sslh
Overview
sslh is a protocol multiplexer that accepts incoming connections on a single port and routes them to appropriate backends based on protocol detection. This allows running multiple services (HTTPS, SSH, OpenVPN, etc.) on the same port 443.
Key Features
- Multiplex multiple protocols on single port
- Transparent protocol detection
- Load balancing capabilities
- IPv4 and IPv6 support
- TLS/SSL certificate forwarding
- HTTPS, SSH, OpenVPN, Xmpp support
- Lightweight and efficient
- Systemd integration
- ACL-based routing
Use Cases
- Unified port access for multiple services
- Firewall policy compliance (single port)
- Network security with limited open ports
- Accessing services through restrictive firewalls
- Server consolidation
- Penetration testing from restricted networks
Installation
Linux/Debian-based
sudo apt-get update
sudo apt-get install sslhmacOS
brew install sslhCentOS/RHEL
sudo yum install sslhBuild from Source
git clone https://github.com/yob/sslh.git
cd sslh
make
sudo make installConfiguration
Basic Configuration File
Default location: /etc/sslh/sslh.cfg
# sslh configuration file
verbose: false;
foreground: false;
inetd: false;
numeric: true;
# Listen on port 443 for all incoming connections
listen:
(
{ host: "0.0.0.0"; port: "443"; }
);
# Protocol-specific backends
protocols:
(
# HTTPS traffic to Apache
{ name: "https"; host: "localhost"; port: "8443"; },
# SSH traffic to SSH server
{ name: "ssh"; host: "localhost"; port: "22"; },
# OpenVPN
{ name: "openvpn"; host: "localhost"; port: "1194"; },
# XMPP
{ name: "xmpp"; host: "localhost"; port: "5222"; }
);
# Logging
logfile: "/var/log/sslh/sslh.log";
pidfile: "/var/run/sslh.pid";Listen on Multiple Ports
listen:
(
{ host: "0.0.0.0"; port: "443"; },
{ host: "0.0.0.0"; port: "8443"; },
{ host: "::"; port: "443"; } # IPv6
);SSL/TLS Pass-through Configuration
protocols:
(
{
name: "https";
host: "localhost";
port: "8443";
sni_hostnames: [ "example.com", "www.example.com" ];
},
{ name: "ssh"; host: "localhost"; port: "22"; }
);Basic Usage
Start sslh Service
sudo systemctl start sslhEnable on Boot
sudo systemctl enable sslhCheck Service Status
sudo systemctl status sslhView Service Logs
sudo journalctl -u sslh -fRunning sslh Manually
Foreground Mode (Debugging)
sudo sslh -f -v -c /etc/sslh/sslh.cfgFlags:
-f: Foreground (don’t daemonize)-v: Verbose output-c: Configuration file path
Background Mode
sudo sslh -c /etc/sslh/sslh.cfgTest Configuration
sudo sslh -t -c /etc/sslh/sslh.cfgValidates configuration without starting service.
Routing Configurations
HTTPS + SSH on Port 443
protocols:
(
{ name: "https"; host: "localhost"; port: "8443"; },
{ name: "ssh"; host: "localhost"; port: "22"; }
);Upstream services needed:
- HTTPS web server on port 8443
- SSH server on port 22
HTTPS + SSH + OpenVPN + XMPP
protocols:
(
{ name: "https"; host: "localhost"; port: "8443"; },
{ name: "ssh"; host: "localhost"; port: "22"; },
{ name: "openvpn"; host: "localhost"; port: "1194"; },
{ name: "xmpp"; host: "localhost"; port: "5222"; }
);Remote Server Routing
protocols:
(
{
name: "https";
host: "10.0.0.5";
port: "8443";
},
{
name: "ssh";
host: "10.0.0.6";
port: "22";
}
);Route to different backend servers by protocol.
Load Balanced HTTPS
protocols:
(
{
name: "https";
host: "localhost";
port: "8443";
},
{
name: "https";
host: "localhost";
port: "8444";
}
);Round-robin between multiple web servers.
Client Connection Methods
Connect via SSH Through sslh
# Server running sslh on port 443
ssh -p 443 user@example.com
# Or with specific config
ssh -p 443 -o "StrictHostKeyChecking=no" user@example.comConnect via HTTPS
curl https://example.com:443/
# Web browser: https://example.com:443OpenVPN Through sslh
Configure OpenVPN client to connect to:
remote example.com 443
proto tcpStunnel Integration (for non-TLS Protocols)
Some protocols need encapsulation in TLS:
# stunnel wrapper for SSH through HTTPS port
[ssh-over-https]
client = yes
accept = localhost:2222
connect = example.com:443Advanced Configurations
SNI-Based Routing
protocols:
(
{
name: "https";
host: "localhost";
port: "8443";
sni_hostnames: [ "api.example.com" ];
},
{
name: "https";
host: "localhost";
port: "8445";
sni_hostnames: [ "www.example.com" ];
}
);Routes based on SNI hostname in TLS ClientHello.
Alpha Protocol (Fallback)
protocols:
(
{ name: "https"; host: "localhost"; port: "8443"; },
{ name: "ssh"; host: "localhost"; port: "22"; },
{ name: "tls"; host: "localhost"; port: "443"; } # Catch-all
);User-Based ACLs
protocols:
(
{
name: "https";
host: "localhost";
port: "8443";
user_filter: [ "user1", "user2" ];
},
{ name: "ssh"; host: "localhost"; port: "22"; }
);Inetd Mode (xinetd Integration)
inetd: true;
protocols:
(
{ name: "https"; host: "localhost"; port: "8443"; },
{ name: "ssh"; host: "localhost"; port: "22"; }
);Setting Up Backend Services
Configure HTTPS Listener
# Apache HTTPS on 8443
sudo a2enmod ssl
sudo a2enmod rewrite
# Create SSL config pointing to port 8443
# in /etc/apache2/sites-available/ssl.conf
<VirtualHost *:8443>
ServerName example.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>sudo systemctl restart apache2SSH Server Setup
# Ensure SSH runs on default port 22
sudo nano /etc/ssh/sshd_config
# Port 22
sudo systemctl restart sshOpenVPN Backend Configuration
# /etc/openvpn/server.conf
port 1194
proto tcp
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Point clients to port 443Certificate Management
# Self-signed certificate for sslh
sudo openssl req -x509 -newkey rsa:2048 \
-keyout /etc/ssl/private/sslh.key \
-out /etc/ssl/certs/sslh.crt \
-days 365 -nodesNetwork Configuration
Firewall Rules (iptables)
# Allow incoming on port 443
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH and HTTPS backends
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
# Save rules
sudo iptables-save > /etc/iptables/rules.v4UFW Rules
sudo ufw allow 443/tcp
sudo ufw allow 22/tcp
sudo ufw allow 8443/tcp
sudo ufw enableIPv6 Support
listen:
(
{ host: "0.0.0.0"; port: "443"; }, # IPv4
{ host: "::"; port: "443"; } # IPv6
);Monitoring and Logging
View Real-time Logs
sudo journalctl -u sslh -fCheck Process Status
ps aux | grep sslhMonitor Connections
sudo netstat -antp | grep 443
# or
sudo ss -antp | grep 443Enable Verbose Logging
# In /etc/sslh/sslh.cfg
verbose: true;
logfile: "/var/log/sslh/sslh.log";Log Analysis
# Count connections by protocol
sudo grep "Accepted" /var/log/sslh/sslh.log | \
awk '{print $NF}' | sort | uniq -c
# Monitor in real-time
sudo tail -f /var/log/sslh/sslh.logTroubleshooting
Connection Refused
Issue: Clients can’t connect to multiplexed port.
Solution:
# 1. Check sslh is running
sudo systemctl status sslh
# 2. Verify configuration
sudo sslh -t -c /etc/sslh/sslh.cfg
# 3. Check backend services
sudo netstat -antp | grep 8443
sudo netstat -antp | grep 22
# 4. Verify port binding
sudo netstat -antp | grep 443Protocol Detection Fails
Issue: Traffic routing to wrong backend.
Solution:
# Test with verbose logging
sudo systemctl stop sslh
sudo sslh -f -v -c /etc/sslh/sslh.cfg
# Attempt connection and watch output
# Modify protocol detection if neededBackend Service Not Responding
Issue: Service exists but sslh can’t route to it.
Solution:
# Test backend connectivity
nc -zv localhost 8443 # HTTPS backend
ssh -p 22 localhost # SSH backend
# Verify firewall allows traffic
sudo iptables -L -n | grep 8443
# Check backend service configuration
sudo lsof -i :8443High CPU Usage
Issue: sslh consuming excessive CPU.
Solution:
# Check for connection storms
sudo netstat -antp | grep 443 | wc -l
# Implement rate limiting
sudo iptables -A INPUT -p tcp --dport 443 \
-m limit --limit 100/second --limit-burst 200 -j ACCEPT
# Monitor process
top -p $(pidof sslh)Performance Optimization
Connection Limits
# Increase file descriptor limit
sudo ulimit -n 65536
# Make permanent in /etc/security/limits.conf
* soft nofile 65536
* hard nofile 65536TCP Tuning
# Optimize for connection multiplexing
sudo sysctl -w net.core.somaxconn=4096
sudo sysctl -w net.ipv4.tcp_max_syn_backlog=4096Multiple sslh Instances
# Run multiple multiplexers for load distribution
sudo sslh -l localhost:1443 &
sudo sslh -l localhost:1444 &
# Load balance with nginx upstream
upstream sslh {
server localhost:1443;
server localhost:1444;
}Security Best Practices
| Practice | Reason |
|---|---|
| Use firewall rules | Restrict access to multiplexer |
| Monitor logs | Detect suspicious patterns |
| Validate certificates | Ensure backend authenticity |
| Rate limit connections | Prevent DoS attacks |
| Keep updated | Security patches and bug fixes |
Restrict Backend Access
# Only allow sslh to connect to backends
sudo iptables -A INPUT -p tcp --dport 8443 \
-s localhost -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8443 -j DROPIntegration Examples
With nginx
upstream http_backend {
server localhost:8443;
}
server {
listen 8443 ssl;
ssl_certificate /etc/ssl/certs/server.crt;
ssl_certificate_key /etc/ssl/private/server.key;
location / {
proxy_pass https://http_backend;
}
}With Docker
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y sslh
COPY sslh.cfg /etc/sslh/sslh.cfg
EXPOSE 443
CMD ["sslh", "-f", "-c", "/etc/sslh/sslh.cfg"]Docker Compose
version: '3'
services:
sslh:
image: sslh:latest
ports:
- "443:443"
volumes:
- ./sslh.cfg:/etc/sslh/sslh.cfg
depends_on:
- web
- ssh
web:
image: nginx:latest
expose:
- "8443"
ssh:
image: linux:ssh
expose:
- "22"References
- GitHub: yob/sslh
- Documentation: sslh README
- Man Page:
man sslh - Protocol Detection: SSLH Protocols
Quick Reference
# Start service
sudo systemctl start sslh
# Test configuration
sudo sslh -t -c /etc/sslh/sslh.cfg
# Run in foreground with verbose output
sudo sslh -f -v -c /etc/sslh/sslh.cfg
# Connect via SSH (multiplexed)
ssh -p 443 user@server
# Connect via HTTPS
curl https://server:443/
# View logs
sudo journalctl -u sslh -f
# Monitor connections
sudo ss -antp | grep 443