SSLH – Share A Same Port For HTTPS And SSH

Some Internet service providers and corporate companies might have blocked most of the ports and allowed only a few specific ports, such as port 80 and 443, to tighten their security. In such cases, we have no choice but to use the same port for multiple programs, say the HTTPS port 443, which is rarely blocked. This is where SSLH, an SSL/SSH multiplexer, comes in handy. It listens for incoming connections on port 443 and forwards each one to the matching service. To put it simply, SSLH allows us to run several programs/services on port 443 on a Linux system, so you can use both SSL and SSH on the same port at the same time. If you have ever been in a situation where most ports are blocked by firewalls, you can use SSLH to access your remote server. This brief tutorial describes how to share the same port for HTTPS and SSH using SSLH on Unix-like operating systems.

SSLH – Share A Same Port For HTTPS, SSH, And OpenVPN

Install SSLH

SSLH is packaged for most Linux distributions, so you can install it using the default package managers.

On Debian, Ubuntu, and derivatives, run:

$ sudo apt-get install sslh

While installing SSLH, you will be prompted to choose whether you want to run sslh as a service from inetd or as a standalone server. Each choice has its own benefits. With only a few connections per day, it is probably better to run sslh from inetd in order to save resources. On the other hand, with many connections, sslh should run as a standalone server to avoid spawning a new process for each incoming connection.

Install sslh

On Arch Linux and derivatives like Antergos, Manjaro Linux, install it using Pacman as shown below.

$ sudo pacman -S sslh

On RHEL and CentOS, you need to add the EPEL repository and then install SSLH as shown below.

$ sudo yum install epel-release
$ sudo yum install sslh

On Fedora:

$ sudo dnf install sslh

If it is not available in the default repositories, you can compile and install SSLH manually as described here.

Configure Apache or Nginx webservers

As you already know, the Apache and Nginx webservers listen on all network interfaces (i.e., 0.0.0.0:443) by default. We need to change this setting so that the webserver listens on the localhost interface only (i.e., 127.0.0.1:443 or localhost:443).

To do so, edit the webserver (nginx or apache) configuration file and find the following line:

listen 443 ssl;

And, change it to:

listen 127.0.0.1:443 ssl;

If you’re using VirtualHosts in Apache, make sure you change that too:

<VirtualHost 127.0.0.1:443>

Save and close the config files. Do not restart the services. We haven’t finished yet.

Configure SSLH

Once you have configured the webservers to listen on the local interface only, edit the SSLH config file:

$ sudo vi /etc/default/sslh

Find the following line:

Run=no

And, change it to:

Run=yes

Then, scroll a little further down and modify the following line so that SSLH listens on port 443 on all available interfaces (e.g., 0.0.0.0:443).

DAEMON_OPTS="--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"

Where,

  • --user sslh : Run sslh under this username.
  • --listen 0.0.0.0:443 : SSLH listens on port 443 on all available interfaces.
  • --ssh 127.0.0.1:22 : Route SSH traffic to port 22 on the localhost.
  • --ssl 127.0.0.1:443 : Route HTTPS/SSL traffic to port 443 on the localhost.
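To make the routing rule behind this configuration concrete, here is an added Python example (not part of the original tutorial and not sslh's own code) that mimics sslh's decision: it parses the DAEMON_OPTS line above, looks at the first bytes a client sends, and picks the backend. The fingerprints (an `SSH-` banner for SSH, a TLS record header `0x16 0x03` for HTTPS) and the fallback to SSH when a client sends nothing before the timeout are assumed from sslh's default behaviour; the function names and the sample bytes are constructed for this example.

```python
import shlex

# Constructed copy of the DAEMON_OPTS value from /etc/default/sslh above.
DAEMON_OPTS = ("--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 "
               "--ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid")


def parse_daemon_opts(opts):
    """Map the --listen/--ssh/--ssl flags to (host, port) tuples."""
    args = shlex.split(opts)
    result = {}
    for i, arg in enumerate(args[:-1]):
        if arg in ("--listen", "--ssh", "--ssl"):
            host, port = args[i + 1].rsplit(":", 1)
            result[arg.lstrip("-")] = (host, int(port))
    return result


def classify(first_bytes, timed_out=False):
    """Guess the protocol from the client's first bytes (hypothetical helper).

    Returns "ssh", "ssl" or None when nothing matches.
    """
    # SSH lets the server speak first, so a client that stays silent until
    # the timeout is assumed (as sslh does by default) to be an SSH client.
    if timed_out:
        return "ssh"
    # An SSH client identification string starts with "SSH-".
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # A TLS ClientHello is a handshake record: type 0x16, version 0x03 0x00-0x03.
    if (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x03):
        return "ssl"
    return None


def route(first_bytes, opts=DAEMON_OPTS, timed_out=False):
    """Return the (host, port) backend a connection would be forwarded to."""
    proto = classify(first_bytes, timed_out)
    if proto is None:
        return None
    return parse_daemon_opts(opts)[proto]


if __name__ == "__main__":
    # Constructed samples: an SSH banner, a TLS 1.x ClientHello header, plain HTTP.
    for sample in (b"SSH-2.0-OpenSSH_7.6p1\r\n", b"\x16\x03\x01\x00\xc8\x01",
                   b"GET / HTTP/1.1\r\n"):
        print(sample[:12], "->", route(sample))
    print(b"<silence>", "->", route(b"", timed_out=True))
```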

Save and close the file.

Finally, enable and start the sslh service to apply the changes.

$ sudo systemctl enable sslh
$ sudo systemctl start sslh

Testing

Check if the SSLH daemon is listening on port 443.

$ ps -ef | grep sslh 
sslh 2746 1 0 15:51 ? 00:00:00 /usr/sbin/sslh --foreground --user sslh --listen 0.0.0.0 443 --ssh 127.0.0.1 22 --ssl 127.0.0.1 443 --pidfile /var/run/sslh/sslh.pid
sslh 2747 2746 0 15:51 ? 00:00:00 /usr/sbin/sslh --foreground --user sslh --listen 0.0.0.0 443 --ssh 127.0.0.1 22 --ssl 127.0.0.1 443 --pidfile /var/run/sslh/sslh.pid
sk 2754 1432 0 15:51 pts/0 00:00:00 grep --color=auto sslh

Now, you can access your remote server via SSH using port 443:

$ ssh -p 443 sk@192.168.225.50

Sample output:

sk@192.168.225.50's password: 
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-55-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Wed Aug 14 13:11:04 IST 2019

System load: 0.23 Processes: 101
Usage of /: 53.5% of 19.56GB Users logged in: 0
Memory usage: 9% IP address for enp0s3: 192.168.225.50
Swap usage: 0% IP address for enp0s8: 192.168.225.51

* Keen to learn Istio? It's included in the single-package MicroK8s.

https://snapcraft.io/microk8s

61 packages can be updated.
22 updates are security updates.


Last login: Wed Aug 14 13:10:33 2019 from 127.0.0.1
Access remote systems via SSH using port 443

See? I can now access the remote server via SSH even though the default SSH port 22 is blocked. As you can see in the above example, I have used the HTTPS port 443 for the SSH connection. We can also use the same port 443 for OpenVPN connections.
