SSLH, ssh&co through Proxies

During my internship, I wanted to access my server to continue using IRC in my irssi. For that I need to ssh to libskia.so, but the problem came from the proxy that provides my Internet connection, because it blocks everything except ports 80 and 443.

First thought: easy, I just have to set SSH to listen on port 443!

Problem: we (Piké and I) are running a website with HTTPS enabled, and it's running, of course, on port 443.

From there, I had many solutions. I could put in place a VPN using some option like port-share, but it was a bit heavy for just an SSH connection... Moreover, VPNs are strictly forbidden by the local policy, so it wasn't a really good idea.

I also could have used GoTTY to get a shell in my browser, but I didn't really like this solution, especially for IRC notifications, which are forwarded through screen to my terminal so that I get a little "beep" when someone highlights me.

I finally found a far better solution: SSLH. It's a small SSL multiplexer that, once set to listen on $PUBLIC_IP:443, can forward many protocols to their respective interfaces.

Here is how I call SSLH. You can of course set it in /etc/default/sslh and run it as a daemon.

sslh --user sslh --listen 91.121.195.132:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --openvpn 127.0.0.1:1194

That way, I have SSH, HTTPS, and even OpenVPN that can pass through port 443, and that's very useful when you work behind weird restrictive proxies!
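To show how one port can serve three protocols, here is a simplified first-bytes classifier, added as an illustration and not taken from SSLH's source. The byte signatures, the `classify` and `route` names and the sample payloads are assumptions of this example; the backend addresses are the ones from the command above.

```python
import struct

# Backends from the sslh command line above (--ssh, --ssl, --openvpn).
BACKENDS = {
    "ssh": ("127.0.0.1", 22),
    "ssl": ("127.0.0.1", 443),
    "openvpn": ("127.0.0.1", 1194),
}

def classify(first_bytes: bytes) -> str:
    """Guess the protocol from the first bytes a client sends after connecting."""
    if not first_bytes:
        # A silent client is treated as SSH here: some SSH clients wait for the
        # server banner, and sslh documents a timeout fallback that is usually SSH.
        return "ssh"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"  # SSH identification string, e.g. "SSH-2.0-..."
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # and the handshake message at offset 5 is a ClientHello (0x01).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "ssl"
    # OpenVPN over TCP: 2-byte big-endian length prefix covering the rest of the
    # packet, then a byte whose top 5 bits are the opcode (7 = client hard reset v2).
    if len(first_bytes) >= 3:
        (length,) = struct.unpack(">H", first_bytes[:2])
        if length == len(first_bytes) - 2 and first_bytes[2] >> 3 == 7:
            return "openvpn"
    return "unknown"

def route(first_bytes: bytes):
    """Return the (host, port) backend for a connection, or None if unrecognised."""
    return BACKENDS.get(classify(first_bytes))

# Constructed sample payloads (not captured traffic).
SAMPLE_SSH = b"SSH-2.0-OpenSSH_9.6\r\n"
SAMPLE_TLS = bytes.fromhex("16030100050100000100")
SAMPLE_OPENVPN = struct.pack(">H", 14) + bytes([0x38]) + bytes(8) + b"\x00" + bytes(4)
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"

if __name__ == "__main__":
    for name, data in [("ssh", SAMPLE_SSH), ("tls", SAMPLE_TLS),
                       ("openvpn", SAMPLE_OPENVPN), ("http", SAMPLE_HTTP)]:
        print(name, "->", classify(data), route(data))
```

The same check works from the monitoring side: a connection to port 443 whose first bytes are not a TLS ClientHello stands out immediately.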

Bonus: that works both ways, so when you have a server in a DMZ where, for security reasons, the network admin blocked the SSH port but allowed, say, HTTPS, you can have a direct secure shell with SSLH, without any weird reverse tunnel.