yrutschle / sslh

Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)
https://www.rutschle.net/tech/sslh/README.html
GNU General Public License v2.0

[Question] sslh running in host mode blocks apt update #413

Closed scmanjarrez closed 10 months ago

scmanjarrez commented 1 year ago

Hi, first of all, thanks for your program, it's an amazing tool!! I'd like to ask if it is normal that running sslh under docker compose (network_mode: host) blocks the traffic from apt. When sslh is enabled, apt update gets stuck in:

Err:1 https://download.docker.com/linux/debian bullseye InRelease
  Could not wait for server fd - select (11: Resource temporarily unavailable) [IP: 18.67.240.19 443]
Err:2 http://security.debian.org/debian-security bullseye-security InRelease
  Connection failed [IP: 151.101.134.132 80]
Err:3 http://deb.debian.org/debian bullseye InRelease
  Connection failed [IP: 151.101.134.132 80]
Err:4 http://archive.raspberrypi.org/debian bullseye InRelease
  Connection failed [IP: 93.93.135.117 80]
0% [Waiting for headers]^C
yrutschle commented 10 months ago

What is your architecture? sslh is supposed to be on the server side, treating incoming connections; apt is a client that performs outgoing connections; unless you configured apt to go through a proxy that uses sslh, I don't see how sslh would be on apt's path?

scmanjarrez commented 10 months ago

Hi, thanks for your response. I'm running sslh in my raspberry (aarch64), which I use as a server for a bunch of services (http server, openvpn, etc).

This is my sslh configuration:

version: "3"

services:
  sslh:
    build: https://github.com/yrutschle/sslh.git
    container_name: sslh
    environment:
      - TZ=Europe/Madrid   # in list form the quotes would become part of the value
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - NET_BIND_SERVICE
    # must be set manually
    #sysctls:
    #  - net.ipv4.conf.default.route_localnet=1
    #  - net.ipv4.conf.all.route_localnet=1
    command: --transparent --foreground --listen=0.0.0.0:443 --tls=localhost:8443 --openvpn=localhost:4443
    network_mode: host
    restart: always

If the sslh container is up, I'm not able to run apt, it just freezes until timeout.

❯ uname -a
Linux pi4 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr  3 17:24:16 BST 2023 aarch64 GNU/Linux
❯ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye
❯ docker compose up -d
[+] Running 1/0
 ✔ Container sslh  Running  0.0s
❯ sudo apt update
Err:1 https://download.docker.com/linux/debian bullseye InRelease
  Could not wait for server fd - select (11: Resource temporarily unavailable) [IP: 3.160.231.103 443]
Err:2 http://deb.debian.org/debian bullseye InRelease
  Connection failed [IP: 151.101.134.132 80]
Err:3 http://security.debian.org/debian-security bullseye-security InRelease
  Connection failed [IP: 151.101.134.132 80]
Err:4 http://archive.raspberrypi.org/debian bullseye InRelease
  Connection failed [IP: 93.93.135.117 80]
0% [Waiting for headers]^C
❯ docker compose down
[+] Running 1/1
 ✔ Container sslh  Removed  0.4s
❯ sudo apt update
Hit:1 http://deb.debian.org/debian bullseye InRelease
Get:2 http://security.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:4 http://archive.raspberrypi.org/debian bullseye InRelease [23.6 kB]
Get:5 https://download.docker.com/linux/debian bullseye InRelease [43.3 kB]
Get:6 http://security.debian.org/debian-security bullseye-security/main Sources [165 kB]
Get:7 http://security.debian.org/debian-security bullseye-security/main arm64 Packages [260 kB]
Get:8 http://security.debian.org/debian-security bullseye-security/main armhf Packages [261 kB]
Get:9 http://archive.raspberrypi.org/debian bullseye/main armhf Packages [313 kB]
Get:10 http://archive.raspberrypi.org/debian bullseye/main arm64 Packages [307 kB]
Fetched 1,465 kB in 2s (740 kB/s)
^Cading package lists... 9%
  ~/sslh  INT ✘  4s
❯
yrutschle commented 10 months ago

Maybe try without --transparent and especially the iptables rules that go with it? (Maybe it interferes with unexpected traffic?)

On 5 Jan 2024 14:09:40, Sergio C wrote:

[previous comment quoted in full]

scmanjarrez commented 10 months ago

That did the trick! Why was that happening? I found "transparent" in the examples when used with host network_mode.
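
The maintainer's suggestion above points at the netfilter and policy-routing rules that --transparent needs. The script below is an added example for this page, not sslh's own code and not posted by either participant: it inspects dumps of iptables-save, ip rule and the fwmark routing table for that plumbing, so you can confirm whether it is present in the host network namespace while the container is up. The sample dumps are constructed and modelled on the iptables variant in sslh's documentation; the exact rules installed on a given host, and how this particular container set them up, are not shown in the thread.

```shell
#!/bin/sh
# Added example (not sslh's code, not from the thread): a read-only check for
# the kind of netfilter / policy-routing plumbing that sslh's --transparent
# mode relies on. With docker's network_mode: host the container shares the
# host's network namespace, so such rules land in the host's tables and are
# evaluated for every process on the host, not only for sslh's connections.
# Three indicators are looked for:
#   1. OUTPUT rules (host-originated traffic) that set or restore a mark
#   2. an "ip rule" entry that selects a routing table by fwmark
#   3. a catch-all "local" route in that table
# All three together mean marked outgoing packets are delivered back to the
# local stack instead of leaving the machine.

# Constructed sample dumps, modelled on the rules sslh documents for its
# iptables transparent-proxy setup. On a live host replace them with the
# output of:  iptables-save -t mangle -t nat ; ip rule show ; ip route show table <N>
SAMPLE_IPTABLES='*mangle
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT ! -o lo -p tcp -m connmark --mark 0x1/0xf -j CONNMARK --restore-mark --nfmask 0xf --ctmask 0xf
-A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m owner --uid-owner 1000 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x1/0xf
COMMIT'
SAMPLE_IP_RULE='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_TABLE_100='local default dev lo scope host'

# A host without the plumbing, for comparison (also constructed).
CLEAN_IPTABLES='*mangle
:OUTPUT ACCEPT [0:0]
COMMIT'
CLEAN_IP_RULE='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default'
CLEAN_TABLE_100=''

# 1. OUTPUT rules in any table whose target marks the packet or connection.
#    grep -c prints 0 and exits 1 when nothing matches; "|| true" keeps the 0.
count_marking_output_rules() {
    printf '%s\n' "$1" | grep -c -E '^-A OUTPUT .* -j (MARK|CONNMARK|TPROXY)( |$)' || true
}

# 2. Policy-routing rules that pick a table by firewall mark.
count_fwmark_rules() {
    printf '%s\n' "$1" | grep -c -E '(^| )fwmark ' || true
}

# 3. Catch-all local routes ("local default" or "local 0.0.0.0/0").
count_local_catchall_routes() {
    printf '%s\n' "$1" | grep -c -E '^local (default|0\.0\.0\.0/0)( |$)' || true
}

# Exit 0 when all three indicators are present, 1 otherwise.
transparent_plumbing_present() {
    [ "$(count_marking_output_rules "$1")" -gt 0 ] &&
    [ "$(count_fwmark_rules "$2")" -gt 0 ] &&
    [ "$(count_local_catchall_routes "$3")" -gt 0 ]
}

# Human-readable report for stand-alone use.
report() {
    printf 'marking OUTPUT rules  : %s\n' "$(count_marking_output_rules "$1")"
    printf 'fwmark ip rules       : %s\n' "$(count_fwmark_rules "$2")"
    printf 'local catch-all routes: %s\n' "$(count_local_catchall_routes "$3")"
    if transparent_plumbing_present "$1" "$2" "$3"; then
        echo 'verdict: transparent-mode plumbing is active in this network namespace'
    else
        echo 'verdict: no transparent-mode plumbing found'
    fi
}

report "$SAMPLE_IPTABLES" "$SAMPLE_IP_RULE" "$SAMPLE_TABLE_100"
echo
report "$CLEAN_IPTABLES" "$CLEAN_IP_RULE" "$CLEAN_TABLE_100"
```

Run it on the host, not inside the container, with the container up and again after docker compose down; the table number to dump is whatever the fwmark rule names. Because network_mode: host gives the container no namespace of its own, a positive result means every process on the host, apt included, has its outgoing packets evaluated against those rules. Dropping --transparent, as the thread ends up doing, removes the need for any of this plumbing.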