.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSLH 8"
.TH SSLH 8 "2023-03-23" "1.20-1+b2" " "
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
.Vb 1
\& sslh \- protocol demultiplexer
.Ve
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
sslh [\fB\-F\fR\fIconfig file\fR] [\fB\-t\fR \fInum\fR] [\fB\-\-transparent\fR] [\fB\-p\fR \fIlistening address\fR [\fB\-p\fR \fIlistening address\fR ...] [\fB\-\-ssl\fR \fItarget address for \s-1SSL\s0\fR] [\fB\-\-tls\fR \fItarget address for \s-1TLS\s0\fR] [\fB\-\-ssh\fR \fItarget address for \s-1SSH\s0\fR] [\fB\-\-openvpn\fR \fItarget address for OpenVPN\fR] [\fB\-\-http\fR \fItarget address for \s-1HTTP\s0\fR] [\fB\-\-xmpp\fR \fItarget address for \s-1XMPP\s0\fR] [\fB\-\-tinc\fR \fItarget address for \s-1TINC\s0\fR] [\fB\-\-anyprot\fR \fIdefault target address\fR] [\fB\-\-on\-timeout\fR \fIprotocol name\fR] [\fB\-u\fR \fIusername\fR] [\fB\-C\fR \fIchroot\fR] [\fB\-P\fR \fIpidfile\fR] [\-v] [\-i] [\-V] [\-f] [\-n]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBsslh\fR accepts connections on specified ports, and forwards
them further based on tests performed on the first data
packet sent by the remote client.
.PP
Probes for \s-1HTTP, SSL, SSH,\s0 OpenVPN, tinc, \s-1XMPP\s0 are
implemented, and any other protocol that can be tested using
a regular expression, can be recognised. A typical use case
is to allow serving several services on port 443 (e.g. to
connect to ssh from inside a corporate firewall, which
almost never block port 443) while still serving \s-1HTTPS\s0 on
that port.
.PP
Hence \fBsslh\fR acts as a protocol demultiplexer, or a
switchboard. Its name comes from its original function to
serve \s-1SSH\s0 and \s-1HTTPS\s0 on the same port.
.SS "Libwrap support"
.IX Subsection "Libwrap support"
One drawback of \fBsslh\fR is that the servers do not see the
original \s-1IP\s0 address of the client anymore, as the connection
is forwarded through \fBsslh\fR.
.PP
For this reason, \fBsslh\fR can be compiled with \fBlibwrap\fR to
check accesses defined in \fI/etc/hosts.allow\fR and
\&\fI/etc/hosts.deny\fR.  Libwrap services can be defined using
the configuration file.
.SS "Configuration file"
.IX Subsection "Configuration file"
A configuration file can be supplied to \fBsslh\fR. Command
line arguments override file settings. \fBsslh\fR uses
\&\fBlibconfig\fR to parse the configuration file, so the general
file format is indicated in
<http://www.hyperrealm.com/libconfig/libconfig_manual.html>.
Please refer to the example configuration file provided with
\&\fBsslh\fR for the specific format (Options have the same names
as on the command line, except for the list of listen ports
and the list of protocols).
.PP
The configuration file makes it possible to specify
protocols using regular expressions: a list of regular
expressions is given as the \fIregex_patterns\fR parameter, and if the
first packet received from the client matches any of these
expressions, \fBsslh\fR connects to that protocol.
.SS "Probing protocols"
.IX Subsection "Probing protocols"
When receiving an incoming connection, \fBsslh\fR will read the
first bytes sent by the connecting client. It will then
probe for the protocol in the order specified on the command
line (or the configuration file). Therefore \fB\-\-anyprot\fR
should alway be used last, as it always succeeds and further
protocols will never be tried.
.PP
If no data is sent by the client, \fBsslh\fR will eventually
time out and connect to the protocol specified with
\&\fB\-\-on\-timeout\fR, or \fIssh\fR if none is specified.
.SS "Logging"
.IX Subsection "Logging"
As a security/authorization program, \fBsslh\fR logs to the
\&\s-1LOG_AUTH\s0 facility, with priority \s-1LOG_INFO\s0 for normal
connections and \s-1LOG_ERR\s0 for failures.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-F\fR\fIfilename\fR, \fB\-\-config\fR \fIfilename\fR" 4
.IX Item "-Ffilename, --config filename"
Uses \fIfilename\fR as configuration file. If other
command-line options are specified, they will override the
configuration file's settings.
.Sp
When using the shorthand version, make sure there should be
no space between \fB\-F\fR and the \fIfilename\fR.
.IP "\fB\-t\fR \fInum\fR, \fB\-\-timeout\fR \fInum\fR" 4
.IX Item "-t num, --timeout num"
Timeout before forwarding the connection to the timeout
protocol (which should usually be \s-1SSH\s0). Default is 2s.
.IP "\fB\-\-on\-timeout\fR \fIprotocol name\fR" 4
.IX Item "--on-timeout protocol name"
Name of the protocol to connect to after the timeout period
is over. Default is to forward to the first specified
protocol. It usually makes sense to specify 'ssh' as the
timeout protocol, as the \s-1SSH\s0 specification does not tell
who is supposed to speak first and a large number of \s-1SSH\s0
clients wait for the server to send its banner.
.IP "\fB\-\-transparent\fR" 4
.IX Item "--transparent"
Makes \fBsslh\fR behave as a transparent proxy, i.e. the
receiving service sees the original client's \s-1IP\s0 address.
This works on Linux only and involves \fBiptables\fR settings.
Refer to the \s-1README\s0 for more information.
.IP "\fB\-p\fR \fIlistening address\fR, \fB\-\-listen\fR \fIlistening address\fR" 4
.IX Item "-p listening address, --listen listening address"
Interface and port on which to listen, e.g. \fIfoobar:443\fR,
where \fIfoobar\fR is the name of an interface (typically the
\&\s-1IP\s0 address on which the Internet connection ends up).
.Sp
This can be specified several times to bind \fBsslh\fR to
several addresses.
.IP "\fB\-\-ssl\fR \fItarget address\fR" 4
.IX Item "--ssl target address"
.PD 0
.IP "\fB\-\-tls\fR \fItarget address\fR" 4
.IX Item "--tls target address"
.PD
Interface and port on which to forward \s-1SSL\s0 connection,
typically \fIlocalhost:443\fR.
.Sp
Note that you can set \fBsslh\fR to listen on \fIext_ip:443\fR and
\&\fBhttpd\fR to listen on \fIlocalhost:443\fR: this allows clients
inside your network to just connect directly to \fBhttpd\fR.
.Sp
Also, \fBsslh\fR probes for SSLv3 (or TLSv1) handshake and will
reject connections from clients requesting SSLv2. This is
compliant with \s-1RFC6176\s0 which prohibits the usage of SSLv2. If
you wish to accept SSLv2, use \fB\-\-default\fR instead.
.IP "\fB\-\-ssh\fR \fItarget address\fR" 4
.IX Item "--ssh target address"
Interface and port on which to forward \s-1SSH\s0 connections,
typically \fIlocalhost:22\fR.
.IP "\fB\-\-openvpn\fR \fItarget address\fR" 4
.IX Item "--openvpn target address"
Interface and port on which to forward OpenVPN connections,
typically \fIlocalhost:1194\fR.
.IP "\fB\-\-xmpp\fR \fItarget address\fR" 4
.IX Item "--xmpp target address"
Interface and port on which to forward \s-1XMPP\s0 connections,
typically \fIlocalhost:5222\fR.
.IP "\fB\-\-http\fR \fItarget address\fR" 4
.IX Item "--http target address"
Interface and port on which to forward \s-1HTTP\s0 connections,
typically \fIlocalhost:80\fR.
.IP "\fB\-\-tinc\fR \fItarget address\fR" 4
.IX Item "--tinc target address"
Interface and port on which to forward tinc connections,
typically \fIlocalhost:655\fR.
.Sp
This is experimental. If you use this feature, please report
the results (even if it works!)
.IP "\fB\-\-anyprot\fR \fItarget address\fR" 4
.IX Item "--anyprot target address"
Interface and port on which to forward if no other protocol
has been found. Because \fBsslh\fR tries protocols in the order
specified on the command line, this should be specified
last. If no default is specified, \fBsslh\fR will forward
unknown protocols to the first protocol specified.
.IP "\fB\-v\fR, \fB\-\-verbose\fR" 4
.IX Item "-v, --verbose"
Increase verboseness.
.IP "\fB\-n\fR, \fB\-\-numeric\fR" 4
.IX Item "-n, --numeric"
Do not attempt to resolve hostnames: logs will contain \s-1IP\s0
addresses. This is mostly useful if the system's \s-1DNS\s0 is slow
and running the \fIsslh-select\fR variant, as \s-1DNS\s0 requests will
hang all connections.
.IP "\fB\-V\fR" 4
.IX Item "-V"
Prints \fBsslh\fR version.
.IP "\fB\-u\fR \fIusername\fR, \fB\-\-user\fR \fIusername\fR" 4
.IX Item "-u username, --user username"
Requires to run under the specified username.
.IP "\fB\-C\fR \fIchroot\fR, \fB\-\-chroot\fR \fIchroot\fR" 4
.IX Item "-C chroot, --chroot chroot"
Requires to run under the specified chroot.
.IP "\fB\-P\fR \fIpidfile\fR, \fB\-\-pidfile\fR \fIpidfile\fR" 4
.IX Item "-P pidfile, --pidfile pidfile"
Specifies a file in which to write the \s-1PID\s0 of the main
server.
.IP "\fB\-i\fR, \fB\-\-inetd\fR" 4
.IX Item "-i, --inetd"
Runs as an \fIinetd\fR server. Options \fB\-P\fR (\s-1PID\s0 file), \fB\-p\fR
(listen address), \fB\-u\fR (user) are ignored.
.IP "\fB\-f\fR, \fB\-\-foreground\fR" 4
.IX Item "-f, --foreground"
Runs in foreground. The server will not fork and will remain connected
to the terminal. Messages normally sent to \fBsyslog\fR will also be sent
to \fIstderr\fR.
.IP "\fB\-\-background\fR" 4
.IX Item "--background"
Runs in background. This overrides \fBforeground\fR if set in
the configuration file (or on the command line, but there is
no point setting both on the command line unless you have a
personality disorder).
.SH "FILES"
.IX Header "FILES"
.IP "\fI/etc/init.d/sslh\fR" 4
.IX Item "/etc/init.d/sslh"
Start-up script. The standard actions \fBstart\fR, \fBstop\fR and
\&\fBrestart\fR are supported.
.IP "\fI/etc/default/sslh\fR" 4
.IX Item "/etc/default/sslh"
Server configuration. These are environment variables
loaded by the start-up script and passed to \fBsslh\fR as
command-line arguments. Refer to the \s-1OPTIONS\s0 section for a
detailed explanation of the variables used by \fBsslh\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
The latest version is available from
<http://www.rutschle.net/tech/sslh>, and can be tracked
from <http://freecode.com/projects/sslh>.
.SH "AUTHOR"
.IX Header "AUTHOR"
Written by Yves Rutschle.