Sslh: Difference between revisions
This article is a candidate for merging into List of applications/Security. Reason: it roughly duplicates the upstream documentation (https://www.rutschle.net/tech/sslh/README.html) and does not explain in which use case sslh is interesting or applicable.
Latest revision as of 05:52, 15 October 2022
sslh is an SSL/SSH multiplexer: it accepts connections on a single port (typically 443) and forwards each one to the backend that matches the protocol it detects, so that, for example, an SSH server and an HTTPS server can both be reached through the same port.
Installation
Install the sslh package.
Configuration
The default configuration file is located at /etc/sslh.cfg; it supports the ssh, openvpn, xmpp, http, ssl and anyprot protocols.
Two additional configuration files are included in the package:
* /usr/share/doc/sslh/basic.cfg, which is a basic configuration file that should provide sensible values for a "standard" setup.
* /usr/share/doc/sslh/example.cfg, which is provided as documentation to show what is possible. It should not be used as-is, and probably should not be used as a starting point for a working configuration.
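A complete configuration for the kind of setup described above, as an added example (it is not the package's basic.cfg nor upstream's example.cfg; the backend host names and ports are assumptions): sslh listens on port 443, hands SSH, OpenVPN, HTTP and TLS to local services, drops root privileges after binding, and sets fork: true on the ssh entry so that restarting sslh-select (see the caveat under Usage below) does not cut the SSH session you are administering from.

```libconfig
# Added example /etc/sslh.cfg (assumed backends on localhost; adjust ports to your services).
verbose: false;
foreground: false;
inetd: false;
numeric: false;        # resolve host names in log messages
transparent: false;    # true needs the policy-routing setup described in the upstream docs
timeout: 2;            # seconds to wait for client data before giving up on probing
on-timeout: "ssh";     # silent clients go here: SSH clients wait for the server banner first
user: "nobody";        # drop privileges once port 443 is bound
pidfile: "/run/sslh.pid";

listen:
(
    { host: "0.0.0.0"; port: "443"; }
);

# Probes are tried in this order; put the catch-all anyprot entry last.
protocols:
(
    # fork: true gives each SSH session its own process, so an sslh-select
    # restart (e.g. an upgrade) does not drop established SSH connections.
    { name: "ssh";     host: "localhost"; port: "22";   fork: true; },
    { name: "openvpn"; host: "localhost"; port: "1194"; },
    { name: "http";    host: "localhost"; port: "80"; },
    # TLS goes to the real HTTPS server, assumed to listen on loopback port 8443.
    { name: "ssl";     host: "localhost"; port: "8443"; log_level: 0; },
    # Unrecognised traffic is sent to the web server rather than to sshd,
    # so random scanners never reach the SSH daemon.
    { name: "anyprot"; host: "localhost"; port: "8443"; }
);
```

To check the file before enabling the service, run it in the foreground with verbose logging (sslh-select -F /etc/sslh.cfg -f -v), connect with an SSH and a TLS client, and confirm from the log lines that each connection was routed to the intended backend.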
Usage
Start/enable sslh-fork.service or sslh-select.service, depending on which option is right for your server:
* sslh-fork forks a new process for each incoming connection. It is well-tested and very reliable, but incurs the overhead of many processes. If you are going to use sslh for a "small" setup (less than a dozen SSH connections and a low-traffic HTTPS server), then sslh-fork is probably the best option for you.
* sslh-select uses only one thread, which monitors all connections at once. It is more recent and less tested, but the main process only incurs a 16 byte overhead per connection. However, if it stops then you will lose all non-forked connections, which means you can only upgrade it remotely if the necessary connections (e.g. ssh) are set to fork mode. If you are going to use sslh on a "medium" setup (a few thousand SSH connections and another few thousand SSL connections), sslh-select will be the most suitable option.
* sslh-ev is the most recent option, introduced in version 2.0. It is almost functionally identical to sslh-select, but uses libev to scale much higher, making it ideal if you have a very large site (tens of thousands of connections). It is currently not available through the official sslh package, as 2.0 has not reached a stable release yet.
Notes
Difference between sslh-fork and sslh-select: https://github.com/yrutschle/sslh/blob/master/doc/INSTALL.md#binaries