SSLH automatically exits (or does not start) #347

Closed
mxmvncnt opened this issue Aug 29, 2022 · 21 comments

Comments

@mxmvncnt

Hello,

I am trying to set up SSLH on my Ubuntu 22.04.1 server to use ports 443 and 80 with XMPP to bypass restrictive firewalls, as well as a web server, but I am having a lot of trouble. Initially, nothing worked: the program started and the ports all looked good, SSLH was listening on the host's IP, and the rest were listening on 127.0.0.1 on their respective ports. I suspected that is because the version in the Debian repos is, expectedly, 4 years out of date... So I checked the GitHub tags and saw there was a much newer release, so I tried that and compiled it; the version is good, and the configs seem to work as there are no errors.

Here are my configuration files.

/etc/sslh.cfg. This one is from the Debian.org page explaining how to use the Prosody XMPP server.

ubuntu@ubuntu-24go:~$ cat /etc/sslh.cfg 
verbose: 1;
foreground: false;
inetd: false;
numeric: false;
transparent: false;
timeout: 2;
user: "nobody";
#pidfile: "/var/run/sslh/sslh.pid";

listen:
(
{ host: ""; port: "443"; }
);

protocols:
(
{ name: "tls"; host: "localhost"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; log_level: 0;},
{ name: "tls"; host: "localhost"; port: "443";},
{ name: "xmpp"; host: "localhost"; port: "5222"; },
{ name: "timeout"; host: "localhost"; port: "443";}
);

on-timeout: "timeout";

/etc/default/sslh

ubuntu@ubuntu-24go:~$ cat /etc/default/sslh 
RUN=yes
DAEMON=/usr/local/sbin/sslh
DAEMON_OPTS="-F /etc/sslh.cfg" 

/etc/nginx/sites-available/

ubuntu@ubuntu-24go:~$ cat /etc/nginx/sites-available/
server {
	if ($host = ) {
		return 301 https://$host$request_uri;
	} # managed by Certbot
listen 80 ;
listen [::]:80 ;

root /var/www/html;

index index.html;
server_name <my.cool.site>; 

location / {
	try_files $uri $uri/ =404;
}

}

server {
root /var/www/html;
index index.html;
server_name <my.cool.site>;

location / {
	try_files $uri $uri/ =404;
}

listen [::1]:443 ssl;
listen 127.0.0.1:443 ssl;

    (here would be the SSL certificates managed by certbot)

}

So that is where I am at. For now, the only way to make my website work is by disabling SSLH and making Nginx listen to port 443 on the normal address. Would really love this setup to work as my school blocks the ports used by XMPP...

p.s. sorry if this does not belong here, it may be an Nginx issue, but I cannot really diagnose stuff since everything is all in green and says it works.

@licaon-kter
Contributor

nginx should use a different port like 8443 in sites-available.

And in sslh.cfg modify to point to that port.

@mxmvncnt
Author

mxmvncnt commented Aug 29, 2022

nginx should use a different port like 8443 in sites-available.

And in sslh.cfg modify to point to that port.

Hi, thank you for your answer; unfortunately that too does not seem to work... I changed the ports in sslh.cfg in the "protocols" section. When running netstat, here is what I get. I think this configuration should work, but when navigating to my website it does not load.

sudo netstat -ntpl4 | grep -E "nginx|443|lua"

tcp        0      0 0.0.0.0:80                0.0.0.0:*               LISTEN      4479/nginx: master  
tcp        0      0 0.0.0.0:5000              0.0.0.0:*               LISTEN      942/lua             
tcp        0      0 <serv. ext. ip>:443       0.0.0.0:*               LISTEN      4473/usr/local/sbin 
tcp        0      0 0.0.0.0:5222              0.0.0.0:*               LISTEN      942/lua             
tcp        0      0 0.0.0.0:5269              0.0.0.0:*               LISTEN      942/lua             
tcp        0      0 0.0.0.0:5281              0.0.0.0:*               LISTEN      942/lua             
tcp        0      0 127.0.0.1:5280            0.0.0.0:*               LISTEN      942/lua             
tcp        0      0 127.0.0.1:8443            0.0.0.0:*               LISTEN      4479/nginx: master  

@licaon-kter
Contributor

What does systemctl status sslh output?

@mxmvncnt
Author

mxmvncnt commented Aug 29, 2022

systemctl status sslh

From what I understand, it also looks fine.
In the meantime I tried your prior suggestion with my nginx file but not on localhost; that did not work, so I switched it back.

ubuntu@ubuntu-24go:~$ systemctl status sslh

● sslh.service - LSB: sslh proxy ssl & ssh connections
     Loaded: loaded (/etc/init.d/sslh; generated)
     Active: active (running) since Mon 2022-08-29 09:50:21 EDT; 1s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 4594 ExecStart=/etc/init.d/sslh start (code=exited, status=0/SUCCESS)
      Tasks: 2 (limit: 28701)
     Memory: 376.0K
        CPU: 5ms
     CGroup: /system.slice/sslh.service
             ├─4596 usr/local/sbin/sslh -F/etc/sslh.cfg
             └─4598 usr/local/sbin/sslh -F/etc/sslh.cfg

Aug 29 09:50:21 ubuntu-24go sslh[4595]: xmpp addr: localhost:xmpp-client. libwrap service: (null) log_level: 1 family 2 2 [] [] []
Aug 29 09:50:21 ubuntu-24go sslh[4595]: timeout addr: localhost:8443. libwrap service: (null) log_level: 1 family 2 2 [] [] []
Aug 29 09:50:21 ubuntu-24go sslh[4595]: timeout: 2
Aug 29 09:50:21 ubuntu-24go sslh[4595]: on-timeout: timeout
Aug 29 09:50:21 ubuntu-24go sslh[4595]: Listening to:
Aug 29 09:50:21 ubuntu-24go sslh[4595]: 3:        <external_ip>:https        [] []
Aug 29 09:50:21 ubuntu-24go sslh[4596]: sslh-fork 1.22c started
Aug 29 09:50:21 ubuntu-24go sslh[4596]: turning into nobody
Aug 29 09:50:21 ubuntu-24go sslh[4597]: Started sslh
Aug 29 09:50:21 ubuntu-24go systemd[1]: Started LSB: sslh proxy ssl & ssh connections.

@utoni
Contributor

utoni commented Aug 29, 2022

What's the output of journalctl -u sslh.service ?

@mxmvncnt
Author

What's the output of journalctl -u sslh.service ?

The output is very long. Yesterday it looks like I had silent issues, but there were so many that I could not get to today's.

Aug 28 15:46:35 ubuntu-24go sslh[68672]: tls:connection from localhost:55782 to localhost:https forwarded from localhost:56104 to localhost:https
Aug 28 15:46:35 ubuntu-24go sslh[68667]: timeout:connection from localhost:55546 to localhost:https forwarded from localhost:56142 to localhost:https
Aug 28 15:46:35 ubuntu-24go sslh[68675]: tls:connection from localhost:56104 to localhost:https forwarded from localhost:56158 to localhost:https
Aug 28 15:46:35 ubuntu-24go sslh[68676]: timeout:connection from localhost:56142 to localhost:https forwarded from localhost:56168 to localhost:https
Aug 28 15:46:35 ubuntu-24go sslh[68664]: tls:connection from localhost:55436 to localhost:https forwarded from localhost:56206 to localhost:https
Aug 28 15:46:35 ubuntu-24go sslh[68677]: tls:connection from localhost:56158 to localhost:https forwarded from localhost:56258 to localhost:https

@utoni
Contributor

utoni commented Aug 29, 2022

Houston, we have a connection loop:

Aug 28 15:46:35 ubuntu-24go sslh[68672]: tls:connection from localhost:55782 to localhost:https forwarded from localhost:56104 to localhost:https
Aug 28 15:46:35 ubuntu-24go sslh[68675]: tls:connection from localhost:56104 to localhost:https forwarded from localhost:56158 to localhost:https
Aug 28 15:46:35 ubuntu-24go sslh[68677]: tls:connection from localhost:56158 to localhost:https forwarded from localhost:56258 to localhost:https
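
A small detector for the pattern utoni points out, added here as an illustration and not part of the sslh project or of anyone's post in this thread: it parses sslh's `proto:connection from A to B forwarded from C to D` log lines and reports chains where the source of one accepted connection is the outbound leg of an earlier forward, which means the forward target routed straight back into sslh. The six journalctl lines quoted above are embedded as the sample input.

```python
import re
from typing import Dict, List, Optional

# One sslh verbose-log record: "<proto>:connection from <src> to <dst> forwarded from <fsrc> to <fdst>"
LINE_RE = re.compile(
    r"(?P<proto>\w+):connection from (?P<src>\S+) to (?P<dst>\S+) "
    r"forwarded from (?P<fsrc>\S+) to (?P<fdst>\S+)\s*$"
)

# Sample input: the journalctl lines quoted earlier in this thread, copied as logged.
SAMPLE_LOG = """\
Aug 28 15:46:35 ubuntu-24go sslh[68672]: tls:connection from localhost:55782 to localhost:https forwarded from localhost:56104 to localhost:https
Aug 28 15:46:35 ubuntu-24go sslh[68667]: timeout:connection from localhost:55546 to localhost:https forwarded from localhost:56142 to localhost:https
Aug 28 15:46:35 ubuntu-24go sslh[68675]: tls:connection from localhost:56104 to localhost:https forwarded from localhost:56158 to localhost:https
Aug 28 15:46:35 ubuntu-24go sslh[68676]: timeout:connection from localhost:56142 to localhost:https forwarded from localhost:56168 to localhost:https
Aug 28 15:46:35 ubuntu-24go sslh[68664]: tls:connection from localhost:55436 to localhost:https forwarded from localhost:56206 to localhost:https
Aug 28 15:46:35 ubuntu-24go sslh[68677]: tls:connection from localhost:56158 to localhost:https forwarded from localhost:56258 to localhost:https
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the connection fields of one log line, or None for lines that are not forwards."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def find_loops(lines) -> List[List[str]]:
    """Return every chain of 3+ endpoints in which sslh accepted its own outbound connection.

    A healthy forward is a chain of two endpoints (client -> sslh's outbound socket).
    If that outbound socket (fsrc) reappears as the src of another accept, the forward
    target led back into sslh's own listener: that is the loop.
    """
    hops = [h for h in map(parse_line, lines) if h]
    by_src = {h["src"]: h for h in hops}
    outbound = {h["fsrc"] for h in hops}
    chains: List[List[str]] = []
    for head in hops:
        if head["src"] in outbound:
            continue  # not a chain head: this accept was itself produced by a forward
        chain = [head["src"]]
        cur: Optional[Dict[str, str]] = head
        while cur is not None and cur["fsrc"] not in chain:  # guard against ephemeral-port reuse
            chain.append(cur["fsrc"])
            cur = by_src.get(cur["fsrc"])
        if len(chain) > 2:
            chains.append(chain)
    return chains


if __name__ == "__main__":
    for chain in find_loops(SAMPLE_LOG.splitlines()):
        print("loop:", " -> ".join(chain))
```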

@mxmvncnt
Author

Houston, we have a connection loop:

Aug 28 15:46:35 ubuntu-24go sslh[68672]: tls:connection from localhost:55782 to localhost:https forwarded from localhost:56104 to localhost:https
Aug 28 15:46:35 ubuntu-24go sslh[68675]: tls:connection from localhost:56104 to localhost:https forwarded from localhost:56158 to localhost:https
Aug 28 15:46:35 ubuntu-24go sslh[68677]: tls:connection from localhost:56158 to localhost:https forwarded from localhost:56258 to localhost:https

Does that mean that my nginx listens to sslh and vice versa? So my configurations are wrong then, but I can't figure out what or why.

@utoni
Contributor

utoni commented Aug 29, 2022

Try:

listen:
(
{ host: ""; port: "443"; }
);
protocols:
(
{ name: "tls"; host: "localhost"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; log_level: 0;},
{ name: "tls"; host: "localhost"; port: "8443";},
{ name: "xmpp";    host: "localhost"; port: "5222"; },
{ name: "timeout"; host: "localhost"; port: "8443";}
);
on-timeout: "timeout";

Instead of:

listen:
(
{ host: ""; port: "443"; }
);
protocols:
(
{ name: "tls"; host: "localhost"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; log_level: 0;},
{ name: "tls"; host: "localhost"; port: "443";},
{ name: "xmpp"; host: "localhost"; port: "5222"; },
{ name: "timeout"; host: "localhost"; port: "443";}
);
on-timeout: "timeout";

@mxmvncnt
Author

mxmvncnt commented Aug 29, 2022

Try:

listen:
(
{ host: ""; port: "443"; }
);
protocols:
(
{ name: "tls"; host: "localhost"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; log_level: 0;},
{ name: "tls"; host: "localhost"; port: "8443";},
{ name: "xmpp";    host: "localhost"; port: "5222"; },
{ name: "timeout"; host: "localhost"; port: "8443";}
);
on-timeout: "timeout";

That does not seem to work either; it still does not work, and without any errors. My site is unreachable.

When running journalctl -fu sslh.service, to get the end of the logfile this is what I get:

ubuntu@ubuntu-24go:~$ journalctl -fu sslh.service 
Aug 29 12:36:25 ubuntu-24go sslh[5650]: xmpp addr: localhost:xmpp-client. libwrap service: (null) log_level: 1 family 2 2 [] [] []
Aug 29 12:36:25 ubuntu-24go sslh[5650]: timeout addr: localhost:8443. libwrap service: (null) log_level: 1 family 2 2 [] [] []
Aug 29 12:36:25 ubuntu-24go sslh[5650]: timeout: 2
Aug 29 12:36:25 ubuntu-24go sslh[5650]: on-timeout: timeout
Aug 29 12:36:25 ubuntu-24go sslh[5650]: Listening to:
Aug 29 12:36:25 ubuntu-24go sslh[5650]: 3:        <external_ip>:https        [] []
Aug 29 12:36:25 ubuntu-24go sslh[5653]: Started sslh
Aug 29 12:36:25 ubuntu-24go systemd[1]: Started LSB: sslh proxy ssl & ssh connections.
Aug 29 12:36:25 ubuntu-24go sslh[5652]: turning into nobody
Aug 29 12:36:25 ubuntu-24go sslh[5652]: sslh-fork 1.22c started

Tried your proposed config and changing my nginx/sites-available to these 4, but none worked:

* `listen localhost:8443 ssl;`
* `listen localhost:443 ssl;`
* `listen 8443 ssl;`
* `listen 443 ssl;` (this one expectedly has conflicts)

@utoni
Contributor

utoni commented Aug 29, 2022

Tried your proposed config and changing my nginx/sites-available to these 4, but none worked:

* `listen localhost:8443 ssl;` 
* `listen localhost:443 ssl;`
* `listen 8443 ssl;`
* `listen 443 ssl;` (this one expectedly has conflicts)

Yes, tcp port server_ip:443 is already used by sslh.
Did you try to manually run sslh in the foreground with: /usr/local/sbin/sslh -F/etc/sslh.cfg -f -v3 ?

@mxmvncnt
Author

Yes, tcp port server_ip:443 is already used by sslh. Did you try to manually run sslh in the foreground with: /usr/local/sbin/sslh -F/etc/sslh.cfg -f -v3 ?

Hi, yes, I tried this, but it seems it closes immediately, as it does not stay open. Right after typing that command, it shows some info, but it closes and I can type regular commands again.

ubuntu@ubuntu-24go:~$ /usr/local/sbin/sslh -F/etc/sslh.cfg -f -v3
tls addr: localhost:5223. libwrap service: (null) log_level: 0 family 2 2 [] [] []
tls addr: localhost:8443. libwrap service: (null) log_level: 1 family 2 2 [] [] []
xmpp addr: localhost:xmpp-client. libwrap service: (null) log_level: 1 family 2 2 [] [] []
timeout addr: localhost:8443. libwrap service: (null) log_level: 1 family 2 2 [] [] []
timeout: 2
on-timeout: timeout
Listening to:
<external_ip>:https:bind: Success
ubuntu@ubuntu-24go:~$ 

@utoni
Contributor

utoni commented Aug 29, 2022

Now we're talking. There are two issues here.

  1. bind() fails
  2. check_res_dump() should save errno before calling any other libc function

Please disable all other tcp port 443 listeners and try again.

@mxmvncnt
Author

Now we're talking. There are two issues here.

1. `bind()` fails

2. `check_res_dump()` should save errno before calling any other libc function

Please disable all other tcp port 443 listeners and try again.

I should disable everything that listens on port 443 except sslh then? Normally that's already the case, as nginx is on port 8443 on localhost and SSLH is listening on port 443 on the external IP.

ubuntu@ubuntu-24go:~$ sudo netstat -ntpl4 | grep -E "443"
tcp        0      0 <external_ip>:443      0.0.0.0:*               LISTEN      5811/usr/local/sbin 
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      5815/nginx: master 

@utoni
Contributor

utoni commented Aug 30, 2022

Did you try to run sslh as root since 443 is a privileged port?

@AntonOfTheWoods

@Adaoh2 , would you mind letting us know how you compiled and what libraries you installed? I am also trying and failing to compile and run on Ubuntu 22.04.1, but with a different error message.

@mxmvncnt
Author

Did you try to run sslh as root since 443 is a privileged port?

I did not try that, but even when changing the user in my .cfg to root, it does not seem to work.

@mxmvncnt
Author

mxmvncnt commented Aug 30, 2022

@Adaoh2 , would you mind letting us know how you compiled and what libraries you installed? I am also trying and failing to compile and run on Ubuntu 22.04.1, but with a different error message.

To compile I simply followed the build from source instructions, I only needed to install libpcre2-dev instead of the one that was in the guide as I think it is no longer in the repos. After that the compilation went fine. Maybe you could add your error message here?

@AntonOfTheWoods

Maybe you could add your error message here?

#346

@mxmvncnt
Author

mxmvncnt commented Sep 3, 2022

Oh well, it turns out that everything was fine, no bugs or anything, just that I was listening on my external IP instead of the internal IP of the server (you can see this with the ifconfig command). Maybe that is due to Oracle being weird, or this is the case for every server. Sorry for the trouble caused; at least I learned something new and I hope someone can find this and figure out their issue.

Also, a quick notice in the systemctl status text to notify that the address listed in ifconfig should be the one to use would be helpful for beginners like me. Maybe something to add!
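
The two findings in this thread, utoni's point that bind() fails while the logger prints "Success" because errno was overwritten before it was read, and the resolution that the listen address was the NAT'd public IP rather than the server's own interface address, reduce to one check: can the configured listen host actually be bound on this machine? The probe below is an added example, not sslh code or anyone's post here: it attempts the same bind() sslh performs and records the errno at the failing call itself. 203.0.113.10 is a constructed stand-in for a cloud instance's public address that is not assigned to any local interface; the private address shown by ifconfig, or an empty host meaning all interfaces, is what belongs in `listen`.

```python
import errno
import socket
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class BindResult:
    host: str
    port: int
    ok: bool
    error: Optional[str]  # errno name such as "EADDRNOTAVAIL", captured at the failing bind()


def probe_bind(host: str, port: int) -> BindResult:
    """Try to bind a TCP IPv4 listener to host:port and report the exact errno.

    The socket is closed right away; nothing is left listening. Port 0 lets the kernel
    pick a free port, so the probe tests only whether the address itself is bindable.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((host, port))
        return BindResult(host, port, True, None)
    except OSError as exc:
        # errno is read here, before any other call could clobber it; a C logger that
        # formats the address first and calls strerror(errno) afterwards can print "Success".
        name = errno.errorcode.get(exc.errno, f"errno {exc.errno}")
        return BindResult(host, port, False, name)
    finally:
        sock.close()


def probe_candidates(hosts: Iterable[str], port: int) -> Dict[str, BindResult]:
    """Probe several candidate listen hosts for the same port and return each result by host."""
    return {h: probe_bind(h, port) for h in hosts}


if __name__ == "__main__":
    # Constructed candidates: all interfaces, loopback, and a public address that is not local.
    for r in probe_candidates(["0.0.0.0", "127.0.0.1", "203.0.113.10"], 0).values():
        print(f"{r.host}:{r.port} -> {'bindable' if r.ok else r.error}")
```

On a cloud instance behind 1:1 NAT the public address returns EADDRNOTAVAIL while the interface address from ifconfig binds, which is exactly the difference the closing comment describes.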

@mxmvncnt mxmvncnt closed this as completed Sep 3, 2022
@AntonOfTheWoods

@Adaoh2 , the docs definitely need some work. I will try and spend quite a bit of time in a couple of weeks when I get a moment. Please leave any suggestions on the ticket I opened! #350

@mxmvncnt mxmvncnt changed the title SSLH automatically exists (or does not start) SSLH automatically exits (or does not start) Mar 19, 2023