SSLH: Let HTTPS and SSH Share the Same Port


Some ISPs and companies block most ports and allow only a few specific ones (such as ports 80 and 443) in order to tighten their security. In that situation there is little choice, but a single port can be shared by more than one program, and the HTTPS port 443 is rarely blocked. With the help of SSLH, an SSL/SSH multiplexer, incoming connections on port 443 can be accepted and handed to the right service. Put more simply, SSLH lets us run several programs/services behind port 443 on a Linux system, so you can use both SSL and SSH over the same port at the same time. If you find yourself in a situation where most ports are blocked by a firewall, you can use SSLH to reach a remote server. This short tutorial describes how to use SSLH on Unix-like operating systems to let https and ssh share the same port.
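How a multiplexer such as SSLH tells the two protocols apart is worth seeing once: an SSH client opens with a textual "SSH-" banner, while a TLS client opens with a binary ClientHello record. The following is an added example, not part of the article and not sslh's own code; it is a toy version of that probe. The backend addresses mirror the --ssh and --ssl values used later in this article, the sample bytes are constructed, and the rule of treating a silent client as SSH once the probe times out reflects the behaviour sslh exposes through its --on-timeout option (whose default is ssh); the "drop" policy for unrecognised data is this toy's own.

```python
# Added example, not part of the article and not sslh's own code: a toy
# version of the protocol probe a multiplexer runs on the first bytes a
# client sends to port 443.  Backend addresses mirror the DAEMON_OPTS
# line used in this article; the sample bytes below are constructed.

SSH_BANNER_PREFIX = b"SSH-"   # RFC 4253: an SSH client opens with "SSH-2.0-..."
TLS_RECORD_HANDSHAKE = 0x16   # TLS record content type: Handshake
TLS_MSG_CLIENT_HELLO = 0x01   # Handshake message type: ClientHello
TLS_PREFIX = bytes([TLS_RECORD_HANDSHAKE, 0x03])  # record type + major version

# Where each protocol is forwarded (the article's --ssh / --ssl options).
BACKENDS = {
    "ssh": ("127.0.0.1", 22),
    "ssl": ("127.0.0.1", 443),
}


def probe(first_bytes: bytes) -> str:
    """Classify a client's opening bytes.

    Returns "ssh", "ssl", "partial" (a valid prefix of a known protocol, so
    read more before deciding) or "unknown" (matches neither protocol).
    """
    if first_bytes.startswith(SSH_BANNER_PREFIX):
        return "ssh"
    if len(first_bytes) >= 6:
        # TLS record header: type(1) version(2) length(2), then handshake type(1).
        if first_bytes[:2] == TLS_PREFIX and first_bytes[5] == TLS_MSG_CLIENT_HELLO:
            return "ssl"
        return "unknown"
    # Fewer than 6 bytes so far: could this still become SSH or TLS?
    if SSH_BANNER_PREFIX.startswith(first_bytes) or TLS_PREFIX.startswith(first_bytes[:2]):
        return "partial"
    return "unknown"


def route(first_bytes: bytes, timed_out: bool = False):
    """Decide what to do with a connection.

    Returns ("forward", (host, port)), ("wait", None) to read more data,
    or ("drop", None).  A client that has sent nothing by the probe timeout
    is treated as SSH: some SSH clients wait for the server banner before
    speaking, whereas a TLS client always sends its ClientHello first.
    """
    verdict = probe(first_bytes)
    if verdict in BACKENDS:
        return ("forward", BACKENDS[verdict])
    if verdict == "partial":
        if timed_out:
            return ("forward", BACKENDS["ssh"])
        return ("wait", None)
    # Neither backend wants this (e.g. plain HTTP sent to 443).  A real
    # multiplexer may hand it to a catch-all protocol; this toy drops it.
    return ("drop", None)


# Constructed samples: an SSH banner, the first bytes of a TLS ClientHello
# (record header 16 03 01 <len>, handshake type 01; truncated), plain HTTP.
SAMPLE_SSH = b"SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3\r\n"
SAMPLE_TLS = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example\r\n"

if __name__ == "__main__":
    for name, data in (("ssh", SAMPLE_SSH), ("tls", SAMPLE_TLS), ("http", SAMPLE_HTTP)):
        print(name, route(data))
    print("silent client, timed out:", route(b"", timed_out=True))
```

The point for a defender is that the decision is made on the first bytes of the client's data only: nothing in the TLS or SSH handshake is modified, so the web server still terminates TLS and sshd still authenticates the user exactly as before, and the multiplexer itself never sees plaintext.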

[Image: SSLH lets HTTPS and SSH share a port]

Install SSLH

SSLH is packaged for most Linux distributions, so you can install it with the default package manager.

On Debian, Ubuntu and their derivatives, run:

    $ sudo apt-get install sslh

When installing SSLH you will be asked whether sslh should run as a service spawned from inetd or as a standalone server. Each choice has its own advantages. If there are only a few connections per day, it is better to run sslh from inetd to save resources. On the other hand, if there are many connections, sslh should run as a standalone server to avoid forking a new process for every incoming connection.

[Image: installing sslh]

On Arch Linux and derivatives such as Antergos and Manjaro Linux, install it with Pacman as follows:

    $ sudo pacman -S sslh

On RHEL and CentOS you need to add the EPEL repository first and then install SSLH, as shown below:

    $ sudo yum install epel-release
    $ sudo yum install sslh

On Fedora:

    $ sudo dnf install sslh

If it is not available in the default repositories, you can compile and install SSLH manually as described here.

Configure the Apache or Nginx web server

As you know, the Apache and Nginx web servers listen on all network interfaces by default (i.e. 0.0.0.0:443). We need to change this so that the web server listens only on the localhost interface (i.e. 127.0.0.1:443 or localhost:443).

To do so, edit the web server (nginx or apache) configuration file and find the following line:

    listen 443 ssl;

Change it to:

    listen 127.0.0.1:443 ssl;

If you use virtual hosts in Apache, make sure you change those as well.

    <VirtualHost 127.0.0.1:443>

Save and close the configuration file. Do not restart the service yet; we are not done.

Configure SSLH

After making the web server listen only on the local interface, edit the SSLH configuration file:

    $ sudo vi /etc/default/sslh

Find the following line:

    Run=no

Change it to:

    Run=yes

Then scroll down a little and change the following line so that SSLH listens on port 443 on all available interfaces (i.e. 0.0.0.0:443).

    DAEMON_OPTS="--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"

Here,

  • --user sslh: run sslh under this specific user account.
  • --listen 0.0.0.0:443: SSLH listens on port 443 of all available interfaces.
  • --ssh 127.0.0.1:22: route SSH traffic to local port 22.
  • --ssl 127.0.0.1:443: route HTTPS/SSL traffic to local port 443.
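Before starting the service it is worth sanity-checking the option string, since the mistakes that bite here are simple ones: forgetting --user (sslh would keep running as root), pointing a backend at a wildcard address, or pointing a backend at sslh's own listening socket, which makes sslh connect to itself. The following is an added example, not part of the article and not sslh's own code: a small parser for the DAEMON_OPTS line with those checks. The option names are sslh's, DAEMON_OPTS is the value used in this article, and the checks themselves are this script's own.

```python
# Added example, not part of the article and not sslh's own code: parse
# the DAEMON_OPTS line from /etc/default/sslh and report the mistakes
# that matter most for the setup described in this article.
import shlex
from typing import Dict, List, Tuple

# The value used in the article.
DAEMON_OPTS = ('--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 '
               '--ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid')

WILDCARDS = {"", "0.0.0.0", "::"}


def parse_opts(opts: str) -> Dict[str, List[str]]:
    """Turn "--flag value --flag2 ..." into {flag: [values]}.

    A flag may repeat (sslh accepts several --listen addresses) and a bare
    flag with no value is recorded as "".
    """
    tokens = shlex.split(opts)
    parsed: Dict[str, List[str]] = {}
    i = 0
    while i < len(tokens):
        if not tokens[i].startswith("--"):
            raise ValueError(f"unexpected token {tokens[i]!r}")
        flag = tokens[i][2:]
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
            parsed.setdefault(flag, []).append(tokens[i + 1])
            i += 2
        else:
            parsed.setdefault(flag, []).append("")
            i += 1
    return parsed


def split_hostport(value: str) -> Tuple[str, int]:
    """'127.0.0.1:443' -> ('127.0.0.1', 443); '[::1]:22' -> ('::1', 22)."""
    host, _, port = value.rpartition(":")
    return host.strip("[]"), int(port)


def check_opts(opts: str) -> List[str]:
    """Return a list of problems; an empty list means the options look sane."""
    problems: List[str] = []
    parsed = parse_opts(opts)

    user = parsed.get("user", [""])[0]
    if user in ("", "root"):
        problems.append("--user: sslh should drop privileges to a dedicated unprivileged user")

    listens = [split_hostport(v) for v in parsed.get("listen", [])]
    if not listens:
        problems.append("--listen: no listening address given")

    for proto in ("ssh", "ssl"):
        for value in parsed.get(proto, []):
            host, port = split_hostport(value)
            if host in WILDCARDS:
                problems.append(f"--{proto} {value}: backend must be a specific address, not a wildcard")
            if (host, port) in listens:
                problems.append(f"--{proto} {value}: backend is sslh's own listening address (connection loop)")
    return problems


if __name__ == "__main__":
    for line in check_opts(DAEMON_OPTS) or ["no problems found"]:
        print(line)
```

Note that --listen 0.0.0.0:443 together with --ssl 127.0.0.1:443 is not a conflict: the kernel delivers a connection to the most specific bound socket, so traffic arriving on the public address reaches sslh while sslh's own connections to 127.0.0.1:443 reach the web server. That is exactly why the web server had to be moved to 127.0.0.1:443 first; if it still held 0.0.0.0:443, sslh could not bind at all.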

Save and close the file.

Finally, enable and start the sslh service to apply the changes.

    $ sudo systemctl enable sslh
    $ sudo systemctl start sslh

Testing

Check whether the SSLH daemon is running and listening on port 443.

    $ ps -ef | grep sslh
    sslh 2746 1 0 15:51 ? 00:00:00 /usr/sbin/sslh --foreground --user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid
    sslh 2747 2746 0 15:51 ? 00:00:00 /usr/sbin/sslh --foreground --user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid
    sk 2754 1432 0 15:51 pts/0 00:00:00 grep --color=auto sslh

Now you can SSH into the remote server over port 443:

    $ ssh -p 443 [email protected]

Sample output:

    [email protected]'s password:
    Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-55-generic x86_64)

    * Documentation: https://help.ubuntu.com
    * Management: https://landscape.canonical.com
    * Support: https://ubuntu.com/advantage

    System information as of Wed Aug 14 13:11:04 IST 2019

    System load: 0.23 Processes: 101
    Usage of /: 53.5% of 19.56GB Users logged in: 0
    Memory usage: 9% IP address for enp0s3: 192.168.225.50
    Swap usage: 0% IP address for enp0s8: 192.168.225.51

    * Keen to learn Istio? It's included in the single-package MicroK8s.

    https://snapcraft.io/microk8s

    61 packages can be updated.
    22 updates are security updates.


    Last login: Wed Aug 14 13:10:33 2019 from 127.0.0.1

[Image: accessing a remote system over SSH on port 443]

See? Even though the default SSH port 22 is blocked, I can now reach the remote server over SSH. As you can see in the example above, I used the https port 443 for the SSH connection.

I tested SSLH on my Ubuntu 18.04 LTS server and it works fine as described above. I tested SSLH in a protected LAN, so I do not know whether there are any security issues. If you use it in production, let us know the pros and cons of using SSLH in the comments section below.
