
Accepting SSL and SSH traffic on the same port with sslh

October 12th, 2011

Sometimes you need to SSH to a server, but port 22 is blocked by a firewall in your path. Typically in these situations you can set the sshd service to listen on port 443 and bypass the firewalls, since they generally leave that port open for HTTPS. But what if the same machine also hosts your websites, which need to listen on port 443 for HTTPS traffic? Do you have to choose one or the other – your website running securely or your machine being reachable from behind firewalls?

Fortunately there is a fix for this situation: sslh (http://www.rutschle.net/tech/sslh), written by Yves Rutschle. It is a small unix daemon that listens on a port, works out from the start of each incoming connection whether it is an SSH or an SSL session, and forwards it to the matching service. This way all requests can come in on port 443 and be forwarded to SSH or SSL services as needed. In my configuration I am using CentOS 5.x, sshd running on the standard port 22, and the Nginx web server to handle SSL requests.
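To make the "redirect based on type" idea concrete, here is a minimal demultiplexer written for this article as an added illustration; it is not sslh's own code. It peeks at the first bytes a client sends: an SSH client announces itself with an identification string beginning with "SSH-" (RFC 4253), while a TLS client opens with a ClientHello whose record header starts with content type 0x16 and major version 0x03. A client that sends nothing before the probe timeout is treated as SSH, because many SSH clients wait for the server banner first; that matches sslh's default on-timeout behaviour as I understand it. The backend addresses and the 8443 listen port are assumptions chosen to mirror the init script settings shown later in this post.

```python
"""Minimal sslh-style demultiplexer (added illustration, not sslh's own code)."""
import socket
import threading

# Assumed backends: the same loopback targets the sslh init script forwards to.
BACKENDS = {
    "ssh": ("127.0.0.1", 22),
    "ssl": ("127.0.0.1", 443),
}
PROBE_TIMEOUT = 2.0  # seconds to wait for the client's first bytes


def classify(first_bytes: bytes) -> str:
    """Pick a backend from the client's first bytes.

    - SSH clients send an identification string starting with "SSH-".
    - TLS clients send a ClientHello record: content type 0x16, version 0x03 0xNN.
    - Nothing at all (client waiting for a server banner) is treated as SSH.
    Anything else is reported as "unknown" and dropped by the caller.
    """
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "ssl"
    if not first_bytes:
        return "ssh"
    return "unknown"


def pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then shut both sockets down."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for sock in (src, dst):
            try:
                sock.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle(client: socket.socket) -> None:
    """Probe one accepted connection and splice it to the chosen backend."""
    client.settimeout(PROBE_TIMEOUT)
    try:
        # MSG_PEEK leaves the bytes in the buffer so the backend still receives them.
        first = client.recv(1024, socket.MSG_PEEK)
    except socket.timeout:
        first = b""
    client.settimeout(None)

    proto = classify(first)
    if proto == "unknown":
        client.close()
        return
    backend = socket.create_connection(BACKENDS[proto])
    threading.Thread(target=pipe, args=(client, backend), daemon=True).start()
    threading.Thread(target=pipe, args=(backend, client), daemon=True).start()


def serve(listen_addr=("0.0.0.0", 8443)) -> None:
    """Accept connections forever and hand each one to handle()."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(listen_addr)
        srv.listen(16)
        while True:
            client, _ = srv.accept()
            threading.Thread(target=handle, args=(client,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

One consequence worth knowing before you rely on this layout: because the forwarder opens a fresh connection to the backend, sshd and the web server log 127.0.0.1 as the peer address rather than the real client. sslh in the configuration described here behaves the same way, so anything that keys on the client address in sshd's log (brute-force blockers, for instance) needs to be correlated with sslh's own logging instead.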

Installing sslh

1. Create folders to download and build sslh.

$ mkdir -p sslh/temp

2. Get the latest available sources from http://www.rutschle.net/tech/sslh.shtml:

$ cd sslh && wget http://www.rutschle.net/tech/sslh-1.10-rc1.tar.gz

3. Extract the sources

$ cd temp && gtar -zxf ../sslh-1.10-rc1.tar.gz && cd *

4. Build and install

$ sudo make install

5. Verify binary installed properly

$ ls -l /usr/local/sbin/sslh

6. Copy necessary files

$ sudo cp scripts/etc.rc.d.init.d.sslh.centos /etc/rc.d/init.d/sslh
$ sudo cp scripts/etc.default.sslh /etc/default/sslh  # Optional, only needed if your init script reads /etc/default/sslh


Configuring sslh

1. There is one main file to edit, /etc/rc.d/init.d/sslh, the CentOS service wrapper we copied earlier. Replace:

OPTIONS="-p 0.0.0.0:8443 --ssl 127.0.0.1:443 --ssh 127.0.0.1:22"

with:

OPTIONS="-p my.external-dns.com:443 --ssl 127.0.0.1:443 --ssh 127.0.0.1:22"

where “my.external-dns.com” is the hostname or IP address you will use to connect to your server from outside the network.

2. Add sslh as a service in CentOS and check that run levels 2, 3, 4, and 5 are set to on.

$ sudo /sbin/chkconfig --level 2345 sslh on
$ sudo /sbin/chkconfig --list | grep sslh


Configuring web server

1. Update the web server configuration so its SSL servers listen on localhost:443 instead of *:443. The web server must not bind to all interfaces (0.0.0.0:443); otherwise sslh cannot listen on the my.external-dns.com:443 address.
2. Restart your web server.
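The two settings above have to agree with each other: the sslh OPTIONS line claims my.external-dns.com:443, and the web server must give up the wildcard bind on 443 or one of the two daemons fails to start. The following script is an added check written for this article (not part of sslh or its init scripts) that reads the OPTIONS line from an init script and the listen directives from an nginx config and reports the conflicts this section warns about, plus one more worth catching: a backend address that is not loopback, which would send the forwarded SSH or SSL traffic to another host. The init script and nginx fragments embedded in it are constructed samples.

```python
"""Added configuration check (not part of sslh or the article's scripts):
verify that sslh and nginx do not fight over port 443 and that sslh only
forwards to loopback backends."""
import re
import shlex

# Constructed sample of the OPTIONS line in /etc/rc.d/init.d/sslh after the edit above.
SSLH_INIT_SCRIPT = '''
# chkconfig: 2345 13 87
OPTIONS="-p my.external-dns.com:443 --ssl 127.0.0.1:443 --ssh 127.0.0.1:22"
'''

# Constructed nginx fragments: "before" still binds every interface on 443.
NGINX_BEFORE = '''
server {
    listen 443;
    server_name my.external-dns.com;
    ssl on;
}
'''
NGINX_AFTER = NGINX_BEFORE.replace("listen 443;", "listen 127.0.0.1:443;")

ALL_INTERFACES = {"*", "0.0.0.0", "[::]"}
LOOPBACK = {"127.0.0.1", "localhost"}


def parse_sslh_options(init_script: str) -> dict:
    """Return {"listen": ..., "ssl": ..., "ssh": ...} from the OPTIONS="..." line."""
    match = re.search(r'^\s*OPTIONS="([^"]*)"', init_script, re.MULTILINE)
    if not match:
        raise ValueError("no OPTIONS line found")
    args = iter(shlex.split(match.group(1)))
    names = {"-p": "listen", "--ssl": "ssl", "--ssh": "ssh"}
    found = {}
    for tok in args:
        if tok in names:
            found[names[tok]] = next(args)  # the address follows the flag
    return found


def split_host_port(spec: str):
    """Split 'host:port' or a bare 'port' into (host, port); a bare port means all interfaces."""
    if ":" in spec:
        host, port = spec.rsplit(":", 1)
    else:
        host, port = "*", spec
    return host, int(port)


def nginx_listens(conf: str):
    """Collect (host, port) pairs from every `listen` directive in an nginx config."""
    return [split_host_port(m.group(1))
            for m in re.finditer(r'^\s*listen\s+([^;\s]+)', conf, re.MULTILINE)]


def check_setup(init_script: str, nginx_conf: str) -> list:
    """Return a list of problems; an empty list means sslh and nginx can coexist on 443."""
    opts = parse_sslh_options(init_script)
    _, sslh_port = split_host_port(opts["listen"])
    problems = []
    for host, port in nginx_listens(nginx_conf):
        if port == sslh_port and host in ALL_INTERFACES:
            problems.append(f"nginx listens on all interfaces for port {port}; "
                            f"sslh cannot bind {opts['listen']}")
    for role in ("ssl", "ssh"):
        host, _ = split_host_port(opts[role])
        if host not in LOOPBACK:
            problems.append(f"sslh forwards {role} to {opts[role]}, which is not loopback")
    return problems


if __name__ == "__main__":
    print("before:", check_setup(SSLH_INIT_SCRIPT, NGINX_BEFORE))
    print("after: ", check_setup(SSLH_INIT_SCRIPT, NGINX_AFTER))
```

Run it against your real files by reading them into the two string arguments; an empty list from check_setup() is the state you want before starting sslh.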

Configuring sshd service

* No changes are necessary for sshd to work. We are keeping the default port of 22 available to redirect requests to.

Starting sslh service

1. Check current ports to make sure nothing is already listening on my.external-dns.com:443.

$ sudo lsof -i TCP:443

2. Start sslh service

$ sudo service sslh start

3. Check the status of sslh service

$ sudo service sslh status


Testing

If everything went well, you should now be able to do the following:

  • Access website with https://my.external-dns.com/
  • SSH to the server with
    ssh -p 443 my.external-dns.com
