SSH / HTTPS / OpenVPN / Telegram and everything on one port?! What?!
- Yes!
- Do you want to hide some services?
- On a public Wi-Fi network, is everything blocked except port 443 (HTTPS)?
- Have you set up a Telegram Proxy / OpenVPN and do not want to expose it?
- Do you need an SSH connection to your server from countries with censorship?
There is one answer to all of these questions: multiplexing of SSL/TLS connections, or SSLH. In this post we will look at how to hide a bunch of services behind one port with one command.
Why?
After the recent release of Telegram Proxy, whose traffic looks almost exactly like SSL traffic, an interesting question appeared in the comments to that post:
Newton:
I have a pretty noob question: isn't it possible to run this together with sslh?
After a quick look at what the sslh application can do, it seemed to me that it would not be possible to “run” it that way, but the application interested me a lot, and, as it turned out, it is still possible to cross a hedgehog with a snake.
How?
The SSLH application is a multiplexer: it analyzes incoming traffic (actually performing a mini-DPI operation) and, depending on the type of traffic, forwards it to a local port such as 8443, 999, 991 or any other.
That, for the first time, lets us use DPI technology ourselves.
Task
As an example of using SSLH, let us set the following task:
The server has Telegram Proxy, Apache and SSH installed, and we want to expose all of these services to the world through port 443.
The server in our example runs Ubuntu 16.04.4 LTS with Apache2 + LetsEncrypt, SSH and Telegram Proxy in Docker. At the moment, as expected, it is Apache that occupies port 443.
Installation & Setup
Install SSLH:
sudo apt-get install --no-install-recommends sslh
During installation you will be asked about the run mode; there are two:
- stable, but more resource-intensive
- fast, but all connections are lost if the process crashes
I am for the second option; you, of course, can choose the other one.
Check that our miracle works with the following command:
sudo sslh-select -f --listen IP:8443 --tls 127.0.0.1:443 --ssh 127.0.0.1:22 --anyprot 127.0.0.1:9443
IP - the external IP of the server
8443 - the port on which our multiplexer will listen
443 - where Apache lives
Pay attention to the anyprot option: this is where our Telegram Proxy will live; in other words, if the traffic did not match any known type, it is sent there.
Attention! If your configuration has no Telegram or SSH, remove the corresponding startup options.
Check?
Open your browser at your server's address with port 8443: you should see the response from Apache. Then try connecting via SSH or via Telegram Proxy.
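The mini-DPI step from the “How?” section, as an added example (my own simplified Python model, not sslh's code): it shows how the first bytes a client sends pick the backend from the sslh-select command above, and that only protocols given on the command line are probed at all. The probe signatures are simplified versions of the real ones, and the sample client openings are constructed.

```python
import re

# Constructed from the sslh-select command in this post: protocol -> backend.
POST_CONFIG = {
    "ssh": "127.0.0.1:22",        # OpenSSH
    "tls": "127.0.0.1:443",       # Apache
    "anyprot": "127.0.0.1:9443",  # Telegram Proxy, the catch-all
}

HTTP_METHOD = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH|CONNECT|TRACE) ")


def probe_ssh(data: bytes) -> bool:
    # SSH clients open with an identification string such as "SSH-2.0-...".
    return data.startswith(b"SSH-")


def probe_tls(data: bytes) -> bool:
    # A TLS ClientHello is a Handshake record (type 0x16) whose record-layer
    # version has major byte 0x03 (SSL 3.0 through TLS 1.3).
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03


def probe_http(data: bytes) -> bool:
    # Plain HTTP starts with a request method and a space.
    return HTTP_METHOD.match(data) is not None


# Simplified model of sslh's probe list: probes run in this order, first match
# wins, and only protocols present in the configuration are probed.
PROBES = {"ssh": probe_ssh, "tls": probe_tls, "http": probe_http}


def classify(first_bytes: bytes, config: dict = POST_CONFIG) -> str:
    """Name the protocol sslh would assign to the first bytes a client sent."""
    if not first_bytes:
        # Silent client (server-speaks-first protocol): sslh's default on timeout is ssh.
        return "ssh"
    for name, probe in PROBES.items():
        if name in config and probe(first_bytes):
            return name
    return "anyprot"  # nothing matched: the --anyprot catch-all


def route(first_bytes: bytes, config: dict = POST_CONFIG) -> str:
    """Backend address the connection is forwarded to."""
    return config[classify(first_bytes, config)]


# Constructed sample client openings.
SSH_BANNER = b"SSH-2.0-OpenSSH_7.2p2\r\n"
TLS_HELLO = bytes.fromhex("160301 00c8 0100 00c4 0303") + b"\x00" * 32
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
OPAQUE = bytes(range(0xA0, 0xB0))  # stands in for an obfuscated proxy stream
```

Note that a plain HTTP request lands on the anyprot backend with the post's command, because --http was not given; adding "http" to the configuration makes the HTTP probe active.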
Moving Apache to another port
To move Apache from the standard port (443) to another one, for example 7443, edit the following files:
sudo nano /etc/apache2/ports.conf
sudo nano /etc/apache2/sites-enabled/000-default-le-ssl.conf
In this example Apache + SSL/HTTPS was set up using LetsEncrypt; with a different certificate setup, the configuration files may be located elsewhere.
Autostart
It's time to set up autostart.
Edit the file:
sudo nano /etc/default/sslh
In the DAEMON_OPTS= field, add the options you used when running the sslh-select command, and set RUN=yes.
Run:
sudo systemctl start sslh
Make sure everything is fine:
sudo systemctl status sslh
What is the result?
After going through this tutorial, you should have a server that exposes several services at once through a single port (which you can choose yourself).
And what about OpenVPN? What other protocols can the application handle?
At the time of writing, sslh is able to identify and multiplex the following protocols:
[--ssh <addr>] [--openvpn <addr>] [--tinc <addr>] [--xmpp <addr>] [--http <addr>] [--ssl <addr>] [--tls <addr>] [--anyprot <addr>]
Before using it, it is better to check which protocols your version supports (it may be newer) using:
sslh-select -h
Links
SSLH development takes place on GitHub, in this repository:
github.com/yrutschle/sslh
Docker
I did not succeed in building a working version of sslh in Docker together with all the other services; in my opinion, a docker-compose file that brings up the following on port 443 would be interesting:
- Apache + LetsEncrypt
- Telegram Proxy
- OpenVPN (optional)
- Use the local SSH
If someone succeeds, write in the comments and I will add it to the article; in my opinion, it will be useful.