The handy sslh - Applicative protocol multiplexer

From the official site:

sslh accepts connections on specified ports, and forwards them further based on tests performed on the first data packet sent by the remote client.

Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are implemented, and any other protocol that can be tested using a regular expression, can be recognised. A typical use case is to allow serving several services on port 443 (e.g. to connect to ssh from inside a corporate firewall, which almost never block port 443) while still serving HTTPS on that port.

Hence sslh acts as a protocol demultiplexer, or a switchboard. Its name comes from its original function to serve SSH and HTTPS on the same port.
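To make the mechanism above concrete, here is a small Python model of what sslh does on the first packet: it peeks at the bytes the client sent and picks a back end. This is an added example written for this post, not sslh's own code; the probes are simplified (sslh's real ones are more thorough, and it also supports regex-based probes), and the back-end addresses are illustrative. It also models the one edge case that matters when multiplexing SSH: a client that says nothing before sslh's timeout is handed to the first configured protocol, which is why sslh has a --timeout option and why ssh is listed first.

```python
# Added example (not sslh's code): a minimal model of sslh's first-packet
# probing, showing how one listening port is demultiplexed to several
# back ends. Probes are simplified; addresses are illustrative.
import re
from typing import Optional, Tuple

# Back ends in configuration order. Order matters: a client that sends
# nothing before the timeout is forwarded to the first one (ssh here).
BACKENDS = [
    ("ssh", ("127.0.0.1", 22)),
    ("ssl", ("127.0.0.1", 443)),
    ("http", ("127.0.0.1", 80)),
]

# HTTP request line starts with a method token and a space.
HTTP_METHODS = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) ")


def probe(first_packet: bytes) -> Optional[str]:
    """Classify a connection from the first bytes the client sent.

    Returns a protocol name from BACKENDS, or None when nothing matched.
    """
    # SSH: client identification string, RFC 4253 section 4.2.
    if first_packet.startswith(b"SSH-"):
        return "ssh"
    # TLS: record type 0x16 (handshake), version major byte 0x03, and the
    # first handshake message a client sends is a ClientHello (type 0x01
    # at offset 5, right after the 5-byte record header).
    if (len(first_packet) >= 6
            and first_packet[0] == 0x16
            and first_packet[1] == 0x03
            and first_packet[5] == 0x01):
        return "ssl"
    if HTTP_METHODS.match(first_packet):
        return "http"
    return None


def route(first_packet: Optional[bytes]) -> Tuple[str, Optional[Tuple[str, int]]]:
    """Pick the back end for a new connection.

    None models 'the client sent nothing before the timeout': sslh then
    falls through to its first configured protocol, because some SSH
    clients wait for the server banner before speaking. Bytes that match
    no probe are reported as "unknown" here; in a real sslh deployment a
    catch-all protocol (its anyprot probe) decides what happens to them.
    """
    if first_packet is None:
        return BACKENDS[0]
    name = probe(first_packet)
    for proto, addr in BACKENDS:
        if proto == name:
            return proto, addr
    return "unknown", None


# Constructed sample first packets, one per case.
SAMPLES = {
    "ssh client banner": b"SSH-2.0-OpenSSH_9.6\r\n",
    # TLS 1.0 record header + ClientHello handshake header + version 1.2
    "tls client hello": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
    "plain http": b"GET / HTTP/1.1\r\nHost: example\r\n\r\n",
    "something else": b"\x00\x0e\x38\x00",
    "silent client": None,
}


if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        proto, addr = route(pkt)
        print(f"{label:18} -> {proto:8} {addr}")
```

Running it shows the banner going to 127.0.0.1:22, the ClientHello to 127.0.0.1:443, the silent client to ssh by default, and the unrecognised bytes flagged rather than guessed. The important limitation follows directly from the design: only protocols where the client speaks first can be probed this way.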

What amused me most was this line from the Linux Journal article One Port to Rule Them All!:

...blocking an SSH port for a Linux user is like taking a mouse away from a Windows user! ...

When I was staying at a Toyoko-Inn I felt this keenly. I have always worked around it with ssh -p 443 -D 1080 -N, but that always felt like a waste of a port. So after reading this article I had to try it. The simple idea is that sslh figures out the protocol, then sends SSH to sshd and HTTPS to apache2, so both can coexist on one port. And it is not limited to HTTPS either; other protocols can be multiplexed too. Neat!

Installing on Debian is simple:

apt-get install sslh

Configuration

vi /etc/default/sslh

...
RUN=yes

# binary to use: forked (sslh) or single-thread (sslh-select) version
# systemd users: don't forget to modify /lib/systemd/system/sslh.service
DAEMON=/usr/sbin/sslh

DAEMON_OPTS="--user sslh --listen 172.17.0.108:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"

Then configure apache2 so that it only listens on loopback, leaving the public 443 to sslh (on Debian the file is ports.conf):

vi /etc/apache2/ports.conf

Listen 127.0.0.1:443

Restart apache2 and sslh

/etc/init.d/apache2 restart
/etc/init.d/sslh restart

Check with netstat (netstat -tlnp) that sslh owns the public 443 and apache2 only the loopback one. Note that sshd still listens on 0.0.0.0:22, and that both back ends will log every connection arriving through sslh as coming from 127.0.0.1 unless sslh's --transparent mode is used:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 172.17.0.108:443        0.0.0.0:*               LISTEN      -               
tcp        0      0 127.0.0.1:443           0.0.0.0:*               LISTEN      2934/apache2    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1791/sshd

Now to find a hotel and test it!

reference: HOWTO connect to SSH via SSL with sslh
