diff --git a/scripts/etc-init.d-sslh-debian-modified.sslh b/scripts/etc-init.d-sslh-debian-modified.sslh
new file mode 100644
index 0000000..81a8183
--- /dev/null
+++ b/scripts/etc-init.d-sslh-debian-modified.sslh
@@ -0,0 +1,186 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: sslh
+# Required-Start: $remote_fs $syslog $network
+# Required-Stop: $remote_fs $syslog $network
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: ssl/ssh multiplexer
+# Description: sslh lets one accept both HTTPS and SSH connections on the
+# same port. It makes it possible to connect to an SSH server
+# on port 443 (e.g. from inside a corporate firewall) while
+# still serving HTTPS on that port.
+### END INIT INFO
+
+# Original Author: Guillaume Delacour
+# modified and optimized for current sslh-fork
+
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="ssl/ssh multiplexer"
+NAME=sslh
+DAEMON=/usr/sbin/$NAME
+DAEMON_OPTS=""
+PIDFILE=/var/run/sslh/$NAME.pid
+SCRIPTNAME=/etc/init.d/$NAME
+RUN=yes
+
+
+# If you want to use a configuration file, put -F/path/to/sslh.cfg
+# into /etc/default/sslh DAEMON_OPTS
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+# Exit if the package is not installed
+if [ -x "$DAEMON" ]
+then
+ echo "Can not start \"$DAEMON\", path not available"
+ log_failure_msg "Can not start \"$DAEMON\", path not available"
+fi
+
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+
+ # Use this if you want the user to explicitly set 'RUN' in
+ # /etc/default/
+ if [ "$RUN" != "yes" ]
+ then
+ echo "$NAME disabled, please adjust the configuration to your needs "
+ log_failure_msg "and then set RUN to 'yes' in /etc/default/$NAME to enable it."
+ return 2
+ fi
+
+ # sslh write the pid as sslh user
+ if [ ! -d /var/run/sslh/ ]
+ then
+ mkdir -p /var/run/sslh
+ chown sslh:sslh /var/run/sslh
+ fi
+
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
+ $DAEMON_OPTS \
+ || return 2
+ # Add code here, if necessary, that waits for the process to be ready
+ # to handle requests from services started subsequently which depend
+ # on this one. As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon --stop --quiet --retry=TERM/45/KILL/5 --pidfile $PIDFILE --name $NAME
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ # As long, as the started sslh is sslh-fork, don't kill the still existing
+ # connections. You may need the following construct for sslh-ev and sslh-select,
+ # as sslh has currently no function reloading its configuration.
+
+ # Wait for children to finish too if this is a daemon that forks
+ # and if the daemon is only ever run from this initscript.
+ # If the above conditions are not satisfied then add some other code
+ # that waits for the process to drop all resources that could be
+ # needed by services started subsequently. A last resort is to
+ # sleep for some time.
+ #start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+ #[ "$?" = 2 ] && return 2
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f $PIDFILE
+ return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+# don't activate this, as this kills only the leading process
+# of sslh-fork, and the spawned worker stays connected listening.
+# After that, the Owner of the PID from PIDFILE is gone, the
+# listening connection is still blocked
+# sslh can't reload its configuration as of Aug 2024
+#do_reload() {
+ #
+ # If the daemon can reload its configuration without
+ # restarting (for example, when it is sent a SIGHUP),
+ # then implement that here.
+ #
+# start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+# return 0
+#}
+
+case "$1" in
+ start)
+ # check if sslh is launched via inetd
+ if [ -f /etc/inetd.conf ] && [ $(egrep -q "^https.*/usr/sbin/sslh" /etc/inetd.conf|wc -l) -ne 0 ]
+ then
+ echo "sslh is started from inetd."
+ exit 1
+ fi
+
+ log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) log_end_msg 0 ;;
+ 2) log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) log_end_msg 0 ;;
+ 2) log_end_msg 1 ;;
+ esac
+ ;;
+ status)
+ status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+ restart|force-reload)
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_end_msg 1 ;; # Old process is still running
+ *) log_end_msg 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart}" >&2
+ exit 3
+ ;;
+esac
\ No newline at end of file
diff --git a/sslh-main.c b/sslh-main.c
index 388a383..f5c625a 100644
--- a/sslh-main.c
+++ b/sslh-main.c
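Review bot: The installed check near the top of the new script is inverted and never exits: `if [ -x "$DAEMON" ]` prints "path not available" precisely when the binary is present, and when it is absent the script falls through to the start-stop-daemon calls, contrary to the "Exit if the package is not installed" comment above it; the usual Debian form is `[ -x "$DAEMON" ] || exit 0`. The inetd guard in the `start)` branch cannot fire either: `egrep -q` discards its output, so `wc -l` always prints 0 and the `-ne 0` test is false — test the grep status directly, `if [ -f /etc/inetd.conf ] && grep -Eq "^https.*/usr/sbin/sslh" /etc/inetd.conf`. A comment is also worth adding in do_stop: /var/run/sslh is chowned to the sslh user, so the pidfile that the (presumably root-run) stop action reads is writable by the unprivileged daemon, and the `--name $NAME` on the stop line is what confines a stale or wrong pid value to processes actually named sslh — it should survive any rework of that line.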
@@ -289,9 +289,9 @@ int main(int argc, char *argv[], char* envp[]) if (fork() > 0) exit(0); /* Detach */ // close stdin, stderr, stdout int newfd; - // duplicating a handle connected to /dev/null to stdout and stderr - // so we don't run in any problems, when a control-job wor whats-o-ever will - // grab stdout and stderr + // duplicating a handle connected to /dev/null to stdin, stdout and stderr + // so we don't run in any problems, when a control-job or whats-o-ever will + // grab the those handles. if ((newfd = open("/dev/null", O_RDWR))) { dup2 (newfd, STDIN_FILENO); dup2 (newfd, STDOUT_FILENO); diff --git a/sslh.pod b/sslh.pod index e8cf43a..0e23f15 100644 --- a/sslh.pod +++ b/sslh.pod @@ -102,8 +102,10 @@ clients wait for the server to send its banner. Makes B behave as a transparent proxy, i.e. the receiving service sees the original client's IP address. -This works on Linux only and involves B settings. -Refer to the README for more information. +This works on Linux only and involves B settings. +In some cases also B settings are needed. +Refer to the README or L +for more information. =item B<-p> I, B<--listen> I @@ -123,10 +125,11 @@ Note that you can set B to listen on I and B to listen on I: this allows clients inside your network to just connect directly to B. -Also, B probes for SSLv3 (or TLSv1) handshake and will +Also, B probes for TLS handshakes and will reject connections from clients requesting SSLv2. This is -compliant with RFC6176 which prohibits the usage of SSLv2. If -you wish to accept SSLv2, use B<--anyprot> instead. +compliant with RFC6176 which prohibits the usage of SSLv2. +If you wish to accept SSLv2, use B<--anyprot> instead. + =item B<--ssh> I @@ -234,8 +237,8 @@ detailed explanation of the variables used by B. =head1 SEE ALSO The latest version is available from -L, and can be tracked -from L. +L. There you can find a more +detailed and recent documentation. =head1 AUTHOR
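Review bot: The open() test in the context line right after the reworded comment is wrong in both directions: `open()` returns -1 on failure, which is truthy, so a failed open proceeds to `dup2(-1, ...)` and the standard descriptors silently keep their original targets after the detach, while a legitimate return of 0 (possible when stdin was already closed) is treated as failure and the whole block is skipped; the check should be `if ((newfd = open("/dev/null", O_RDWR)) >= 0) {`. The rewritten comment itself still has a slip: `grab the those handles.` should read `grab those handles.`. main() continues outside the hunk, so whether newfd is closed after the dup2 calls is not visible here; if it is greater than 2 it should be.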