...
The way this works is that we change our Apache reverse-proxy listening port to something else (like 4443), then bind port 443 to SSLH. SSLH analyses traffic arriving on port 443: if it's standard HTTPS, it transparently forwards the traffic to port 4443, and if it's OpenVPN traffic, it forwards it to our standard server-side OpenVPN port 1194.
SSLH also supports SSH traffic, so you could route SSH through port 443 as well. This means having HTTPS, OpenVPN, and SSH traffic all going through a single port (443) on your server (although we won't cover adding SSH here - leave a comment if you have issues adding SSH traffic to SSLH).
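A simplified illustration of the first-packet check a multiplexer such as SSLH performs, added here as an example and not SSLH's own code. The ports are the ones used in this guide; the loopback addresses, function names and sample packets are constructed assumptions.

```python
import struct

# Backend ports come from this guide; the loopback address is an assumption.
BACKENDS = {
    "tls": ("127.0.0.1", 4443),      # Apache reverse-proxy after the port change
    "openvpn": ("127.0.0.1", 1194),  # OpenVPN running in TCP server mode
}

# OpenVPN opcodes a client may open a session with (hard reset client V1/V2/V3).
OPENVPN_CLIENT_RESET = {1, 7, 10}


def classify(first_bytes: bytes) -> str:
    """Guess the protocol from the first bytes a client sends to port 443."""
    if len(first_bytes) < 4:
        return "need-more-data"
    # SSH clients identify themselves with an ASCII banner.
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS: record type 0x16 (handshake) followed by major version 3.
    if first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    # OpenVPN over TCP: 2-byte big-endian length prefix, then one byte whose
    # top five bits are the opcode and low three bits the key id.
    (length,) = struct.unpack("!H", first_bytes[:2])
    opcode = first_bytes[2] >> 3
    if length == len(first_bytes) - 2 and opcode in OPENVPN_CLIENT_RESET:
        return "openvpn"
    return "unknown"


def route(first_bytes: bytes):
    """Return the (host, port) backend for a connection, or None to refuse it."""
    return BACKENDS.get(classify(first_bytes))


# Constructed sample first packets (not captured traffic).
SAMPLE_TLS = bytes.fromhex("16030100050100000100")           # start of a ClientHello
SAMPLE_OPENVPN = b"\x00\x0e\x38" + b"\xaa" * 8 + b"\x00" * 5  # hard reset client V2
SAMPLE_SSH = b"SSH-2.0-OpenSSH_9.6\r\n"

if __name__ == "__main__":
    for name, pkt in [("tls", SAMPLE_TLS), ("openvpn", SAMPLE_OPENVPN),
                      ("ssh", SAMPLE_SSH), ("junk", b"GET / HTTP/1.1\r\n")]:
        print(f"{name:8} -> {classify(pkt):8} -> {route(pkt)}")
```

SSH is recognised but not routed because this guide does not configure an SSH backend. Anything unrecognised gets no backend at all rather than falling through to one of the services.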
Guide
The steps outlined here assume you've set up an Apache reverse-proxy that handles SSL termination with the relevant SSL certs and listens on (is bound to) port 443. They also assume that you've set up OpenVPN as outlined previously in this article and are using port 1194 for OpenVPN.
...
Change OpenVPN to tcp-server mode
First let's make a small change to our OpenVPN by replacing
...
Info |
---|
Note that with this change you'll also need to change your .ovpn client configuration to use |
Change Apache SSL listening port and update any vhosts directives
Next, we're going to change our Apache SSL listening port to 4443 (you should check that this port is free - if not choose another valid arbitrary port number).
...
Don't restart Apache2 just yet...
Install and configure sslh
Next, let's install SSLH using your distro's package manager. If you're running Debian or Ubuntu Server you would do:
Code Block |
---|
sudo apt install sslh |
and select standalone mode when asked to select a mode.
...
Info |
---|
NOTE: you'll need to replace |
Restart Apache, start sslh, and test...
Right, it's time to test the setup. To do so we need to restart Apache and start SSLH:
...
If all went well you should be able to still access your webserver AND connect to OpenVPN on port 443.
Finalise configuration
We'll finalise the configuration (once you've tested it) by enabling sslh (so it starts on boot) and by making the iptables rules (above) persistent.
...
See this article to make the current iptables rules (after you've executed the iptables script above) persistent.
References
- https://stackoverflow.com/questions/34304022/change-ssl-port-of-apache2-server-err-ssl-protocol-error
- http://www.rutschle.net/tech/sslh/README.html
...