yrutschle / sslh

Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)
https://www.rutschle.net/tech/sslh/README.html
GNU General Public License v2.0

HTTP3 - QUIC connection could not be established #466

Open stanthewizzard opened 3 months ago

stanthewizzard commented 3 months ago

Hello

I have an issue with sslh.

With these settings:

pidfile:"/var/run/sslh.pid";
user: "nobody";

verbose:0;
numeric:false;
on_timeout:"tls";
listen:
(
    { host: "0.0.0.0"; is_udp: true; port: "443" },
    { host: "0.0.0.0"; port: "443" }
);

protocols:
(
     { name: "openvpn";                 host: "0.0.0.0"; port: "1194"; },
     { name: "tls";                     host: "192.168.0.30"; is_udp: true; port: "443"; regex_patterns: [  "\x51\x30\x35\x30" ]; },
     { name: "tls";                     host: "192.168.0.30"; port: "443"; },
);

Using https://http3check.net/

I got QUIC connection could not be established

HTTP/1.1 200 OK
Alt-Svc: h3=":443"; ma=2592000
Content-Encoding: gzip
Content-Security-Policy: default-src 'self'; frame-src 'none'; object-src 'none'; style-src 'self' 'nonce-DeFXWWkg7pcGQhdd781ggpOuXU6at7qP'; frame-ancestors 'none'; base-uri 'self'
Content-Type: text/html; charset=utf-8
Date: Wed, 07 Aug 2024 09:23:37 GMT
Permissions-Policy: accelerometer=(), autoplay=(), camera=(), display-capture=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), sync-xhr=(), xr-spatial-tracking=(), interest-cohort=()
Referrer-Policy: no-referrer;
Strict-Transport-Security: max-age=31536000;
Vary: Accept-Encoding
X-Content-Type-Options: nosniff;
X-Dns-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN;
X-Robots-Tag: none;
X-Xss-Protection: 1; mode=block;
Content-Length: 557

Thanks for help

yrutschle commented 3 months ago

I don't know QUIC and the RFCs are too long for me to delve into right now, but it does not look like QUIC is simply "TLS over UDP", so the TLS probe would not work.

That said, if you're not sharing UDP 443 with another protocol, why not simply have your web server listen on UDP 443, while sslh listens on TCP 443?

stanthewizzard commented 3 months ago

Good idea!

EDIT:
On the FW (OPNsense), IP UDP directly to Caddy... HTTP3 is OK! IP TCP to sslh... also working. Very clever, and I didn't have the idea. THANK YOU!!!!

JoshuaPettus commented 1 month ago

I'll do that myself, but if you ever do come up with a specific probe, that would be better.

stanthewizzard commented 1 month ago

You do that yourself?

JoshuaPettus commented 1 month ago

Lol, apologies, it was late when I saw this and responded. I meant to say yrutschle's solution does indeed work for the time being, but of course it means I can't leverage UDP for coturn or something else as well.
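Added example, not sslh code and not anything either participant posted: a minimal QUIC probe of the kind yrutschle says the TLS probe cannot be, and JoshuaPettus asked for. It illustrates why the configuration above fails to classify HTTP/3: a TLS ClientHello record starts with 0x16 0x03, while an IETF QUIC v1 client Initial (RFC 9000) starts with a long-header byte whose two high bits are set, followed by the 32-bit version 0x00000001 (0x6b3343cf for v2, RFC 9369). The regex `\x51\x30\x35\x30` in the posted config is the ASCII string "Q050", a Google QUIC version label, so it does not match the IETF QUIC that browsers use for `h3`. The function names, the sample DCID bytes and the sample TLS record below are assumptions constructed for this example; the header-layout checks follow the RFCs.

```c
/* Added example (not sslh code): tell a QUIC client Initial apart from a TLS
 * record on the first datagram. Wire-layout facts: RFC 9000 (QUIC v1),
 * RFC 9369 (QUIC v2), RFC 8446 (TLS 1.3 record header). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QUIC_V1              0x00000001u
#define QUIC_V2              0x6b3343cfu
#define QUIC_MIN_INITIAL     1200  /* client Initial datagram floor, RFC 9000 s14.1 */
#define QUIC_MAX_CID         20    /* connection ID length cap, RFC 9000 s17.2 */
#define QUIC_MIN_CLIENT_DCID 8     /* first client Initial DCID, RFC 9000 s7.2 */

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* 1 if buf is a QUIC v1/v2 client Initial packet. Only the cleartext long
 * header is inspected; header protection masks the low 4 bits of byte 0, so
 * the packet-number bits are deliberately ignored. */
int is_quic_client_initial(const unsigned char *buf, size_t len)
{
    if (len < QUIC_MIN_INITIAL) return 0;            /* shorter than any client Initial */
    if ((buf[0] & 0xc0) != 0xc0) return 0;           /* long header (0x80) + fixed bit (0x40) */
    uint32_t version = be32(buf + 1);
    unsigned type = (buf[0] >> 4) & 0x03;            /* long packet type bits */
    if (version == QUIC_V1) { if (type != 0x0) return 0; }      /* v1 Initial = 0b00 */
    else if (version == QUIC_V2) { if (type != 0x1) return 0; } /* v2 Initial = 0b01 */
    else return 0;            /* version 0 (negotiation), drafts, gQUIC "Q0xx": not matched */
    size_t dcid_len = buf[5];
    if (dcid_len < QUIC_MIN_CLIENT_DCID || dcid_len > QUIC_MAX_CID) return 0;
    size_t off = 6 + dcid_len;                       /* SCID length byte */
    if (off >= len) return 0;
    size_t scid_len = buf[off];
    if (scid_len > QUIC_MAX_CID) return 0;
    off += 1 + scid_len;                             /* token length varint follows */
    return off < len;
}

/* Simplified TLS check (not sslh's own probe): a TLS record of content type
 * handshake (0x16), major version 3, whose first handshake message is a
 * ClientHello (0x01). Never true for QUIC, whose byte 0 has the high bit set. */
int is_tls_client_hello(const unsigned char *buf, size_t len)
{
    return len >= 6 && buf[0] == 0x16 && buf[1] == 0x03 && buf[2] <= 0x03 && buf[5] == 0x01;
}

const char *classify_first_packet(const unsigned char *buf, size_t len)
{
    if (is_quic_client_initial(buf, len)) return "quic";
    if (is_tls_client_hello(buf, len)) return "tls";
    return "unknown";
}

/* Constructed sample: the long header of a client Initial for the given
 * version, with an 8-byte DCID, empty SCID and empty token, zero-padded to
 * 1200 bytes. Returns the datagram length, or 0 if cap is too small. */
size_t build_sample_quic_initial(unsigned char *out, size_t cap, uint32_t version)
{
    static const unsigned char dcid[8] = {0xde,0xad,0xbe,0xef,0x01,0x02,0x03,0x04};
    if (cap < QUIC_MIN_INITIAL) return 0;
    memset(out, 0, QUIC_MIN_INITIAL);                /* PADDING frames are zero bytes */
    out[0] = (unsigned char)(version == QUIC_V2 ? 0xd0 : 0xc0);
    out[1] = (unsigned char)(version >> 24); out[2] = (unsigned char)(version >> 16);
    out[3] = (unsigned char)(version >> 8);  out[4] = (unsigned char)version;
    out[5] = sizeof dcid;
    memcpy(out + 6, dcid, sizeof dcid);
    out[14] = 0;                                     /* SCID length */
    out[15] = 0;                                     /* token length (varint 0) */
    return QUIC_MIN_INITIAL;
}

/* Constructed sample: the first bytes of a TLS ClientHello record. */
const unsigned char SAMPLE_TLS_HELLO[] = {0x16,0x03,0x01,0x00,0x05,0x01,0x00,0x00,0x01,0x00};

unsigned char g_dgram[1500];                         /* scratch datagram buffer */

int main(void)
{
    size_t n = build_sample_quic_initial(g_dgram, sizeof g_dgram, QUIC_V1);
    printf("QUIC v1 Initial  -> %s\n", classify_first_packet(g_dgram, n));
    n = build_sample_quic_initial(g_dgram, sizeof g_dgram, QUIC_V2);
    printf("QUIC v2 Initial  -> %s\n", classify_first_packet(g_dgram, n));
    printf("TLS ClientHello  -> %s\n",
           classify_first_packet(SAMPLE_TLS_HELLO, sizeof SAMPLE_TLS_HELLO));
    memset(g_dgram, 0, sizeof g_dgram);
    printf("1200 zero bytes  -> %s\n", classify_first_packet(g_dgram, 1200));
    return 0;
}
```

Two caveats for anyone turning this into a real multiplexer probe. First, only the client's Initial carries a version: every later packet of the connection uses a short header with no version field, so the decision has to be pinned per source address and port after the first datagram, which is why a stateless per-packet match is not enough. Second, the probe above deliberately rejects version 0 (Version Negotiation), draft versions and Google "Q0xx" QUIC; an `h3` web server behind the proxy only needs v1 and v2, and narrowing the match keeps unrelated UDP traffic from being misrouted to it.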