How to Install the SSLH Multiplexer


My server runs the sslh multiplexer daemon, which accepts both ssh and https connections on incoming port 443.

The reason is to avoid ssh connection problems when connecting to the server from behind routers that do not permit outgoing connections to ssh port 22.

If you have administrator access to the router you can change this, but if you don't have access, e.g. when using a router in a residential or commercial building complex that you do not administer yourself, a viable workaround is to use port 443 for outgoing ssh connections.

This works because port 443 is hardly ever blocked by routers and can therefore be relied upon to be reachable.

On my server, incoming ssh connections on port 443 are therefore redirected to sshd on port 22, while incoming https connections on port 443 are redirected to apache on port 444.

Apache must then be configured to listen on port 444 instead of the default 443.


First, install sslh:

apt install sslh

Then, in /etc/default/sslh, change:

#RUN=no
RUN=yes

and set DAEMON_OPTS to the port sslh should listen on and the targets it should forward to.

Here we want incoming connections to arrive on port 443, ssh connections to be forwarded to port 22, and all other connections (which will be https for apache) to be forwarded to port 444:

DAEMON_OPTS="--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:444 --pidfile /var/run/sslh/sslh.pid"

so the file will look like this:


root@gemini:/# cat /etc/default/sslh
# Default options for sslh initscript
# sourced by /etc/init.d/sslh

# Disabled by default, to force yourself
# to read the configuration:
# - /usr/share/doc/sslh/README.Debian (quick start)
# - /usr/share/doc/sslh/README, at "Configuration" section
# - sslh(8) via "man sslh" for more configuration details.
# Once configuration ready, you *must* set RUN to yes here
# and try to start sslh (standalone mode only)

#RUN=no
RUN=yes

# binary to use: forked (sslh) or single-thread (sslh-select) version
# systemd users: don't forget to modify /lib/systemd/system/sslh.service
DAEMON=/usr/sbin/sslh

#DAEMON_OPTS="--user sslh --listen <change-me>:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"
DAEMON_OPTS="--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:444 --pidfile /var/run/sslh/sslh.pid"
root@gemini:/#
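As an added illustration (not code from this post or from sslh itself), the Python below sketches the decision sslh makes for each new connection on port 443 with the DAEMON_OPTS above: it inspects the first bytes the client sends and picks the backend, applying sslh's documented timeout rule when the client sends nothing. The sample client openings are constructed, not captured traffic.

```python
# Added example, not sslh's code: the routing decision behind the
# DAEMON_OPTS above, driven by the first bytes a client sends.
# Sample client openings below are constructed, not captured traffic.

# Backends exactly as given in the post's DAEMON_OPTS line
TARGETS = {"ssh": ("127.0.0.1", 22), "tls": ("127.0.0.1", 444)}


def classify(first_bytes: bytes) -> str:
    """Return 'ssh', 'tls' or 'unknown' from the client's opening bytes.

    An SSH client sends its identification string first (RFC 4253), so
    the stream starts with "SSH-".  A TLS client starts with a handshake
    record: content type 0x16, legacy version 0x03 0x0X, and after the
    5-byte record header a ClientHello (handshake type 0x01).
    """
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x03
            and first_bytes[5] == 0x01):
        return "tls"
    return "unknown"


def route(first_bytes: bytes, timed_out: bool = False):
    """(host, port) the connection goes to, or None.

    A client that stays silent until sslh's probe timeout (--timeout,
    2 s by default) is treated as SSH, sslh's documented --on-timeout
    default.  Anything else that is neither SSH nor TLS has no backend
    in the post's configuration, so None is returned for it here.
    """
    if timed_out and not first_bytes:
        return TARGETS["ssh"]
    return TARGETS.get(classify(first_bytes))


# Constructed sample openings
SSH_OPEN = b"SSH-2.0-OpenSSH_9.2p1 Debian-2\r\n"
TLS_OPEN = bytes([0x16, 0x03, 0x01, 0x00, 0xF4,        # record header
                  0x01, 0x00, 0x00, 0xF0, 0x03, 0x03])  # ClientHello start
HTTP_OPEN = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    for name, data in (("ssh", SSH_OPEN), ("tls", TLS_OPEN), ("plain http", HTTP_OPEN)):
        print(f"{name:10s} -> {classify(data):8s} -> {route(data)}")
    print(f"silent client, timeout -> {route(b'', timed_out=True)}")
```

Note that plaintext HTTP sent to port 443 matches neither probe, so with this configuration it never reaches apache.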


Then configure systemd to start sslh at boot, and start it:

systemctl enable sslh
systemctl start sslh

Check that it is running and listening correctly:


root@gemini:/# ps -ef | grep sslh
sslh 611 1 0 Jun28 ? 00:00:00 /usr/sbin/sslh --foreground --user sslh --listen 0.0.0.0 443 --ssh 127.0.0.1 22 --tls 127.0.0.1 444 --pidfile /var/run/sslh/sslh.pid
sslh 612 611 0 Jun28 ? 00:00:00 /usr/sbin/sslh --foreground --user sslh --listen 0.0.0.0 443 --ssh 127.0.0.1 22 --tls 127.0.0.1 444 --pidfile /var/run/sslh/sslh.pid
sslh 937 612 0 Jun28 ? 00:00:00 /usr/sbin/sslh --foreground --user sslh --listen 0.0.0.0 443 --ssh 127.0.0.1 22 --tls 127.0.0.1 444 --pidfile /var/run/sslh/sslh.pid
sslh 1073 612 0 Jun28 ? 00:00:00 /usr/sbin/sslh --foreground --user sslh --listen 0.0.0.0 443 --ssh 127.0.0.1 22 --tls 127.0.0.1 444 --pidfile /var/run/sslh/sslh.pid
sslh 9093 612 0 19:22 ? 00:00:00 /usr/sbin/sslh --foreground --user sslh --listen 0.0.0.0 443 --ssh 127.0.0.1 22 --tls 127.0.0.1 444 --pidfile /var/run/sslh/sslh.pid
root 9503 9199 0 20:00 pts/2 00:00:00 grep --color=auto sslh
root@gemini:/# netstat -tulpn | grep sslh
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 611/sslh
root@gemini:/#


Then you can access ssh with:

ssh -p 443 username@server-ip

and sslh will forward the ssh connection to sshd on port 22 on the server.

Don't forget that you must also reconfigure apache to listen on port 444 (in /etc/apache2/ports.conf and the appropriate sites-enabled conf file) and restart apache after modifying the files.


A Note Regarding Apache and sslh


Note also that some programs, such as Let's Encrypt's Certbot certificate tool, automatically define the https port as the default 443, so you then need to remove this and set it to 444, otherwise apache will not start.

Apache ports.conf needs to look like this. Note that port 443 is not used:


root@gemini:/etc/apache2# cat ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule mod_ssl.c>
#Listen 443
Listen 444
</IfModule>


The sites-enabled configuration will also use 444 instead of 443 in the virtual host definition:


<IfModule mod_ssl.c>
<VirtualHost 127.0.0.1:444>

ServerName kevwells.com
ServerAlias www.kevwells.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf

SSLCertificateFile /etc/letsencrypt/live/kevwells.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kevwells.com/privkey.pem

</VirtualHost>
</IfModule>

 