Sslh: Difference between revisions

From ArchWiki
m (→‎Configuration: - minor rewording, this is the ArchWiki, we do not need to mention that this is arch-specific)
(→‎Usage: mention sslh-ev, in preparation for the eventual 2.0 update)
 
(3 intermediate revisions by 2 users not shown)

Latest revision as of 05:52, 15 October 2022

This article or section is a candidate for merging with List of applications/Security.

Notes: Roughly duplicates upstream documentation, does not even explain in which use case this is interesting or applicable. (Discuss in Talk:Sslh)

sslh is an SSL/SSH multiplexer. It accepts connections on a single port (typically 443) and forwards each one to a backend service chosen from the first bytes the client sends, so that sshd, a web server and, for example, an OpenVPN server can all be reached on port 443 from networks that only allow outbound HTTPS.
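To make the selection rule concrete, the following added example (not sslh's own code; its real probes live in probe.c and differ in detail) models the decision over a constructed protocol list shaped like the one in sslh.cfg: probes are tried in the order the protocols are listed, a TLS ClientHello can be routed by SNI the way sslh's sni_hostnames option does, anyprot matches anything and so belongs last, and a client that sends nothing before the timeout is sent to the on_timeout protocol. The hostnames and ports, the vpn.example.net backend on 8443, and the sample ClientHello are assumptions made for the example.

```python
"""Model of how an SSL/SSH multiplexer such as sslh picks a backend from the
first bytes a client sends. Added example, not sslh's own code (its probes are
in probe.c and differ in detail); the routing table below is constructed."""
import re
import struct
from typing import Optional

# Shape of the protocols: list in sslh.cfg. Hosts and ports are assumptions;
# the first ssl entry with sni_hostnames mirrors sslh's SNI-based routing.
PROTOCOLS = [
    {"name": "ssh",     "host": "localhost", "port": 22},
    {"name": "http",    "host": "localhost", "port": 80},
    {"name": "ssl",     "host": "localhost", "port": 8443,
     "sni_hostnames": ["vpn.example.net"]},
    {"name": "ssl",     "host": "localhost", "port": 443},
    {"name": "anyprot", "host": "localhost", "port": 443},   # catch-all, last
]
ON_TIMEOUT = "ssh"   # where a client that sends nothing before the timeout goes

HTTP_METHODS = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH|CONNECT|TRACE) ")


def is_tls(data: bytes) -> bool:
    """TLS record: content type handshake (0x16), major version 3, ClientHello."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def parse_sni(data: bytes) -> Optional[str]:
    """Extract server_name from a TLS ClientHello, or None if absent/malformed."""
    if not is_tls(data):
        return None
    try:
        p = 5 + 4 + 2 + 32                              # record hdr, hs hdr, version, random
        p += 1 + data[p]                                # session_id
        p += 2 + int.from_bytes(data[p:p + 2], "big")   # cipher_suites
        p += 1 + data[p]                                # compression_methods
        ext_end = p + 2 + int.from_bytes(data[p:p + 2], "big")
        p += 2
        while p + 4 <= ext_end:
            etype = int.from_bytes(data[p:p + 2], "big")
            elen = int.from_bytes(data[p + 2:p + 4], "big")
            p += 4
            if etype == 0 and data[p + 2] == 0:         # server_name ext, host_name type
                nlen = int.from_bytes(data[p + 3:p + 5], "big")
                return data[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, UnicodeDecodeError):
        pass
    return None


def probe(proto: dict, data: bytes) -> bool:
    """Does this protocol entry claim the connection? One probe per protocol name."""
    name = proto["name"]
    if name == "ssh":
        return data.startswith(b"SSH-")
    if name == "http":
        return HTTP_METHODS.match(data) is not None
    if name == "ssl":
        if not is_tls(data):
            return False
        wanted = proto.get("sni_hostnames")
        return wanted is None or parse_sni(data) in wanted
    if name == "anyprot":
        return True
    raise ValueError(f"no probe for {name}")


def select_backend(first_bytes: bytes) -> Optional[dict]:
    """Return the backend for a connection, given what the client sent first.
    An empty buffer stands for a client that stayed silent past the timeout."""
    if first_bytes == b"":
        return next(p for p in PROTOCOLS if p["name"] == ON_TIMEOUT)
    for proto in PROTOCOLS:                 # order of the list decides
        if probe(proto, first_bytes):
            return proto
    return None   # nothing matched; an anyprot entry at the end avoids this


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello, used here only as sample input."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        lst = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(lst)) + lst
    body = (b"\x03\x03" + bytes(32)          # client_version, random
            + b"\x00"                         # empty session_id
            + b"\x00\x02\x13\x01"             # one cipher suite
            + b"\x01\x00"                     # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for sample in (b"SSH-2.0-OpenSSH_9.1\r\n", b"GET / HTTP/1.1\r\n",
                   build_client_hello("vpn.example.net"), build_client_hello(None),
                   b"", b"\x00\x0e\x38\x01\x02"):
        print(sample[:16], "->", select_backend(sample))
```

The point to take from the model is that the match is positional and greedy: moving anyprot above ssl would swallow every TLS connection, and a TLS backend entry without sni_hostnames catches every ClientHello, so the entry restricted by SNI has to precede it.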

Installation

Install the sslh package.

Configuration

The default configuration file is /etc/sslh.cfg. It maps each protocol sslh can detect (ssh, openvpn, xmpp, http, ssl, and anyprot) to a backend host and port. The probes are tried in the order the protocols are listed, and anyprot matches any connection, so it has to be listed last. Unless transparent mode is enabled (which needs the iptables and routing setup described in the upstream documentation), the backend services see every connection as coming from sslh's own address rather than the client's, so their logs and any per-source-IP rate limiting or banning lose the real client address.

Two additional configuration files are included in the package:

  • /usr/share/doc/sslh/basic.cfg, which is a basic configuration file that should provide sensible values for "standard" setup.
  • /usr/share/doc/sslh/example.cfg, which is provided as documentation to show what is possible. It should not be used as-is, and probably should not be used as a starting point for a working configuration.

Usage

Start/enable sslh-fork.service or sslh-select.service, depending on which option is right for your server:

  • sslh-fork forks a new process for each incoming connection. It is well-tested and very reliable, but incurs the overhead of many processes. If you're going to use sslh for a "small" setup (less than a dozen SSH connections and a low-traffic HTTPS server), then sslh-fork is probably the best option for you.
  • sslh-select uses only one thread, which monitors all connections at once. It is more recent and less tested, but the main process only incurs a 16 byte overhead per connection. However, if it stops then you will lose all non-forked connections, which means you can only upgrade it remotely if the necessary connections are set to fork mode. If you're going to use sslh on a "medium" setup (a few thousand SSH connections, and another few thousand SSL connections), sslh-select will be the most suitable option.
  • sslh-ev is the most recent option, introduced in version 2.0. It's almost functionally identical to sslh-select, but uses libev to scale much higher, making it ideal if you have a very large site (tens of thousands of connections). Currently not available through the official sslh package, as 2.0 has not reached a stable release yet.
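A complete /etc/sslh.cfg tying the above together, written here as an added example rather than a file shipped by the package or the ArchWiki. It uses the options named in the Configuration section and sets fork: true on the SSH entry so that, under sslh-select, SSH sessions survive a restart of the multiplexer. The listen address 203.0.113.10 and the choice of backends are assumptions; the value for the listen host must be the machine's public address, not 0.0.0.0, because a wildcard bind on 443 would collide with the web server still listening on 127.0.0.1:443.

```libconfig
# Added example, not the sslh package's basic.cfg. Addresses are assumptions.
verbose:     false;
transparent: false;    # true preserves client source IPs, but needs the
                       # iptables/routing setup from the upstream documentation
timeout:     2;        # seconds a silent client gets before the fallback below
on_timeout:  "ssh";    # SSH clients may wait for the server banner first
user:        "nobody";

listen:
(
    # bind only the public address so 127.0.0.1:443 stays free for the web server
    { host: "203.0.113.10"; port: "443"; }
);

protocols:
(
    # fork: true keeps SSH sessions alive across a restart of sslh-select
    { name: "ssh";     host: "localhost"; port: "22";   fork: true; },
    { name: "openvpn"; host: "localhost"; port: "1194"; },
    { name: "xmpp";    host: "localhost"; port: "5222"; },
    { name: "http";    host: "localhost"; port: "80";   },
    { name: "ssl";     host: "localhost"; port: "443";  },
    # anyprot matches everything, so it must remain the last entry
    { name: "anyprot"; host: "localhost"; port: "443";  }
);
```

After starting the unit, confirm the demultiplexing from another host with ssh -p 443 and with openssl s_client -connect on port 443; both should reach their respective backends, and the backend logs will show sslh's address as the peer until transparent mode is set up.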

Notes

Difference between sslh-fork and sslh-select: https://github.com/yrutschle/sslh/blob/master/doc/INSTALL.md#binaries