...

For transparent mode to work we also need to modify iptables.  To ease configuration I created a one-off script which sets the requisite iptables rules.  Note that these rules won't survive a reboot, so once we're happy with them we'll make them persistent.

Copy the following to a file in your path (I suggest /usr/local/sbin), make it executable, and run it with sudo:

Code Block
languagebash
cd /usr/local/sbin
sudo vim sslh-transparent

and copy/paste the following: 

Code Block
languagebash
#!/bin/bash
# sslh transparent mode: replies from the backend services that sslh forwards to
# (here source ports 4443 and 1194) would normally leave straight out of the main
# interface. These rules mark such packets and route them via table 100, whose
# only route delivers everything locally, so they return through sslh.
# Replace enp0s25 with your server's main network interface.

# IPv4: mark backend replies leaving on the main interface...
iptables -t mangle -N SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface enp0s25 --sport 4443 --jump SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface enp0s25 --sport 1194 --jump SSLH
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
iptables -t mangle -A SSLH --jump ACCEPT
# ...and send marked packets to table 100, which routes them to the local host
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

# IPv6: the same, with ip6tables and ip -6
ip6tables -t mangle -N SSLH
ip6tables -t mangle -A OUTPUT --protocol tcp --out-interface enp0s25 --sport 4443 --jump SSLH
ip6tables -t mangle -A OUTPUT --protocol tcp --out-interface enp0s25 --sport 1194 --jump SSLH
ip6tables -t mangle -A SSLH --jump MARK --set-mark 0x1
ip6tables -t mangle -A SSLH --jump ACCEPT
ip -6 rule add fwmark 0x1 lookup 100
ip -6 route add local ::/0 dev lo table 100

...

Info

NOTE: you'll need to replace enp0s25 with the main network interface of your server.

Make it executable:

Code Block
languagebash
sudo chmod +x /usr/local/sbin/sslh-transparent

You should now be able to set the iptables rules by running the script with sudo.

Making the iptables settings needed for sslh persistent

The iptables rules set by our script won't survive a reboot.  Let's make them persistent (I assume a systemd-based distro here):

Create a simple systemd service which will execute our script on boot (after our network interfaces are online):

Code Block
languagebash
sudo vim /etc/systemd/system/sslh-transparent.service

and copy/paste the following, then save and quit vim:

Code Block
[Unit]
Description=sslh transparent mode iptables rules (see /usr/local/sbin/sslh-transparent)
Wants=network-online.target
After=network-online.target

[Service]
# The script exits as soon as the rules are installed; oneshot plus RemainAfterExit
# keeps the unit shown as active, so its state tells you the rules were applied.
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/sslh-transparent

[Install]
WantedBy=multi-user.target

Now, let's enable it:

Code Block
languagebash
sudo systemctl daemon-reload
sudo systemctl enable sslh-transparent

These rules will now be applied on every boot.
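To confirm the rules actually landed (after running the script by hand or after a reboot), here is a check script.  It is an added example and not part of the original page or of sslh itself: it reads the output of iptables -t mangle -S, ip rule show and ip route show table 100 (and their IPv6 counterparts) and verifies that the SSLH chain, the fwmark rule and the local route exist for the interface and backend ports used above.  The interface name enp0s25 and ports 4443 and 1194 are assumptions copied from the tutorial's script, and the command output embedded in it is constructed, so the checks can be exercised without root; run it with the argument live on the sslh host to check the real system.

```shell
#!/bin/bash
# Added example (not from the original page or the sslh project): verify that the
# sslh transparent-mode iptables/ip-rule configuration is in place.
# Interface and backend ports are assumptions taken from the tutorial's script.
IFACE=enp0s25
BACKEND_PORTS="4443 1194"

# Read `iptables -t mangle -S` (or ip6tables) output on stdin. Succeed only if every
# backend port has an OUTPUT rule jumping to SSLH on $IFACE and the SSLH chain
# marks packets with 0x1 and accepts them.
check_mangle_rules() {
    local rules port
    rules=$(cat)
    for port in $BACKEND_PORTS; do
        printf '%s\n' "$rules" | grep -- '^-A OUTPUT ' \
            | grep -F -- "-o $IFACE " \
            | grep -F -- "--sport $port " \
            | grep -q -- '-j SSLH$' || return 1
    done
    # iptables-save prints --set-mark 0x1 as --set-xmark 0x1/0xffffffff
    printf '%s\n' "$rules" | grep -qE -- '^-A SSLH -j MARK --set-x?mark 0x1' || return 1
    printf '%s\n' "$rules" | grep -q -- '^-A SSLH -j ACCEPT$'
}

# Read `ip rule show` (or `ip -6 rule show`) on stdin: marked packets must use table 100.
check_fwmark_rule() {
    grep -qE 'fwmark 0x1 lookup 100$'
}

# Read `ip route show table 100` (or `ip -6 route show table 100`) on stdin:
# table 100 must deliver everything locally via lo.
check_local_route() {
    grep -qE '^local default dev lo( |$)'
}

# Run the checks against the live system (needs root).
verify_live() {
    iptables -t mangle -S      | check_mangle_rules || { echo "IPv4 SSLH mangle rules missing" >&2; return 1; }
    ip6tables -t mangle -S     | check_mangle_rules || { echo "IPv6 SSLH mangle rules missing" >&2; return 1; }
    ip rule show               | check_fwmark_rule  || { echo "IPv4 fwmark rule missing" >&2; return 1; }
    ip -6 rule show            | check_fwmark_rule  || { echo "IPv6 fwmark rule missing" >&2; return 1; }
    ip route show table 100    | check_local_route  || { echo "IPv4 local route in table 100 missing" >&2; return 1; }
    ip -6 route show table 100 | check_local_route  || { echo "IPv6 local route in table 100 missing" >&2; return 1; }
    echo "sslh transparent-mode routing is in place"
}

# Constructed sample output: what the commands print after the tutorial's script ran.
SAMPLE_MANGLE_OK='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N SSLH
-A OUTPUT -o enp0s25 -p tcp -m tcp --sport 4443 -j SSLH
-A OUTPUT -o enp0s25 -p tcp -m tcp --sport 1194 -j SSLH
-A SSLH -j MARK --set-xmark 0x1/0xffffffff
-A SSLH -j ACCEPT'
# Constructed failure case: the rule for port 1194 was never added.
SAMPLE_MANGLE_MISSING=$(printf '%s\n' "$SAMPLE_MANGLE_OK" | grep -v -- '--sport 1194 ')
SAMPLE_RULE_OK='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTE_OK='local default dev lo scope host'

# Exercise the checks against the constructed samples (runs without root).
selfcheck() {
    printf '%s\n' "$SAMPLE_MANGLE_OK" | check_mangle_rules || return 1
    if printf '%s\n' "$SAMPLE_MANGLE_MISSING" | check_mangle_rules; then return 1; fi
    printf '%s\n' "$SAMPLE_RULE_OK" | check_fwmark_rule || return 1
    printf '%s\n' "$SAMPLE_ROUTE_OK" | check_local_route || return 1
    if printf '%s\n' "" | check_local_route; then return 1; fi
}

if [ "${1:-}" = "live" ]; then
    verify_live
else
    selfcheck && echo "self-check against constructed sample output passed"
fi
```

The checks match on the iptables-save form of the rules (-o, -p tcp -m tcp, --sport, -j) rather than on the long options the script uses, because that is what iptables -S prints back; if you change the interface or backend ports in the script, change IFACE and BACKEND_PORTS here to match.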

Restart Apache, start sslh, and test...

...

Code Block
languagebash
sudo systemctl enable sslh

...

References

  1. https://stackoverflow.com/questions/34304022/change-ssl-port-of-apache2-server-err-ssl-protocol-error
  2. http://www.rutschle.net/tech/sslh/README.html

...