sslh - protocol demultiplexer
sslh [ -F config file ] [ -t num ] [ -p listening address ...] [ --ssl target address for SSL ] [ --ssh target address for SSH ] [ --openvpn target address for OpenVPN ] [ --http target address for HTTP ] [ --anyprot default target address ] [ -u username ] [ -P pidfile ] [-v] [-i] [-V] [-f] [-n]
sslh accepts connections on the specified ports and forwards them on,
based on tests performed on the first data packet sent by the remote client.
Probes for HTTP, SSL, SSH, OpenVPN, tinc and XMPP are implemented, and any
other protocol that can be tested with a regular expression can be recognised.
A typical use case is to serve several services on port 443 (e.g. to connect
to ssh from inside a corporate firewall, which almost never blocks port 443)
while still serving HTTPS on that port.
sslh therefore acts as a protocol demultiplexer, or a switchboard. Its name
comes from its original function: serving SSH and HTTPS on the same port.
One drawback of sslh is that the servers no longer see the original IP
address of the client, as the connection is forwarded through sslh: to the
backend, every connection appears to come from the host running sslh, so any
source-address filtering or rate-limiting done by the backend itself can no
longer tell clients apart. For this reason, sslh can be compiled with
libwrap, so that the access rules defined in /etc/hosts.allow (and
/etc/hosts.deny) are applied by sslh itself, before the connection is
forwarded. Libwrap services can be defined using the configuration file. The
other way around the problem is the transparent proxy mode described below.
A configuration file can be supplied to sslh. Command line arguments
override file settings. sslh uses an external configuration library to parse
the file, so the general file format is the one described in that library's
documentation; refer to the example configuration file provided with sslh
for the specific format (options have the same names as on the command line,
except for the list of listen ports and the list of protocols).
The configuration file also makes it possible to specify protocols using
regular expressions: a list of regular expressions is given as a parameter of
the protocol definition, and if the first packet received from the client
matches any of these expressions, sslh connects to that protocol's target.
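The configuration described above, as an added example that is not part of sslh or of this man page: a constructed configuration file together with a POSIX shell check for the two mistakes the text warns about, a catch-all protocol that is not listed last and a timeout protocol that is not defined. The key names listen, protocols, name, host, port, regex_patterns, timeout and on_timeout follow the example configuration file shipped with sslh and are assumptions here; compare them against the example file of the version you run.

```shell
#!/bin/sh
# Added example, not sslh's own code or configuration. Writes a constructed
# sslh configuration and lints the protocol list. Key names are assumed to
# match the example file shipped with sslh.

good=$(mktemp)
bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT

cat >"$good" <<'EOF'
# constructed example: options use the command-line names
user: "nobody";
pidfile: "/var/run/sslh.pid";
timeout: 2;
on_timeout: "ssh";

listen:
(
    { host: "203.0.113.10"; port: "443"; }
);

# probed in this order; anyprot must stay last
protocols:
(
    { name: "ssh";     host: "localhost"; port: "22"; },
    { name: "openvpn"; host: "localhost"; port: "1194"; },
    { name: "xmpp";    host: "localhost"; port: "5222"; },
    { name: "http";    host: "localhost"; port: "80"; },
    { name: "ssl";     host: "localhost"; port: "443"; },
    # any protocol whose first packet matches one of these regular expressions
    { name: "regex";   host: "localhost"; port: "8080"; regex_patterns: [ "^MYPROTO/1" ]; },
    { name: "anyprot"; host: "localhost"; port: "443"; }
);
EOF

# Same mistake as "--anyprot ... --ssh ..." on the command line, plus a typo
# in the timeout protocol name.
cat >"$bad" <<'EOF'
on_timeout: "sshd";
protocols:
(
    { name: "anyprot"; host: "localhost"; port: "443"; },
    { name: "ssh";     host: "localhost"; port: "22"; }
);
EOF

# lint_sslh_cfg FILE: exit 0 if the protocol order and the timeout protocol
# are sane, 1 otherwise (reasons on stderr). Only name:/on_timeout: lines are
# read, so this is a sanity check, not a full parser of the file format.
lint_sslh_cfg() {
    cfg=$1
    status=0
    # protocol names in file order (listen entries carry no name key)
    names=$(sed -n 's/.*name: *"\([^"]*\)".*/\1/p' "$cfg")
    last=$(printf '%s\n' "$names" | tail -n 1)
    if printf '%s\n' "$names" | grep -qx anyprot && [ "$last" != anyprot ]; then
        echo "$cfg: anyprot is not last; protocols after it are never tried" >&2
        status=1
    fi
    timeout_proto=$(sed -n 's/^on_timeout: *"\([^"]*\)".*/\1/p' "$cfg")
    if [ -n "$timeout_proto" ] && ! printf '%s\n' "$names" | grep -qx "$timeout_proto"; then
        echo "$cfg: on_timeout refers to undefined protocol \"$timeout_proto\"" >&2
        status=1
    fi
    return $status
}

lint_sslh_cfg "$good" && echo "$good: ok"
lint_sslh_cfg "$bad" || echo "$bad: rejected"
```

Run it before deploying a new configuration; the check is deliberately narrow (two invariants, read with sed) so it can be dropped into a start-up script without depending on the configuration library itself.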
When receiving an incoming connection, sslh reads the first bytes sent by
the connecting client. It then probes for the protocol in the order specified
on the command line (or in the configuration file), and the first probe that
succeeds decides where the connection is forwarded. Therefore anyprot should
always be used last, as it always succeeds and protocols listed after it will
never be tried.
If no data is sent by the client, sslh will eventually time out and connect
to the protocol specified with --on-timeout, or ssh if none is specified.
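The probe loop just described, as an added example that is not part of sslh or of this man page: a POSIX shell model of the first-packet tests, written to show what happens when probe order changes and when the client stays silent. The three probes are simplified stand-ins for sslh's built-in ones (the real probes check more than a prefix), the sample packets are constructed, and the protocol names are the ones used by the options below.

```shell
#!/bin/sh
# Added example, not code from sslh: a small model of the probe loop, so the
# effect of probe order (and of placing anyprot anywhere but last) can be seen
# without a running server. Probes are simplified approximations, not sslh's.

# Each probe gets the first bytes of the connection as a lower-case hex string
# and succeeds (exit 0) on a match.
probe_ssh()  { case "$1" in 5353482d*)   return 0 ;; esac; return 1; }  # "SSH-" banner
probe_ssl()  { case "$1" in 16030[0-3]*) return 0 ;; esac; return 1; }  # TLS handshake record, version 3.0-3.3
probe_http() {
    # "GET ", "POST ", "HEAD ", "PUT ", "OPTIONS ", "DELETE " as ASCII hex
    case "$1" in
        47455420*|504f535420*|4845414420*|50555420*|4f5054494f4e5320*|44454c45544520*) return 0 ;;
    esac
    return 1
}
probe_anyprot() { return 0; }  # always succeeds, so anything listed after it is dead

# demux "PROTO PROTO ..." [TIMEOUT_PROTO] < first-bytes
# Prints the protocol the connection would be forwarded to.
demux() {
    order=$1
    on_timeout=${2:-ssh}   # sslh's default for --on-timeout
    hex=$(od -An -v -tx1 | tr -d ' \n')
    if [ -z "$hex" ]; then
        # client sent nothing before the timeout: use the --on-timeout protocol
        echo "$on_timeout"
        return 0
    fi
    for proto in $order; do
        if "probe_$proto" "$hex"; then
            echo "$proto"
            return 0
        fi
    done
    # nothing matched and no anyprot configured: the first protocol gets it
    echo "${order%% *}"
}

# Demonstration with a constructed HTTP request: anyprot last, then misplaced.
printf 'GET / HTTP/1.1\r\n' | demux "ssl ssh http anyprot"   # http
printf 'GET / HTTP/1.1\r\n' | demux "ssl anyprot ssh http"   # anyprot: http is never tried
```

To feed it real traffic, capture the first bytes a client sends (for instance with tcpdump and od) and pipe them into demux with the protocol order you intend to configure; an unexpected answer usually means the order, not the probe, is wrong.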
As a security/authorization program, sslh
logs to the LOG_AUTH facility,
with priority LOG_INFO for normal connections and LOG_ERR for failures.
- -F filename, --config filename
- Uses filename as the configuration file. If other command-line options are
specified, they override the configuration file's settings.
- -t num, --timeout num
- Timeout before forwarding the connection to the timeout
protocol (which should usually be SSH). Default is 2s.
- --on-timeout protocol name
- Name of the protocol to connect to after the timeout period
is over. Default is 'ssh'.
- Makes sslh behave as a transparent proxy, i.e. the receiving service sees
the original client's IP address. This works on Linux only and involves
iptables settings: since the backend then answers to the client's address,
the host must route those replies back through sslh. Refer to the README for
details.
- -p listening address, --listen listening address
- Interface and port on which to listen, e.g. foobar:443, where foobar is the
name of an interface (typically the IP address on which the Internet
connection ends up). This can be specified several times to bind sslh to
several addresses.
- --ssl target address
- --tls target address
- Interface and port on which to forward SSL connections.
Note that you can set sslh to listen on ext_ip:443 and httpd to listen on
localhost:443: this allows clients inside your network to connect directly
to httpd.
Also, sslh probes for an SSLv3 (or TLSv1) handshake and will reject
connections from clients requesting SSLv2. This complies with RFC 6176,
which prohibits the use of SSLv2. If you nevertheless wish to accept SSLv2,
such connections can only reach the server through the catch-all target (see
--anyprot), not through this probe.
- --ssh target address
- Interface and port on which to forward SSH connections.
- --openvpn target address
- Interface and port on which to forward OpenVPN connections.
- --xmpp target address
- Interface and port on which to forward XMPP connections.
- --http target address
- Interface and port on which to forward HTTP connections.
- --tinc target address
- Interface and port on which to forward tinc connections.
This is experimental. If you use this feature, please report the results
(even if it works!)
- --anyprot target address
- Interface and port on which to forward if no other protocol has been
recognised. Because sslh tries protocols in the order specified on the
command line, this should be specified last. If no default is specified,
sslh will forward unknown protocols to the first protocol specified.
- -v, --verbose
- Increase verboseness.
- -n, --numeric
- Do not attempt to resolve hostnames: logs will contain IP addresses. This
is mostly useful if the system's DNS is slow and you are running the
sslh-select variant, as DNS requests will hang all connections.
- -V
- Prints sslh version.
- -u username, --user username
- Runs under the specified username: sslh drops its privileges to that user
once it has started.
- -P pidfile, --pidfile pidfile
- Specifies a file in which to write the PID of the main process.
- -i, --inetd
- Runs as an inetd server. Options -P (PID
file), -p (listen address), -u (user) are ignored.
- -f, --foreground
- Runs in foreground. The server will not fork and will
remain connected to the terminal. Messages normally sent to syslog
will also be sent to stderr.
- Runs in background. This overrides foreground if that is set in the
configuration file (or on the command line, though there is no point in
setting both there).
- Start-up script. The standard actions start,
stop and restart are supported.
- Server configuration. These are environment variables
loaded by the start-up script and passed to sslh as command-line
arguments. Refer to the OPTIONS section for a detailed explanation of the
variables used by sslh.
The latest version is available from <http://www.rutschle.net/tech/sslh>
and can be tracked from <http://freecode.com/projects/sslh>.
Written by Yves Rutschle