Updated to make sslh's transparent proxy mode work and to fix the "setsockopt: Operation not permitted" error that appears when sslh is started from init.d (the error comes from setsockopt(IP_TRANSPARENT) failing because the daemon lacks CAP_NET_ADMIN). With the file capabilities set below, sslh no longer needs to run as root.
Git Clone

```sh
git clone https://github.com/yrutschle/sslh
```
Prepare compile environment (on current Debian/Ubuntu releases the libconfig package is named libconfig-dev rather than libconfig8-dev)

```sh
sudo apt-get install libwrap0-dev libconfig8-dev libcap-dev
```
Compile sslh

USELIBCAP=1 links sslh against libcap so that it keeps the capabilities granted with setcap below after it drops to the unprivileged user; without it the capabilities are lost on setuid and transparent mode fails.

```sh
make USELIBCAP=1
sudo make install
```
Copy startup and configuration files into target location

```sh
sudo cp sslh-fork /usr/local/sbin/sslh
sudo mkdir -p /etc/sslh
sudo cp basic.cfg /etc/sslh/sslh.cfg
sudo cp scripts/etc.init.d.sslh /etc/init.d/sslh
```
Modify the startup file: /etc/init.d/sslh

The start function grants the binary the two capabilities transparent mode needs and then starts it as nobody (sslh's user switch is -u); thanks to libcap it keeps CAP_NET_ADMIN after dropping privileges, so the daemon itself never runs as root.

```sh
PREFIX=/usr
# DAEMON is derived from PREFIX in the stock script; check that it resolves
# to the binary installed above (/usr/local/sbin/sslh).
start() {
    echo "Start services: sslh"
    setcap cap_net_bind_service,cap_net_admin+pe /usr/local/sbin/sslh
    $DAEMON -u nobody -F/etc/sslh/sslh.cfg
    logger -t ${tag} -p ${facility} -i 'Started sslh'
}
```
Modify the configuration file: /etc/sslh/sslh.cfg

In transparent mode the backend sees the real client address and sends its replies to it; those replies are what the firewall rules below intercept and loop back to sslh, so the backend must be reachable on a real interface address, not on loopback.

```
transparent: true;
listen:
(
    { host: "0.0.0.0"; port: "443"; }
);
...
# do not use localhost or 127.0.0.1 for the backend; use the host's internal ip (ifconfig shows it)
{ name: "ssl"; host: "192.168.1.3"; port: "4433"; }
```
Update Firewall

The --sport values are the ports the backends listen on: 22 for sshd and the port of the ssl backend configured above. They must match sslh.cfg exactly, otherwise the backend's replies are never marked and the connection hangs (the second rule here originally said 4443; it has been aligned with the 4433 used in the config above, so put whatever port your ssl backend really listens on).

```sh
iptables -t mangle -N SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 22 --jump SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 4433 --jump SSLH
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
iptables -t mangle -A SSLH --jump ACCEPT
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
```

Persist the iptables rules (run as root). Note that iptables-save does not record the ip rule and the local route, which is why they are added to rc.local below.

```sh
iptables-save > /etc/iptables.rules
cat << EOF > /etc/network/if-pre-up.d/iptablesload
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
EOF
chmod +x /etc/network/if-pre-up.d/iptablesload
```
Add the following 2 lines to startup (the policy-routing rule and the local route):

```sh
# nano /etc/rc.local
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
exit 0
```
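The port mismatch between sslh.cfg and the firewall rules is the easiest way to break this setup, so the helper below, added to this page and not part of sslh, derives the mangle and policy-routing commands from the protocol entries in an sslh.cfg and refuses loopback backends when transparent mode is on. The function names (sslh_backends, sslh_check_backends, sslh_rules) are mine, the interface, mark and table (eth0, 0x1, 100) are the values used on this page, the sample config is constructed here, and the parsing assumes one protocol entry per line as in sslh's basic.cfg.

```shell
#!/bin/sh
# Added example, not part of sslh: generate the transparent-mode firewall
# rules from the backends listed in an sslh.cfg, so --sport can never drift
# from the ports sslh actually forwards to.

# Print "host port" for each protocol entry in the config file $1.
# The listen block carries no name: field and is therefore skipped.
sslh_backends() {
    sed -n '/name:/ s/.*host: *"\([^"]*\)".*port: *"\([^"]*\)".*/\1 \2/p' "$1"
}

# Return non-zero if transparent mode is on and a backend sits on loopback:
# replies from such a backend cannot be looped back through the mark table.
sslh_check_backends() {
    grep -q '^ *transparent: *true' "$1" || return 0
    sslh_backends "$1" | while read -r host port; do
        case $host in
            localhost|127.*|::1)
                echo "sslh.cfg: backend $host:$port is on loopback; use the interface IP" >&2
                exit 1 ;;
        esac
    done
}

# Print the iptables/ip commands for interface $2, fwmark $3 and routing
# table $4, one --sport rule per distinct backend port found in config $1.
sslh_rules() {
    cfg=$1; iface=$2; mark=$3; table=$4
    echo "iptables -t mangle -N SSLH"
    sslh_backends "$cfg" | awk '{ print $2 }' | sort -un | while read -r port; do
        echo "iptables -t mangle -A OUTPUT --protocol tcp --out-interface $iface --sport $port --jump SSLH"
    done
    echo "iptables -t mangle -A SSLH --jump MARK --set-mark $mark"
    echo "iptables -t mangle -A SSLH --jump ACCEPT"
    echo "ip rule add fwmark $mark lookup $table"
    echo "ip route add local 0.0.0.0/0 dev lo table $table"
}

# Constructed sample config, same shape as the sslh.cfg above (hypothetical).
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
transparent: true;
listen: ( { host: "0.0.0.0"; port: "443"; } );
protocols:
(
    { name: "ssh"; service: "ssh"; host: "192.168.1.3"; port: "22"; fork: true; },
    { name: "ssl"; host: "192.168.1.3"; port: "4433"; }
);
EOF

# Usage: validate the config, then print the rules to review or pipe into sh.
sslh_check_backends "$SAMPLE_CFG" && sslh_rules "$SAMPLE_CFG" eth0 0x1 100
```

Run it against the real /etc/sslh/sslh.cfg before saving rules with iptables-save; if the check fails, the printed reason names the offending backend. Regenerating the rules from the config whenever a backend port changes avoids the silent hang that a stale --sport value produces.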
Hi, I want port 80 to serve both 22 and nginx at the same time. My environment is CentOS with 1.18 installed from rpm; it does not have the files you mention, and I cannot find them. The official documentation is just one sentence....
Can you tell me which file it is that you cannot find?
The cfg file is one you create yourself, and the sslh executable is also something you put in place yourself.
Then just modify the startup script.
OK, creating the cfg myself is fine. Thanks, I will give it a try.