnx->proto->port);
     }
-
     for (a = cnx->proto->saddr; a; a = a->ai_next) {
-        /* When transparent, make sure both connections use the same address family */
-        if (transparent && a->ai_family != from.ai_addr->sa_family)
+        /* When transparent or using proxyprotocol, make sure both 
+         * connections use the same address family (e.g. IP4 on both sides) */
+        if ((transparent || cnx->proto->proxyprotocol_is_present) && (a->ai_family != from.ai_addr->sa_family))
             continue;
         print_message(msg_connections_try, "trying to connect to %s family %d len %d\n",
                     sprintaddr(buf, sizeof(buf), a),
@@ -371,8 +460,54 @@ int connect_addr(struct connection *cnx, int fd_from, connect_blocking blocking)
     return -1;
 }
 
+/* Connects to AF_UNIX domain sockets */
+static int connect_unix(struct connection *cnx, int fd_from, connect_blocking blocking)
+{
+    struct sockaddr_storage ss;
+    struct sockaddr_un* sun = (struct sockaddr_un*)&ss;
+
+    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
+    sun->sun_family = AF_UNIX;
+    strncpy(sun->sun_path, cnx->proto->host, sizeof(sun->sun_path)-1);
+
+    int res = connect(fd, (struct sockaddr*)sun, sizeof(*sun));
+    CHECK_RES_RETURN(res, "connect", res);
+
+    if (blocking == NON_BLOCKING) {
+        set_nonblock(fd);
+    }
+    return fd;
+}
+
+/* 
+ * Connect to the first backend server address that works and updates the *cnx
+ * object accordingly (in cnx->q[1].fd). Set that to -1 in case of failure.
+ *
+ * If transparent proxying is on, use fd_from peer address on external address
+ * of new file descriptor. 
+ * If proxyprotocol is used, write header on new backend server connection
+ * */
+void connect_addr(struct connection *cnx, int fd_from, connect_blocking blocking)
+{
+    int fd;
+
+    if (cnx->proto->is_unix) {
+        fd = connect_unix(cnx, fd_from, blocking);
+    } else {
+        fd = connect_inet(cnx, fd_from, blocking);
+    }
+    cnx->q[1].fd = fd;
+
+    if (cnx->proto->proxyprotocol_is_present) {
+        pp_write_header(cnx->proto->proxyprotocol, cnx);
+        /* If pp_write_header() fails, it already logs a message and there is
+         * nothing much we can do. The server side will probably close the
+         * connection */
+    }
+}
+
 /* Store some data to write to the queue later */
-int defer_write(struct queue *q, void* data, int data_size)
+int defer_write(struct queue *q, void* data, ssize_t data_size)
 {
     char *p;
     ptrdiff_t data_offset = q->deferred_data - q->begin_deferred_data;
@@ -384,25 +519,46 @@ int defer_write(struct queue *q, void* data, int data_size)
     q->begin_deferred_data = p;
     q->deferred_data = p + data_offset;
     p += data_offset + q->deferred_data_size;
-    q->deferred_data_size += data_size;
+    q->deferred_data_size += (int)data_size;
     memcpy(p, data, data_size);
 
     return 0;
 }
 
+/* Store some data to write *before* what's already in the queue */
+int defer_write_before(struct queue *q, void* data, ssize_t data_size)
+{
+    char *p;
+
+    print_message(msg_fd, "writing deferred to beginning on fd %d\n", q->fd);
+    p = malloc(q->deferred_data_size + data_size);
+    CHECK_ALLOC(p, "malloc");
+
+    memcpy(p, data, data_size);
+    memcpy(p + data_size, q->deferred_data, q->deferred_data_size);
+
+    free(q->begin_deferred_data);
+
+    q->begin_deferred_data = p;
+    q->deferred_data = p;
+    q->deferred_data_size += (int)data_size;
+
+    return 0;
+}
+
 /* tries to flush some of the data for specified queue
  * Upon success, the number of bytes written is returned.
  * Upon failure, -1 returned (e.g. connexion closed)
  * */
 int flush_deferred(struct queue *q)
 {
-    int n;
+    ssize_t n;
 
     print_message(msg_fd, "flushing deferred data to fd %d\n", q->fd);
 
     n = write(q->fd, q->deferred_data, q->deferred_data_size);
     if (n == -1)
-        return n;
+        return (int)n;
 
     if (n == q->deferred_data_size) {
         /* All has been written -- release the memory */
@@ -413,10 +569,10 @@ int flush_deferred(struct queue *q)
     } else {
         /* There is data left */
         q->deferred_data += n;
-        q->deferred_data_size -= n;
+        q->deferred_data_size -= (int)n;
     }
 
-    return n;
+    return (int)n;
 }
 
 
@@ -451,7 +607,8 @@ void dump_connection(struct connection *cnx)
 int fd2fd(struct queue *target_q, struct queue *from_q)
 {
    char buffer[BUFSIZ];
-   int target, from, size_r, size_w;
+   int target, from;
+   ssize_t size_r, size_w;
 
    target = target_q->fd;
    from = from_q->fd;
@@ -463,6 +620,7 @@ int fd2fd(struct queue *target_q, struct queue *from_q)
            return FD_NODATA;
 
        case ECONNRESET:
+       case ENOTSOCK:
        case EPIPE:
            return FD_CNXCLOSED;
        }
@@ -495,7 +653,7 @@ int fd2fd(struct queue *target_q, struct queue *from_q)
 
    CHECK_RES_RETURN(size_w, "write", FD_CNXCLOSED);
 
-   return size_w;
+   return (int)size_w;
 }
 
 /* returns a string that prints the IP and port of the sockaddr */
@@ -504,6 +662,9 @@ char* sprintaddr(char* buf, size_t size, struct addrinfo *a)
    char host[NI_MAXHOST], serv[NI_MAXSERV];
    int res;
 
+   memset(host, 0, sizeof(host));
+   memset(serv, 0, sizeof(serv));
+
    res = getnameinfo(a->ai_addr, a->ai_addrlen,
                host, sizeof(host),
                serv, sizeof(serv),
@@ -530,7 +691,8 @@ char* sprintaddr(char* buf, size_t size, struct addrinfo *a)
 }
 
 /* Turns a hostname and port (or service) into a list of struct addrinfo
- * returns 0 on success, -1 otherwise and logs error
+ * On success, returns 0 
+ * On failure, returns -1 or one of getaddrinfo() codes
  */
 int resolve_split_name(struct addrinfo **out, char* host, char* serv)
 {
@@ -556,7 +718,7 @@ int resolve_split_name(struct addrinfo **out, char* host, char* serv)
 
    res = getaddrinfo(host, serv, &hint, out);
    if (res)
-      print_message(msg_system_error, "%s `%s:%s'\n", gai_strerror(res), host, serv);
+      print_message(msg_system_error, "resolve_split_name: %s `%s:%s'\n", gai_strerror(res), host, serv);
    return res;
 }
 
@@ -626,7 +788,7 @@ int get_connection_desc(struct connection_desc* desc, const struct connection *c
 
 void set_proctitle_shovel(struct connection_desc* desc, const struct connection *cnx)
 {
-#ifdef LIBBSD
+#ifdef HAVE_LIBBSD
     struct connection_desc d;
 
     if (!desc) {
@@ -651,7 +813,7 @@ void set_proctitle_shovel(struct connection_desc* desc, const struct connection
  */
 int check_access_rights(int in_socket, const char* service)
 {
-#ifdef LIBWRAP
+#ifdef HAVE_LIBWRAP
     union {
         struct sockaddr saddr;
         struct sockaddr_storage ss;
@@ -678,7 +840,7 @@ int check_access_rights(int in_socket, const char* service)
         }
     }
 
-    if (!hosts_ctl(service, host, addr_str, STRING_UNKNOWN)) {
+    if (!hosts_ctl((char*)service, host, addr_str, STRING_UNKNOWN)) {
         print_message(msg_connections, "connection from %s(%s): access denied", host, addr_str);
         close(in_socket);
         return -1;
@@ -717,7 +879,7 @@ void setup_signals(void)
 
 /* Ask OS to keep capabilities over a setuid(nonzero) */
 void set_keepcaps(int val) {
-#ifdef LIBCAP
+#if HAVE_LIBCAP
     int res;
     res = prctl(PR_SET_KEEPCAPS, val, 0, 0, 0);
     if (res) {
@@ -730,7 +892,7 @@ void set_keepcaps(int val) {
 /* Returns true if anything requires transparent proxying. */
 static int use_transparent(void)
 {
-#ifdef LIBCAP
+#if HAVE_LIBCAP
     if (cfg.transparent)
         return 1;
 
@@ -746,7 +908,7 @@ static int use_transparent(void)
  * IN: cap_net_admin: set to 1 to set CAP_NET_RAW
  * */
 void set_capabilities(int cap_net_admin) {
-#ifdef LIBCAP
+#if HAVE_LIBCAP
     int res;
     cap_t caps;
     cap_value_t cap_list[10];
@@ -824,28 +986,48 @@ void drop_privileges(const char* user_name, const char* chroot_path)
     }
 }
 
+
+#ifndef O_NOFOLLOW
+#define O_NOFOLLOW 0
+#endif
+
 /* Writes my PID */
 void write_pid_file(const char* pidfile)
 {
-    FILE *f;
-    int res;
+    int fd;
+    char pidbuf[32];
+    size_t len, written = 0;
+    ssize_t res;
 
-    f = fopen(pidfile, "w");
-    if (!f) {
-        print_message(msg_system_error, "write_pid_file:%s:%s", pidfile, strerror(errno));
-        exit(3);
+    /* Format PID as string */
+    len = snprintf(pidbuf, sizeof(pidbuf), "%d\n", getpid());
+    if (len >= sizeof(pidbuf)) {
+        print_message(msg_system_error, "write_pid_file: PID string too long\n");
+        return;
     }
 
-    res = fprintf(f, "%d\n", getpid());
-    if (res < 0) {
-        print_message(msg_system_error, "write_pid_file:fprintf:%s", strerror(errno));
-        exit(3);
+    /* Open file with O_NOFOLLOW to prevent symlink attacks (Similar to CVE-2020-28935) */
+    fd = open(pidfile, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW ,0644);
+
+    if (fd == -1) {
+        print_message(msg_system_error, "write_pid_file: %s: %s\n", pidfile, strerror(errno));
+        return;
     }
 
-    res = fclose(f);
-    if (res == EOF) {
-        print_message(msg_system_error, "write_pid_file:fclose:%s", strerror(errno));
-        exit(3);
+    /* Write PID to file with proper error handling */
+    while (written < len) {
+        res = write(fd, pidbuf + written, len - written);
+        if (res == -1) {
+            if (errno == EINTR || errno == EAGAIN)
+                continue;
+            print_message(msg_system_error, "write_pid_file: write: %s\n", strerror(errno));
+            break;
+        }
+        written += res;
+    }
+
+    /* Close file */
+    if (close(fd) == -1) {
+        print_message(msg_system_error, "write_pid_file: close: %s\n", strerror(errno));
     }
 }
-

common.h

@@ -5,6 +5,7 @@
  * enough for the macros to adapt (http://support.microsoft.com/kb/111855)
  */
 #ifdef __CYGWIN__
+#undef FD_SETSIZE
 #define FD_SETSIZE 4096
 #endif
 
@@ -33,6 +34,11 @@
 #include <sys/capability.h>
 #endif
 
+#ifdef __APPLE__
+#include <AvailabilityMacros.h>
+#endif
+
+#include "config.h"
 #include "version.h"
 
 #define MAX(a, b)  (((a) > (b)) ? (a) : (b))
@@ -131,6 +137,7 @@ struct connection {
 struct listen_endpoint {
     int socketfd;       /* file descriptor of listening socket */
     int type;           /* SOCK_DGRAM | SOCK_STREAM */
+    int family;         /* AF_INET | AF_UNIX */
 };
 
 #define FD_CNXCLOSED    0
@@ -153,7 +160,7 @@ typedef enum {
 /* common.c */
 void init_cnx(struct connection *cnx);
 int set_nonblock(int fd);
-int connect_addr(struct connection *cnx, int fd_from, connect_blocking blocking);
+void connect_addr(struct connection *cnx, int fd_from, connect_blocking blocking);
 int fd2fd(struct queue *target, struct queue *from);
 char* sprintaddr(char* buf, size_t size, struct addrinfo *a);
 void resolve_name(struct addrinfo **out, char* fullname);
@@ -171,16 +178,25 @@ int resolve_split_name(struct addrinfo **out, char* hostname, char* port);
 
 int start_listen_sockets(struct listen_endpoint *sockfd[]);
 
-int defer_write(struct queue *q, void* data, int data_size);
+int defer_write(struct queue *q, void* data, ssize_t data_size);
+int defer_write_before(struct queue *q, void* data, ssize_t data_size);
 int flush_deferred(struct queue *q);
 
 extern struct sslhcfg_item cfg;
 extern struct addrinfo *addr_listen;
 extern const char* server_type;
 
+#if defined(__APPLE__) && (MAC_OS_X_VERSION_MIN_REQUIRED < 1080)
+extern int hosts_ctl();
+#endif
+
 /* sslh-fork.c */
 void start_shoveler(int);
 
 void main_loop(struct listen_endpoint *listen_sockets, int num_addr_listen);
 
+/* landlock.c */
+void setup_landlock(void);
+
+
 #endif

config.h.in

@@ -0,0 +1,21 @@
+
+
+#ifndef CONFIG_H
+/* Template for config.h, filled by `configure`. */
+
+/* Libwrap, to support host_ctl, /etc/allow and /etc/deny */
+#undef HAVE_LIBWRAP
+
+/* Landlock sandboxing Linux LSM */
+#undef HAVE_LANDLOCK
+
+/* Support for Proxy-protocol using libproxyprotocol */
+#undef HAVE_PROXYPROTOCOL
+
+/* libcap support, to use Linux capabilities */
+#undef HAVE_LIBCAP
+
+/* libbsd, to change process name */
+#undef HAVE_LIBBSD
+
+#endif

configure.ac

@@ -0,0 +1,20 @@
+
+dnl Use autoconf to generate the `configure` script from this and Makefile.in
+dnl This is awkardly adapted from https://github.com/edrosten/autoconf_tutorial
+dnl (all mistakes mine)
+
+AC_INIT
+AC_CONFIG_HEADERS(config.h)
+AC_CONFIG_FILES([Makefile])
+
+AC_CHECK_LIB([wrap], [hosts_ctl], [AC_DEFINE(HAVE_LIBWRAP) LIBS="$LIBS -lwrap" ], [])
+AC_CHECK_LIB([cap], [cap_get_proc], [AC_DEFINE(HAVE_LIBCAP) LIBS="$LIBS -lcap" ], [])
+AC_CHECK_LIB([bsd], [setproctitle], [AC_DEFINE(HAVE_LIBBSD) LIBS="$LIBS -lbsd" ], [])
+
+AC_CHECK_HEADERS(linux/landlock.h, AC_DEFINE(HAVE_LANDLOCK), [])
+AC_CHECK_HEADERS(proxy_protocol.h, [AC_DEFINE(HAVE_PROXYPROTOCOL) LIBS="$LIBS -lproxyprotocol" ], [])
+
+LIBS="$LIBS"
+AC_SUBST([LIBS])
+
+AC_OUTPUT

doc/Daisy-Chaining-Transparency-Explained.md

@@ -0,0 +1,283 @@
+# Daisy-Chaining-Transparency #
+This documentation goes a level deeper, what happens in the operating system with IP-addresses, and why some combinations of programs are failing, when they use the same transparency method.
+There are situations, where you need to combine two applications, both working as ip-transparent proxies, to reach your goal. One example is, having nginx or stunnel as an proxytunnel-endpoint for tls tunneled ssh connections through https-proxies. An example for such a combination will be desribed at the end of this article.<br>
+Unfortunately you will see a lot of errors popping out: **Address already in use**<br>
+[This article from Cloudflare blog](https://blog.cloudflare.com/how-to-stop-running-out-of-ephemeral-ports-and-start-to-love-long-lived-connections) explains why this is happening, while it is describing the solution to another problem. However this is a close relative to our problem.
+
+Let us look to the following example: We have sslh (S) accepting connections from a client (C) and forwarding one of those connections to a man-in-the-middle (M), which finally forwards this connection to sshd. If everything works perfectly, we would like to see those connections.
+
+![Dataflow-Of-Daisy-Chain](./detailed-ip-transparency.png)
+
+But unfortunately we are receiving in many constellations errors, when M tries to open its connection to our final target sshd, here called T.
+Let us look more close, why that is happening. We need for this two terminal windows on the same server.<br>
+### First example, uncooperative applications ###
+As the problem has nothing to do with transparency itself, but only of reuse of same IP-addresses and ports, we avoid the overhead of the additional capablities, to keep the example easy and clear.
+In the first terminal we are starting python3 and entering the following three lines:
+```
+user@host:~$ python3
+Python 3.11.2 (main, May  2 2024, 11:59:08) [GCC 12.2.0] on linux
+Type "help", "copyright", "credits" or "license" for more information.
+>>> import socket
+>>> sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
+>>> sock.bind(("192.168.255.254", 12345))
+>>> 
+```
+
+Now we are going to the second terminal window, and trying just the same:
+```
+Python 3.11.2 (main, May  2 2024, 11:59:08) [GCC 12.2.0] on linux
+Type "help", "copyright", "credits" or "license" for more information.
+>>> import socket
+>>> sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
+>>> sock.bind(("192.168.255.254", 12345))
+Traceback (most recent call last):
+  File "<stdin>", line 1, in <module>
+OSError: [Errno 98] Address already in use
+sock.bind(("192.168.255.254", 12346))  ##this however works!!
+```
+Here we are getting the error, which caused many of us hours of research.
+The problem is caused by the fact, that the kernel does not know at the moment of the bind()-call, how we want to use the socket. If we use this as a server socket, and will do a listen()-call as next, this will not work, as for server sockets, the two-value tuple ADDRESS:PORT needs to be unique only to the process, tied to this socket.
+That is the reason, that there are port ranges, reserved for servers, where the administrator is responsible not to assign the same port to two applications.
+But as server ports are coming from a range, which will not be used for client connections, a server can be sure, that if it is started at any time in the future, no outgoing client has used its port for an outbound connection.
+Clients are usually using ports from a so called [ephemeral port range](https://en.wikipedia.org/wiki/Ephemeral_port).
+However, for clients each connection is valid, as long as one value in the four-tuples describing the connection is different. In our example above, the two values from the destination are different, so this connection could be established (in theory) without conflicts.
+To make that happen, you need to deploy a special socket option to this socket, to explain, that we "know the risks" and we will reuse the ip-port combination.
+And, as we see from the second bind() in the second example, the error message: _**Address already in use**_ really means: _**Address:Port already in use**_
+
+### Taking Care, part I ###
+
+Ok, now we are entering our two terminals again, pressing Ctrl-D to finish python, and start a new session like this in both terminals:
+```
+user@host:~$ python3
+Python 3.11.2 (main, May  2 2024, 11:59:08) [GCC 12.2.0] on linux
+Type "help", "copyright", "credits" or "license" for more information.
+>>> import socket
+>>> sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+>>> sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  
+>>> sock.bind(("192.168.255.254", 12345))
+>>> 
+``` 
+And we will see, that the problem is solved, when both applications are taking care.
+
+### Taking Care, part II ###
+
+Ok, now we are going back to our terminals, pressing again Ctrl-D to finish python, and start new sessions like this:
+In the first terminal we repeat the input from our first example, without the setsockopt() call:
+```
+user@host:~$ python3
+Python 3.11.2 (main, May  2 2024, 11:59:08) [GCC 12.2.0] on linux
+Type "help", "copyright", "credits" or "license" for more information.
+>>> import socket
+>>> sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
+>>> sock.bind(("192.168.255.254", 12345))
+>>> 
+```
+in the second terminal, we enter our modified cooperative example:
+
+```
+user@host:~$ python3
+Python 3.11.2 (main, May  2 2024, 11:59:08) [GCC 12.2.0] on linux
+Type "help", "copyright", "credits" or "license" for more information.
+>>> import socket
+>>> sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+>>> sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  
+>>> sock.bind(("192.168.255.254", 12345))
+Traceback (most recent call last):
+  File "<stdin>", line 1, in <module>
+OSError: [Errno 98] Address already in use
+>>> 
+``` 
+Oops, here is our error again. And this is the reason, why I called this method "cooperative". As the first application has bound to that IP:PORT combination, without telling, that "it knows the risk", the kernel denies us, to use this combinations, as we may break the already active application. The first application is not "cooperative" :-(<br>
+ Ok, but the kernel gives as some more possibilities: As we now get connections from a uncoperative application, we can no longer use the Client-IP-Port combination. We need to use a conflict free port for the client IP, to succeed. So lets get back to terminal 2 and continue after the error with the following commands:
+```
+user@host:~$ python3
+Python 3.11.2 (main, May  2 2024, 11:59:08) [GCC 12.2.0] on linux
+Type "help", "copyright", "credits" or "license" for more information.
+>>> import socket
+>>> sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+>>> sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  
+>>> sock.bind(("192.168.255.254", 12345))
+Traceback (most recent call last):
+  File "<stdin>", line 1, in <module>
+OSError: [Errno 98] Address already in use
+>>> sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 0)
+>>> sock.setsockopt(socket.SOL_IP, socket.IP_BIND_ADDRESS_NO_PORT, 1)
+>>> sock.bind(("192.168.255.254", 0))
+>>>
+```
+This last example makes it neccessary, that you use a recent version of the python3 socket library, as older versions, have the option _IP_BIND_ADDRESS_NO_PORT_ not yet defined.
+With his behaviour, we are telling the kernel, that the kernel should assign us a conflict free port address at latest possible moment, while calling connect().
+From `man ip`:
+```
+Inform the kernel to not reserve an ephemeral port when using bind(2)
+with a port number of 0. The port will later be automatically chosen
+at connect(2) time, in a way that allows sharing a source port as 
+long as the 4-tuple is unique.
+```
+
+Ok, now with those two actions an application is really ready for cooperative working in ip-transparent chains.
+If you are running in problems, with any kind of application, where you are redirecting transparent traffic to from sslh, check the following:
+- Are you using a recent version of sslh, having the described feature enabled
+- are you using the most recent version of the other application
+If you can confirm both checks, tell the maintainers of the other application, about possible fixes, and send them a link to this article.
+
+## Practical Use Of Daisy-Chaining: Proxytunnel Endpoint ##
+
+One reasons, why we want to combine two programs is related to the core functionality of sslh. You wish to hide your ssh connection behind a https port.
+But now you would like, to reach this port via the [proxy-tunnel application](https://github.com/proxytunnel/proxytunnel), though an restrictive http(s) proxy. This is in many cases, one of the few methods, to escape from restricted private networks, like in companies, schools and universities. Unfortunately, many of those proxy-servers will check, that the protocol leaving the proxy is really tls. Therefore you need and endpoint in your system, which will terminate the tls-connection and forward the encapsulated ssh stream to the sshd.  Sslh can't do tls termination, as this is not a core job of tls. One of the solutions tried here is stunnel. Stunnel can do transparency like sslh, but unfortunately belongs to the uncooperative ip-transparent programs. At the time of writing this article, you can use stunnel as the first-in-chain, and a very recent sslh as second in chain. But nginx (or openresty) is capable of this, however it prefers (at least in the tested versions), mostly the second way just selecting a new random port and not (always) preserving the original source port, what makes debugging of events much easier.
+
+
+```
+stream {
+  ssl_preread on;
+
+  map $ssl_preread_server_name $name {
+    default            master.yourdomain.top;
+    t1.yourdomain.top  t1.yourdomain.top;
+    t2.yourdomain.top  t2.yourdomain.top;
+    cryptic.foo.bar    location.selfsigned.cert;
+  }
+
+## $destination port :443 is assumed, beeing as real
+## webserver. Either anothe nginx http-server or apache 
+## or anything other ...
+  map $ssl_preread_server_name $dest {
+    default              192.168.255.254:443;
+    t1.yourdomain.top    192.168.255.254:443;
+    t2.yourdomain.top    192.168.255.254:444;
+    cryptic.foo.notexist 192.168.255.254:445;
+  }
+
+
+## this is the server, to handle incoming tcp streams
+## and dispatching them transparent to $dest
+## 192.168.255.254:1443 is the address, where
+## the front facing sslh sends traffic to
+  server {
+    listen 192.168.255.254:1443;
+    proxy_connect_timeout 5s;
+    proxy_timeout 3m;
+    proxy_bind $remote_addr transparent;
+    proxy_pass $dest;
+    ssl_preread on;
+  }
+
+  ## this is a basic endpoint for proxy-tunnel connections
+  server {
+    listen 192.168.255.254:444 ssl;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
+    ## give facl to the nginx user, see later in article
+    ssl_certificate /etc/letsencrypt/live/$name/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/$name/privkey.pem;
+    ssl_dhparam  /etc/nginx/dhparam-nginx.pem;
+    ssl_session_cache shared:MySSL:10m;
+    ssl_session_tickets off;
+    proxy_connect_timeout 5s;
+    proxy_timeout 3m;
+    proxy_bind $remote_addr transparent;
+    proxy_pass 192.168.255.254:22 ;
+  }
+
+
+## this is a fancy destination, using some tricks, to fool
+## some proxies.
+  server {
+    listen 192.168.255.254:445 ssl;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
+    ## this points to a directory, containg a self signed certificate
+    ## created with CN and SAN to an not officially existing
+    ## domain, e.g. cryptic.foo.notexists
+    ssl_certificate /etc/nginx/$name/fullchain.pem;
+    ssl_certificate_key /etc/nginx/$name/privkey.pem;
+    ssl_dhparam  /etc/nginx/dhparam-nginx.pem;
+    ssl_session_cache shared:MySSL:10m;
+    ssl_session_tickets off;
+    ## additional trick: requiring client certificate authentication
+    ssl_client_certificate /etc/nginx/public.cert ;
+    ssl_verify_client on ;
+    proxy_connect_timeout 5s;
+    proxy_timeout 3m;
+    proxy_bind $remote_addr transparent;
+    proxy_pass 192.168.255.254:22;
+  }
+}
+```
+
+This nginx stream server shows a combination of different possibilities, how to establish an endpoint for proxytunnel or similar programs, to hide your ssh connection. Remember: Hiding ssh tunneled in tls does not neccessarly raise the security of your connection. In theory a combination of two methods may also lower the security. In addition there are more drawbacks: Such a connection needs more cpu on both ends for doing double crypto, and the throughput through he connection drops, as the ratio payload/header increases. the single ssh-packets are smaller, than usual.
+So it is not recommended for doing scp or sftp through such connections.
+
+### Nginx Configration Explained ###
+
+However, there are situations, where this is the only way, to reach your server.
+So we have now this nginx instance helping us out.
+The server stanza listening on _192.168.255.254:1443_ is the main process, accepting incoming connections forwarded from sslh. It prereads tls SNI names, to get destination information. When in the nginx-configuration a variable is used, which is set by an map action, the mapping takes place just in that moment, when the variable needs to be expanded.
+So we have either default values, in case there is no SNI, or values for individual SNI.
+
+The connection stream is than forwarded ip-transparent to a given destination, which is itself another nginx instance, defined in the configuration file.
+
+#### The Standard TLS-Termination ####
+
+The server stanza listening on _192.168.255.254:444_ is a very basic TLS terminating endpoint. In most cases, a proxy is happy with a destination like this. Here nginx just terminates the TLS connection and shovels the incoming packets over to sshd in ip-transparent way. The proxytunnel configuration for this target will look like:
+```
+host t2.yourdomain.top 
+  ProxyCommand /path/to/proxytunnel -e -p PROXY-IP:3128 -d t2.yourdomain.top:443
+  ServerAliveInterval 30
+```
+If you have no proxytunnel on your system, you can also use openssl. In this case the configuration looks like:
+```
+host t2-alias
+  ProxyCommand openssl s_client -proxy PROXY-IP:3128  -connect t2.yourdomain.top:443 
+  ServerAliveInterval 30
+```
+`ssh ts-alias` will use this configuration.
+
+One point from the above configuration needs further explanation, as we just refer to our common letsencrypt store, for certificates.
+
+##### Excurse To File ACLs #####
+
+We are using here our common letsencrypt certificate store, as copying certificates after renewal is a pain in the as and prone to errors.
+A small script makes sure, that all applications can read the certificates:
+```
+for i in  Debian-exim dovecot mail www-data nginx ; do
+  setfacl -Rdm u:$i:rX ./archive/
+  setfacl -Rdm u:$i:rX ./live/
+  setfacl -Rm u:$i:rX ./archive/
+  setfacl -Rm u:$i:rX ./live/
+  for file in $( find ./live ./archive -type l,f ) ; do
+    echo -e "$i $file set"
+    setfacl -m u:$i:r $file
+  done
+done
+```
+This script needs only to be run, when a new application user needs access.
+The first two lines are making sure (watch the **d**), that the given options
+on those directories will be the default for newly created files below.
+The uppercase **X** means, that **x**-access will only be granted to directories or files, having already **x** set for others.
+
+#### The Tricky TLS Termination ####
+
+The server stanza listening on _192.168.255.254:445_ is a more tricky TLS terminating endpoint. Some proxies are trying to inspect the destination, before letting you go. Some of them you can fool, others not.
+One trick can be to use an phantasy domain name with a self signed certificate, no dns server will ever resolve. As you are using this name as SNI name in your proxy-tunnel connection, it will work.  This can be also a way, to hide your sshd, if someone, who knows you are using sslh tries to find your sshd. As long, as this person does not get access to proxies you are using, this may help in some situations.
+Another trick is, requiring a client certificate for authentication. This is in each case the much better approach, as you can combine this also with official connected domain names. Without the client certificate no sshd!
+The client certificate does not increase the above mentioned ratio between payload and headers, as this is only used while establishing the TLS connection.
+It prevents however a proxy, doing a parallel sneak to your destination, to figure out what is behind. I have seen proxies letting you connect with this method, others are denying access.
+
+To access this endpoint, the proxytunnel configuration inside `~/.ssh/config`
+will look like:
+```
+host cryptic.foo.notexists
+  ProxyCommand /path/to/proxytunnel -e -c ~/public.cert -k ~/private.pem -C ~/myOwnCA.cert -p PROXY-IP:3128 -o cryptic.foo.notexists  -d t1.yourdomain.top:443
+  ServerAliveInterval 30
+```
+-C gives the certfile to your certificate used for selfsigning the server certificate. You can also set -z for not verifying the certificate, but that is not recommended! `t1.yourdomain.top` represents a valid domain name, where the listening sslh can be reached. This name is not taken for SNI, because **-o** sets our hidden SNI name. Whenever you enter `ssh cryptic.foo.notexists` you will get connected to your server!
+
+The best reommendation however is: Avoid self signed certs, if you are not really sure, what you are doing.
+

doc/FAQ.md

@@ -12,19 +12,20 @@ GitHub.
 Getting more info
 =================
 
-In general, if something doesn't work, you'll want to run
-`sslh` with lots of logging, and the logging directly in
-the terminal (Otherwise, logs are sent to `syslog`, and
-usually end up in `/var/log/auth.log`). You will achieve
-this by running `sslh` in foreground with verbose:
+There are several `verbose` options that each enable a set
+of messages, each related to some event type. See
+`example.cfg` for a list of them.
+
+If something doesn't work, you'll want to run `sslh` with
+lots of logging, and the logging directly in the terminal
+(Otherwise, logs are sent to `syslog`, and usually end up in
+`/var/log/auth.log`). There is a general `--verbose` option
+that will allow you to enable all messages:
 
 ```
-sslh -v 1 -f -F myconfig.cfg
+sslh -v 3 -f -F myconfig.cfg
 ```
 
-Higher values of `verbose` produce more information. 1 is
-usually sufficient. 2 will also print incoming packets used
-for probing.
 
 forward to [PROBE] failed:connect: Connection refused
 =====================================================

doc/INSTALL.md

@@ -1,3 +1,13 @@
+Pre-built binaries
+==================
+
+Docker images of `master` and of the tagged versions are
+available directly from [Github](https://github.com/yrutschle/sslh/pkgs/container/sslh).
+
+Windows binaries for Cygwin are graciously produced by
+nono303 on his [repository](https://github.com/nono303/sslh).
+
+
 Compile and install
 ===================
 
@@ -6,139 +16,156 @@ Dependencies
 
 `sslh` uses:
 
-* [libconfig](http://www.hyperrealm.com/libconfig/). For
-  Debian this is contained in package `libconfig-dev`. You
-can compile with or without it using USELIBCONFIG in the
-Makefile.
+* [libconfig](http://www.hyperrealm.com/libconfig/).
+  For Debian this is contained in package `libconfig-dev`.
+  You can compile with or without it using USELIBCONFIG in the Makefile.
 
 * [libwrap](http://packages.debian.org/source/unstable/tcp-wrappers).
-    For Debian, this is contained in packages
-`libwrap0-dev`. You
-can compile with or without it using USELIBWRAP in the
-Makefile.
+  For Debian, this is contained in packages `libwrap0-dev`.
+  Presence of libwrap is checked by the configure script.
 
-* [libsystemd](http://packages.debian.org/source/unstable/libsystemd-dev), in package `libsystemd-dev`.  You
-can compile with or without it using USESYSTEMD in the
-Makefile.
+* [libsystemd](http://packages.debian.org/source/unstable/libsystemd-dev), in package `libsystemd-dev`.
+  You can compile with or without it using USESYSTEMD in the Makefile.
 
-* [libcap](http://packages.debian.org/source/unstable/libcap-dev), in package `libcap-dev`. You can compile with or without it using USELIBCAP in the Makefile
+* [libcap](http://packages.debian.org/source/unstable/libcap-dev), in package `libcap-dev`.
+  Presence of libcap is checked by the configure script.
 
-* libbsd, to enable to change the process name (as shown in
-  `ps`, so each forked process shows what protocol and what
-  connection it is serving),
-which requires `libbsd` at runtime, and `libbsd-dev` at
-compile-time.
+* [libconfig++-dev](https://packages.debian.org/bookworm/libconfig++-dev), in package `lìbconfig++-dev`
+    
+* libbsd, to enable to change the process name (as shown in `ps`,
+  so each forked process shows what protocol and what connection it is serving),
+  which requires `libbsd` at runtime, and `libbsd-dev` at compile-time.
+  Presence of libbsd is checked by the configure script.
 
-* libpcre2, in package `libpcre-dev`. You can compile
-  with or without it using ENABLE_REGEX in the Makefile.
+* libpcre2, in package `libpcre2-dev`.
+  You can compile with or without it using ENABLE_REGEX in the Makefile.
 
-* libev-dev, in package `libev-dev`. If you build a binary
-  specifically and do not build `sslh-ev`, you don't need
-  this.
+* libev-dev, in package `libev-dev`.
+  If you build a binary specifically and do not build `sslh-ev`, you don't need this.
 
+* [libproxyprotocol](https://github.com/kosmas-valianos/libproxyprotocol.git)
+  to support HAProxy's [ProxyProtocol](https://www.haproxy.org/download/2.3/doc/proxy-protocol.txt).
+  As this is not part of the distribution packages, set
+  C_INCLUDE_PATH, LD_LIBRARY_PATH, and LIBRARY_PATH to the appropriate
+  values:
+  ```
+    export C_INCLUDE_PATH=/home/user/src/libproxyprotocol/src 
+    export LD_LIBRARY_PATH=/home/user/src/libproxyprotocol/libs
+    export LIBRARY_PATH=/home/user/src/libproxyprotocol/libs
+  ```
 
 For OpenSUSE, these are contained in packages libconfig9 and
 libconfig-dev in repository
 <http://download.opensuse.org/repositories/multimedia:/libs/openSUSE_12.1/>
 
-For Fedora, you'll need packages `libconfig` and
-`libconfig-devel`:
+For Fedora, you'll need packages `libconfig` and `libconfig-devel`:
 
-	yum install libconfig libconfig-devel
+    yum install libconfig libconfig-devel
 
-If you want to rebuild `sslh-conf.c` (after a `make
-distclean` for example), you will also need to add
-[conf2struct](https://www.rutschle.net/tech/conf2struct/README.html)
+If you want to rebuild `sslh-conf.c` (after a `make distclean` for example),
+you will also need to add [conf2struct](https://www.rutschle.net/tech/conf2struct/README.html)
 (v1.5) to your path.
 
-
 The test scripts are written in Perl, and will require
-IO::Socket::INET6 (libio-socket-inet6-perl in Debian).
+`IO::Socket::INET6` (`libio-socket-inet6-perl` in Debian).
+
 
 Compilation
 -----------
+First you have to run `./configure`  in the _**./sslh**_ directory. After this, 
+the Makefile is created, and you can do your configuration changes in the Makefile. 
+After each run of ./configure, those changes are gone and the Makefile is recreated.
 
-After this, the Makefile should work:
+There are a couple of configuration options at the beginning of the Makefile: 
 
-	make install
+* `# override undefine HAVE_LANDLOCK` if you uncomment this line, sslh will be compiled
+  without landlock. This works with gcc versions < 12. Otherwise, if your system has
+  linux/landlock.h in the include path, the configure script creates a _**config.h**_ file, 
+  which defines HAVE_LANDLOCK. It is not enough, to set this to 0, you must delete it, 
+  when you don't wish to have landlock in your binary.
+  
+* `USELIBWRAP` compiles support for host access control (see `hosts_access(3)`),
+  you will need `libwrap` headers and library to compile (`libwrap0-dev` in Debian).
 
-There are a couple of configuration options at the beginning
-of the Makefile: 
+* `USELIBCONFIG` compiles support for the configuration file.
+  You will need `libconfig` headers to compile (`libconfig8-dev` in Debian).
 
-* `USELIBWRAP` compiles support for host access control (see
-  `hosts_access(3)`), you will need `libwrap` headers and
-  library to compile (`libwrap0-dev` in Debian).
+* `USESYSTEMD` compiles support for using systemd socket activation.
+  You will need `systemd` headers to compile (`systemd-devel` in Fedora).
 
-* `USELIBCONFIG` compiles support for the configuration
-  file. You will need `libconfig` headers to compile
-  (`libconfig8-dev` in Debian).
+* `USELIBBSD` compiles support for updating the process name (as shown by `ps`).
 
-*  `USESYSTEMD` compiles support for using systemd socket activation.
-   You will need `systemd` headers to compile (`systemd-devel` in Fedora).
+* `USELIBCAP` compiles support for libcap, which allows to inherit capabilities to 
+  daughter-processes, which run as restricted users. You need this, when you wish to 
+  make sure, that the --user= parameter can be used, without setting capabilities etc.
+  to your binaries, to make this work.
+
+Now you can do either a plain `make` to create the binaries, or you can do an 
+`make install` to create the binaries and install them.
 
-* `USELIBBSD` compiles support for updating the process name (as shown
-  by `ps`).
 
 Generating the configuration parser
 -----------------------------------
 
-The configuration file and command line parser is generated
-by `conf2struct`, from `sslhconf.cfg`, which generates
-`sslh-conf.c` and `sslh-conf.h`. The resulting files are
-included in the source so `sslh` can be built without
-`conf2struct` installed.
+The configuration file and command line parser is generated by `conf2struct`,
+from `sslhconf.cfg`, which generates `sslh-conf.c` and `sslh-conf.h`.
+The resulting files are included in the source
+so `sslh` can be built without `conf2struct` installed.
+
+Further, to prevent build issues,
+`sslh-conf.[ch]` has no dependency to `sslhconf.cfg` in the Makefile.
+In the event of adding configuration settings,
+they need to be regenerated using `make c2s`.
 
-Further, to prevent build issues, `sslh-conf.[ch]` has no
-dependency to `sslhconf.cfg` in the Makefile.  In the event
-of adding configuration settings, they need to be
-regenerated using `make c2s`.
 
 Binaries
 --------
 
-The Makefile produces three different executables: `sslh-fork`,
-`sslh-select` and `sslh-ev`:
+The Makefile produces three different executables:
+`sslh-fork`, `sslh-select` and `sslh-ev`:
 
 * `sslh-fork` forks a new process for each incoming connection.
-It is well-tested and very reliable, but incurs the overhead
-of many processes.  
-If you are going to use `sslh` for a "small" setup (less than
-a dozen ssh connections and a low-traffic https server) then
-`sslh-fork` is probably more suited for you. 
+  It is well-tested and very reliable, but incurs the overhead of many processes.  
+  If you are going to use `sslh` for a "small" setup
+  (less than a dozen ssh connections and a low-traffic https server)
+  then `sslh-fork` is probably more suited for you.
 
-* `sslh-select` uses only one thread, which monitors all
-  connections at once. It only incurs a 16 byte overhead per
-connection.  Also, if it stops, you'll lose all connections,
-which means you can't upgrade it remotely.  If you are going
-to use `sslh` on a "medium" setup (a few hundreds of
-connections), or if you are on a system where forking is
-expensive (e.g. Windows), `sslh-select` will be better.
+* `sslh-select` uses only one thread, which monitors all connections at once.
+  It only incurs a 16 byte overhead per connection.
+  Also, if it stops, you'll lose all connections,
+  which means you can't upgrade it remotely.
+  If you are going to use `sslh` on a "medium" setup (a few hundreds of connections),
+  or if you are on a system where forking is expensive (e.g. Windows),
+  `sslh-select` will be better.
+
+* `sslh-ev` is similar to `sslh-select`, but uses `libev` as a backend.
+  This allows using specific kernel APIs that
+  allow to manage thousands of connections concurrently.
 
-* `sslh-ev` is similar to `sslh-select`, but uses `libev` as
-  a backend. This allows using specific kernel APIs that
-allow to manage thousands of connections concurrently.
 
 Installation
 ------------
 
 * In general:
-
-		make
-		cp sslh-fork /usr/local/sbin/sslh
-		cp basic.cfg /etc/sslh.cfg
-                vi /etc/sslh.cfg
-
+  ```sh
+  ./configure
+  make
+  cp sslh-fork /usr/local/sbin/sslh
+  cp basic.cfg /etc/sslh.cfg
+  vi /etc/sslh.cfg
+  ```
 * For Debian:
-
-		cp scripts/etc.init.d.sslh /etc/init.d/sslh
-	
+  ```sh
+  cp scripts/etc.init.d.sslh /etc/init.d/sslh
+  ```
 * For CentOS:
-
-		cp scripts/etc.rc.d.init.d.sslh.centos /etc/rc.d/init.d/sslh
-
+  ```sh
+  cp scripts/etc.rc.d.init.d.sslh.centos /etc/rc.d/init.d/sslh
+  ```
 
 You might need to create links in /etc/rc<x>.d so that the server
 start automatically at boot-up, e.g. under Debian:
-
-	update-rc.d sslh defaults
+```sh
+update-rc.d sslh defaults
+```
 

doc/README.Windows.md

@@ -0,0 +1,72 @@
+It is possible to run `sslh` on Windows. The `fork` model
+should be avoided as it is very inefficient on Windows, but
+`sslh-select` and `sslh-ev` both work with good performance
+(prefer the latter, however).
+
+
+The following script downloads the latest cygwin, the latest version of sslh, and then compiles and copies the binaries with dependancies to an output folder.
+
+It may be needed to correct it from time to time, but it works. I use it in a virtual machine.
+Just retrieve WGET.EXE from https://eternallybored.org/misc/wget/ or git binaries.
+
+Copy the 3 files
+
+	GO.cmd
+	wget.exe
+	compile.sh
+	
+to C root folder, then execute **GO.cmd** with administrative rights.
+
+with **GO.cmd**
+
+	@ECHO OFF
+	CD /D "%~dp0"
+	
+	NET SESSION >NUL 2>&1
+	IF %ERRORLEVEL% NEQ 0 (
+	    ECHO Permission denied. This script must be run as an Administrator.
+	    ECHO:
+	    GOTO FIN
+	) ELSE (
+	    ECHO Running as Administrator.
+	    TIMEOUT /T 2 >NUL
+		wget --no-check-certificate https://www.cygwin.com/setup-x86_64.exe
+		IF NOT EXIST setup-x86_64.exe GOTO FIN
+		MKDIR C:\Z
+		setup-x86_64.exe -l C:\Z -s ftp://ftp.funet.fi/pub/mirrors/sourceware.org/pub/cygwin/ -q -P make -P git -P gcc-g++ -P autoconf -P automake -P libtool -P libpcre-devel -P libpcre2-devel -P bison -P libev-devel
+		MKDIR C:\cygwin64\home\user
+	COPY COMPILE.SH C:\cygwin64\home\user
+			START C:\cygwin64\bin\mintty.exe /bin/bash --login -i ~/compile.sh
+		START EXPLORER C:\zzSORTIE
+	)
+	:FIN
+	PAUSE
+	EXIT
+
+
+and **compile.sh**
+
+	# SAVE FILE TO UNIX FORMAT
+	# COPY IT IN C cygwin64 home user
+	git clone https://github.com/hyperrealm/libconfig.git
+	cd libconfig
+	autoreconf -fi
+	./configure
+	make
+	make install
+	cd ..
+	cp /usr/local/lib/libconfig.* /usr/lib
+	git clone https://github.com/yrutschle/sslh.git
+	cd sslh
+	make
+	cd ..
+	mkdir /cygdrive/c/zzSORTIE
+	cp ./sslh/sslh*.exe /cygdrive/c/zzSORTIE
+	cp /usr/local/bin/cygconfig-11.dll /cygdrive/c/zzSORTIE
+	cp /cygdrive/c/cygwin64/bin/cygwin1.dll /cygdrive/c/zzSORTIE
+	cp /cygdrive/c/cygwin64/bin/cygpcreposix-0.dll /cygdrive/c/zzSORTIE
+	cp /cygdrive/c/cygwin64/bin/cygpcre-1.dll /cygdrive/c/zzSORTIE
+	cp /cygdrive/c/cygwin64/bin/cygev-4.dll /cygdrive/c/zzSORTIE
+	cp /cygdrive/c/cygwin64/bin/cygpcre2-8-0.dll /cygdrive/c/zzSORTIE
+
+This method was contributed by lerenardo on [github](https://github.com/yrutschle/sslh/issues/196#issuecomment-1692805639).

doc/config.md

@@ -76,10 +76,10 @@ Configuration goes like this on the server side, using `stunnel3`:
 Capabilities support
 --------------------
 
-On Linux (only?), you can compile sslh with `USELIBCAP=1` to
-make use of POSIX capabilities; this will save the required
-capabilities needed for transparent proxying for unprivileged
-processes.
+On Linux (only?), you can compile sslh with `USELIBCAP=1` set 
+in the Makefile to make use of POSIX capabilities; this will 
+save the required capabilities needed for transparent proxying 
+for unprivileged processes.
 
 Alternatively, you may use filesystem capabilities instead
 of starting sslh as root and asking it to drop privileges.
@@ -99,12 +99,11 @@ Then you can run sslh-select as an unprivileged user, e.g.:
 Transparent proxy support
 -------------------------
 
-Transparent proxying allows the target server to see the
-original client IP address, i.e. `sslh` becomes invisible.
-This makes it easier to use the server's logs, and potential
-IP-based banning ability.
+Transparent proxying is described in its own
+[document](tproxy.md).
 
-Set up can get complicated, so it has its own [document](tproxy.md).
+It might be easier to configure `sslh` to use Proxyprotocol
+if the backend server supports it.
 
 Systemd Socket Activation
 -------------------------

doc/scenarios-for-simple-transparent-proxy.md

@@ -0,0 +1,51 @@
+# Three Scenarios for the simple transparent proxy setup #
+
+![Simple Transparent Proxy Examples](./sslh-examples-v3.png)
+
+## Introduction ##
+The first example is the configuration, which was described in the previous document. I omitted the loopback interface "lo" in those diagrams, trying not no overload the picture. 
+The connections have two different endings, showing the direction of the opening connection (SYN flag) and the answer connection (SYN-ACK flags). This is important, as the traffic in the transparent proxy setup flows somewhat unexpected.
+
+## Example 1 ##
+The first example shows the setup, which is described in the [previous document](./simple_transparent_proxy.md). You see the Client connecting to sslh (red connection). When sslh accepts this connection, the SYN-ACK packet is send back to the client, which sends the first data packet(s) together with the ACK for the SYN-ACK. So the bidirectional tcp connection is fully open.
+Sslh opens now the blue connection to sshd and needs for that elevation rights, as it uses the clients IP address as its own address for opening this connection. Now things are becoming complicated: Sshd send back the first packet with SYN-ACK flags (green line), addressed to the clients IP (dotted line). As already described, that would go wrong, so our routing trick makes this packet beeing deflected back to sslh, so this tcp connection is also opened. But we have here now an asymetric behaviour, that the read and write pathes of the tcp connection are going different routes.
+The sslh process shuffles now all the bytes coming from sshd from the green line to the red line, vice versa for the packets from the client.
+
+## Example 2 ##
+In this example sshd is running on another server. No matter, if this is docker, kvm, virtualbox or another physical host, connected with an ethernet cable. Here we need no dummy interface, so we need another way, to configure our routing deflection.  The principle is the same: We need to force packets coming back from sshd going to sslh and not directly back to the client.
+In this case its your decision, where those rules will be tied in, options are:
+
+* the startscript of sslh
+* the docker or kvm configuration
+* the configuration of the outgoing interface
+
+Its two lines you need:
+```
+ip rule add from SSHD_ADDRESS/32 table sslh
+ip route add local 0.0.0.0/0 dev lo table sslh
+```
+On the sshd host, we need no additional rules, as all traffic is coming back to our sslh host, because this is in this setting the default gateway.  The only thing, we need to do: Assign a unique IP address only for sshd and all other services, you wish to hide behind sslh and host on this device.
+
+There are two ways, how you can add multiple ip addresses to one device. The new _**ip addr add**_ supports multiple add statements to one and the same interface name. So you can just duplicate the interface stancas in the _**/etc/network/interfaces**_ configuration. The problem with this method is, that some older managment tools, like ifconfig are unable to show the additional addresses. So when you are used to some older tools, you may configure sub-interfaces like eth0:1.
+However my recommendation is, migrate to new tools, get used to it, as old tools don't show you the whole configuration!
+
+## Example 3 ##
+This is now the extended version of the previous example. The target host has another path back to the client, as there is a default route to another interface. Now we need **TWO** routing deflections, one on the sslh host, like in scenario 2, and one on the sshd target host.
+The routing setup on the target host looks like:
+* Add an routing table name for the deflection table in _**/etc/iproute2/rt_tables**_
+* Find a location, where you will hook the two routing rules in
+```
+ip rule add from SSHD_ADDRESS/32 table sslh_routeback
+ip route add default via SERVER1_ETH1_IP dev eth0 table sslh_routeback
+
+```
+This is setting up a default route for all traffic, originating from the ip address sshd (or any other service) is using, back to the host, hosting sslh. On that host, those packets will be deflected again with the same rule from scenario 2.
+
+Be aware, that scenario 3 can look very different and the picture above shows only one of those setups. Each configuration, where packets from the target system can find their way back, without beeing forcibly routed through the sslh hosting system, belongs into this category. This are e.g. virtual machines or containers, having interfaces in the same network, like the sslh hosting system. Even, when they look in some drawings embedded in their host, as soon, as they have network interfaces, allowing a direct connection to the client, it is scenario 3!
+
+## Modifications ##
+Now you can think about many modifications, but the tools will be the same, for all other thinkable scenarios. You must always make sure, that packets from foreign hosts, will find their way back to the sslh host. So if the chain consists of three or four servers, all need the deflection rules. 
+
+## Important Finding On Routing ##
+When I went ahead and wrote in my first drawings the warning, that the kernel in scenario 2 and 3 needs to have forwarding in place, I finally tested, that this is not true. **Both scenarios are working without kernel forwarding beeing activated!**
+The background:  The deflecting routing table cames into the game, before the kernel has to made the decision, that packets with non local ip addresses in source and destination must be forwarded. After the routing rule deliveres the packet to sslh and sslh rewrites the source ip, the packet is treated as local, and can pass the system.

doc/simple_transparent_proxy.md

@@ -0,0 +1,135 @@
+# Transparent Proxy Configuration Using IP Routing#
+This documentation is another explanation of the transparent proxy with the goal, beeing secure and minimalistic. Besides this documentation will explain, how and why this configuration works.
+The explanation will only describe the connection to sshd, so the target sshd can be replace with any other target service, sslh supports.
+
+## Introduction in the data flow ##
+This chapter can be skipped, if you just like to configure things fast.
+This chapter is a little excurse to the dataflow. First point of all is something, which you will unfortunately not see in the nice routing diagrams for iptables or netfilter-tables (nft) like: [Iptables at wikipedia](https://upload.wikimedia.org/wikipedia/commons/thumb/3/37/Netfilter-packet-flow.svg/2560px-Netfilter-packet-flow.svg.png), [Netfilter Flow](https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks#Netfilter_hooks_into_Linux_networking_packet_flows).
+
+Packets from local application talking to other local applications are routed through the loopback-interface. They leave postrouting to lo and reentering from there prerouting, without passing ingress/egress.
+This has nothing to do with the "**route_localnet = 1**" trick, which only makes, that the the local ip range 10.0.0.0/8 gets routed!
+As you can read in many articles, this is nothing you should do, as you may bring your system at risk, because it allows to leak packets from outside to applications, which feel themselves secure, by using those unroutable addresses.
+#### A Simple Simulation ####
+You can prove this behaviour with a simple test:
+```
+# In one terminal start socat as a local echo server
+# this is simulating sshd
+
+socat TCP4-LISTEN:2000,bind=SERVER_IP,fork EXEC:cat
+
+# In the next terminal start another instance of socat,
+# simulating sslh
+
+socat TCP-LISTEN:3000,bind=SERVER_IP,fork TCP:SERVER_IP:2000
+
+# In another terminal you can watch the traffic on lo
+
+tcpdump -i lo port 2000
+
+# In the last terminal talk to the echo server
+telnet SERVER_IP 2000
+```
+You will see your traffic on lo, but not on eth0, if you retry the tcpdump there.
+
+If you setup sslh as non transparent proxy, it will just work, as what we have seen.  
+
+#### Going Transparent ####
+
+In case of transparent proxy however, sslh uses some tricks, to reuse the clients IP on its outgoing interface to sshd. It opens the interface in raw mode, so it either needs to be started as root and drop privileges after binding, or you will need to give some capabilities to the sslh binary (cap_net_bind_service,cap_net_raw+ep), if you will start it as restricted user.
+In this setup we continue, with dropping priviledges.
+
+Doing so, you can send packets to the sshd, listening on another interface, but, the answer packets from sshd will get routed back to the client. This however will not work, as the client would refuse those packets, because they don't belong to a tcp session, the client opened. In most cases those packets would even not reach the client, as source ip addresses from private address space, will be blocked by most internet routers and connection providers.
+
+So its mandatory, to use some tricks, to get those packets back to sslh. All configurations, I have seen so far, are using two components for that. They bind sshd to lo, and than they introduce some firewall rules, to mark packets, originating from the sshd port on lo, so that those packets can be routed in a next step -based on that marking- back to sslh.
+
+##### Drawbacks From Using loopback #####
+This idea has some serious drawbacks: First, you need to allow routing of the local address space, 127.0.0.0/8, with kernel configurations. Search for the string "net.ipv4.conf.default.route_localnet" and you will find lot of articles, why you should not do this.
+By allowing this, you need additional firewall rules, dropping martian packets, which otherwise would get routed to the internet from other applications, running on lo, not aware, that their traffic could be routed.  You need further firewall rules, blocking incoming packets to loopback addresses, as otherwise some applications (especially udp) could be the goal of some bad traffic.
+
+##### Using A Dedicated Interface #####
+So this configuration makes use of a own interface, just for the services, where sslh should hide the traffic for. We use a interface of the dummy kernel module, which was designed just for this case.  It is an interface, beeing there, having no cable connection or whatsever, but applications can bind to it. We assign to this interface just a /32 private address, as this interface is not part of any network.
+
+Doing so, we can avoid all the hassle with marking certain packets, coming from the single applications, sslh has to hide, as we now just route ALL traffic from this specific interface by its ip to sslh.
+We need one routing rule and one routing table, this covers as many targets sslh will serve on this interface, without adding additional rules for adding apache, openvpn and others.
+
+We need no firewall rules, preventing martians, as this single routing rule will deadroute all traffic from this interface, if sslh is not catching it up.
+
+We only need firewall protection for this specific ip address, when we have activated ip forwarding on that system.  If the system is no router and needs no forwarding, there is no protection needed.
+
+## Finally The Configuration ##
+
+As described, we need as a first step a dedicated interface, just for the services, sslh should hide. Its possible, to generate individual interfaces for different configurations, however, that makes things again more complex and has no advantages seen so far.
+
+### Named Routing Table ###
+As we configure the needed routing rules in the interface configuration, we need to define a name for the sslh routing table first.
+Using named routing tables helps, understanding the routing configuration, as a name indicates, why this routing table is configured.
+To do so go to  _**/etc/iproute2/rt_tables**_ and add a line
+
+```
+ 111     sslh
+```
+With newer versions of iproute2 the /etc/iproute2 directory with the embedded templates got no longer installed. The cause maybe, that the example names, which were not used in any configuration, generated confusion. However, once you need those files, generate them and they will be honoured. You still can use just numbers for your routing table. But doing this, and having more than one routing table, you need a list, which numer belongs to which configuration. 
+And seeing in the output from `ip route list table all ` the tables names instead just numbers is worth creating the file.
+
+### Dummy Interface ###
+Now we configure our dedicated interface.
+In the file _**/etc/network/interfaces**_, we place this entry:
+```
+auto dummy0
+iface dummy0 inet static
+    address 192.168.255.254/32
+    pre-up modprobe dummy
+    ## Attention! with kernels, not automatically creating a dummy0
+    ## interface after module loading the following line should be:
+    ## pre-up modprobe dummy; if [ ! -e /sys/class/net/dummy0 ]; then ip link add dummy0 type dummy ; fi
+    post-up ip rule add from 192.168.255.254 table sslh
+    post-up ip route add local 0.0.0.0/0 dev dummy0 table sslh
+    pre-down ip route del local 0.0.0.0/0 dev dummy0 table sslh
+    pre-down ip rule del from 192.168.255.254 table sslh
+```
+As long, as your system has no other interfaces with private address-space, or is routing such addresses, you can continue with the given example. Otherwise you need to select a conflict free address.
+If you are updating a older current configuration, make sure, that you have no longer insecure localnet routing in place:
+```
+ sysctl  net.ipv4.conf.default.route_localnet  
+ sysctl net.ipv4.conf.all.route_localnet
+```
+should both report "0"! 
+
+
+### Explanation Of The Routing Rules ###
+The two routing rules in the dummy0 interface configuration are the key for this configuration.
+
+The first line is an routing rule entry, routing everything coming from the dummy0 ip source address to a special routing table _**sslh**_. 
+
+The next line generates this table implicitly, by inserting a single rule, routing everything from that ip address to dummy0.
+
+Opposite to other firewall based configurations, we have those rules now tied to the dummy0 device, dedicated to the hidden services.
+When this interface comes up, the routing rules are making sure, that no martian packets can leave the system, by some processes using this IP address. When the interface goes down, we delete those rules.
+Also the startup script needs lo longer special treatment for the transparent mode.
+
+
+#### SSLH Default Configuration ####
+And finally you need to configute _**/etc/default/sslh**_ with the right settings for all the services, sslh should work for.
+```
+DAEMON_OPTS="--user sslh --listen SERVER_IP:443 --transparent  \
+             --ssh 192.168.255.254:22 --tls 192.168.255.254:443 \
+             --pidfile /var/run/sslh/sslh.pid"
+```
+
+#### Systemd #### 
+This setup is now startup agnostic. As we don't need special treatment in the startup script, the sysV based init scripts will just work, like the systemd scripts. Nothing needs to be modified, when going transparent.
+
+#### Remote Setups ####
+This concept can also be adapted for several setups, where the sshd (or any other target service) is running in a container, kvm-virtual machine, etc.
+Precondition is, that the target system is the next hop and uses the sslh-hosting system as default gateway. In addition you need to bind an additional ip-address, solely used for sshd on the corresponding interface.
+Than you can adapt the routing rule, routing traffic coming back from this ip to the sslh-routing-table.
+Its also possible, to forward to an next hop system, which has its own default gateway back, bypassing the sslh-host.
+In this case, you need to add a special route back to the sslh host, for all traffic with the sshd source ip address. This can be done similar to the two rules described above:
+```
+  # first define a name for the table in /etc/iproute2/rt_tables e.g. sslh-routeback
+  ip rule add from IPADRESS-OF-SERVIE table sslh-routeback
+  ip route add default via IPADDRESS-OF_SSLH-HOST dev eth0 table sslh-routeback
+```
+The details are depending on your network settings. Als long, as the forward chain to the hidden service passes systems under your control, you can add backroutes on each system in that route. Precondition: The used ip address produces no conflict on those systems.
+
+[I added a second document](./scenarios-for-simple-transparent-proxy.md), describing three possible scenarios in detail. Those three scenarios should cover all setups related to transparent proxying. 

doc/tproxy.md

@@ -1,15 +1,11 @@
-# Transparent proxy
+# Transparent proxy using packet marking
 
-On Linux and FreeBSD you can use the `--transparent` option to
-request transparent proxying. This means services behind `sslh`
-(Apache, `sshd` and so on) will see the external IP and ports
-as if the external world connected directly to them. This
-simplifies IP-based access control (or makes it possible at
-all).
+Before reading further, make sure you try to set up
+transparent proxying using [IP routing](doc/simple_transparent_proxy.md).
+It is conceptually easier to understand, cleaner, and more
+portable.
 
-This document shows recipes that may help to do that.
-
-Note that getting this to work is very tricky and
+Using this method is very tricky and
 detail-dependant: depending on whether the target server and
 sslh are on the same machine, different machines, or
 different dockers, and tool versions, all seem to change the

echosrv-conf.c

@@ -1,8 +1,8 @@
 /* Generated by conf2struct (https://www.rutschle.net/tech/conf2struct/README)
- * on Sat Apr 30 09:55:03 2022. 
+ * on Sun Apr  6 11:44:59 2025. 
 
 # conf2struct: generate libconf parsers that read to structs
-# Copyright (C) 2018-2021  Yves Rutschle
+# Copyright (C) 2018-2024  Yves Rutschle
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -36,6 +36,8 @@
 #include <stdlib.h>
 #include <stddef.h>
 #include <stdio.h>
+#include <stdarg.h>
+#include <setjmp.h>
 #include "echosrv-conf.h"
 #include "argtable3.h"
 #ifdef LIBPCRE
@@ -216,6 +218,19 @@ char* config_error_text(config_t* c) {
 }
 #endif
 
+static jmp_buf c2s_asprintf_fail;
+
+static int c2s_asprintf(char **restrict strp, const char *restrict fmt, ...)
+{
+    va_list ap;
+
+    va_start(ap,fmt);
+    int res = vasprintf(strp, fmt, ap);
+    va_end(ap);
+    if (res == -1) longjmp(c2s_asprintf_fail, res);
+    return res;
+}
+
 /* This is the same as config_setting_lookup_string() except
 it allocates a new string which belongs to the caller */
 static int myconfig_setting_lookup_stringcpy(
@@ -226,7 +241,7 @@ static int myconfig_setting_lookup_stringcpy(
     const char* str;
     *value = NULL;
     if (config_setting_lookup_string(setting, name, &str) == CONFIG_TRUE) {
-        asprintf(value, "%s", str);
+        c2s_asprintf(value, "%s", str);
         return CONFIG_TRUE;
     } else {
         return CONFIG_FALSE;
@@ -310,7 +325,7 @@ static int settingcpy(config_type type, void* target, const config_setting_t* se
         break;
 
     case CFG_STRING:
-        asprintf(&str, "%s", config_setting_get_string(setting));
+        c2s_asprintf(&str, "%s", config_setting_get_string(setting));
         val.def_string = str;
         *(char**)target = val.def_string;
         break;
@@ -353,7 +368,7 @@ static int clcpy(config_type type, void* target, const void* cl_arg)
         break;
 
     case CFG_STRING:
-        asprintf(&str, "%s", (*(struct arg_str**)cl_arg)->sval[0]);
+        c2s_asprintf(&str, "%s", (*(struct arg_str**)cl_arg)->sval[0]);
         val.def_string = str;
         *(char**)target = val.def_string;
         break;
@@ -365,7 +380,7 @@ static int clcpy(config_type type, void* target, const void* cl_arg)
     return 0;
 }
 
-/* Copy the value of a string argument to arbitrary memory
+/* Copy the value of a string argument to arbitary memory
 * location that must be large enough, converting on the way
 * (i.e. CFG_INT gets atoi() and so on) */
 /* 0: success
@@ -765,7 +780,7 @@ static int read_block_setval(void* target,
             /* setting is present in cfg, look it up */
             if (lookup_typed_ud(cfg, target, desc) != CONFIG_TRUE) {
                 TRACE_READ((" but wrong type (expected %s) ", type2str[desc->type]));
-                asprintf(errmsg, "Option \"%s\" wrong type, expected %s\n", 
+                c2s_asprintf(errmsg, "Option \"%s\" wrong type, expected %s\n", 
                     desc->name, type2str[desc->type]);
                 return 0;
             }
@@ -822,7 +837,7 @@ static int read_block(config_setting_t* cfg, void* target, struct config_desc* d
         set = read_block_setval(target, cfg, desc, errmsg);
 
         if (!set && desc->mandatory) {
-            asprintf(errmsg, "Mandatory option \"%s\" not found", desc->name);
+            c2s_asprintf(errmsg, "Mandatory option \"%s\" not found", desc->name);
             return 0;
         }
 
@@ -862,7 +877,7 @@ static int set_target_fields(void* target_addr, struct compound_cl_arg* arg, con
             if (pmatch[pmatch_cnt].rm_so == -1) {
                 /* This should not happen as regexec() did
                 * match before, unless there is a
-                * discrepancy between the regex and the
+                * discrepency between the regex and the
                 * number of backreferences */
                 return 0;
             }
@@ -980,13 +995,13 @@ static int regcompmatch_posix( regmatch_t* pmatch,
         int errlen = regerror(res, &preg, NULL, 0);
         regerr = malloc(errlen);
         regerror(res, &preg, regerr, errlen);
-        asprintf(errmsg, "compiling pattern /%s/:%s", arg->regex, regerr);
+        c2s_asprintf(errmsg, "compiling pattern /%s/:%s", arg->regex, regerr);
         free(regerr);
         return 0;
     }
     res = regexec(&preg, arg_cl->sval[arg_index], MAX_MATCH, &pmatch[0], 0);
     if (res) {
-        asprintf(errmsg, "--%s %s: Illegal argument", 
+        c2s_asprintf(errmsg, "--%s %s: Illegal argument", 
         arg_cl->hdr.longopts, 
         arg->regex); 
         return 0;
@@ -1012,7 +1027,7 @@ static int regcompmatch_pcre2( regmatch_t* pmatch,
     pcre = pcre2_compile((PCRE2_SPTR8)arg->regex, PCRE2_ZERO_TERMINATED, 0, &error, &error_offset, NULL);
     if (!pcre) {
         pcre2_get_error_message(error, err_str, sizeof(err_str));
-        asprintf(errmsg, "compiling pattern /%s/:%d: %s at offset %ld\n",
+        c2s_asprintf(errmsg, "compiling pattern /%s/:%d: %s at offset %ld\n",
                 arg->regex, error, err_str, error_offset);
         return 0;
     }
@@ -1022,7 +1037,7 @@ static int regcompmatch_pcre2( regmatch_t* pmatch,
                           0, 0, matches, NULL);
     if (res < 0) {
         pcre2_get_error_message(res, err_str, sizeof(err_str));
-        asprintf(errmsg, "matching %s =~ /%s/:%d: %s\n", 
+        c2s_asprintf(errmsg, "matching %s =~ /%s/:%d: %s\n", 
                           arg_cl->sval[arg_index], arg->regex, res, err_str);
         return 0;
     }
@@ -1111,13 +1126,13 @@ static int c2s_parse_file(const char* filename, config_t* c, char**errmsg)
     /* Read config file */
     if (config_read_file(c, filename) == CONFIG_FALSE) {
         if (config_error_line(c) != 0) {
-           asprintf(errmsg, "%s:%d:%s", 
+           c2s_asprintf(errmsg, "%s:%d:%s", 
                     filename,
                     config_error_line(c),
                     config_error_text(c));
            return 0;
         }
-        asprintf(errmsg, "%s:%s", filename, config_error_text(c));
+        c2s_asprintf(errmsg, "%s:%s", filename, config_error_text(c));
         return 0;
     }
     return 1;
@@ -1128,23 +1143,23 @@ static void scalar_to_string(char** strp, config_setting_t* s)
 {
     switch(config_setting_type(s)) {
     case CONFIG_TYPE_INT:
-        asprintf(strp, "%d\n", config_setting_get_int(s));
+        c2s_asprintf(strp, "%d\n", config_setting_get_int(s));
         break;
 
     case CONFIG_TYPE_BOOL:
-        asprintf(strp, "%s\n", config_setting_get_bool(s) ?  "[true]" : "[false]" );
+        c2s_asprintf(strp, "%s\n", config_setting_get_bool(s) ?  "[true]" : "[false]" );
         break;
 
     case CONFIG_TYPE_INT64:
-        asprintf(strp, "%lld\n", config_setting_get_int64(s));
+        c2s_asprintf(strp, "%lld\n", config_setting_get_int64(s));
         break;
 
     case CONFIG_TYPE_FLOAT:
-        asprintf(strp, "%lf\n", config_setting_get_float(s));
+        c2s_asprintf(strp, "%lf\n", config_setting_get_float(s));
         break;
 
     case CONFIG_TYPE_STRING:
-        asprintf(strp, "%s\n", config_setting_get_string(s));
+        c2s_asprintf(strp, "%s\n", config_setting_get_string(s));
         break;
 
     default: /* This means a bug */
@@ -1155,7 +1170,7 @@ static void scalar_to_string(char** strp, config_setting_t* s)
 
 /* Typesets all the settings in a configuration as a
 * newly-allocated string. The string management is caller's
-* responsibility. 
+* responsability. 
 * Returns the number of scalars in the configuration */
 static int cfg_as_string(config_setting_t* parent, const char* path, char** strp)
 {
@@ -1172,9 +1187,9 @@ static int cfg_as_string(config_setting_t* parent, const char* path, char** strp
 
         if(config_setting_is_list(parent) ||
            config_setting_is_array(parent)) {
-            asprintf(&subpath, "%s[%d]%s", path, config_setting_index(child), name);
+            c2s_asprintf(&subpath, "%s[%d]%s", path, config_setting_index(child), name);
         } else {
-            asprintf(&subpath, "%s/%s", path, name);
+            c2s_asprintf(&subpath, "%s/%s", path, name);
         }
 
         if (config_setting_is_scalar(child)) {
@@ -1182,12 +1197,12 @@ static int cfg_as_string(config_setting_t* parent, const char* path, char** strp
 
             /* Add value to the output string  */
             if (*strp) {
-                asprintf(&old, "%s", *strp);
+                c2s_asprintf(&old, "%s", *strp);
                 free(*strp);
             }  else {
-                asprintf(&old, "%s", "");
+                c2s_asprintf(&old, "%s", "");
             }
-            asprintf(strp, "%s%s:%s", old, subpath, value);
+            c2s_asprintf(strp, "%s%s:%s", old, subpath, value);
             free(value);
             free(old);
 
@@ -1224,6 +1239,14 @@ int echocfg_cl_parse(int argc, char* argv[], struct echocfg_item* cfg)
 
     };
 
+    /* Set up failure handler in case asprintf() runs out of
+    * memory */
+    ;
+    if (setjmp(c2s_asprintf_fail)) {
+        fprintf(stderr, "asprintf: probably out of memory\n");
+        return -1;
+    }
+
     /* Parse command line */
     nerrors = arg_parse(argc, argv, argtable);
     if (nerrors) {

echosrv-conf.h

@@ -1,8 +1,8 @@
 /* Generated by conf2struct (https://www.rutschle.net/tech/conf2struct/README)
- * on Sat Apr 30 09:55:03 2022. 
+ * on Sun Apr  6 11:44:59 2025. 
 
 # conf2struct: generate libconf parsers that read to structs
-# Copyright (C) 2018-2021  Yves Rutschle
+# Copyright (C) 2018-2024  Yves Rutschle
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without

echosrv.c

@@ -62,9 +62,10 @@ void check_res_dump(int res, struct addrinfo *addr, char* syscall)
 
 void start_echo(int fd)
 {
-    int res;
+    ssize_t res;
     char buffer[1 << 20];
-    int ret, prefix_len;
+    ssize_t ret;
+    size_t prefix_len;
     int first = 1;
 
     prefix_len = strlen(cfg.prefix);
@@ -151,7 +152,7 @@ void udp_echo(struct listen_endpoint* listen_socket)
 
     while (1) {
         addrlen = sizeof(src_addr);
-        size_t len = recvfrom(listen_socket->socketfd, 
+        ssize_t len = recvfrom(listen_socket->socketfd,
                            data + prefix_len,
                            sizeof(data) - prefix_len,
                            0,
@@ -162,11 +163,11 @@ void udp_echo(struct listen_endpoint* listen_socket)
             perror("recvfrom");
         }
         *(data + prefix_len + len) = 0;
-        fprintf(stderr, "%ld: %s\n", len, data + prefix_len);
+        fprintf(stderr, "%zd %s\n", len, data + prefix_len);
 
         print_udp_xchange(listen_socket->socketfd, &src_addr, addrlen);
 
-        int res = sendto(listen_socket->socketfd,
+        ssize_t res = sendto(listen_socket->socketfd,
                          data,
                          len + prefix_len,
                          0,

example.cfg

@@ -16,6 +16,7 @@ chroot: "/var/empty";
 # Value: 1: stdout; 2: syslog; 3: stdout+syslog; 4: logfile; ...; 7: all
 # Defaults are indicated here, and should be sensible. Generally, you want *-error
 # to be always enabled, to know if something is going wrong.
+# Each option relates to a different set of messages.
 verbose-config: 0; #  print configuration at startup
 verbose-config-error: 3;  # print configuration errors
 verbose-connections: 3; # trace established incoming address to forward address
@@ -28,6 +29,9 @@ verbose-probe-error: 3; # failures and problems during probing
 verbose-system-error: 3; # system call problem, i.e.  malloc, fork, failing
 verbose-int-error: 3; # internal errors, the kind that should never happen
 
+# This one is special and overrides all previous options if
+# set, as a quick way to get "as much as possible"
+#verbose: 3;
 
 # Specify a path to the logfile.
 #logfile: "/var/log/sslh.log"
@@ -49,7 +53,8 @@ listen:
 (
     { host: "thelonious"; port: "443"; },
     { host: "thelonious"; port: "8080"; keepalive: true; },
-    { host: "thelonious"; is_udp: true; port: "443" }
+    { host: "thelonious"; is_udp: true; port: "443"; },
+    { host: "/tmp/unix_socket"; is_unix: true; port: ""; }
 );
 
 # List of protocols
@@ -72,13 +77,22 @@ listen:
 #   transparent: Set to true to proxy this protocol
 #         transparently (server sees the remote client IP
 #         address). Same as the global option, but per-protocol
+#   is_unix: [true|false] connect to a UNIX socket. The host
+#         field becomes the pathname to the socket, and the port
+#         field is unused (but necessary).
+#   proxyprotocol: <1|2>; When connecting to the backend
+#         server, a proxyprotocol header of the specified
+#         version will be added, containing the client's
+#         connection information.
 #
 #  Probe-specific options:
 # (sslh will try each probe in order they are declared, and
 # connect to the first that matches.)
 #
 #       tls:
-#               sni_hostnames:  list of FQDN for that target
+#               sni_hostnames:  list of FQDN for that target. Each name can
+#               include wildcard following glob(7) rules.
+
 #               alpn_protocols: list of ALPN protocols for that target, see:
 #               https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
 #
@@ -94,12 +108,18 @@ listen:
 #               that target.
 #   
 # You can specify several of 'regex' and 'tls'.
+#
+# If you want to filter on incoming IP addresses, you can
+# use libwrap which will use /etc/hosts.allow and
+# /etc/hosts.deny.
  
 protocols:
 (
      { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; 
        keepalive: true; fork: true; tfo_ok: true },
-     { name: "http"; host: "localhost"; port: "80"; },
+
+# UNIX socket to a local NGINX. The socket name is in  'host'; 'port' is necessary but not used.
+     { name: "http"; is_unix: true; host: "/tmp/nginx.sock"; port: ""; },
 
 # match BOTH ALPN/SNI
      { name: "tls"; host: "localhost"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; sni_hostnames: [ "im.somethingelse.net" ]; log_level: 0; tfo_ok: true },

landlock.c

@@ -0,0 +1,186 @@
+/*
+ * Setup a sandbox using the Landlock LSM, if available.
+
+# Copyright (C) 2023  Yves Rutschle
+# 
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later
+# version.
+# 
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE.  See the GNU General Public License for more
+# details.
+# 
+# The full text for the General Public License is here:
+# http://www.gnu.org/licenses/gpl.html
+#
+*/
+
+#include "config.h"
+#include "log.h"
+
+#ifdef HAVE_LANDLOCK
+
+#define _GNU_SOURCE
+#include <linux/landlock.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+
+/* Ubuntu 22.04 does not have this symbol */
+#ifndef LANDLOCK_ACCESS_FS_REFER
+#define LANDLOCK_ACCESS_FS_REFER			(1ULL << 13)
+#endif
+
+#ifndef landlock_create_ruleset
+static inline int
+landlock_create_ruleset(const struct landlock_ruleset_attr *const attr,
+			const size_t size, const __u32 flags)
+{
+	return syscall(__NR_landlock_create_ruleset, attr, size, flags);
+}
+#endif
+
+#ifndef landlock_add_rule
+static inline int landlock_add_rule(const int ruleset_fd,
+				    const enum landlock_rule_type rule_type,
+				    const void *const rule_attr,
+				    const __u32 flags)
+{
+	return syscall(__NR_landlock_add_rule, ruleset_fd, rule_type, rule_attr,
+		       flags);
+}
+#endif
+
+#ifndef landlock_restrict_self
+static inline int landlock_restrict_self(const int ruleset_fd,
+					 const __u32 flags)
+{
+	return syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
+}
+#endif
+
+typedef enum {
+    LL_TREE,
+    LL_FILE
+} ll_obj_type;
+
+static int add_path_ro(int ruleset_fd, ll_obj_type otype, const char* path)
+{
+    int fd = open(path, O_PATH | O_CLOEXEC);
+    if (fd < 0) {
+        print_message(msg_config_error, "Landlock: Failed to open %s: %s\n", path, strerror(errno));
+        return -1;
+    }
+
+    struct landlock_path_beneath_attr path_beneath = {
+        .allowed_access = (otype == LL_TREE ? LANDLOCK_ACCESS_FS_READ_DIR : 0 ) |
+                          LANDLOCK_ACCESS_FS_READ_FILE,
+        .parent_fd = fd,
+    };
+
+    int res = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0);
+    if (res) {
+        print_message(msg_config_error, "Landlock: Failed to update the ruleset with \"%s\": %s\n",
+                path, strerror(errno));
+        close(path_beneath.parent_fd);
+        return -1;
+    }
+
+    // close helper handle
+    close(fd);
+
+    return 0;
+}
+
+
+static int add_libs(int ruleset_fd)
+{
+    /* Access to libraries, to be able to fork */
+    add_path_ro(ruleset_fd, LL_TREE, "/lib");
+    add_path_ro(ruleset_fd, LL_TREE, "/usr/lib");
+    add_path_ro(ruleset_fd, LL_FILE, "/etc/ld.so.cache");  /* To avoid searching all libs... */
+    return 0;
+}
+
+static int add_resolv(int ruleset_fd)
+{
+    /* Files to resolve names (required when dynamic resolution is used) */
+    add_path_ro(ruleset_fd, LL_FILE, "/etc/hosts");
+    add_path_ro(ruleset_fd, LL_FILE, "/etc/resolv.conf");
+    add_path_ro(ruleset_fd, LL_FILE, "/etc/nsswitch.conf");
+    return 0;
+}
+
+static int add_libwrap(int ruleset_fd)
+{
+    /* Files for libwrap */
+#ifdef LIBWRAP
+    add_path_ro(ruleset_fd, LL_FILE, "/etc/hosts.allow");
+    add_path_ro(ruleset_fd, LL_FILE, "/etc/hosts.deny");
+#endif
+
+    return 0;
+}
+
+
+
+void setup_landlock(void)
+{
+    __u64 restrict_rules = 
+        LANDLOCK_ACCESS_FS_EXECUTE |
+        LANDLOCK_ACCESS_FS_READ_FILE |
+        LANDLOCK_ACCESS_FS_READ_DIR |
+        LANDLOCK_ACCESS_FS_WRITE_FILE |
+        LANDLOCK_ACCESS_FS_REMOVE_DIR |
+        LANDLOCK_ACCESS_FS_REMOVE_FILE |
+        LANDLOCK_ACCESS_FS_MAKE_CHAR |
+        LANDLOCK_ACCESS_FS_MAKE_DIR |
+        LANDLOCK_ACCESS_FS_MAKE_REG |
+        LANDLOCK_ACCESS_FS_MAKE_SOCK |
+        LANDLOCK_ACCESS_FS_MAKE_FIFO |
+        LANDLOCK_ACCESS_FS_MAKE_BLOCK |
+        LANDLOCK_ACCESS_FS_MAKE_SYM |
+        LANDLOCK_ACCESS_FS_REFER;
+
+    struct landlock_ruleset_attr ruleset_attr = {
+        .handled_access_fs = restrict_rules
+    };
+
+    /* ruleset_addr.handled_access_fs contains all rights that will be restricted
+     * unless explicitly added */
+    int ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
+    if (ruleset_fd < 0) {
+        print_message(msg_config_error, "Landlock: Failed to create a ruleset");
+        return;
+    }
+
+
+    /* Add all the paths we need */
+    add_libs(ruleset_fd);
+    add_resolv(ruleset_fd);
+    add_libwrap(ruleset_fd);
+
+    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+        print_message(msg_config_error, "Landlock: Failed to restrict privileges");
+        return;
+    }
+    if (landlock_restrict_self(ruleset_fd, 0)) {
+        print_message(msg_config_error, "Landlock: Failed to enforce ruleset");
+        return;
+    }
+    close(ruleset_fd);
+
+    print_message(msg_config, "Landlock: all restricted\n");
+}
+
+#else /* HAVE_LANDLOCK */
+void setup_landlock(void)
+{
+    print_message(msg_config, "Landlock: not built in\n");
+    return;
+}
+#endif /* HAVE_LANDLOCK */

probe.c

@@ -323,7 +323,7 @@ static int is_adb_protocol(const char *p, ssize_t len, struct sslhcfg_protocols_
     if (len < min_data_packet_size + sizeof(empty_message))
         return PROBE_AGAIN;
 
-    if (memcmp(&p[0], empty_message, sizeof(empty_message)))
+    if (memcmp(&p[0], empty_message, sizeof(empty_message)) != 0)
         return PROBE_NEXT;
 
     return probe_adb_cnxn_message(&p[sizeof(empty_message)]);

proxyprotocol.c

@@ -0,0 +1,120 @@
+/*
+# proxyprotocol: Support for HAProxy's proxyprotocol
+#
+# Copyright (C) 2025  Yves Rutschle
+# 
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later
+# version.
+# 
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE.  See the GNU General Public License for more
+# details.
+# 
+# The full text for the General Public License is here:
+# http://www.gnu.org/licenses/gpl.html
+
+*/
+
+#include "config.h"
+
+#ifdef HAVE_PROXYPROTOCOL
+
+#include <proxy_protocol.h>
+#include "common.h"
+#include "log.h"
+
+
+/* Converts socket family to libproxyprotocol family */
+static int family_to_pp(int af_family)
+{
+    switch (af_family) {
+    case AF_INET:
+        return ADDR_FAMILY_INET;
+
+    case AF_INET6:
+        return ADDR_FAMILY_INET6;
+
+    case AF_UNIX:
+        return ADDR_FAMILY_UNIX;
+
+    default:
+        print_message(msg_int_error, "Unknown internal socket family %d\n", af_family);
+        return -1;
+    }
+}
+
+typedef char libpp_addr[108]; /* This is hardcoded in libproxyprotocol/proxy_protocol.h */
+
+/* Fills *addr, *host and *serv with the connection information corresponding
+ * to fd. *host is the IP address as string and *serv is the service (port)
+ * */
+static int get_info(int fd, struct addrinfo* addr, libpp_addr* host, uint16_t* serv)
+{
+    char serv_str[NI_MAXSERV];
+    int res;
+
+    res = getpeername(fd, addr->ai_addr, &addr->ai_addrlen);
+    CHECK_RES_RETURN(res, "getpeername", -1);
+
+    res = getnameinfo(addr->ai_addr, addr->ai_addrlen,
+                      (char*)host, sizeof(*host),
+                      serv_str, sizeof(serv_str),
+                      NI_NUMERICHOST | NI_NUMERICSERV );
+    CHECK_RES_RETURN(res, "getnameinfo", -1);
+
+    *serv = atoi(serv_str);
+
+    return 0;
+}
+
+
+
+int pp_write_header(int pp_version, struct connection* cnx)
+{
+    pp_info_t pp_info_in_v1 = {
+        .transport_protocol = TRANSPORT_PROTOCOL_STREAM,
+    };
+    uint16_t pp1_hdr_len;
+    int32_t error;
+
+    struct sockaddr_storage ss;
+    struct addrinfo addr;
+    int res;
+
+    addr.ai_addr = (struct sockaddr*)&ss;
+    addr.ai_addrlen = sizeof(ss);
+
+    res = get_info(cnx->q[0].fd,
+             &addr,
+             &pp_info_in_v1.src_addr,
+             &pp_info_in_v1.src_port);
+    if (res == -1) return -1;
+    pp_info_in_v1.address_family = family_to_pp(addr.ai_addr->sa_family);
+
+    res = get_info(cnx->q[1].fd,
+             &addr,
+             &pp_info_in_v1.dst_addr,
+             &pp_info_in_v1.dst_port
+            );
+    if (res == -1) return -1;
+
+    uint8_t *pp1_hdr = pp_create_hdr(pp_version, &pp_info_in_v1, &pp1_hdr_len, &error);
+
+    if (!pp1_hdr) {
+        print_message(msg_system_error, "pp_create_hrd:%d:%s\n", error, pp_strerror(error));
+        return -1;
+    }
+    defer_write_before(&cnx->q[1], pp1_hdr, pp1_hdr_len);
+
+    pp_info_clear(&pp_info_in_v1);
+    free(pp1_hdr);
+
+    return 0;
+}
+
+#endif /* HAVE_PROXYPROTOCOL */

proxyprotocol.h

@@ -0,0 +1,15 @@
+#ifndef PROXYPROTOCOL_H
+#define PROXYPROTOCOL_H
+
+
+#if HAVE_PROXYPROTOCOL
+int pp_write_header(int pp_version, struct connection* cnx);
+
+
+#else /* HAVE_PROXYPROTOCOL */
+
+static inline int pp_write_header(int pp_version, struct connection* cnx) { return 0; }
+
+#endif /* HAVE_PROXYPROTOCOL */
+
+#endif /* PROXYPROTOCOL_H */

scripts/etc-init.d-sslh-debian-modified.sslh

@@ -0,0 +1,186 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          sslh
+# Required-Start:    $remote_fs $syslog $network
+# Required-Stop:     $remote_fs $syslog $network
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: ssl/ssh multiplexer
+# Description:       sslh lets one accept both HTTPS and SSH connections on the
+#                    same port. It makes it possible to connect to an SSH server
+#                    on port 443 (e.g. from inside a corporate firewall) while
+#                    still serving HTTPS on that port.
+### END INIT INFO
+
+# Original Author: Guillaume Delacour <gui@iroqwa.org>
+# modified and optimized for current sslh-fork 
+
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="ssl/ssh multiplexer"
+NAME=sslh
+DAEMON=/usr/sbin/$NAME
+DAEMON_OPTS=""
+PIDFILE=/var/run/sslh/$NAME.pid
+SCRIPTNAME=/etc/init.d/$NAME
+RUN=yes
+
+
+# If you want to use a configuration file, put -F/path/to/sslh.cfg
+# into /etc/default/sslh DAEMON_OPTS
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+# Exit if the package is not installed
+if [ -x "$DAEMON" ] 
+then
+  echo "Can not start \"$DAEMON\", path not available"
+  log_failure_msg "Can not start \"$DAEMON\", path not available"
+fi
+
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+        # Return
+        #   0 if daemon has been started
+        #   1 if daemon was already running
+        #   2 if daemon could not be started
+    
+  # Use this if you want the user to explicitly set 'RUN' in
+  # /etc/default/
+  if [ "$RUN" != "yes" ]
+  then
+      echo "$NAME disabled, please adjust the configuration to your needs "
+      log_failure_msg "and then set RUN to 'yes' in /etc/default/$NAME to enable it."
+      return 2
+  fi
+    
+        # sslh write the pid as sslh user
+        if [ ! -d /var/run/sslh/ ]
+        then
+                mkdir -p /var/run/sslh
+                chown sslh:sslh /var/run/sslh
+        fi
+
+        start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+                || return 1
+        start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
+                $DAEMON_OPTS \
+                || return 2
+        # Add code here, if necessary, that waits for the process to be ready
+        # to handle requests from services started subsequently which depend
+        # on this one.  As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+        # Return
+        #   0 if daemon has been stopped
+        #   1 if daemon was already stopped
+        #   2 if daemon could not be stopped
+        #   other if a failure occurred
+        start-stop-daemon --stop --quiet --retry=TERM/45/KILL/5 --pidfile $PIDFILE --name $NAME
+        RETVAL="$?"
+        [ "$RETVAL" = 2 ] && return 2
+  # As long, as the started sslh is sslh-fork, don't kill the still existing 
+  # connections. You may need the following construct for sslh-ev and sslh-select,
+  # as sslh has currently no function reloading its configuration.
+
+  # Wait for children to finish too if this is a daemon that forks
+        # and if the daemon is only ever run from this initscript.
+        # If the above conditions are not satisfied then add some other code
+        # that waits for the process to drop all resources that could be
+        # needed by services started subsequently.  A last resort is to
+        # sleep for some time.
+        #start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+        #[ "$?" = 2 ] && return 2
+        # Many daemons don't delete their pidfiles when they exit.
+        rm -f $PIDFILE
+        return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+# don't activate this, as this kills only the leading process
+# of sslh-fork, and the spawned worker stays connected listening.
+# After that, the Owner of the PID from PIDFILE is gone, the
+# listening connection is still blocked
+# sslh can't reload its configuration as of Aug 2024
+#do_reload() {
+        #
+        # If the daemon can reload its configuration without
+        # restarting (for example, when it is sent a SIGHUP),
+        # then implement that here.
+        #
+#       start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+#       return 0
+#}
+
+case "$1" in
+  start)
+        # check if sslh is launched via inetd
+        if [ -f /etc/inetd.conf ] && [ $(egrep -q "^https.*/usr/sbin/sslh" /etc/inetd.conf|wc -l) -ne 0 ]
+        then
+                echo "sslh is started from inetd."
+                exit 1
+        fi
+
+        log_daemon_msg "Starting $DESC" "$NAME"
+        do_start
+        case "$?" in
+                0|1) log_end_msg 0 ;;
+                2) log_end_msg 1 ;;
+        esac
+        ;;
+  stop)
+        log_daemon_msg "Stopping $DESC" "$NAME"
+        do_stop
+        case "$?" in
+                0|1) log_end_msg 0 ;;
+                2) log_end_msg 1 ;;
+        esac
+        ;;
+  status)
+       status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+       ;;
+  restart|force-reload)
+        log_daemon_msg "Restarting $DESC" "$NAME"
+        do_stop
+        case "$?" in
+          0|1)
+                do_start
+                case "$?" in
+                        0) log_end_msg 0 ;;
+                        1) log_end_msg 1 ;; # Old process is still running
+                        *) log_end_msg 1 ;; # Failed to start
+                esac
+                ;;
+          *)
+                # Failed to stop
+                log_end_msg 1
+                ;;
+        esac
+        ;;
+  *)
+        echo "Usage: $SCRIPTNAME {start|stop|status|restart}" >&2
+        exit 3
+        ;;
+esac

scripts/systemd.sslh-select@.service

@@ -0,0 +1,27 @@
+[Unit]
+Description=SSL/SSH multiplexer (select mode) for %I
+After=network.target
+
+[Service]
+EnvironmentFile=/etc/default/sslh
+ExecStart=/usr/sbin/sslh-select -F/etc/sslh/%I.cfg -f $DAEMON_OPTS
+KillMode=process
+#Hardening
+PrivateTmp=true
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+SecureBits=noroot-locked
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+MountFlags=private
+NoNewPrivileges=true
+PrivateDevices=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+MemoryDenyWriteExecute=true
+DynamicUser=true
+
+[Install]
+WantedBy=multi-user.target

scripts/systemd.sslh@.service

@@ -1,10 +1,10 @@
 [Unit]
-Description=SSL/SSH multiplexer
+Description=SSL/SSH multiplexer (fork mode) for %I
 After=network.target
 
 [Service]
-EnvironmentFile=/etc/conf.d/sslh
-ExecStart=/usr/sbin/sslh --foreground $DAEMON_OPTS
+EnvironmentFile=/etc/default/sslh
+ExecStart=/usr/sbin/sslh -F/etc/sslh/%I.cfg -f $DAEMON_OPTS
 KillMode=process
 #Hardening
 PrivateTmp=true

sslh-conf.c

@@ -1,8 +1,8 @@
 /* Generated by conf2struct (https://www.rutschle.net/tech/conf2struct/README)
- * on Sun Sep 11 21:43:25 2022. 
+ * on Sun Apr  6 11:44:58 2025. 
 
 # conf2struct: generate libconf parsers that read to structs
-# Copyright (C) 2018-2021  Yves Rutschle
+# Copyright (C) 2018-2024  Yves Rutschle
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -36,6 +36,8 @@
 #include <stdlib.h>
 #include <stddef.h>
 #include <stdio.h>
+#include <stdarg.h>
+#include <setjmp.h>
 #include "sslh-conf.h"
 #include "argtable3.h"
 #ifdef LIBPCRE
@@ -216,6 +218,19 @@ char* config_error_text(config_t* c) {
 }
 #endif
 
+static jmp_buf c2s_asprintf_fail;
+
+static int c2s_asprintf(char **restrict strp, const char *restrict fmt, ...)
+{
+    va_list ap;
+
+    va_start(ap,fmt);
+    int res = vasprintf(strp, fmt, ap);
+    va_end(ap);
+    if (res == -1) longjmp(c2s_asprintf_fail, res);
+    return res;
+}
+
 /* This is the same as config_setting_lookup_string() except
 it allocates a new string which belongs to the caller */
 static int myconfig_setting_lookup_stringcpy(
@@ -226,7 +241,7 @@ static int myconfig_setting_lookup_stringcpy(
     const char* str;
     *value = NULL;
     if (config_setting_lookup_string(setting, name, &str) == CONFIG_TRUE) {
-        asprintf(value, "%s", str);
+        c2s_asprintf(value, "%s", str);
         return CONFIG_TRUE;
     } else {
         return CONFIG_FALSE;
@@ -310,7 +325,7 @@ static int settingcpy(config_type type, void* target, const config_setting_t* se
         break;
 
     case CFG_STRING:
-        asprintf(&str, "%s", config_setting_get_string(setting));
+        c2s_asprintf(&str, "%s", config_setting_get_string(setting));
         val.def_string = str;
         *(char**)target = val.def_string;
         break;
@@ -353,7 +368,7 @@ static int clcpy(config_type type, void* target, const void* cl_arg)
         break;
 
     case CFG_STRING:
-        asprintf(&str, "%s", (*(struct arg_str**)cl_arg)->sval[0]);
+        c2s_asprintf(&str, "%s", (*(struct arg_str**)cl_arg)->sval[0]);
         val.def_string = str;
         *(char**)target = val.def_string;
         break;
@@ -365,7 +380,7 @@ static int clcpy(config_type type, void* target, const void* cl_arg)
     return 0;
 }
 
-/* Copy the value of a string argument to arbitrary memory
+/* Copy the value of a string argument to arbitary memory
 * location that must be large enough, converting on the way
 * (i.e. CFG_INT gets atoi() and so on) */
 /* 0: success
@@ -443,6 +458,7 @@ struct compound_cl_arg {
 
 
 struct arg_file* sslhcfg_conffile;
+ struct arg_int* sslhcfg_verbose;
  struct arg_int* sslhcfg_verbose_config;
  struct arg_int* sslhcfg_verbose_config_error;
  struct arg_int* sslhcfg_verbose_connections;
@@ -471,6 +487,7 @@ struct arg_file* sslhcfg_conffile;
  	struct arg_str* sslhcfg_listen;
  	struct arg_str* sslhcfg_ssh;
  	struct arg_str* sslhcfg_tls;
+ 	struct arg_str* sslhcfg_ssl;
  	struct arg_str* sslhcfg_openvpn;
  	struct arg_str* sslhcfg_tinc;
  	struct arg_str* sslhcfg_wireguard;
@@ -483,7 +500,7 @@ struct arg_file* sslhcfg_conffile;
  	struct arg_str* sslhcfg_anyprot;
  struct arg_end* sslhcfg_end;
 
-                                                                                                                                                        
+                                                                                                                                                                          
 static struct config_desc table_sslhcfg_protocols[] = {
 
 
@@ -551,6 +568,22 @@ static struct config_desc table_sslhcfg_protocols[] = {
             /* default_val*/    .default_val.def_string = NULL 
         },
 
+        { 
+            /* name */          "is_unix", 
+            /* type */          CFG_BOOL, 
+            /* sub_group*/      NULL,
+            /* arg_cl */        NULL,
+            /* base_addr */     NULL,
+            /* offset */        offsetof(struct sslhcfg_protocols_item, is_unix),
+            /* offset_len */    0,
+            /* offset_present */ 0,
+            /* size */          sizeof(int), 
+            /* array_type */    -1,
+            /* mandatory */     0, 
+            /* optional */      0, 
+            /* default_val*/    .default_val.def_bool = 0 
+        },
+
         { 
             /* name */          "is_udp", 
             /* type */          CFG_BOOL, 
@@ -742,9 +775,25 @@ static struct config_desc table_sslhcfg_protocols[] = {
             /* optional */      1, 
             /* default_val*/    .default_val.def_int = 0 
         },
+
+        { 
+            /* name */          "proxyprotocol", 
+            /* type */          CFG_INT, 
+            /* sub_group*/      NULL,
+            /* arg_cl */        NULL,
+            /* base_addr */     NULL,
+            /* offset */        offsetof(struct sslhcfg_protocols_item, proxyprotocol),
+            /* offset_len */    0,
+            /* offset_present */ offsetof(struct sslhcfg_protocols_item, proxyprotocol_is_present),
+            /* size */          sizeof(int), 
+            /* array_type */    -1,
+            /* mandatory */     0, 
+            /* optional */      1, 
+            /* default_val*/    .default_val.def_int = 0 
+        },
 	{ 0 }
 };
-                                             
+                                                      
 static struct config_desc table_sslhcfg_listen[] = {
 
 
@@ -796,6 +845,22 @@ static struct config_desc table_sslhcfg_listen[] = {
             /* default_val*/    .default_val.def_bool = 0 
         },
 
+        { 
+            /* name */          "is_unix", 
+            /* type */          CFG_BOOL, 
+            /* sub_group*/      NULL,
+            /* arg_cl */        NULL,
+            /* base_addr */     NULL,
+            /* offset */        offsetof(struct sslhcfg_listen_item, is_unix),
+            /* offset_len */    0,
+            /* offset_present */ 0,
+            /* size */          sizeof(int), 
+            /* array_type */    -1,
+            /* mandatory */     0, 
+            /* optional */      0, 
+            /* default_val*/    .default_val.def_bool = 0 
+        },
+
         { 
             /* name */          "keepalive", 
             /* type */          CFG_BOOL, 
@@ -813,10 +878,26 @@ static struct config_desc table_sslhcfg_listen[] = {
         },
 	{ 0 }
 };
-                                                                                                                                                                                                                                  
+                                                                                                                                                                                                                                           
 static struct config_desc table_sslhcfg[] = {
 
 
+        { 
+            /* name */          "verbose", 
+            /* type */          CFG_INT, 
+            /* sub_group*/      NULL,
+            /* arg_cl */        & sslhcfg_verbose,
+            /* base_addr */     NULL,
+            /* offset */        offsetof(struct sslhcfg_item, verbose),
+            /* offset_len */    0,
+            /* offset_present */ 0,
+            /* size */          sizeof(int), 
+            /* array_type */    -1,
+            /* mandatory */     0, 
+            /* optional */      0, 
+            /* default_val*/    .default_val.def_int = 0 
+        },
+
         { 
             /* name */          "verbose_config", 
             /* type */          CFG_INT, 
@@ -1254,7 +1335,7 @@ static struct compound_cl_target sslhcfg_anyprot_targets [] = {
 	{ & table_sslhcfg_protocols[0], 0, .value.def_string = "anyprot" },
 	{ & table_sslhcfg_protocols[1], 1, .value.def_string = "0" },
 	{ & table_sslhcfg_protocols[2], 2, .value.def_string = "0" },
-	{ & table_sslhcfg_protocols[10], 0, .value.def_int = 1 },
+	{ & table_sslhcfg_protocols[11], 0, .value.def_int = 1 },
 	{ 0 }
 };
 
@@ -1262,7 +1343,7 @@ static struct compound_cl_target sslhcfg_msrdp_targets [] = {
 	{ & table_sslhcfg_protocols[0], 0, .value.def_string = "msrdp" },
 	{ & table_sslhcfg_protocols[1], 1, .value.def_string = "0" },
 	{ & table_sslhcfg_protocols[2], 2, .value.def_string = "0" },
-	{ & table_sslhcfg_protocols[10], 0, .value.def_int = 1 },
+	{ & table_sslhcfg_protocols[11], 0, .value.def_int = 1 },
 	{ 0 }
 };
 
@@ -1270,7 +1351,7 @@ static struct compound_cl_target sslhcfg_syslog_targets [] = {
 	{ & table_sslhcfg_protocols[0], 0, .value.def_string = "syslog" },
 	{ & table_sslhcfg_protocols[1], 1, .value.def_string = "0" },
 	{ & table_sslhcfg_protocols[2], 2, .value.def_string = "0" },
-	{ & table_sslhcfg_protocols[10], 0, .value.def_int = 1 },
+	{ & table_sslhcfg_protocols[11], 0, .value.def_int = 1 },
 	{ 0 }
 };
 
@@ -1278,7 +1359,7 @@ static struct compound_cl_target sslhcfg_socks5_targets [] = {
 	{ & table_sslhcfg_protocols[0], 0, .value.def_string = "socks5" },
 	{ & table_sslhcfg_protocols[1], 1, .value.def_string = "0" },
 	{ & table_sslhcfg_protocols[2], 2, .value.def_string = "0" },
-	{ & table_sslhcfg_protocols[10], 0, .value.def_int = 1 },
+	{ & table_sslhcfg_protocols[11], 0, .value.def_int = 1 },
 	{ 0 }
 };
 
@@ -1286,7 +1367,7 @@ static struct compound_cl_target sslhcfg_adb_targets [] = {
 	{ & table_sslhcfg_protocols[0], 0, .value.def_string = "adb" },
 	{ & table_sslhcfg_protocols[1], 1, .value.def_string = "0" },
 	{ & table_sslhcfg_protocols[2], 2, .value.def_string = "0" },
-	{ & table_sslhcfg_protocols[10], 0, .value.def_int = 1 },
+	{ & table_sslhcfg_protocols[11], 0, .value.def_int = 1 },
 	{ 0 }
 };
 
@@ -1294,7 +1375,7 @@ static struct compound_cl_target sslhcfg_http_targets [] = {
 	{ & table_sslhcfg_protocols[0], 0, .value.def_string = "http" },
 	{ & table_sslhcfg_protocols[1], 1, .value.def_string = "0" },
 	{ & table_sslhcfg_protocols[2], 2, .value.def_string = "0" },
-	{ & table_sslhcfg_protocols[10], 0, .value.def_int = 1 },
+	{ & table_sslhcfg_protocols[11], 0, .value.def_int = 1 },
 	{ 0 }
 };
 
@@ -1302,7 +1383,7 @@ static struct compound_cl_target sslhcfg_xmpp_targets [] = {
 	{ & table_sslhcfg_protocols[0], 0, .value.def_string = "xmpp" },
 	{ & table_sslhcfg_protocols[1], 1, .value.def_string = "0" },
 	{ & table_sslhcfg_protocols[2], 2, .value.def_string = "0" },
-	{ & table_sslhcfg_protocols[10], 0, .value.def_int = 1 },
+	{ & table_sslhcfg_protocols[11], 0, .value.def_int = 1 },
 	{ 0 }
 };
 
@@ -1310,8 +1391,8 @@ static struct compound_cl_target sslhcfg_wireguard_targets [] = {
 	{ & table_sslhcfg_protocols[0], 0, .value.def_string = "wireguard" },
 	{ & table_sslhcfg_protocols[1], 1, .value.def_string = "0" },
 	{ & table_sslhcfg_protocols[2], 2, .value.def_string = "0" },
-	{ & table_sslhcfg_protocols[10], 0, .value.def_int = 1 },
-	{ & table_sslhcfg_protocols[7], 0, .value.def_bool = 1 },
+	{ & table_sslhcfg_protocols[11], 0, .value.def_int = 1 },
+	{ & table_sslhcfg_protocols[8], 0, .value.def_bool = 1 },
 	{ 0 }
 };
 
@@ -1319,8 +1400,8 @@ static struct compound_cl_target sslhcfg_tinc_targets [] = {
 	{ & table_sslhcfg_protocols[0], 0, .value.def_string = "tinc" },
 	{ & table_sslhcfg_protocols[1], 1, .value.def_string = "0" },
 	{ & table_sslhcfg_protocols[2], 2, .value.def_string = "0" },
-	{ & table_sslhcfg_protocols[10], 0, .value.def_int = 1 },
-	{ & table_sslhcfg_protocols[7], 0, .value.def_bool = 1 },
+	{ & table_sslhcfg_protocols[11], 0, .value.def_int = 1 },
+	{ & table_sslhcfg_protocols[8], 0, .value.def_bool = 1 },
 	{ 0 }
 };
 
@@ -1328,8 +1409,17 @@ static struct compound_cl_target sslhcfg_openvpn_targets [] = {
 	{ & table_sslhcfg_protocols[0], 0, .value.def_string = "openvpn" },
 	{ & table_sslhcfg_protocols[1], 1, .value.def_string = "0" },
 	{ & table_sslhcfg_protocols[2], 2, .value.def_string = "0" },
-	{ & table_sslhcfg_protocols[10], 0, .value.def_int = 1 },
-	{ & table_sslhcfg_protocols[7], 0, .value.def_bool = 1 },
+	{ & table_sslhcfg_protocols[11], 0, .value.def_int = 1 },
+	{ & table_sslhcfg_protocols[8], 0, .value.def_bool = 1 },
+	{ 0 }
+};
+
+static struct compound_cl_target sslhcfg_ssl_targets [] = {
+	{ & table_sslhcfg_protocols[0], 0, .value.def_string = "tls" },
+	{ & table_sslhcfg_protocols[1], 1, .value.def_string = "0" },
+	{ & table_sslhcfg_protocols[2], 2, .value.def_string = "0" },
+	{ & table_sslhcfg_protocols[11], 0, .value.def_int = 1 },
+	{ & table_sslhcfg_protocols[8], 0, .value.def_bool = 1 },
 	{ 0 }
 };
 
@@ -1337,8 +1427,8 @@ static struct compound_cl_target sslhcfg_tls_targets [] = {
 	{ & table_sslhcfg_protocols[0], 0, .value.def_string = "tls" },
 	{ & table_sslhcfg_protocols[1], 1, .value.def_string = "0" },
 	{ & table_sslhcfg_protocols[2], 2, .value.def_string = "0" },
-	{ & table_sslhcfg_protocols[10], 0, .value.def_int = 1 },
-	{ & table_sslhcfg_protocols[7], 0, .value.def_bool = 1 },
+	{ & table_sslhcfg_protocols[11], 0, .value.def_int = 1 },
+	{ & table_sslhcfg_protocols[8], 0, .value.def_bool = 1 },
 	{ 0 }
 };
 
@@ -1346,9 +1436,9 @@ static struct compound_cl_target sslhcfg_ssh_targets [] = {
 	{ & table_sslhcfg_protocols[0], 0, .value.def_string = "ssh" },
 	{ & table_sslhcfg_protocols[1], 1, .value.def_string = "0" },
 	{ & table_sslhcfg_protocols[2], 2, .value.def_string = "0" },
-	{ & table_sslhcfg_protocols[6], 0, .value.def_bool = 1 },
-	{ & table_sslhcfg_protocols[10], 0, .value.def_int = 1 },
 	{ & table_sslhcfg_protocols[7], 0, .value.def_bool = 1 },
+	{ & table_sslhcfg_protocols[11], 0, .value.def_int = 1 },
+	{ & table_sslhcfg_protocols[8], 0, .value.def_bool = 1 },
 	{ 0 }
 };
 
@@ -1362,7 +1452,7 @@ static struct compound_cl_arg compound_cl_args[] = {
         {   /* arg: listen */
             .regex =           "(.+):(\\w+)",
             .arg_cl =          & sslhcfg_listen,
-            .base_entry =      & table_sslhcfg [25],
+            .base_entry =      & table_sslhcfg [26],
             .targets =         sslhcfg_listen_targets,
 
 
@@ -1374,7 +1464,7 @@ static struct compound_cl_arg compound_cl_args[] = {
         {   /* arg: ssh */
             .regex =           "(.+):(\\w+)",
             .arg_cl =          & sslhcfg_ssh,
-            .base_entry =      & table_sslhcfg [26],
+            .base_entry =      & table_sslhcfg [27],
             .targets =         sslhcfg_ssh_targets,
 
 
@@ -1386,7 +1476,7 @@ static struct compound_cl_arg compound_cl_args[] = {
         {   /* arg: tls */
             .regex =           "(.+):(\\w+)",
             .arg_cl =          & sslhcfg_tls,
-            .base_entry =      & table_sslhcfg [26],
+            .base_entry =      & table_sslhcfg [27],
             .targets =         sslhcfg_tls_targets,
 
 
@@ -1395,10 +1485,22 @@ static struct compound_cl_arg compound_cl_args[] = {
             .override_const = "tls",
         },
 
+        {   /* arg: ssl */
+            .regex =           "(.+):(\\w+)",
+            .arg_cl =          & sslhcfg_ssl,
+            .base_entry =      & table_sslhcfg [27],
+            .targets =         sslhcfg_ssl_targets,
+
+
+            .override_desc =   & table_sslhcfg_protocols [0],
+            .override_matchindex = 0,
+            .override_const = "tls",
+        },
+
         {   /* arg: openvpn */
             .regex =           "(.+):(\\w+)",
             .arg_cl =          & sslhcfg_openvpn,
-            .base_entry =      & table_sslhcfg [26],
+            .base_entry =      & table_sslhcfg [27],
             .targets =         sslhcfg_openvpn_targets,
 
 
@@ -1410,7 +1512,7 @@ static struct compound_cl_arg compound_cl_args[] = {
         {   /* arg: tinc */
             .regex =           "(.+):(\\w+)",
             .arg_cl =          & sslhcfg_tinc,
-            .base_entry =      & table_sslhcfg [26],
+            .base_entry =      & table_sslhcfg [27],
             .targets =         sslhcfg_tinc_targets,
 
 
@@ -1422,7 +1524,7 @@ static struct compound_cl_arg compound_cl_args[] = {
         {   /* arg: wireguard */
             .regex =           "(.+):(\\w+)",
             .arg_cl =          & sslhcfg_wireguard,
-            .base_entry =      & table_sslhcfg [26],
+            .base_entry =      & table_sslhcfg [27],
             .targets =         sslhcfg_wireguard_targets,
 
 
@@ -1434,7 +1536,7 @@ static struct compound_cl_arg compound_cl_args[] = {
         {   /* arg: xmpp */
             .regex =           "(.+):(\\w+)",
             .arg_cl =          & sslhcfg_xmpp,
-            .base_entry =      & table_sslhcfg [26],
+            .base_entry =      & table_sslhcfg [27],
             .targets =         sslhcfg_xmpp_targets,
 
 
@@ -1446,7 +1548,7 @@ static struct compound_cl_arg compound_cl_args[] = {
         {   /* arg: http */
             .regex =           "(.+):(\\w+)",
             .arg_cl =          & sslhcfg_http,
-            .base_entry =      & table_sslhcfg [26],
+            .base_entry =      & table_sslhcfg [27],
             .targets =         sslhcfg_http_targets,
 
 
@@ -1458,7 +1560,7 @@ static struct compound_cl_arg compound_cl_args[] = {
         {   /* arg: adb */
             .regex =           "(.+):(\\w+)",
             .arg_cl =          & sslhcfg_adb,
-            .base_entry =      & table_sslhcfg [26],
+            .base_entry =      & table_sslhcfg [27],
             .targets =         sslhcfg_adb_targets,
 
 
@@ -1470,7 +1572,7 @@ static struct compound_cl_arg compound_cl_args[] = {
         {   /* arg: socks5 */
             .regex =           "(.+):(\\w+)",
             .arg_cl =          & sslhcfg_socks5,
-            .base_entry =      & table_sslhcfg [26],
+            .base_entry =      & table_sslhcfg [27],
             .targets =         sslhcfg_socks5_targets,
 
 
@@ -1482,7 +1584,7 @@ static struct compound_cl_arg compound_cl_args[] = {
         {   /* arg: syslog */
             .regex =           "(.+):(\\w+)",
             .arg_cl =          & sslhcfg_syslog,
-            .base_entry =      & table_sslhcfg [26],
+            .base_entry =      & table_sslhcfg [27],
             .targets =         sslhcfg_syslog_targets,
 
 
@@ -1494,7 +1596,7 @@ static struct compound_cl_arg compound_cl_args[] = {
         {   /* arg: msrdp */
             .regex =           "(.+):(\\w+)",
             .arg_cl =          & sslhcfg_msrdp,
-            .base_entry =      & table_sslhcfg [26],
+            .base_entry =      & table_sslhcfg [27],
             .targets =         sslhcfg_msrdp_targets,
 
 
@@ -1506,7 +1608,7 @@ static struct compound_cl_arg compound_cl_args[] = {
         {   /* arg: anyprot */
             .regex =           "(.+):(\\w+)",
             .arg_cl =          & sslhcfg_anyprot,
-            .base_entry =      & table_sslhcfg [26],
+            .base_entry =      & table_sslhcfg [27],
             .targets =         sslhcfg_anyprot_targets,
 
 
@@ -1721,7 +1823,7 @@ static int read_block_setval(void* target,
             /* setting is present in cfg, look it up */
             if (lookup_typed_ud(cfg, target, desc) != CONFIG_TRUE) {
                 TRACE_READ((" but wrong type (expected %s) ", type2str[desc->type]));
-                asprintf(errmsg, "Option \"%s\" wrong type, expected %s\n", 
+                c2s_asprintf(errmsg, "Option \"%s\" wrong type, expected %s\n", 
                     desc->name, type2str[desc->type]);
                 return 0;
             }
@@ -1778,7 +1880,7 @@ static int read_block(config_setting_t* cfg, void* target, struct config_desc* d
         set = read_block_setval(target, cfg, desc, errmsg);
 
         if (!set && desc->mandatory) {
-            asprintf(errmsg, "Mandatory option \"%s\" not found", desc->name);
+            c2s_asprintf(errmsg, "Mandatory option \"%s\" not found", desc->name);
             return 0;
         }
 
@@ -1818,7 +1920,7 @@ static int set_target_fields(void* target_addr, struct compound_cl_arg* arg, con
             if (pmatch[pmatch_cnt].rm_so == -1) {
                 /* This should not happen as regexec() did
                 * match before, unless there is a
-                * discrepancy between the regex and the
+                * discrepency between the regex and the
                 * number of backreferences */
                 return 0;
             }
@@ -1936,13 +2038,13 @@ static int regcompmatch_posix( regmatch_t* pmatch,
         int errlen = regerror(res, &preg, NULL, 0);
         regerr = malloc(errlen);
         regerror(res, &preg, regerr, errlen);
-        asprintf(errmsg, "compiling pattern /%s/:%s", arg->regex, regerr);
+        c2s_asprintf(errmsg, "compiling pattern /%s/:%s", arg->regex, regerr);
         free(regerr);
         return 0;
     }
     res = regexec(&preg, arg_cl->sval[arg_index], MAX_MATCH, &pmatch[0], 0);
     if (res) {
-        asprintf(errmsg, "--%s %s: Illegal argument", 
+        c2s_asprintf(errmsg, "--%s %s: Illegal argument", 
         arg_cl->hdr.longopts, 
         arg->regex); 
         return 0;
@@ -1968,7 +2070,7 @@ static int regcompmatch_pcre2( regmatch_t* pmatch,
     pcre = pcre2_compile((PCRE2_SPTR8)arg->regex, PCRE2_ZERO_TERMINATED, 0, &error, &error_offset, NULL);
     if (!pcre) {
         pcre2_get_error_message(error, err_str, sizeof(err_str));
-        asprintf(errmsg, "compiling pattern /%s/:%d: %s at offset %ld\n",
+        c2s_asprintf(errmsg, "compiling pattern /%s/:%d: %s at offset %ld\n",
                 arg->regex, error, err_str, error_offset);
         return 0;
     }
@@ -1978,7 +2080,7 @@ static int regcompmatch_pcre2( regmatch_t* pmatch,
                           0, 0, matches, NULL);
     if (res < 0) {
         pcre2_get_error_message(res, err_str, sizeof(err_str));
-        asprintf(errmsg, "matching %s =~ /%s/:%d: %s\n", 
+        c2s_asprintf(errmsg, "matching %s =~ /%s/:%d: %s\n", 
                           arg_cl->sval[arg_index], arg->regex, res, err_str);
         return 0;
     }
@@ -2067,13 +2169,13 @@ static int c2s_parse_file(const char* filename, config_t* c, char**errmsg)
     /* Read config file */
     if (config_read_file(c, filename) == CONFIG_FALSE) {
         if (config_error_line(c) != 0) {
-           asprintf(errmsg, "%s:%d:%s", 
+           c2s_asprintf(errmsg, "%s:%d:%s", 
                     filename,
                     config_error_line(c),
                     config_error_text(c));
            return 0;
         }
-        asprintf(errmsg, "%s:%s", filename, config_error_text(c));
+        c2s_asprintf(errmsg, "%s:%s", filename, config_error_text(c));
         return 0;
     }
     return 1;
@@ -2084,23 +2186,23 @@ static void scalar_to_string(char** strp, config_setting_t* s)
 {
     switch(config_setting_type(s)) {
     case CONFIG_TYPE_INT:
-        asprintf(strp, "%d\n", config_setting_get_int(s));
+        c2s_asprintf(strp, "%d\n", config_setting_get_int(s));
         break;
 
     case CONFIG_TYPE_BOOL:
-        asprintf(strp, "%s\n", config_setting_get_bool(s) ?  "[true]" : "[false]" );
+        c2s_asprintf(strp, "%s\n", config_setting_get_bool(s) ?  "[true]" : "[false]" );
         break;
 
     case CONFIG_TYPE_INT64:
-        asprintf(strp, "%lld\n", config_setting_get_int64(s));
+        c2s_asprintf(strp, "%lld\n", config_setting_get_int64(s));
         break;
 
     case CONFIG_TYPE_FLOAT:
-        asprintf(strp, "%lf\n", config_setting_get_float(s));
+        c2s_asprintf(strp, "%lf\n", config_setting_get_float(s));
         break;
 
     case CONFIG_TYPE_STRING:
-        asprintf(strp, "%s\n", config_setting_get_string(s));
+        c2s_asprintf(strp, "%s\n", config_setting_get_string(s));
         break;
 
     default: /* This means a bug */
@@ -2111,7 +2213,7 @@ static void scalar_to_string(char** strp, config_setting_t* s)
 
 /* Typesets all the settings in a configuration as a
 * newly-allocated string. The string management is caller's
-* responsibility. 
+* responsability. 
 * Returns the number of scalars in the configuration */
 static int cfg_as_string(config_setting_t* parent, const char* path, char** strp)
 {
@@ -2128,9 +2230,9 @@ static int cfg_as_string(config_setting_t* parent, const char* path, char** strp
 
         if(config_setting_is_list(parent) ||
            config_setting_is_array(parent)) {
-            asprintf(&subpath, "%s[%d]%s", path, config_setting_index(child), name);
+            c2s_asprintf(&subpath, "%s[%d]%s", path, config_setting_index(child), name);
         } else {
-            asprintf(&subpath, "%s/%s", path, name);
+            c2s_asprintf(&subpath, "%s/%s", path, name);
         }
 
         if (config_setting_is_scalar(child)) {
@@ -2138,12 +2240,12 @@ static int cfg_as_string(config_setting_t* parent, const char* path, char** strp
 
             /* Add value to the output string  */
             if (*strp) {
-                asprintf(&old, "%s", *strp);
+                c2s_asprintf(&old, "%s", *strp);
                 free(*strp);
             }  else {
-                asprintf(&old, "%s", "");
+                c2s_asprintf(&old, "%s", "");
             }
-            asprintf(strp, "%s%s:%s", old, subpath, value);
+            c2s_asprintf(strp, "%s%s:%s", old, subpath, value);
             free(value);
             free(old);
 
@@ -2171,6 +2273,7 @@ int sslhcfg_cl_parse(int argc, char* argv[], struct sslhcfg_item* cfg)
             #ifdef LIBCONFIG
         sslhcfg_conffile = arg_filen("F", "config", "<file>", 0, 1, "Specify configuration file"),
     #endif
+         sslhcfg_verbose = arg_intn("v", "verbose", "<n>", 0, 1, "Override all verbosness options"),
          sslhcfg_verbose_config = arg_intn(NULL, "verbose-config", "<n>", 0, 1, "Print configuration at startup"),
          sslhcfg_verbose_config_error = arg_intn(NULL, "verbose-config-error", "<n>", 0, 1, "Print configuration errors"),
          sslhcfg_verbose_connections = arg_intn(NULL, "verbose-connections", "<n>", 0, 1, "Trace established incoming address to forward address"),
@@ -2199,6 +2302,7 @@ int sslhcfg_cl_parse(int argc, char* argv[], struct sslhcfg_item* cfg)
  	sslhcfg_listen = arg_strn("p", "listen", "<host:port>", 0, 10, "Listen on host:port"),
  	sslhcfg_ssh = arg_strn(NULL, "ssh", "<host:port>", 0, 10, "Set up ssh target"),
  	sslhcfg_tls = arg_strn(NULL, "tls", "<host:port>", 0, 10, "Set up TLS/SSL target"),
+ 	sslhcfg_ssl = arg_strn(NULL, "ssl", "<host:port>", 0, 10, "Set up TLS/SSL target"),
  	sslhcfg_openvpn = arg_strn(NULL, "openvpn", "<host:port>", 0, 10, "Set up OpenVPN target"),
  	sslhcfg_tinc = arg_strn(NULL, "tinc", "<host:port>", 0, 10, "Set up tinc target"),
  	sslhcfg_wireguard = arg_strn(NULL, "wireguard", "<host:port>", 0, 10, "Set up WireGuard target"),
@@ -2213,6 +2317,14 @@ int sslhcfg_cl_parse(int argc, char* argv[], struct sslhcfg_item* cfg)
 
     };
 
+    /* Set up failure handler in case asprintf() runs out of
+    * memory */
+    ;
+    if (setjmp(c2s_asprintf_fail)) {
+        fprintf(stderr, "asprintf: probably out of memory\n");
+        return -1;
+    }
+
     /* Parse command line */
     nerrors = arg_parse(argc, argv, argtable);
     if (nerrors) {
@@ -2282,6 +2394,9 @@ static void sslhcfg_protocols_fprint(
             fprintf(out, " <unset>");
         fprintf(out, "\n");
         indent(out, depth);
+        fprintf(out, "is_unix: %d", sslhcfg_protocols->is_unix);
+        fprintf(out, "\n");
+        indent(out, depth);
         fprintf(out, "is_udp: %d", sslhcfg_protocols->is_udp);
         fprintf(out, "\n");
         indent(out, depth);
@@ -2328,6 +2443,11 @@ static void sslhcfg_protocols_fprint(
         if (! sslhcfg_protocols->minlength_is_present)
             fprintf(out, " <unset>");
         fprintf(out, "\n");
+        indent(out, depth);
+        fprintf(out, "proxyprotocol: %d", sslhcfg_protocols->proxyprotocol);
+        if (! sslhcfg_protocols->proxyprotocol_is_present)
+            fprintf(out, " <unset>");
+        fprintf(out, "\n");
 }
 
 static void sslhcfg_listen_fprint(
@@ -2346,6 +2466,9 @@ static void sslhcfg_listen_fprint(
         fprintf(out, "is_udp: %d", sslhcfg_listen->is_udp);
         fprintf(out, "\n");
         indent(out, depth);
+        fprintf(out, "is_unix: %d", sslhcfg_listen->is_unix);
+        fprintf(out, "\n");
+        indent(out, depth);
         fprintf(out, "keepalive: %d", sslhcfg_listen->keepalive);
         fprintf(out, "\n");
 }
@@ -2356,6 +2479,9 @@ void sslhcfg_fprint(
         int depth) 
 {
     int i;
+        indent(out, depth);
+        fprintf(out, "verbose: %d", sslhcfg->verbose);
+        fprintf(out, "\n");
         indent(out, depth);
         fprintf(out, "verbose_config: %d", sslhcfg->verbose_config);
         fprintf(out, "\n");

sslh-conf.h

@@ -1,8 +1,8 @@
 /* Generated by conf2struct (https://www.rutschle.net/tech/conf2struct/README)
- * on Sun Sep 11 21:43:25 2022. 
+ * on Sun Apr  6 11:44:58 2025. 
 
 # conf2struct: generate libconf parsers that read to structs
-# Copyright (C) 2018-2021  Yves Rutschle
+# Copyright (C) 2018-2024  Yves Rutschle
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -44,6 +44,7 @@ struct sslhcfg_listen_item {
 	char*	host;
 	char*	port;
 	int	is_udp;
+	int	is_unix;
 	int	keepalive;
 };
 
@@ -53,6 +54,7 @@ struct sslhcfg_protocols_item {
 	char*	port;
 	int	service_is_present;
 	char*	service;
+	int	is_unix;
 	int	is_udp;
 	int	udp_timeout;
 	int	fork;
@@ -69,6 +71,8 @@ struct sslhcfg_protocols_item {
 	char** regex_patterns;
 	int	minlength_is_present;
 	int	minlength;
+	int	proxyprotocol_is_present;
+	int	proxyprotocol;
 	T_PROBE*	probe;
 	struct addrinfo*	saddr;
 	void*	data;
@@ -76,6 +80,7 @@ struct sslhcfg_protocols_item {
 };
 
 struct sslhcfg_item {
+	int	verbose;
 	int	verbose_config;
 	int	verbose_config_error;
 	int	verbose_connections;

sslh-fork.c

@@ -26,7 +26,7 @@
 #include "tcp-probe.h"
 #include "log.h"
 
-#ifdef LIBBSD
+#if HAVE_LIBBSD
 #include <bsd/unistd.h>
 #endif
 
@@ -74,7 +74,6 @@ void start_shoveler(int in_socket)
    fd_set fds;
    struct timeval tv;
    int res = PROBE_AGAIN;
-   int out_socket;
    struct connection cnx;
    struct connection_desc desc;
 
@@ -110,13 +109,11 @@ void start_shoveler(int in_socket)
    }
 
    /* Connect the target socket */
-   out_socket = connect_addr(&cnx, in_socket, BLOCKING);
-   CHECK_RES_DIE(out_socket, "connect");
+   connect_addr(&cnx, in_socket, BLOCKING);
+   CHECK_RES_DIE(cnx.q[1].fd, "connect");
 
    set_capabilities(0);
 
-   cnx.q[1].fd = out_socket;
-
    get_connection_desc(&desc, &cnx);
    log_connection(&desc, &cnx);
    set_proctitle_shovel(&desc, &cnx);
@@ -126,7 +123,7 @@ void start_shoveler(int in_socket)
    shovel(&cnx);
 
    close(in_socket);
-   close(out_socket);
+   close(cnx.q[1].fd);
    
    print_message(msg_fd, "connection closed down\n");
 
@@ -147,7 +144,7 @@ void stop_listeners(int sig)
 
 void set_listen_procname(struct listen_endpoint *listen_socket)
 {
-#ifdef LIBBSD
+#if HAVE_LIBBSD
     int res;
     struct addrinfo addr;
     struct sockaddr_storage ss;
@@ -164,6 +161,13 @@ void set_listen_procname(struct listen_endpoint *listen_socket)
 }
 
 
+/* At least MacOS does not know these two options, so define them to something
+ * equivalent for our use case */
+#ifndef ENONET
+#define ENONET EWOULDBLOCK
+#endif
+/* /MacOS kludge */
+
 /* TCP listener: connections, fork a child for each new connection 
  * IN: 
  *      endpoint: array of listening endpoint objects
@@ -177,7 +181,25 @@ void tcp_listener(struct listen_endpoint* endpoint, int num_endpoints, int activ
 
     while (1) {
         in_socket = accept(endpoint[active_endpoint].socketfd, 0, 0);
-        CHECK_RES_RETURN(in_socket, "accept", /*void*/ );
+        if (in_socket == -1) {
+            print_message(msg_system_error, "%s:%d:%s:%d:%s\n", 
+                          __FILE__, __LINE__, "accept", errno, strerror(errno));
+            switch(in_socket) {
+            case ENETDOWN:  /* accept(2) cites all these errnos as "you should retry" */
+            case EPROTO:
+            case ENOPROTOOPT:
+            case EHOSTDOWN:
+            case ENONET:
+            case EHOSTUNREACH:
+            case EOPNOTSUPP:
+            case ENETUNREACH:
+            case ECONNABORTED:
+                continue;
+
+            default:  /* Otherwise, it's something wrong in our parameters, we fail */
+                return;
+            }
+        }
         print_message(msg_fd, "accepted fd %d\n", in_socket);
 
         switch(fork()) {
@@ -221,9 +243,11 @@ void main_loop(struct listen_endpoint listen_sockets[], int num_addr_listen)
         case 0:
             set_listen_procname(&listen_sockets[i]);
             if (listen_sockets[i].type == SOCK_DGRAM)
-                print_message(msg_config_error, "UDP not (yet?) supported in sslh-fork\n");
+                print_message(msg_config_error, "UDP not supported in sslh-fork\n");
             else
                 tcp_listener(listen_sockets, num_addr_listen, i);
+
+            exit(0);
 	    break;
 
 	/* We're in the parent, we don't need to do anything */
@@ -244,7 +268,7 @@ void main_loop(struct listen_endpoint listen_sockets[], int num_addr_listen)
     wait(NULL);
 }
 
-/* The actual main is in common.c: it's the same for both version of
+/* The actual main() is in sslh_main.c: it's the same for all versions of
  * the server
  */
 

sslh-main.c

@@ -30,19 +30,24 @@
 #include <pcre2.h>
 #endif
 
-#ifdef LIBBSD
-#include <bsd/unistd.h>
-#endif
-
 #include "common.h"
 #include "probe.h"
 #include "log.h"
+#include "tcp-probe.h"
+
+#if HAVE_LIBBSD
+#include <bsd/unistd.h>
+#endif
+
+#if HAVE_LIBCAP
+#include <sys/capability.h>
+#endif
 
 /* Constants for options that have no one-character shorthand */
 #define OPT_ONTIMEOUT   257
 
 static void printcaps(void) {
-#ifdef LIBCAP
+#if HAVE_LIBCAP
     cap_t caps;
     char* desc;
     ssize_t len;
@@ -60,20 +65,30 @@ static void printcaps(void) {
 
 static void printsettings(void)
 {
-    char buf[NI_MAXHOST];
+    char buf[NI_MAXHOST + 256]; /* 256 > " family %d %d" for reasonable ints */
     int i;
     struct sslhcfg_protocols_item *p;
     
     for (i = 0; i < cfg.protocols_len; i++ ) {
         p = &cfg.protocols[i];
+        if (p->is_unix) {
+            sprintf(buf, "unix socket: %s", p->host);
+        } else {
+            strcpy(buf, "resolve on forward");
+            if (!p->resolve_on_forward) {
+                sprintaddr(buf, sizeof(buf), p->saddr);
+                size_t len = strlen(buf);
+                sprintf(buf+len, " family %d %d",
+                        p->saddr->ai_family,
+                        p->saddr->ai_addr->sa_family);
+            }
+        }
         print_message(msg_config, 
-                      "%s addr: %s. libwrap service: %s log_level: %d family %d %d [%s] [%s] [%s]\n",
+                      "%s addr: %s. libwrap service: %s log_level: %d [%s] [%s] [%s]\n",
                       p->name, 
-                      sprintaddr(buf, sizeof(buf), p->saddr), 
+                      buf,
                       p->service,
                       p->log_level,
-                      p->saddr->ai_family,
-                      p->saddr->ai_addr->sa_family,
                       p->keepalive ? "keepalive" : "",
                       p->fork ? "fork" : "",
                       p->transparent ? "transparent" : ""
@@ -92,7 +107,8 @@ static void printsettings(void)
 static void setup_regex_probe(struct sslhcfg_protocols_item *p)
 #ifdef ENABLE_REGEX
 {
-    int num_patterns, i, error;
+    size_t num_patterns, i;
+    int error;
     pcre2_code** pattern_list;
     PCRE2_SIZE error_offset;
     PCRE2_UCHAR8 err_str[120];
@@ -121,6 +137,36 @@ static void setup_regex_probe(struct sslhcfg_protocols_item *p)
 }
 #endif
 
+/* Perform some fixups on configuration after reading it.
+ * if verbose is present, override all other verbose options
+ */
+void config_finish(struct sslhcfg_item* cfg)
+{
+    if (cfg->verbose) {
+        cfg->verbose_config = cfg->verbose;
+	cfg->verbose_config_error = cfg->verbose;
+	cfg->verbose_connections = cfg->verbose;
+	cfg->verbose_connections_try = cfg->verbose;
+	cfg->verbose_connections_error = cfg->verbose;
+	cfg->verbose_fd = cfg->verbose;
+	cfg->verbose_packets = cfg->verbose;
+	cfg->verbose_probe_info = cfg->verbose;
+	cfg->verbose_probe_error = cfg->verbose;
+	cfg->verbose_system_error = cfg->verbose;
+	cfg->verbose_int_error = cfg->verbose;
+    }
+}
+
+/* Checks that the UNIX socket specified exists and is accessible
+ * Dies otherwise
+ */
+static void check_access_unix_socket(struct sslhcfg_protocols_item* p)
+{
+    /* TODO */
+    return;
+}
+
+
 /* For each protocol in the configuration, resolve address and set up protocol
  * options if required
  */
@@ -130,7 +176,9 @@ static void config_protocols()
     for (i = 0; i < cfg.protocols_len; i++) {
         struct sslhcfg_protocols_item* p = &(cfg.protocols[i]);
 
-        if (
+        if (p->is_unix) {
+            check_access_unix_socket(p);
+        } else if (
             !p->resolve_on_forward &&
             resolve_split_name(&(p->saddr), p->host, p->port)
         ) {
@@ -180,7 +228,7 @@ void config_sanity_check(struct sslhcfg_item* cfg)
 #endif
 
     for (i = 0; i < cfg->protocols_len; ++i) {
-        if (strcmp(cfg->protocols[i].name, "tls")) {
+        if (strcmp(cfg->protocols[i].name, "tls") != 0) {
             if (cfg->protocols[i].sni_hostnames_len) {
                 print_message(msg_config_error, "name: \"%s\"; host: \"%s\"; port: \"%s\": "
                               "Config option sni_hostnames is only applicable for tls\n",
@@ -211,6 +259,24 @@ void config_sanity_check(struct sslhcfg_item* cfg)
     }
 }
 
+/* Connect stdin, stdout, stderr to /dev/null. It is better to keep them around
+ * so they do not get re-used by socket descriptors, and accidently used by
+ * some library code.
+ */
+void close_std(void)
+{
+    int newfd;
+
+    if ((newfd = open("/dev/null", O_RDWR))) {
+        dup2 (newfd, STDIN_FILENO);
+        dup2 (newfd, STDOUT_FILENO);
+        dup2 (newfd, STDERR_FILENO);
+        /* close the helper handle, as this is now unnecessary */
+        close(newfd);
+    } else {
+        print_message(msg_system_error, "Error closing standard filehandles for background daemon\n");
+    }
+}
 
 int main(int argc, char *argv[], char* envp[])
 {
@@ -220,13 +286,14 @@ int main(int argc, char *argv[], char* envp[])
    int res, num_addr_listen;
    struct listen_endpoint *listen_sockets;
 
-#ifdef LIBBSD
+#if HAVE_LIBBSD
    setproctitle_init(argc, argv, envp);
 #endif
 
    memset(&cfg, 0, sizeof(cfg));
    res = sslhcfg_cl_parse(argc, argv, &cfg);
    if (res) exit(6);
+   config_finish(&cfg);
 
    if (cfg.version) {
        printf("%s %s\n", server_type, VERSION);
@@ -239,6 +306,7 @@ int main(int argc, char *argv[], char* envp[])
    if (cfg.inetd)
    {
        close(fileno(stderr)); /* Make sure no error will go to client */
+       tcp_init();
        start_shoveler(0);
        exit(0);
    }
@@ -256,6 +324,7 @@ int main(int argc, char *argv[], char* envp[])
 
    if (!cfg.foreground) {
        if (fork() > 0) exit(0); /* Detach */
+       close_std();
 
        /* New session -- become group leader */
        if (getuid() == 0) {
@@ -277,6 +346,7 @@ int main(int argc, char *argv[], char* envp[])
 
    if (cfg.user || cfg.chroot)
        drop_privileges(cfg.user, cfg.chroot);
+   setup_landlock();
 
    printcaps();
 

sslh-select.c

@@ -67,7 +67,7 @@ static void watchers_init(watchers** w, struct listen_endpoint* listen_sockets,
 void watchers_add_read(watchers* w, int fd)
 {
     FD_SET(fd, &w->fds_r); 
-    if (fd > w->max_fd)
+    if (fd + 1 > w->max_fd)
         w->max_fd = fd + 1;
 }
 
@@ -148,7 +148,7 @@ void main_loop(struct listen_endpoint listen_sockets[], int num_addr_listen)
 
         print_message(msg_fd, "selecting... max_fd=%d num_probing=%d\n",
                                           fd_info.watchers->max_fd, fd_info.num_probing);
-        res = select(fd_info.watchers->max_fd + 1, &readfds, &writefds,
+        res = select(fd_info.watchers->max_fd, &readfds, &writefds,
                      NULL, fd_info.num_probing ? &tv : NULL);
         if (res < 0)
             perror("select");
@@ -210,7 +210,7 @@ void start_shoveler(int listen_socket) {
 }
 
 
-/* The actual main is in common.c: it's the same for both version of
+/* The actual main is in sslh-main.c: it's the same for all versions of
  * the server
  */
 

sslh.pod

@@ -6,7 +6,7 @@
 
 =head1 SYNOPSIS
 
-sslh [B<-F>I<config file>] [B<-t> I<num>] [B<--transparent>] [B<-p> I<listening address> [B<-p> I<listening address> ...]  [B<--tls> I<target address for TLS>] [B<--ssh> I<target address for SSH>] [B<--openvpn> I<target address for OpenVPN>] [B<--http> I<target address for HTTP>] [B<--xmpp> I<target address for XMPP>] [B<--tinc> I<target address for TINC>] [B<--anyprot> I<default target address>] [B<--on-timeout> I<protocol name>] [B<-u> I<username>] [B<-C> I<chroot>] [B<-P> I<pidfile>] [-v] [-i] [-V] [-f] [-n]
+sslh [B<-F>I<config file>] [B<-t> I<num>] [B<--transparent>] [B<-p> I<listening address> [B<-p> I<listening address> ...]  [B<--tls> I<target address for TLS>] [B<--ssh> I<target address for SSH>] [B<--openvpn> I<target address for OpenVPN>] [B<--http> I<target address for HTTP>] [B<--xmpp> I<target address for XMPP>] [B<--tinc> I<target address for TINC>] [B<--anyprot> I<default target address>] [B<--on-timeout> I<protocol name>] [B<-u> I<username>] [B<-C> I<chroot>] [B<-P> I<pidfile>] [B<-v> I<n>] [-i] [-V] [-f] [-n]
 
 =head1 DESCRIPTION
 
@@ -14,7 +14,7 @@ B<sslh> accepts connections on specified ports, and forwards
 them further based on tests performed on the first data
 packet sent by the remote client.
 
-Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are
+Probes for HTTP, TLS, SSH, OpenVPN, tinc, XMPP are
 implemented, and any other protocol that can be tested using
 a regular expression, can be recognised. A typical use case
 is to allow serving several services on port 443 (e.g. to
@@ -102,8 +102,10 @@ clients wait for the server to send its banner.
 
 Makes B<sslh> behave as a transparent proxy, i.e. the
 receiving service sees the original client's IP address.
-This works on Linux only and involves B<iptables> settings.
-Refer to the README for more information.
+This works on Linux only and involves B<iproute2> settings.
+In some cases also B<iptables/nftables> settings are needed.
+Refer to the README or L<https://github.com/ftasnetamot/sslh/blob/2014-08-16--close-filehandles-with-detach/doc/simple_transparent_proxy.md>
+for more information.
 
 =item B<-p> I<listening address>, B<--listen> I<listening address>
 
@@ -123,10 +125,11 @@ Note that you can set B<sslh> to listen on I<ext_ip:443> and
 B<httpd> to listen on I<localhost:443>: this allows clients
 inside your network to just connect directly to B<httpd>.
 
-Also, B<sslh> probes for SSLv3 (or TLSv1) handshake and will
+Also, B<sslh> probes for TLS handshakes and will
 reject connections from clients requesting SSLv2. This is
-compliant with RFC6176 which prohibits the usage of SSLv2. If
-you wish to accept SSLv2, use B<--anyprot> instead.
+compliant with RFC6176 which prohibits the usage of SSLv2. 
+If you wish to accept SSLv2, use B<--anyprot> instead.
+
 
 =item B<--ssh> I<target address>
 
@@ -164,9 +167,10 @@ specified on the command line, this should be specified
 last. If no default is specified, B<sslh> will forward
 unknown protocols to the first protocol specified.
 
-=item B<-v>, B<--verbose>
+=item B<-v>, B<--verbose> I<n>
 
-Increase verboseness.
+Override all verboseness. Refer to B<example.cfg> for all
+verbose sub-options.
 
 =item B<-n>, B<--numeric>
 
@@ -233,8 +237,8 @@ detailed explanation of the variables used by B<sslh>.
 =head1 SEE ALSO
 
 The latest version is available from
-L<http://www.rutschle.net/tech/sslh>, and can be tracked
-from L<http://freecode.com/projects/sslh>.
+L<https://github.com/yrutschle/sslh>. There you can find a more
+detailed and recent documentation.
 
 =head1 AUTHOR
 

sslhconf.cfg

@@ -25,6 +25,9 @@ config: {
          name : "sslhcfg",
          type: "list",
          items: (
+            { name: "verbose"; type: "int" default: 0;
+                short: "v";
+                description: "Override all verbosness options" },
             { name: "verbose-config"; type: "int"; default: 0; 
                 description: "Print configuration at startup" },
             { name: "verbose-config-error"; type: "int"; default: 3; 
@@ -95,6 +98,7 @@ config: {
                     { name: "host"; type: "string"; var: true; },
                     { name: "port"; type: "string"; var: true; },
                     { name: "is_udp"; type: "bool"; default: false },
+                    { name: "is_unix"; type: "bool"; default: false },
                     { name: "keepalive"; type: "bool"; default: false; }
                 )
             },
@@ -107,6 +111,7 @@ config: {
                     { name: "host"; type: "string"; var: true; },
                     { name: "port"; type: "string"; var: true; },
                     { name: "service"; type: "string"; optional: true; },
+                    { name: "is_unix"; type: "bool"; default: false },
                     { name: "is_udp"; type: "bool"; default: false },
                     { name: "udp_timeout"; type: "int"; default: 60 },
                     { name: "fork"; type: "bool"; default: false },
@@ -131,6 +136,7 @@ config: {
                     element_type: "string"
                     },
                     { name: "minlength"; type: "int"; optional: true },
+                    { name: "proxyprotocol"; type: "int"; optional: true },
 
                     # Runtime data
                     { name: "probe"; type: "runtime"; c_type: "T_PROBE*" },
@@ -186,6 +192,19 @@ cl_groups: (
         { path: "tfo_ok"; value: 1 }
         );
     },
+    # Redundant with the --tls setting before, for backwards compatibility
+    { name: "ssl"; pattern: "(.+):(\w+)"; description: "Set up TLS/SSL target";
+        list: "protocols";
+        override: "name";
+        argdesc: "<host:port>";
+        targets: (
+        { path: "name"; value: "tls" },
+        { path: "host"; value: "$1" },
+        { path: "port"; value: "$2" },
+        { path: "log_level"; value: 1 },
+        { path: "tfo_ok"; value: 1 }
+        );
+    },
     { name: "openvpn"; pattern: "(.+):(\w+)"; description: "Set up OpenVPN target";
         list: "protocols";
         override: "name";

systemd-sslh-generator.c

@@ -1,39 +1,72 @@
 #include <libconfig.h>
+#include <dirent.h>
 #include <stdio.h>
+#include <errno.h>
 #include <string.h>
 #include <stdlib.h>
+#include <stdbool.h>
+#include <stdarg.h>
+#include <sys/stat.h>
 #include "common.h"
 
 
-#define print_message(sink, format, file, line) fprintf(stderr, format, file, line)
+#define print_message(sink, format, file, line) fprintf(stderr, format, file, line)                                                                                                                                               
 
-static char* resolve_listen(const char *hostname, const char *port) {
-    /* Need room in the strcat for \0 and :
-     * the format in the socket unit file is hostname:port */
-    char *conn = malloc(strlen(hostname)+strlen(port)+2);
-    CHECK_ALLOC(conn, "malloc");
+typedef struct FileList FileList;
+
+struct FileList {
+    char *name;
+    struct FileList *prev;
+};
+
+static void free_file_list(FileList *fl) {
+    while (fl != NULL) {
+        FileList *prev = fl->prev;
+        free(fl->name);
+        free(fl);
+        fl = prev;
+    }
+}
+
+static FILE *err_log;
+static bool systemd_invoked = false;
+static const char
+        *socket_ext = ".socket",
+        *dropin_ext = ".conf",
+        *service_ext = ".service.d/",
+        *fork_unit_file = "/sslh@",
+        *select_unit_file = "/sslh-select@",
+        *fork_unit = "# Automatically generated by systemd-sslh-generator\n\n"
+                     "[Unit]\n"
+                     "Requires=sslh@%s.socket\n"
+                     "Conflicts=sslh-select@%s.service\n"
+                     "PartOf=sslh@%s.socket\n",
+        *select_unit = "# Automatically generated by systemd-sslh-generator\n\n"
+                       "[Unit]\n"
+                       "Requires=sslh@%s.socket\n"
+                       "Conflicts=sslh@%s.service\n"
+                       "PartOf=sslh@%s.socket\n";
+
+static char *resolve_listen(const char *hostname, const char *port) {
+    char *conn = calloc(1, strlen(hostname) + strlen(port) + 2);
+    CHECK_ALLOC(conn, "malloc")
     strcpy(conn, hostname);
     strcat(conn, ":");
     strcat(conn, port);
-
     return conn;
-
 }
 
-
 static int get_listen_from_conf(const char *filename, char **listen[]) {
     config_t config;
     config_setting_t *setting, *addr;
     const char *hostname, *port;
     int len = 0;
 
-    /* look up the listen stanzas in the config file so these
-     * can be used in the socket file generated */
     config_init(&config);
     if (config_read_file(&config, filename) == CONFIG_FALSE) {
-        /* we don't care if file is missing, skip it */
         if (config_error_line(&config) != 0) {
-            fprintf(stderr, "%s:%d:%s\n",
+            fprintf(err_log,
+                    "systemd-sslh-generator: %s%d%s\n",
                     filename,
                     config_error_line(&config),
                     config_error_text(&config));
@@ -42,118 +75,247 @@ static int get_listen_from_conf(const char *filename, char **listen[]) {
     } else {
         setting = config_lookup(&config, "listen");
         if (setting) {
-	    int i;
             len = config_setting_length(setting);
             *listen = malloc(len * sizeof(**listen));
-            CHECK_ALLOC(*listen, "malloc");
-            for (i = 0; i < len; i++) {
+            CHECK_ALLOC(*listen, "malloc")
+            for (int i = 0; i < len; i++) {
                 addr = config_setting_get_elem(setting, i);
-                if (! (config_setting_lookup_string(addr, "host", &hostname) &&
-                       config_setting_lookup_string(addr, "port", &port))) {
-                    fprintf(stderr,
-                            "line %d:Incomplete specification (hostname and port required)\n",
+                if (!(config_setting_lookup_string(addr, "host", &hostname) && config_setting_lookup_string(addr, "port", &port))) {
+                    fprintf(err_log,
+                            "systemd-sslh-generator: line %d:Incomplete specification (hostname and port required)\n",
                             config_setting_source_line(addr));
                     return -1;
                 } else {
-                    char *resolved_listen = resolve_listen(hostname, port);
-
-                    (*listen)[i] = malloc(strlen(resolved_listen));
-                    CHECK_ALLOC((*listen)[i], "malloc");
-                    strcpy((*listen)[i], resolved_listen);
-                    free(resolved_listen);
+                    (*listen)[i] = resolve_listen(hostname, port);
                 }
             }
         }
     }
-
     return len;
-
 }
 
-static int write_socket_unit(FILE *socket, char *listen[], int num_addr, const char *source) {
-    int i;
-
+static void write_socket_unit(FILE *socket, char *listen[], int num_addr, const char *cfg, const char *source) {
     fprintf(socket,
             "# Automatically generated by systemd-sslh-generator\n\n"
             "[Unit]\n"
-            "Before=sslh.service\n"
+            "Before=sslh@%s.service\n"
             "SourcePath=%s\n"
+            "PartOf=sslh@%s.service\n"
             "Documentation=man:sslh(8) man:systemd-sslh-generator(8)\n\n"
             "[Socket]\n"
             "FreeBind=true\n",
-            source);
-
-    for (i = 0; i < num_addr; i++) {
+            cfg,
+            source,
+            cfg);
+    for (int i = 0; i < num_addr; i++) {
         fprintf(socket, "ListenStream=%s\n", listen[i]);
     }
+    fprintf(socket,
+           "\n[Install]\n"
+           "WantedBy=sockets.target\n");
+}
 
+static int write_unit_dropin(const char *runtime_unit_dir, const bool is_fork, const char *cfg) {
+    const char
+        *unit_file = is_fork ? fork_unit_file : select_unit_file,
+        *unit_string = is_fork ? fork_unit : select_unit;
+    FILE *dropin_fd = stdout;
+    if (systemd_invoked) {
+        //Systemd drop-in configuration for the base select service sslh@%I.service
+        const size_t runtime_len = strlen(runtime_unit_dir);
+        size_t len = strlen(unit_file) + strlen(cfg) + strlen(service_ext) + strlen(dropin_ext);
+        char dropin_dir[runtime_len + len + 1];
+        strcpy(dropin_dir, runtime_unit_dir);
+        strcat(dropin_dir, unit_file);
+        strcat(dropin_dir, cfg);
+        strcat(dropin_dir, service_ext);
+
+        if (mkdir(dropin_dir, S_IRWXU | S_IRWXG | S_IROTH)) {
+            fprintf(err_log,
+                    "systemd-sslh-generator: Could not create directory '%s' to generate drop-in configuration: %s\n",
+                    dropin_dir,
+                    strerror(errno));
+            return errno;
+        }
+
+        len = len + strlen(cfg) + strlen(dropin_ext);
+        char dropin_path[len + 1];
+        strcpy(dropin_path, dropin_dir);
+        strcat(dropin_path, cfg);
+        strcat(dropin_path, dropin_ext);
+        dropin_fd = fopen(dropin_path, "w");
+        if (!dropin_fd) {
+            fprintf(err_log,
+                    "systemd-sslh-generator: Could not open '%s' to generate drop-in configuration: %s\n",
+                    dropin_path,
+                    strerror(errno));
+            return errno;
+        }
+    }
+    fprintf(dropin_fd, unit_string, cfg, cfg, cfg);
+    if (systemd_invoked) {
+        fclose(dropin_fd);
+    }
     return 0;
 }
 
 static int gen_sslh_config(char *runtime_unit_dir) {
-    char *sslh_conf;
-    int num_addr;
-    FILE *config;
+    int status = 0;
+    const char *config_dir = "/etc/sslh/";
     char **listen;
-    FILE *runtime_conf_fd = stdout;
-    const char *unit_file;
+    DIR *d = opendir(config_dir);
+    FileList *fa = NULL;
 
-    /* There are two default locations so check both with first given preference */
-    sslh_conf = "/etc/sslh.cfg";
-
-    config = fopen(sslh_conf, "r");
-    if (config  == NULL) {
-        sslh_conf="/etc/sslh/sslh.cfg";
-        config = fopen(sslh_conf, "r");
-        if (config == NULL) {
-            return -1;
+    if (d) {
+        struct dirent *dir;
+        while ((dir = readdir(d)) != NULL) {
+            if ((strcmp(dir->d_name, ".") == 0) || (strcmp(dir->d_name, "..") == 0)) {
+                continue;
+            }
+            FileList *lfa = malloc(sizeof(FileList));
+            CHECK_ALLOC(lfa, "malloc")
+            lfa->name = malloc(strlen(dir->d_name) + 1);
+            CHECK_ALLOC(lfa->name, "malloc")
+            strcpy(lfa->name, dir->d_name);
+            lfa->prev = NULL;
+            if (fa) {
+                lfa->prev = fa;
+            }
+            fa = lfa;
         }
+        closedir(d);
+    } else {
+        fprintf(err_log,
+                "systemd-sslh-generator: Configuration directory '/etc/sslh/' does not exist! No units generated.\n");
+        //Config directory /etc/sslh/ does not exist
+        return 0;
     }
-
-    fclose(config);
-
-    num_addr = get_listen_from_conf(sslh_conf, &listen);
-    if (num_addr < 0)
-        return -1;
-
-    /* If this is run by systemd directly write to the location told to
-     * otherwise write to standard out so that it's trivial to check what
-     * will be written */
-    if (runtime_unit_dir && *runtime_unit_dir) {
-        unit_file = "/sslh.socket";
-        size_t uf_len = strlen(unit_file);
-        size_t runtime_len = strlen(runtime_unit_dir) + uf_len + 1;
-        char *runtime_conf = malloc(runtime_len);
-        CHECK_ALLOC(runtime_conf, "malloc");
-        strcpy(runtime_conf, runtime_unit_dir);
-        strcat(runtime_conf, unit_file);
-        runtime_conf_fd = fopen(runtime_conf, "w");
-        free(runtime_conf);
+    if (!fa) {
+        fprintf(err_log,
+                "systemd-sslh-generator: Configuration directory '/etc/sslh/' is empty! No units generated.\n");
+        //No configuration files in /etc/sslh/
+        return 0;
     }
+    FileList *fa_ref = fa;
+//    size_t num_listen_addresses = 0;
+//    char **listen_addresses = NULL;
+    //Process all config files
+    do {
+        char *end = strstr(fa->name, ".cfg");
+        if (!end) {
+            continue;
+        }
+        //Current sslh config name
+        const size_t end_count = end - fa->name;
+        char config_name[end_count + 1];
+        memcpy(config_name, fa->name, end_count);
+        config_name[end_count] = '\0';
 
-
-    return write_socket_unit(runtime_conf_fd, listen, num_addr, sslh_conf);
+        //Full path to current sslh config
+        char full_path[strlen(config_dir) + strlen(fa->name) + 1];
+        strcpy(full_path, config_dir);
+        strcat(full_path, fa->name);
+        FILE *config = fopen(full_path, "r");
+        if (!config) {
+            fprintf(err_log,
+                    "systemd-sslh-generator: Could not open config file '%s': %s\n",
+                    full_path,
+                    strerror(errno));
+            return errno;
+        } else {
+            fclose(config);
+            int num_addr = get_listen_from_conf(full_path, &listen);
+            if (num_addr <= 0) {
+                fprintf(err_log,
+                        "systemd-sslh-generator: sslh config '%s' contains no valid listen configurations!\n",
+                        fa->name);
+                status |= -1;
+                continue;
+            }
+            FILE *socket_fd = stdout;
+            if (systemd_invoked) {
+                //Systemd socket for the current sslh config
+                const size_t len = strlen(runtime_unit_dir) + strlen(fork_unit_file) + strlen(config_name) + strlen(socket_ext);
+                char socket_path[len + 1];
+                strcpy(socket_path, runtime_unit_dir);
+                strcat(socket_path, fork_unit_file);
+                strcat(socket_path, config_name);
+                strcat(socket_path, socket_ext);
+                socket_fd = fopen(socket_path, "w");
+                if (!socket_fd) {
+                    fprintf(err_log,
+                            "systemd-sslh-generator: Could not open '%s' to generate socket configuration: %s\n",
+                            socket_path,
+                            strerror(errno));
+                    status |= errno;
+                    continue;
+                }
+            }
+            //Write socket unit
+            write_socket_unit(socket_fd, listen, num_addr, config_name, full_path);
+            //Write forking drop-in config
+            status |= write_unit_dropin(runtime_unit_dir, false, config_name);
+            //Write select drop-in config
+            status |= write_unit_dropin(runtime_unit_dir, true, config_name);
+            if (systemd_invoked) {
+                fclose(socket_fd);
+            }
+//            if (listen_addresses) {
+//                //Check for overlapping addresses
+//                for (size_t i = 0; i < num_listen_addresses; i++) {
+//                    for (size_t j = 0; j < num_addr; j++) {
+//                        if (strcmp(*(listen_addresses + i), *(listen + j)) == 0) {
+//                            fprintf(err_log, "systemd-sslh-generator: Overlapping listen addresses across sslh configurations!");
+//                            return -1;
+//                        }
+//                    }
+//                }
+//            }
+//            char *listen_addresses_copy[num_listen_addresses + num_addr];
+//            if (listen_addresses) {
+//                //Copy previous configurations' listen addresses into temp
+//                memcpy(listen_addresses_copy, listen_addresses, num_listen_addresses);
+//                //Free global list of listen addresses
+//                free(listen_addresses);
+//            }
+//            //Copy listen addresses from current configuration into temp
+//            memcpy(listen_addresses_copy + num_listen_addresses, listen, num_addr);
+//            num_listen_addresses += num_addr;
+//            listen_addresses = malloc(num_listen_addresses * sizeof(char *));
+//            CHECK_ALLOC(listen_addresses, "malloc")
+//            //Append all addresses to global list
+//            memcpy(listen_addresses, listen_addresses_copy, num_listen_addresses);
+            //Free all allocated listen strings
+            for (size_t i = 0; i < num_addr; i++) {
+                free(*(listen + i));
+            }
+        }
+    } while((fa = fa->prev));
+    free_file_list(fa_ref);
+    return status;
 }
 
-
-int main(int argc, char *argv[]){
-    int r = 0;
-    int k;
-    char *runtime_unit_dest = "";
-
-    if (argc > 1 && (argc != 4) ) {
+int main(int argc, char *argv[]) {
+    if (argc == 1 || argc == 4) {
+        systemd_invoked = argc == 4;
+        if (systemd_invoked) {
+            err_log = fopen("/dev/kmsg", "w");
+            if (!err_log) {
+                return -1;
+            }
+        } else {
+            err_log = stderr;
+        }
+        const int r = gen_sslh_config(systemd_invoked ? argv[1] : "");
+        if (systemd_invoked) {
+            fclose(err_log);
+        }
+        if (!r) {
+            fprintf(err_log, "systemd-sslh-generator: Successfully generated all targets.\n");
+        }
+        return r < 0 ? -1 : 0;
+    } else {
         printf("This program takes three or no arguments.\n");
         return -1;
     }
-
-    if (argc  > 1)
-        runtime_unit_dest = argv[1];
-
-    k = gen_sslh_config(runtime_unit_dest);
-    if (k < 0)
-        r = k;
-
-    return r < 0 ? -1 : 0;
 }
-
-

t_load

@@ -14,7 +14,7 @@
 use strict;
 use IO::Socket::INET6;
 use Data::Dumper;
-use Conf::Libconfig;
+use Conf::Libconfig 1.0.3;
 
 ## BEGIN TEST CONFIG
 
@@ -44,7 +44,7 @@ $conf->read_file("test.cfg");
 
 
 # Pick one address for TCP and one for UDP
-my @listen = @{$conf->fetch_array("listen")};
+my @listen = @{$conf->value("listen")};
 my ($sslh_tcp_address, $sslh_udp_address);
 
 foreach my $l (@listen) {
@@ -186,7 +186,7 @@ sub udp_client {
     }
 }
 
-foreach my $p (@{$conf->fetch_array("protocols")}) {
+foreach my $p (@{$conf->value("protocols")}) {
     if (!fork) {
         my $udp = $p->{is_udp} ? "--udp" : "";
         my $cmd = "./echosrv $udp -p $p->{host}:$p->{port} --prefix '$p->{name}: ' 2> /dev/null";
@@ -203,7 +203,7 @@ sleep 2; # Let echosrv's and sslh start
 my ($c_in, $c_out);
 pipe $c_in, $c_out;
 
-my @protocols = @{$conf->fetch_array("protocols")};
+my @protocols = @{$conf->value("protocols")};
 
 if (!fork) {
     # Process that starts all the clients

tcp-listener.c

@@ -153,7 +153,7 @@ static int connect_queue(struct connection* cnx,
 {
     struct queue *q = &cnx->q[1];
 
-    q->fd = connect_addr(cnx, cnx->q[0].fd, NON_BLOCKING);
+    connect_addr(cnx, cnx->q[0].fd, NON_BLOCKING);
     if (q->fd != -1) {
         log_connection(NULL, cnx);
         flush_deferred(q);
@@ -227,7 +227,6 @@ static void shovel_single(struct connection *cnx)
 static void connect_proxy(struct connection *cnx)
 {
     int in_socket;
-    int out_socket;
 
     /* Minimize the file descriptor value to help select() */
     in_socket = dup(cnx->q[0].fd);
@@ -238,18 +237,16 @@ static void connect_proxy(struct connection *cnx)
         cnx->q[0].fd = in_socket;
     }
 
-    /* Connect the target socket */
-    out_socket = connect_addr(cnx, in_socket, BLOCKING);
-    CHECK_RES_DIE(out_socket, "connect");
-
-    cnx->q[1].fd = out_socket;
+    /* Connect the backend server socket */
+    connect_addr(cnx, in_socket, BLOCKING);
+    CHECK_RES_DIE(cnx->q[1].fd, "connect");
 
     log_connection(NULL, cnx);
 
     shovel_single(cnx);
 
     close(in_socket);
-    close(out_socket);
+    close(cnx->q[1].fd);
 
     print_message(msg_fd, "connection closed down\n");
 

tcp-probe.c

@@ -60,13 +60,13 @@ int probe_client_protocol(struct connection *cnx)
 
 static void tcp_protocol_list_init(void)
 {
+    tcp_protocols = calloc(cfg.protocols_len, sizeof(tcp_protocols));
+    CHECK_ALLOC(tcp_protocols, "tcp_protocols");
     for (int i = 0; i < cfg.protocols_len; i++) {
         struct sslhcfg_protocols_item* p = &cfg.protocols[i];
         if (!p->is_udp) {
+            tcp_protocols[tcp_protocols_len] = p;
             tcp_protocols_len++;
-            tcp_protocols = realloc(tcp_protocols, tcp_protocols_len * sizeof(*tcp_protocols));
-            CHECK_ALLOC(tcp_protocols, "realloc");
-            tcp_protocols[tcp_protocols_len-1] = p;
         }
     }
 }

test.cfg

@@ -32,7 +32,8 @@ listen:
 (
     { host: "localhost"; port: "8080"; keepalive: true; },
     { host: "localhost"; port: "8081"; keepalive: true; },
-    { host: "ip4-localhost"; is_udp: true; port: "8086"; }
+    { host: "ip4-localhost"; is_udp: true; port: "8086"; },
+    { host: "/tmp/sslh.sock"; is_unix: true; port: ""; }
 );
 
 
@@ -42,9 +43,9 @@ listen:
  
 protocols:
 (
-     { name: "ssh";  host: "localhost"; port: "9000"; fork: true; transparent: true; },
+     { name: "ssh";  host: "localhost"; port: "9000"; fork: true; transparent: true; resolve_on_forward: true; },
      { name: "socks5";  host: "localhost"; port: "9001";  },
-     { name: "http";  host: "localhost"; port: "9002";  },
+     { name: "http";  host: "localhost"; port: "80"; proxyprotocol: 2;  },
      { name: "tinc";  host: "localhost"; port: "9003"; },
      { name: "openvpn";  host: "localhost"; port: "9004"; },
      { name: "xmpp";  host: "localhost"; port: "9009"; },
@@ -53,6 +54,7 @@ protocols:
      { name: "regex"; host: "ip4-localhost"; is_udp: true; port: "9020";
          udp_timeout: 30;
          regex_patterns: [ "^foo" ];
+         resolve_on_forward: true;
      },
      { name: "regex"; host: "localhost"; port: "9011";
         regex_patterns: [ "^foo", "^bar" ];

tls.c

@@ -224,7 +224,7 @@ parse_server_name_extension(const struct TLSProtocol *tls_data, const char *data
         switch (data[pos]) { /* name type */
             case 0x00: /* host_name */
                 if(has_match(tls_data->sni_hostname_list, tls_data->sni_list_len, data + pos + 3, len)) {
-                    return len;
+                    return (int)len;
                 } else {
                     return TLS_ENOEXT;
                 }
@@ -253,7 +253,7 @@ parse_alpn_extension(const struct TLSProtocol *tls_data, const char *data, size_
             return TLS_EPROTOCOL;
 
         if (len > 0 && has_match(tls_data->alpn_protocol_list, tls_data->alpn_list_len, data + pos + 1, len)) {
-            return len;
+            return (int)len;
         } else if (len > 0) {
             print_message(msg_probe_error, "Unknown ALPN name: %.*s\n", (int)len, data + pos + 1);
         }
@@ -301,11 +301,11 @@ struct TLSProtocol *
 tls_data_set_list(struct TLSProtocol *tls_data, int alpn, const char** list, size_t list_len) {
     if (alpn) {
         tls_data->alpn_protocol_list = list;
-        tls_data->alpn_list_len = list_len;
+        tls_data->alpn_list_len = (int)list_len;
         tls_data->match_mode.tls_match_alpn = 1;
     } else {
         tls_data->sni_hostname_list = list;
-        tls_data->sni_list_len = list_len;
+        tls_data->sni_list_len = (int)list_len;
         tls_data->match_mode.tls_match_sni = 1;
     }
 

udp-listener.c

@@ -36,10 +36,10 @@
 
 static int cnx_cmp(struct connection* cnx1, struct connection* cnx2)
 {
-    struct sockaddr* addr1 = &cnx1->client_addr;
+    struct sockaddr_storage* addr1 = &cnx1->client_addr;
     socklen_t addrlen1 = cnx1->addrlen;
 
-    struct sockaddr* addr2 = &cnx2->client_addr;
+    struct sockaddr_storage* addr2 = &cnx2->client_addr;
     socklen_t addrlen2 = cnx2->addrlen;
 
     if (addrlen1 != addrlen2) return -1;
@@ -52,13 +52,13 @@ static int cnx_cmp(struct connection* cnx1, struct connection* cnx2)
  * lowest bytes of remote port */
 static int hash_make_key(hash_item new)
 {
-    struct sockaddr* addr = &new->client_addr;
+    struct sockaddr_storage* addr = &new->client_addr;
     //socklen_t addrlen = new->addrlen;
     struct sockaddr_in* addr4;
     struct sockaddr_in6* addr6;
     int out;
 
-    switch (addr->sa_family) {
+    switch (((struct sockaddr*)addr)->sa_family) {
     case AF_INET:
         addr4 = (struct sockaddr_in*)addr;
         out = addr4->sin_port;
@@ -225,8 +225,16 @@ static void mark_active(struct connection* cnx)
 /* Creates a new non-blocking socket */
 static int nonblocking_socket(struct sslhcfg_protocols_item* proto)
 {
+    int res;
+
+    if (proto->resolve_on_forward) {
+        res = resolve_split_name(&(proto->saddr), proto->host,
+                                 proto->port);
+        if (res) return -1;
+    }
+
     int out = socket(proto->saddr->ai_family, SOCK_DGRAM, 0);
-    int res = set_nonblock(out);
+    res = set_nonblock(out);
     if (res == -1) {
         print_message(msg_system_error, "%s:%d:%s:%d:%s\n", __FILE__, __LINE__, "udp:socket:nonblock", errno, strerror(errno));
         close(out);
@@ -251,7 +259,8 @@ struct connection* udp_c2s_forward(int sockfd, struct loop_info* fd_info)
     struct connection* cnx;
     ssize_t len;
     socklen_t addrlen;
-    int res, target, out = -1;
+    ssize_t res;
+    int target, out = -1;
     char data[65536]; /* Theoretical max is 65507 (https://en.wikipedia.org/wiki/User_Datagram_Protocol).
                          This will do.  Dynamic allocation is possible with the MSG_PEEK flag in recvfrom(2), but that'd imply
                          malloc/free overhead for each packet, when really 64K is not that much */
@@ -272,7 +281,7 @@ struct connection* udp_c2s_forward(int sockfd, struct loop_info* fd_info)
                   len, target, sprintaddr(addr_str, sizeof(addr_str), &addrinfo));
 
     if (target == -1) {
-        res = probe_buffer(data, len, udp_protocols, udp_protocols_len, &proto);
+        res = probe_buffer(data, (int)len, udp_protocols, udp_protocols_len, &proto);
         /* First version: if we can't work out the protocol from the first
          * packet, drop it. Conceivably, we could store several packets to
          * run probes on packet sets */
@@ -316,13 +325,13 @@ void udp_s2c_forward(struct connection* cnx)
 {
     int sockfd = cnx->target_sock;
     char data[65536];
-    int res;
+    ssize_t res;
 
     res = recvfrom(sockfd, data, sizeof(data), 0, NULL, NULL);
     if ((res == -1) && ((errno == EAGAIN) || (errno == EWOULDBLOCK))) return;
     CHECK_RES_DIE(res, "udp_listener/recvfrom");
     res = sendto(cnx->local_endpoint, data, res, 0,
-                 &cnx->client_addr, cnx->addrlen);
+                 (struct sockaddr*)&cnx->client_addr, cnx->addrlen);
     mark_active(cnx);
 }
 

version.h

@@ -0,0 +1,5 @@
+#ifndef VERSION_H 
+#define VERSION_H 
+
+#define VERSION "v2.2.0-dirty"
+#endif