...
For transparent mode to work we also need to modify iptables. To ease configuration I created a one-off script which will set the requisite iptables rules. Note that these settings won't survive a reboot, so once we're happy we're going to make these settings persistent.
Copy the following to a file in your path (I suggest /usr/local/sbin), make it executable, and execute with sudo:
```bash
cd /usr/local/sbin
sudo vim sslh-transparent
```
and copy/paste the following:
```bash
#!/bin/bash
# sslh transparent mode: replies from the backends sslh forwards to
# (source ports 4443 and 1194) are marked and routed back through the
# loopback interface so sslh can relay them to the real client.

# IPv4: mark outgoing packets coming from the backend source ports
iptables -t mangle -N SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface enp0s25 --sport 4443 --jump SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface enp0s25 --sport 1194 --jump SSLH
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
iptables -t mangle -A SSLH --jump ACCEPT
# ...and deliver marked packets locally via a dedicated routing table
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

# IPv6: the same rules and routing for v6 traffic
ip6tables -t mangle -N SSLH
ip6tables -t mangle -A OUTPUT --protocol tcp --out-interface enp0s25 --sport 4443 --jump SSLH
ip6tables -t mangle -A OUTPUT --protocol tcp --out-interface enp0s25 --sport 1194 --jump SSLH
ip6tables -t mangle -A SSLH --jump MARK --set-mark 0x1
ip6tables -t mangle -A SSLH --jump ACCEPT
ip -6 rule add fwmark 0x1 lookup 100
ip -6 route add local ::/0 dev lo table 100
```
...
NOTE: you'll need to replace
Make it executable:
```bash
sudo chmod +x /usr/local/sbin/sslh-transparent
```
You should now be able to set the iptables rules by executing the script we created.
Making the iptables settings needed for sslh persistent
The iptables rules set by our script won't survive a reboot. Let's make them persistent (note I assume a systemd-enabled distro here):
Create a simple systemd service which will execute our script on boot (after our network interfaces are online):
```bash
sudo vim /etc/systemd/system/sslh-transparent.service
```
and copy/paste the following, then save and quit vim:
```ini
[Unit]
Description=sslh transparent (see /usr/local/sbin/sslh-transparent)
Wants=network-online.target
After=network-online.target

[Service]
# The script applies the rules and exits; Type=oneshot with
# RemainAfterExit=yes would also be a conventional choice here.
Type=simple
ExecStart=/usr/local/sbin/sslh-transparent

[Install]
WantedBy=multi-user.target
```
Now, let's enable it on our system:
```bash
sudo systemctl daemon-reload
sudo systemctl enable sslh-transparent
```
Now these rules will be applied to our system on reboot.
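Whether the rules were applied by hand or by the systemd unit after a reboot, it is worth checking that all three pieces (the mangle chain, the fwmark policy rule and the local route in table 100) are actually present, since a partial failure of the script leaves the backends' replies routed normally and transparent mode silently broken. The following checker is an added example, not part of the original page or of the sslh project; each check function takes the text of a command's output as its argument so it can be exercised on captured output, and it runs the live commands only when SSLH_CHECK_LIVE=1 is set (the interface name enp0s25 and ports 4443/1194 are the ones from the script above).

```shell
#!/bin/sh
# Added example: verify the sslh transparent-mode routing pieces are in place.

# Output of: iptables -t mangle -S OUTPUT   (argument 1), and a source port (argument 2)
has_output_rule() {
    printf '%s\n' "$1" | grep -Eq "^-A OUTPUT .*-p tcp .*--sport $2 -j SSLH"
}

# Output of: iptables -t mangle -S SSLH
# iptables -S renders --set-mark 0x1 as --set-xmark 0x1/0xffffffff, so accept both.
has_sslh_mark_rule() {
    printf '%s\n' "$1" | grep -Eq '^-A SSLH .*-j MARK --set-x?mark 0x1'
}

# Output of: ip rule show
has_fwmark_rule() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+:[[:space:]]+from all fwmark 0x1 lookup 100'
}

# Output of: ip route show table 100
has_local_route() {
    printf '%s\n' "$1" | grep -Eq '^local default dev lo'
}

# Run every check against the live system; report each missing piece and
# return non-zero if anything is absent.
check_transparent_routing() {
    status=0
    output_chain=$(iptables -t mangle -S OUTPUT 2>/dev/null)
    for port in 4443 1194; do
        has_output_rule "$output_chain" "$port" || { echo "missing OUTPUT rule for --sport $port"; status=1; }
    done
    has_sslh_mark_rule "$(iptables -t mangle -S SSLH 2>/dev/null)" || { echo "missing MARK 0x1 rule in chain SSLH"; status=1; }
    has_fwmark_rule "$(ip rule show 2>/dev/null)" || { echo "missing 'fwmark 0x1 lookup 100' policy rule"; status=1; }
    has_local_route "$(ip route show table 100 2>/dev/null)" || { echo "missing local route in table 100"; status=1; }
    [ "$status" -eq 0 ] && echo "sslh transparent routing: OK"
    return "$status"
}

# Only touch the live system when explicitly asked (needs root).
if [ "${SSLH_CHECK_LIVE:-}" = "1" ]; then
    check_transparent_routing
fi
```

Run it as `sudo SSLH_CHECK_LIVE=1 sh sslh-check.sh` after the script, and again after a reboot once the systemd unit is enabled; a non-zero exit with a "missing ..." line tells you exactly which step did not take effect. The same four checks work for IPv6 by feeding it the output of ip6tables and `ip -6 rule/route`.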
Restart Apache, start sslh, and test...
...
```bash
sudo systemctl enable sslh
```
...
...