Provided by: sslh_1.9-1_amd64

NAME

       sslh - ssl/ssh multiplexer

SYNOPSIS

       sslh [-t num] [-p listening address [-p listening address ...]] [-l target address for
       SSL] [-s target address for SSH] [-o target address for OpenVPN] [-u username] [-P
       pidfile] [-v] [-i] [-V] [-f] [-n]

DESCRIPTION

       sslh accepts HTTPS, SSH and OpenVPN connections on the same port. This makes it possible
       to connect to an SSH server or an OpenVPN server on port 443 (e.g. from inside a corporate
       firewall, which almost never blocks port 443) while still serving HTTPS on that port.

       The idea is to have sslh listen on the external port 443, accept the incoming connections,
       work out what type of connection each one is, and then forward it to the appropriate server.

   Protocol detection
       The protocol detection is made based on the first bytes sent by the client: SSH
       connections start by identifying each other's versions using clear text "SSH-2.0" strings
       (or equivalent version strings). This is defined in RFC4253, 4.2. Meanwhile, OpenVPN
       clients start with 0x00 0x0D 0x38.

       Additionally, two kinds of SSH clients exist: either the client waits for the server to send
       its version string ("shy" client, which is the case of OpenSSH and PuTTY), or the client
       sends its version first ("bold" client, which is the case of Bitvise Tunnelier and
       ConnectBot).

       sslh waits for some time for the incoming connection to send data. If it stays quiet after
       the timeout period, it is assumed to be a shy SSH client, and is connected to the SSH
       server. Otherwise, sslh reads the first packet the client provides, and connects it to the
       SSH server if it starts with "SSH-", or connects it to the SSL server otherwise.
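       The detection rules described above, re-implemented as a small C function for
       illustration. This is an added example, not sslh's own source: the classify()
       function, the proto enum and the data_received flag (which models the -t timeout
       expiring with nothing read) are hypothetical names, and the sample packets are
       constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result type for the example; not part of sslh. */
enum proto { PROTO_SSH, PROTO_OPENVPN, PROTO_SSL };

/* First bytes an OpenVPN client sends, as stated in the page. */
static const unsigned char OPENVPN_MAGIC[] = { 0x00, 0x0D, 0x38 };

/* Classify a client from the first bytes it sent.
 * data_received == 0 models the timeout case: nothing arrived before
 * the -t timeout expired, so the peer is assumed to be a "shy" SSH
 * client and buf/len are ignored. */
enum proto classify(const unsigned char *buf, size_t len, int data_received)
{
    if (!data_received)
        return PROTO_SSH;
    if (len >= 4 && memcmp(buf, "SSH-", 4) == 0)
        return PROTO_SSH;
    if (len >= sizeof OPENVPN_MAGIC &&
        memcmp(buf, OPENVPN_MAGIC, sizeof OPENVPN_MAGIC) == 0)
        return PROTO_OPENVPN;
    /* SSL is the fallback, not a positive match: any unrecognised
     * traffic is handed to the HTTPS backend, so that backend must be
     * prepared to receive arbitrary bytes. */
    return PROTO_SSL;
}

static const char *proto_name(enum proto p)
{
    switch (p) {
    case PROTO_SSH:     return "ssh";
    case PROTO_OPENVPN: return "openvpn";
    default:            return "ssl";
    }
}

int main(void)
{
    /* Constructed sample first packets. */
    const unsigned char ssh[]  = "SSH-2.0-OpenSSH_5.3\r\n";          /* bold client */
    const unsigned char ovpn[] = { 0x00, 0x0D, 0x38, 0x01, 0x02 };
    const unsigned char tls[]  = { 0x16, 0x03, 0x01, 0x00, 0xA5 };   /* TLS record */

    printf("bold ssh client -> %s\n", proto_name(classify(ssh, sizeof ssh - 1, 1)));
    printf("openvpn client  -> %s\n", proto_name(classify(ovpn, sizeof ovpn, 1)));
    printf("tls client      -> %s\n", proto_name(classify(tls, sizeof tls, 1)));
    printf("shy ssh client  -> %s\n", proto_name(classify(NULL, 0, 0)));
    return 0;
}
```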

   Libwrap support
       One drawback of sslh is that the ssh and httpd servers do not see the original IP address
       of the client anymore, as the connection is forwarded through sslh.  sslh provides enough
       logging to circumvent that problem.  However it is common to limit access to ssh using
       libwrap or tcpd. For this reason, sslh can be compiled to check SSH accesses against SSH
       access lists as defined in /etc/hosts.allow and /etc/hosts.deny.

OPTIONS

       -t num, --timeout num
           Timeout before a connection is considered to be SSH. Default is 2s.

       -p listening address, --listen listening address
           Interface and port on which to listen, e.g. foobar:443, where foobar is the name of an
           interface (typically the IP address on which the Internet connection ends up).

           This can be specified several times to bind sslh to several addresses.

       --ssl target address
           Interface and port on which to forward SSL connections, typically localhost:443.

           Note that you can set sslh to listen on ext_ip:443 and httpd to listen on
           localhost:443: this allows clients inside your network to just connect directly to
           httpd.

       --ssh target address
           Interface and port on which to forward SSH connections, typically localhost:22.

       --openvpn target address
           Interface and port on which to forward OpenVPN connections, typically localhost:1194.

       --tinc target address
           Interface and port on which to forward tinc connections, typically localhost:655.

           This is experimental. If you use this feature, please report the results (even if it
           works!).

       -v, --verbose
           Increase verbosity.

       -n, --numeric
           Do not attempt to resolve hostnames: logs will contain IP addresses. This is mostly
           useful if the system's DNS is slow and running the sslh-select variant, as DNS
           requests will hang all connections.

       -V  Prints sslh version.

       -u username, --user username
           Run under the specified username. Defaults to nobody (which is not perfect
           -- ideally sslh should run under its own UID).

       -P pidfile, --pid-file pidfile
           Specifies the file in which to write the PID of the main server. Defaults to
           /var/run/sslh.pid.

       -i, --inetd
           Runs as an inetd server. Options -P (PID file), -p (listen address), -u (user) are
           ignored.

       -f, --foreground
           Runs in foreground. The server will not fork and will remain connected to the
           terminal. Messages normally sent to syslog will also be sent to stderr.

FILES

       /etc/init.d/sslh
           Start-up script. The standard actions start, stop and restart are supported.

       /etc/default/sslh
           Server configuration. These are environment variables loaded by the start-up script
           and passed to sslh as command-line arguments. Refer to the OPTIONS section for a
           detailed explanation of the variables used by sslh.

SEE ALSO

       The latest version is available from <http://www.rutschle.net/tech/sslh>, and releases can
       be tracked at <http://freshmeat.net/projects/sslh/>.

AUTHOR

       Written by Yves Rutschle