sslh – ssl/ssh multiplexer

Sponsored Link
sslh accepts connections on specified ports, and forwards them further based on tests performed on the first data packet sent by the remote client.

Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are implemented, and any other protocol that can be tested using a regular expression, can be recognised. A typical use case is to allow serving several services on port 443 (e.g. to connect to ssh from inside a corporate firewall, which almost never block port 443) while still serving HTTPS on that port.

Hence sslh acts as a protocol demultiplexer, or a switchboard. Its name comes from its original function to serve SSH and HTTPS on the same port.

One drawback of sslh is that the ssh and httpd servers do not see the original IP address of the client anymore, as the connection is forwarded through sslh. sslh provides enough logging to circumvent that problem. However it is common to limit access to ssh using libwrap or tcpd. For this reason, sslh can be compiled to check SSH accesses against SSH access lists as defined in /etc/hosts.allow and /etc/hosts.deny.

Install sslh in ubuntu

Open the terminal and run the following command

sudo apt-get install sslh

sslh Syntax

sslh [ -t num ] [-p listening address] [-l target address for SSL] [-s target address for SSH] [-u username] [-P pidfile] [-v] [-i] [-V] [-f]


-t num
Timeout before a connection is considered to be SSH. Default is 2s.
-p listening address
Interface and port on which to listen, e.g. foobar:443, where foobar is the name of an interface (typically the IP address on which the Internet connection ends up).

Defaults to (listen to port 443 on all available interfaces).
-l target address for SSL
Interface and port on which to forward SSL connection, typically localhost:443.

Defaults to localhost:443 (this assumes you would configure your httpd process to listen to port 443).

Note that you can set sslh to listen on ext_ip:443 and httpd to listen on localhost:443: this allows clients inside your network to just connect directly to httpd.
-s target address for SSH
Interface and port on which to forward SSH connection, defaults to localhost:22.
Increase verboseness.
Prints sslh version.
-u username
Requires to run under the specified username. Defaults to nobody (which is not perfect --- ideally sslh should run under its own UID).
-P pidfile
Specifies the file in which to write the PID of the main server. Defaults to /var/run/
Runs as an inetd server. Options -P (PID file), -p (listen address), -u (user) are ignored.
Runs in foreground. The server will not fork and will remain connected to the terminal. Messages normally sent to syslog will also be sent to stderr.


Start-up script. The standard actions start, stop and restart are supported.
Server configuration. These are environment variables loaded by the start-up script and passed to sslh as command-line arguments. Refer to the OPTIONS section for a detailed explanation of the variables used by sslh.


one can use it to access both a SSH server and a secure web server via a corporate proxy that only accepts to relay connections to port 443. Creating a tunnel that passes SSH connection through a CONNECT-enabled web proxy is easy with connect-tunnel (also included in the "Net::Proxy" distribution).

The proxy will let both SSH and HTTPS connections out (since they all point to port 443), and the home server will connect those incoming connections to the appropriate server. This only requires to run the HTTPS server on a non standard port (not 443).

Sponsored Link

You may also like...

1 Response

  1. JohnP says:

    While hosts.allow and .deny are neat, using Fail2Ban for ssh blocking … wait a minute … Fail2Ban would lockout all remote connections too.

    I guess blocking all password-based ssh logins would be the best solution along with the “Match” option inside the sshd_config file.

    Interesting problem.

Leave a Reply

Your email address will not be published. Required fields are marked *