sslh
sslh is an applicative protocol multiplexer that accepts HTTPS, SSH, OpenVPN, tinc, and XMPP connections on the same port. It enables connecting to these services on port 443, bypassing corporate firewalls that rarely block it, while still serving HTTPS.
Description
sslh allows multiple protocols to share a single port, primarily port 443, which is commonly open for HTTPS traffic. This is particularly useful in environments like corporate networks where outbound connections to standard SSH or VPN ports are blocked, but HTTPS is permitted. By multiplexing protocols on port 443, users can securely access SSH, OpenVPN, tinc, or XMPP servers without altering firewall rules.
The tool acts as a front-end proxy that inspects incoming connections and forwards them to the appropriate backend service based on protocol detection. It supports a range of protocols including SSL/TLS, SSH, OpenVPN, tinc, WireGuard, XMPP, HTTP, and others. This setup maintains HTTPS availability on the same port for web servers.
sslh comes in variants like sslh (default), sslh-ev, and sslh-select, with the main binary providing extensive configuration options for logging, verbosity, and protocol forwarding.
How It Works
sslh operates as a protocol demultiplexer: it listens on a specified port (e.g., 443) and probes the first bytes of each incoming connection to identify the protocol (a verbose probe mode hexdumps the inspected packets). This lets it distinguish HTTPS/SSL/TLS, SSH, OpenVPN, tinc, XMPP, and the other supported protocols. Once identified, it forwards the connection transparently to the designated backend host:port for that protocol. Internals include support for UDP, syslog integration, timeout handling, and verbose logging at various levels for connections, packets, and errors.
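To make the probing step concrete, here is a small added example (not sslh's own code) that classifies a connection from its first bytes the way a demultiplexer does and maps it to a backend. The routing table, sample payloads and the fallback choice are constructed assumptions for this demo, and the OpenVPN check is a simplified heuristic on the TCP hard-reset packet rather than sslh's exact probe.

```python
# Constructed routing table (mirrors the kind of mapping sslh takes on its command line).
BACKENDS = {
    "ssh": ("127.0.0.1", 22),
    "tls": ("127.0.0.1", 443),
    "http": ("127.0.0.1", 80),
    "xmpp": ("127.0.0.1", 5222),
    "openvpn": ("127.0.0.1", 1194),
}
FALLBACK = "tls"  # assumed fallback for unrecognised traffic in this demo

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def probe(data: bytes) -> str:
    """Classify a connection from its first bytes.

    Returns a backend name, "again" when more bytes are needed, or FALLBACK.
    """
    if len(data) < 3:
        return "again"  # sslh likewise waits for more data before deciding
    if data.startswith(b"SSH-"):
        return "ssh"  # SSH identification string (RFC 4253)
    if data[0] == 0x16 and data[1] == 0x03:
        return "tls"  # TLS record: handshake content type, version major 3
    if data.startswith(HTTP_METHODS):
        return "http"
    stripped = data.lstrip()
    if stripped.startswith(b"<?xml") or stripped.startswith(b"<stream:stream"):
        return "xmpp"
    # OpenVPN over TCP: 2-byte big-endian length (14 for a client hard reset)
    # followed by an opcode byte whose high 5 bits are 7 (HARD_RESET_CLIENT_V2).
    if int.from_bytes(data[:2], "big") == 14 and (data[2] >> 3) == 7:
        return "openvpn"
    return FALLBACK


def route(data: bytes):
    """Return the (host, port) a connection should be forwarded to, or None if undecided."""
    name = probe(data)
    return None if name == "again" else BACKENDS[name]


if __name__ == "__main__":
    # Constructed sample first-bytes for each protocol.
    for sample in (b"SSH-2.0-OpenSSH_9.3\r\n", b"\x16\x03\x01\x00\xa5\x01", b"GET / HTTP/1.1\r\n",
                   b"<?xml version='1.0'?><stream:stream", b"\x00\x0e\x38" + bytes(13), b"\x01"):
        print(sample[:12], "->", probe(sample), route(sample))
```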
Installation
sudo apt install sslh
Flags
Examples
sslh -h
sslh -F /etc/sslh.cfg
sslh --verbose-connections=1
sslh -p 0.0.0.0:443 --ssh=127.0.0.1:22 --tls=127.0.0.1:443
sslh --openvpn=127.0.0.1:1194 --xmpp=127.0.0.1:5222 -p 443
sslh --config=/etc/sslh.cfg --syslog
sslh-ev -h
sslh-select -h