SSLH: Hide SSH / HTTPS / OpenVPN / Telegram behind a single port 443
- Tutorial

SSH / HTTPS / OpenVPN / Telegram and everything on one port ?! What?!
- Yes!
- Do you want to hide some services?
- In a public wi-fi network, everything is blocked except for 443 (https) ports?
- Have you set up a Telegram Proxy / OpenVPN and do not want to “shine” it?
- SSH connection to your server from censored countries?
There is one answer to all these questions - Multiplexing SSL / TLS connections, or SSLH.
In the post we will look at how to hide a bunch of services behind 1 port in 1 command .
Why?
With the recent release of Telegram Proxy which almost completely looks like SSL traffic, an interesting question has appeared in the comments to the post :
Newton :
I have a pretty noob question - isn't it real to start this together with sslh?After a quick check of the sslh application's capabilities, it seemed to me that it would not be possible to “get”, but I was very interested in this application, and, as it turned out, it is still possible to
How?
Appendix SSLH - multipleksor, in other words, it is analyzing the traffic (in fact, doing the work mini-DPI) and depending on the type of traffic, sends it to a local port 8443/999/991 or whatever ...
That allows us
Task
For the example of using SSLH we will set the task:
The following applications are installed on the server - Telegram Proxy, Apache, SSH and we want to let all these services into the world through port 443.
The server in our example is Ubuntu 16.04.4 LTS, Apache2 + LetsEncrypt, SSH, Telegram Proxy in Docker.
At the moment, it works, as expected, Apache.
Installation & Setup
Install SSLH:
sudo apt-get install --no-install-recommends sslhWhen installing, you will be asked about the usage mode, there are two of them:
- stable but more resource intensive
- fast but with loss of connections when the process drops
I am for the second option, you, of course, can choose another.
Check if our miracle works with the following command:
sudo sslh-select -f --listen IP:8443 --tls 127.0.0.1:443 --ssh 127.0.0.1:22 --anyprot 127.0.0.1:9443
IP - external IP of the server
8443 - the port on which our multiplexer
443 will be launched - where Apache lives
Pay attention to the anyprot option - this is where our Telegram Proxy will live, in other words, if the traffic did not fit any type - send there.
Attention! If your configuration does not have Telegram or SSH - remove unnecessary startup keys.
Check?
Open your browser at the address of your server with port 8443 - you should see the response from Apache, then try connecting via SSH or via Telegram Proxy.
Moving Apache to another port
To transfer Apache from a standard port (443) to another, for example on 7443, visit the following files:
sudo nano /etc/apache2/ports.conf
sudo nano /etc/apache2/sites-enabled/000-default-le-ssl.conf
In the example Apache + SSL / HTTPS was installed using LetsEncrypt with a different certificate, the configuration files can be in different ways.
Autostart
It's time to set up autostart.
Edit the file:
sudo nano /etc/default/sslh
In the DAEMON_OPTS = field, add attributes when running the sslh-select command, set RUN to = yes.
Run:
sudo systemctl start sslh
Make sure everything is fine:
sudo systemctl status sslh
What is the result?
After going through this tutorial, you should have a server that has several services available via a single port (which are your choice) .
And how are things with OpenVPN? What protocols can the application still have?
At the time of writing, sslh is able to identify and multiplex the following protocols:
[--ssh <addr>]
[--openvpn <addr>]
[--tinc <addr>]
[--xmpp <addr>]
[--http <addr>]
[--ssl <addr>]
[--tls <addr>]
[--anyprot <addr>]
Before using, it is better to make sure which protocols your version supports (suddenly it is newer) using:
sslh-select -hLinks
SSLH development takes place on github, in this repository: github.com/yrutschle/sslh
Docker
I did not succeed in collecting a working version of sslh in the docker, along with all the other services, in my opinion there will be an interesting docker-compose file that can be raised on port 443:
- Apache + LetsEncrypt
- Telegram Proxy
- OpenVPN (optional)
- Use local SSH
If someone succeeds - write in the comments - add to the article, in my opinion, it will be useful.