[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-6561":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":25,"hasPages":23,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":27,"readmeContent":28,"aiSummary":29,"trendingCount":16,"starSnapshotCount":16,"syncStatus":18,"lastSyncTime":30,"discoverSource":31},6561,"sslh","yrutschle\u002Fsslh","yrutschle","Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)","https:\u002F\u002Fwww.rutschle.net\u002Ftech\u002Fsslh\u002FREADME.html",null,"C",5080,396,92,41,0,1,2,15,3,38.8,"GNU General Public License v2.0",false,"master",true,[],"2026-06-12 02:01:26","sslh -- A ssl\u002Fssh multiplexer\n=============================\n\n`sslh` accepts connections on specified ports, and forwards\nthem further based on tests performed on the first data\npacket sent by the remote client.\n\nProbes for HTTP, TLS\u002FSSL (including SNI and ALPN), SSH,\nOpenVPN, tinc, XMPP, SOCKS5, are implemented, and any other\nprotocol that can be tested using a regular expression, can\nbe recognised. A typical use case is to allow serving\nseveral services on port 443 (e.g. to connect to SSH from\ninside a corporate firewall, which almost never block port\n443) while still serving HTTPS on that port.\n\nHence `sslh` acts as a protocol demultiplexer, or a\nswitchboard. 
With the SNI and ALPN probe, it makes a good\nfront-end to a virtual host farm hosted behind a single IP\naddress.\n\n`sslh` has the bells and whistles expected from a mature\ndaemon: privilege and capabilities dropping, inetd support,\nsystemd support, transparent proxying, support for HAProxy's\nproxyprotocol, chroot, logging, IPv4 and IPv6, TCP and UDP,\na fork-based model, a select-based model, and yet another\nbased on libev for larger installations.\n\nInstall\n=======\n\nPlease refer to the [install guide](doc\u002FINSTALL.md).\n\nSecurity\n========\n\nMatthias Gerstner from OpenSUSE has performed a code review\nof `sslh` from a security point of view, which revealed a\nnumber of problems, including two CVEs. His findings have\nalready been taken partly into account for the more critical\nones. The [full\nreview](https:\u002F\u002Fsecurity.opensuse.org\u002F2025\u002F06\u002F13\u002Fsslh-denial-of-service-vulnerabilities.html)\nis well worth reading if you are using `sslh` in production.\n\nPart of securing your installation involves configuring\nconnection limits. This is described in [this\nguide](doc\u002Fmax_connections.md).\n\nConfiguration\n=============\n\nPlease refer to the [configuration guide](doc\u002Fconfig.md).\n\nTransparent proxying\n--------------------\n\nTransparent proxying allows the target server to see the\noriginal client IP address, i.e. `sslh` becomes invisible.\n\nThe same result can be achieved more easily by using\n`proxyprotocol` if the backend server supports it. This is a\nsimple setting to add to the `sslh` protocol configuration,\nusually with an equivalently simple setting to add in\nthe backend server configuration, so try that first. This is\nexplained in a [separate document](doc\u002Fproxyprotocol.md).\n\nThis means services behind `sslh` (Apache, `sshd` and so on)\nwill see the external IP and ports as if the external world\nconnected directly to them. 
This simplifies IP-based access\ncontrol (or makes it possible at all), and makes it possible\nto use IP-based banning tools such as `fail2ban`.\n\nThere are two methods. One uses additional virtual network\ninterfaces. The principle and basic setup are described\n[here](doc\u002Fsimple_transparent_proxy.md), with further\nscenarios described [there](doc\u002Fscenarios-for-simple-transparent-proxy.md).\n\nThere is also a guide to using [podman](doc\u002Fpodman.md).\n\nAnother method uses iptables packet marking features, and is\nhighly dependent on your network environment and\ninfrastructure setup. There is no known generic approach,\nand if you do not find directions for your exact setup, you\nwill probably need an extensive knowledge of network\nmanagement and iptables setup.\n\nIt is described in its own [document](doc\u002Ftproxy.md).\nIn most cases, you will be better off following the first\nmethod.\n\n\nDocker image\n------------\n\nHow to use\n\n---\n\n\n```bash\ndocker run \\\n  --cap-add CAP_NET_RAW \\\n  --cap-add CAP_NET_BIND_SERVICE \\\n  --rm \\\n  -it \\\n  ghcr.io\u002Fyrutschle\u002Fsslh:latest \\\n  --foreground \\\n  --listen=0.0.0.0:443 \\\n  --ssh=hostname:22 \\\n  --tls=hostname:443\n```\n\ndocker-compose example\n\n```yaml\nversion: \"3\"\n\nservices:\n  sslh:\n    image: ghcr.io\u002Fyrutschle\u002Fsslh:latest\n    hostname: sslh\n    ports:\n      - 443:443\n    command: --foreground --listen=0.0.0.0:443 --tls=nginx:443 --openvpn=openvpn:1194\n    depends_on:\n      - nginx\n      - openvpn\n\n  nginx:\n    image: nginx\n\n  openvpn:\n    image: openvpn\n```\n\nTransparent mode 1: using sslh container for networking\n\n_Note: For transparent mode to work, the sslh container must be able to reach your services via **localhost**_\n```yaml\nversion: \"3\"\n\nservices:\n  sslh:\n    build: https:\u002F\u002Fgithub.com\u002Fyrutschle\u002Fsslh.git\n    container_name: sslh\n    environment:\n      - TZ=${TZ}\n    cap_add:\n      - NET_ADMIN\n     
 - NET_RAW\n      - NET_BIND_SERVICE\n    sysctls:\n      - net.ipv4.conf.default.route_localnet=1\n      - net.ipv4.conf.all.route_localnet=1\n    command: --transparent --foreground --listen=0.0.0.0:443 --tls=localhost:8443 --openvpn=localhost:1194\n    ports:\n      - 443:443 #sslh\n\n      - 80:80 #nginx\n      - 8443:8443 #nginx\n\n      - 1194:1194 #openvpn\n    extra_hosts:\n      - localbox:host-gateway\n    restart: unless-stopped\n\n  nginx:\n    image: nginx:latest\n    .....\n    network_mode: service:sslh #set nginx container to use sslh networking.\n    # ^^^ This is required. This makes nginx reachable by sslh via localhost\n  \n  openvpn:\n    image: openvpn:latest\n    .....\n    network_mode: service:sslh #set openvpn container to use sslh networking\n```\n\nTransparent mode 2: using host networking\n\n```yaml\nversion: \"3\"\n\nservices:\n  sslh:\n    build: https:\u002F\u002Fgithub.com\u002Fyrutschle\u002Fsslh.git\n    container_name: sslh\n    environment:\n      - TZ=${TZ}\n    cap_add:\n      - NET_ADMIN\n      - NET_RAW\n      - NET_BIND_SERVICE\n    # must be set manually\n    #sysctls:\n    #  - net.ipv4.conf.default.route_localnet=1\n    #  - net.ipv4.conf.all.route_localnet=1\n    command: --transparent --foreground --listen=0.0.0.0:443 --tls=localhost:8443 --openvpn=localhost:1194\n    network_mode: host\n    restart: unless-stopped\n  \n  nginx:\n    image: nginx:latest\n    .....\n    ports:\n      - 8443:8443 # bind to docker host on port 8443\n\n  openvpn:\n    image: openvpn:latest\n    .....\n    ports:\n      - 1194:1194 # bind to docker host on port 1194\n```\n\nComments? 
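Questions?\n====================\n\nYou can subscribe to the `sslh` mailing list here:\n\u003Chttps:\u002F\u002Flists.rutschle.net\u002Fmailman\u002Flistinfo\u002Fsslh>\n\nThis mailing list should be used for discussion, feature\nrequests, and will be the preferred channel for announcements.\n\nOf course, check the [FAQ](doc\u002FFAQ.md) first!\n\n","sslh is an application protocol multiplexer that can handle multiple protocols such as SSH and HTTPS on the same port. It inspects the first data packet sent by the client to decide which service to forward the connection to. It supports recognition of HTTP, TLS\u002FSSL (including SNI and ALPN), SSH, OpenVPN and other protocols, and custom regular expressions can be used to recognise further protocols. It suits scenarios where several services must run on a single port such as 443, especially in tightly restricted network environments where only specific ports are open. In addition, sslh has the features of a mature daemon, including privilege dropping, inetd support, systemd integration and transparent proxying, which ensure its stability and security in production environments.","2026-06-11 03:07:38","top_language"]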