Having trouble enabling transparent-mode #380

Open
hopperelec opened this issue Apr 28, 2023 · 0 comments
hopperelec commented Apr 28, 2023

Sorry if GitHub Issues aren't a suitable place to ask about this, but I can't find a more suitable place to ask.

I have SSLH working to listen for traffic on 443 and forward it, as appropriate, to Apache (7443) or SSHD (22). However, I currently have transparent-mode off, so any HTTPS requests are showing as coming from 127.0.0.1 in my Apache logs.

I understand enabling transparent-mode is a complex process, but I believe I have the simplest setup for this since everything is on one host. After following all the steps in your guide, SSLH seems to stop picking up on any requests (both HTTPS and SSH; the journal just shows stopping/starting) although it is still listening on 443 so that isn't the issue. Turning transparent-mode back off fixes the issue and the journal shows all the requests and they are successfully forwarded.

SSLH has the following capabilities:
/usr/sbin/sslh = cap_net_bind_service,cap_net_raw+ep

My working DEFAULT_OPTS (I add --transparent):
--user sslh --listen 0.0.0.0:443 --ssh localhost:22 --tls localhost:7443 --pidfile /var/run/sslh/sslh.pid

My ipconfig
>>> sudo iptables -t raw -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             localhost/8

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
>>> sudo iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
CONNMARK   tcp  --  anywhere             anywhere             connmark match  0x1/0xf CONNMARK restore mask 0xf

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  localhost/8          anywhere
>>> sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
CONNMARK   tcp  --  anywhere             anywhere             owner UID match sslh tcp flags:FIN,SYN,RST,ACK/SYN CONNMARK xset 0x1/0xf

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

What might I be doing wrong?
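The posted tables come from `iptables -L` without `-v`, which hides the `! -i lo` / `! -o lo` qualifiers, and they say nothing about the policy route (`ip rule` / `ip route show table 100`) or the `route_localnet` sysctl that the single-host transparent setup in sslh's documentation relies on, so the output alone cannot show whether the plumbing is complete. The checker below is an added example, not code from sslh or from the issue author: it reads `iptables-save`, `ip rule show`, `ip route show table 100` and `sysctl` output as text and reports which of the documented pieces (two anti-martian DROPs, CONNMARK on connections sslh opens, mark restore on non-loopback output, the `fwmark 0x1 lookup 100` rule, the `local default dev lo` route in table 100, and `route_localnet=1`) are missing. The sample inputs are constructed to mirror the tables in this issue; the mark value `0x1`, the routing table id `100` and the user name `sslh` are assumptions taken from the poster's rules and the documentation's defaults.

```python
"""Audit the kernel plumbing sslh --transparent needs when sslh and its
backends (sshd, Apache) share one host.

Added example; not sslh's own code.  Inputs are plain text in the formats of
`iptables-save`, `ip rule show`, `ip route show table <id>` and `sysctl`.
"""
import re
from collections import defaultdict

# Required iptables rules: (table, chain, tokens that must all occur in one
# rule line).  iptables-save prints a normalised form (0x01/0x0f becomes
# 0x1/0xf), so token matching survives how the rule was originally typed.
# Note: iptables-save may print --uid-owner as a numeric uid; adjust SSLH_USER
# to that uid if your output shows a number instead of a name (assumption).
SSLH_USER = "sslh"
REQUIRED_RULES = [
    ("raw", "PREROUTING", ["! -i lo", "-d 127.0.0.0/8", "-j DROP"]),
    ("mangle", "POSTROUTING", ["! -o lo", "-s 127.0.0.0/8", "-j DROP"]),
    ("nat", "OUTPUT", [f"--uid-owner {SSLH_USER}", "--tcp-flags FIN,SYN,RST,ACK SYN",
                       "-j CONNMARK", "--set-xmark 0x1/0xf"]),
    ("mangle", "OUTPUT", ["! -o lo", "--mark 0x1/0xf", "-j CONNMARK", "--restore-mark"]),
]


def parse_iptables_save(text):
    """Return {(table, chain): [rule_text, ...]} from iptables-save output."""
    rules = defaultdict(list)
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):            # "*raw", "*mangle", "*nat"
            table = line[1:]
        elif line.startswith("-A ") and table:
            _, chain, rest = line.split(" ", 2)
            rules[(table, chain)].append(rest)
    return rules


def audit(iptables_save, ip_rule, ip_route_table, sysctl, mark="0x1", table_id="100"):
    """Return a list of human-readable findings; an empty list means complete."""
    findings = []
    rules = parse_iptables_save(iptables_save)
    for table, chain, tokens in REQUIRED_RULES:
        if not any(all(t in r for t in tokens) for r in rules.get((table, chain), [])):
            findings.append(f"{table}/{chain}: no rule matching: {' '.join(tokens)}")
    # Marked reply packets must be policy-routed back to lo instead of the
    # default route, where the POSTROUTING DROP would discard them.
    if not re.search(rf"fwmark {mark}\b.*lookup {table_id}", ip_rule):
        findings.append(f"ip rule: no 'fwmark {mark} lookup {table_id}' entry")
    if not re.search(r"^local (default|0\.0\.0\.0/0) dev lo", ip_route_table, re.M):
        findings.append(f"ip route table {table_id}: no 'local default dev lo' route")
    # route_localnet lets 127.0.0.0/8 be used as a routable destination.
    for key in ("net.ipv4.conf.all.route_localnet",
                "net.ipv4.conf.default.route_localnet"):
        m = re.search(rf"^{re.escape(key)}\s*=\s*(\d)", sysctl, re.M)
        if not m or m.group(1) != "1":
            findings.append(f"sysctl: {key} is not 1")
    return findings


# --- Constructed samples (mirroring the issue's tables, not captured output) ---
SAMPLE_IPTABLES_SAVE = """\
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
COMMIT
*mangle
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT ! -o lo -p tcp -m connmark --mark 0x1/0xf -j CONNMARK --restore-mark --nfmask 0xf --ctmask 0xf
-A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m owner --uid-owner sslh -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x1/0xf
COMMIT
"""
RULE_OK = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1 lookup 100\n32766:\tfrom all lookup main\n"
RULE_MISSING = "0:\tfrom all lookup local\n32766:\tfrom all lookup main\n32767:\tfrom all lookup default\n"
ROUTE_OK = "local default dev lo scope host\n"
ROUTE_MISSING = ""                         # `ip route show table 100` prints nothing
SYSCTL_OK = "net.ipv4.conf.all.route_localnet = 1\nnet.ipv4.conf.default.route_localnet = 1\n"
SYSCTL_OFF = "net.ipv4.conf.all.route_localnet = 0\nnet.ipv4.conf.default.route_localnet = 0\n"


def demo():
    """Run the audit on a complete and on an incomplete constructed setup."""
    return (audit(SAMPLE_IPTABLES_SAVE, RULE_OK, ROUTE_OK, SYSCTL_OK),
            audit(SAMPLE_IPTABLES_SAVE, RULE_MISSING, ROUTE_MISSING, SYSCTL_OFF))


if __name__ == "__main__":
    complete, incomplete = demo()
    print("complete setup:", complete or "no findings")
    print("incomplete setup:")
    for f in incomplete:
        print("  -", f)
```

On a live host, feed it `sudo iptables-save`, `ip rule show`, `ip route show table 100` and `sysctl net.ipv4.conf.all.route_localnet net.ipv4.conf.default.route_localnet`; any finding names the piece whose absence would leave sslh's loopback-bound, client-sourced packets with nowhere to go.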
