Provided by: sslh_1.15-1_amd64 bug

NAME

        sslh - protocol demultiplexer

SYNOPSIS

       sslh [-F config file] [ -t num ] [-p listening address [-p listening address ...] [--ssl
       target address for SSL] [--ssh target address for SSH] [--openvpn target address for
       OpenVPN] [--http target address for HTTP] [--anyprot default target address] [--on-timeout
       protocol name] [-u username] [-P pidfile] [-v] [-i] [-V] [-f] [-n]

DESCRIPTION

       sslh accepts connections on specified ports, and forwards them further based on tests
       performed on the first data packet sent by the remote client.

       Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are implemented, and any other protocol
       that can be tested using a regular expression, can be recognised. A typical use case is to
       allow serving several services on port 443 (e.g. to connect to ssh from inside a corporate
       firewall, which almost never block port 443) while still serving HTTPS on that port.

       Hence sslh acts as a protocol demultiplexer, or a switchboard. Its name comes from its
       original function to serve SSH and HTTPS on the same port.

   Libwrap support
       One drawback of sslh is that the servers do not see the original IP address of the client
       anymore, as the connection is forwarded through sslh.

       For this reason, sslh can be compiled with libwrap to check accesses defined in
       /etc/hosts.allow and /etc/hosts.deny.  Libwrap services can be defined using the
       configuration file.

   Configuration file
       A configuration file can be supplied to sslh. Command line arguments override file
       settings. sslh uses libconfig to parse the configuration file, so the general file format
       is indicated in <http://www.hyperrealm.com/libconfig/libconfig_manual.html>.  Please refer
       to the example configuration file provided with sslh for the specific format (Options have
       the same names as on the command line, except for the list of listen ports and the list of
       protocols).

       The configuration file makes it possible to specify protocols using regular expressions: a
       list of regular expressions is given as the probe parameter, and if the first packet
       received from the client matches any of these expressions, sslh connects to that protocol.

       Alternatively, the probe parameter can be set to "builtin", to use the compiled probes
       which are much faster than regular expressions.

   Probing protocols
       When receiving an incoming connection, sslh will read the first bytes sent be the
       connecting client. It will then probe for the protocol in the order specified on the
       command line (or the configuration file). Therefore --anyprot should alway be used last,
       as it always succeeds and further protocols will never be tried.

       If no data is sent by the client, sslh will eventually time out and connect to the
       protocol specified with --on-timeout, or ssh if none is specified.

OPTIONS

       -t num, --timeout num
           Timeout before forwarding the connection to the timeout protocol (which should usually
           be SSH). Default is 2s.

       --on-timeout protocol name
           Name of the protocol to connect to after the timeout period is over. Default is 'ssh'.

       -p listening address, --listen listening address
           Interface and port on which to listen, e.g. foobar:443, where foobar is the name of an
           interface (typically the IP address on which the Internet connection ends up).

           This can be specified several times to bind sslh to several addresses.

       --ssl target address =item --tls target address
           Interface and port on which to forward SSL connection, typically localhost:443.

           Note that you can set sslh to listen on ext_ip:443 and httpd to listen on
           localhost:443: this allows clients inside your network to just connect directly to
           httpd.

           Also, sslh probes for SSLv3 (or TLSv1) handshake and will reject connections from
           clients requesting SSLv2. This is compliant to RFC6176 which prohibits the usage of
           SSLv2. If you wish to accept SSLv2, use --default instead.

       --ssh target address
           Interface and port on which to forward SSH connections, typically localhost:22.

       --openvpn target address
           Interface and port on which to forward OpenVPN connections, typically localhost:1194.

       --xmpp target address
           Interface and port on which to forward XMPP connections, typically localhost:5222.

       --http target address
           Interface and port on which to forward HTTP connections, typically localhost:80.

       --tinc target address
           Interface and port on which to forward tinc connections, typically localhost:655.

           This is experimental. If you use this feature, please report the results (even if it
           works!)

       --anyprot target address
           Interface and port on which to forward if no other protocol has been found. Because
           sslh tries protocols in the order specified on the command line, this should be
           specified last. If no default is specified, sslh will forward unknown protocols to the
           first protocol specified.

       -v, --verbose
           Increase verboseness.

       -n, --numeric
           Do not attempt to resolve hostnames: logs will contain IP addresses. This is mostly
           useful if the system's DNS is slow and running the sslh-select variant, as DNS
           requests will hang all connections.

       -V  Prints sslh version.

       -u username, --user username
           Requires to run under the specified username.

       -P pidfile, --pidfile pidfile
           Specifies a file in which to write the PID of the main server.

       -i, --inetd
           Runs as an inetd server. Options -P (PID file), -p (listen address), -u (user) are
           ignored.

       -f, --foreground
           Runs in foreground. The server will not fork and will remain connected to the
           terminal. Messages normally sent to syslog will also be sent to stderr.

       --background
           Runs in background. This overrides foreground if set in the configuration file (or on
           the command line, but there is no point setting both on the command line unless you
           have a personality disorder).

FILES

       /etc/init.d/sslh
           Start-up script. The standard actions start, stop and restart are supported.

       /etc/default/sslh
           Server configuration. These are environment variables loaded by the start-up script
           and passed to sslh as command-line arguments. Refer to the OPTIONS section for a
           detailed explanation of the variables used by sslh.

SEE ALSO

       Last version available from <http://www.rutschle.net/tech/sslh>, and can be tracked from
       <http://freecode.com/projects/sslh>.

AUTHOR

       Written by Yves Rutschle