yrutschle / sslh

Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)
https://www.rutschle.net/tech/sslh/README.html
GNU General Public License v2.0

sni_hostname matching multiple times for same endpoint #432

Closed Karbust closed 8 months ago

Karbust commented 8 months ago

Hello,

I'm having issues with connecting to an endpoint that sslh is configured to use.

It seems that it matches the same endpoint with multiple rules for some reason, making the application that matches teamcity load, while the plex endpoint only matches the correct line. If I swap the lines, then it reverses: plex starts matching both lines and teamcity only matches the correct one.

Output when I try to access teamcity.example.com:

matching [teamcity.example.com] with [plex.example.com]
matching [teamcity.example.com] with [teamcity.example.com]

My config:

foreground: true;
inetd: false;
numeric: false;
transparent: false;
timeout: 2;

verbose-fd: 0;
verbose-packets: 0;

listen:
(
    { host: "0.0.0.0"; port: "80"; },
    { host: "0.0.0.0"; port: "443"; }
);

protocols:
(
    { name: "openvpn"; service: "tcp"; host: "192.168.1.150"; port: "1194"; },
    { name: "tls"; service: "tcp"; host: "plex.ix-plex.svc.cluster.local"; port: "32400"; sni_hostnames: [ "plex.example.com" ]; log_level: 0; tfo_ok: true; },
    { name: "tls"; service: "tcp"; host: "192.168.1.161"; port: "6942"; sni_hostnames: [ "teamcity.example.com" ]; log_level: 0; tfo_ok: true; },
    { name: "tls"; service: "tcp"; host: "192.168.1.150"; port: "443"; },
    { name: "http"; service: "tcp"; host: "192.168.1.150"; port: "80"; }
);

I'm running sslh as a Docker application on TrueNAS SCALE. The application is using a static IP. The container is running in privileged mode with CAP_NET_BIND_SERVICE and CAP_NET_RAW.

yrutschle commented 8 months ago

I am not sure what your issue is. The logs:

matching [teamcity.example.com] with [plex.example.com]
matching [teamcity.example.com] with [teamcity.example.com]

means: "an incoming connection wants to connect to teamcity.example.com. Is this the same as plex.example.com? No, I'll move to the next one. Is teamcity.example.com the same as teamcity.example.com? Yes. I'll connect there then". And I'd expect it connects to host: "192.168.1.161"; port: "6942".

You need to add what you're trying to do, what you're expecting, what you're getting, and why what you're getting is not what you're expecting (although that part should be obvious).
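To make the probe order above concrete, here is an added simulation (not sslh's own code, and not posted by either participant) that mirrors the posted protocols list. It builds a TLS ClientHello carrying an SNI, extracts the server name, then walks the rules in config order the way the maintainer describes: one "matching [a] with [b]" line per candidate hostname tried, first match wins, and a tls rule without sni_hostnames acts as a catch-all for any TLS connection. Assumptions: only the tls probe is modelled (openvpn and http rules are skipped), SNI comparison is an exact string match, and the ClientHello fields are constructed with zeroed random bytes and a single cipher suite.

```python
"""Simulation of sslh's first-match probe order for TLS SNI rules.

Added example, not sslh's own code. It mirrors the protocols list posted
in this issue to show that a "matching [a] with [b]" line is logged for
every rule tried, and that only the first matching rule picks the backend.
"""
import struct
from typing import Optional

# Constructed mirror of the posted 'protocols' list (only the fields used here).
PROTOCOLS = [
    {"name": "openvpn", "host": "192.168.1.150", "port": "1194"},
    {"name": "tls", "host": "plex.ix-plex.svc.cluster.local", "port": "32400",
     "sni_hostnames": ["plex.example.com"]},
    {"name": "tls", "host": "192.168.1.161", "port": "6942",
     "sni_hostnames": ["teamcity.example.com"]},
    {"name": "tls", "host": "192.168.1.150", "port": "443"},   # catch-all TLS rule
    {"name": "http", "host": "192.168.1.150", "port": "80"},
]


def build_client_hello(sni: str) -> bytes:
    """Constructed TLS 1.2 ClientHello with a single server_name extension."""
    host = sni.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0, host
    sni_ext = (struct.pack("!HH", 0x0000, len(server_name) + 2)
               + struct.pack("!H", len(server_name)) + server_name)
    body = (b"\x03\x03" + bytes(32)                 # version, random (zeroed: constructed)
            + b"\x00"                               # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
            + b"\x01\x00"                           # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(data: bytes) -> Optional[str]:
    """Return the server_name from a ClientHello, or None if absent or not TLS."""
    if len(data) < 6 or data[0] != 0x16 or data[5] != 0x01:
        return None
    pos = 5 + 4 + 2 + 32                       # handshake header, version, random
    pos += 1 + data[pos]                       # session id
    cs_len = struct.unpack_from("!H", data, pos)[0]
    pos += 2 + cs_len                          # cipher suites
    pos += 1 + data[pos]                       # compression methods
    ext_end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack_from("!HH", data, pos)
        pos += 4
        if etype == 0x0000:
            # server_name_list: 2-byte list length, then name_type(1) len(2) name
            name_len = struct.unpack_from("!H", data, pos + 3)[0]
            return data[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return None


def select_backend(data: bytes, protocols=PROTOCOLS):
    """Walk the rules in order and return (backend, log_lines).

    A tls rule with sni_hostnames matches when the SNI is in its list; a tls
    rule without sni_hostnames matches any TLS ClientHello. First match wins.
    """
    sni = parse_sni(data)
    log = []
    for rule in protocols:
        if rule["name"] != "tls" or sni is None:
            continue                           # non-TLS probes are not modelled
        if "sni_hostnames" not in rule:
            return f'{rule["host"]}:{rule["port"]}', log
        for candidate in rule["sni_hostnames"]:
            log.append(f"matching [{sni}] with [{candidate}]")
            if candidate == sni:
                return f'{rule["host"]}:{rule["port"]}', log
    return None, log


def shadowed_by_catch_all() -> Optional[str]:
    """Same rules, but the catch-all tls entry moved ahead of the SNI rules."""
    reordered = [PROTOCOLS[0], PROTOCOLS[3], PROTOCOLS[1], PROTOCOLS[2], PROTOCOLS[4]]
    backend, _ = select_backend(build_client_hello("teamcity.example.com"), reordered)
    return backend


if __name__ == "__main__":
    backend, log = select_backend(build_client_hello("teamcity.example.com"))
    print("\n".join(log))
    print("->", backend)
    print("catch-all first ->", shadowed_by_catch_all())
```

With the posted order, an SNI of teamcity.example.com produces exactly the two log lines quoted in the issue and lands on 192.168.1.161:6942; an SNI that matches none of the lists falls through to the catch-all 192.168.1.150:443. The shadowed_by_catch_all() check shows why the position of that catch-all matters: placed before the SNI-specific rules, it would silently route every TLS connection, teamcity included, to 192.168.1.150:443, and the SNI rules would never be consulted.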

Karbust commented 8 months ago

I’m sorry, I thought it only logged the lines when it matched, not when it tried to match them.

Thank you for the information.