* [PATCH] sslh: Update to version 1.20
@ 2019-04-23 7:06 Erik Kapfer
2019-04-23 7:09 ` ummeegge
` (2 more replies)
0 siblings, 3 replies; 11+ messages in thread
From: Erik Kapfer @ 2019-04-23 7:06 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 7123 bytes --]
- Added USELIBCAP=1 to enable the possibility for transparent option.
- Wrote configuration directives in initscript into variable for better overview.
- Introduce chroot directive in start parameter.
- Added new user and group sslh (will be deleted if uninstall).
- Changed EXTERNAL_IP_FUNCT to serve data also for configuration block but use it also as check as before.
- Added symlinks in sslh paks since the initscripts LFS do not serves it in old installation (a reboot does not started sslh again).
- Deleted sslh symlinks in initscripts LFS since they are served via sslh paks and are not needed anymore.
Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org>
---
lfs/initscripts | 3 --
lfs/sslh | 12 ++++----
src/initscripts/packages/sslh | 65 +++++++++++++++++++++++++++++++++----------
src/paks/sslh/install.sh | 13 +++++++++
src/paks/sslh/uninstall.sh | 9 ++++++
5 files changed, 79 insertions(+), 23 deletions(-)
diff --git a/lfs/initscripts b/lfs/initscripts
index 055e106d0..3173a04e4 100644
--- a/lfs/initscripts
+++ b/lfs/initscripts
@@ -136,9 +136,6 @@ $(TARGET) :
ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175
ln -sf ../init.d/client175 /etc/rc.d/rc3.d/S66client175
ln -sf ../init.d/client175 /etc/rc.d/rc6.d/K34client175
- ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh
- ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh
- ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh
ln -sf ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin
ln -sf ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin
ln -sf ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin
diff --git a/lfs/sslh b/lfs/sslh
index 100cec065..dedd10272 100644
--- a/lfs/sslh
+++ b/lfs/sslh
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> #
+# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -24,7 +24,7 @@
include Config
-VER = 1.7a
+VER = 1.20
THISAPP = sslh-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = sslh
-PAK_VER = 5
+PAK_VER = 6
DEPS = ""
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d
+$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912
install : $(TARGET)
@@ -77,8 +77,8 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) USELIBWRAP=
- cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin
+ cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) USELIBCAP=1 USELIBWRAP=
+ cd $(DIR_APP) && install -v -m 755 sslh-fork /usr/sbin/sslh
#install initscripts
$(call INSTALL_INITSCRIPT,sslh)
diff --git a/src/initscripts/packages/sslh b/src/initscripts/packages/sslh
index 43e58f392..0935b1114 100644
--- a/src/initscripts/packages/sslh
+++ b/src/initscripts/packages/sslh
@@ -3,31 +3,68 @@
# Based on sysklogd script from LFS-3.1 and earlier.
# Rewritten by Gerard Beekmans - gerard(a)linuxfromscratch.org
+#
+# $LastChangedBy: ummeegge - ummeegge(a)ipfire.org $
+# $Date: 2019-04-04 04:35:09 -0500 (Thu, 04 Apr 2019) $
+#
+#############################################################
+#
. /etc/sysconfig/rc
. $rc_functions
+DAEMON="/usr/sbin/sslh"
+
+# Check for external IP address and provide it to listening option
+EXTERNAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)"
+EXTERNAL_IP_FUNCT() {
+ if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then
+ echo_failure
+ boot_mesg -n "FAILURE:\n\nCould not determine" ${FAILURE}
+ boot_mesg -n " your external IP address."
+ boot_mesg "" ${NORMAL}
+ exit 1
+ fi
+}
+
+# Loopback interface
+LO="127.0.0.1"
+# Used TCP ports
+LISTENPORT="443"
+SSHPORT="222"
+TLSPORT="444"
+OPENVPNPORT="1194"
+
+# Configuration options
+DAEMON_OPTS="
+--user sslh
+--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT}
+--ssh ${LO}:${SSHPORT}
+--tls ${LO}:${TLSPORT}
+--openvpn ${LO}:${OPENVPNPORT}
+--pidfile /var/run/sslh.pid
+-C /var/empty
+"
+
+# Check for binary
+if ! [ -x "$(command -v ${DAEMON})" ]; then
+ echo "Error: could not find ${DAEMON}" >&2
+ exit 1
+fi
+
+# Check for external IP
+EXTERNAL_IP_FUNCT
+
case "$1" in
start)
boot_mesg "Starting SSLH Deamon..."
-
- LOCAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)"
- if [ -z "${LOCAL_IP_ADDRESS}" ]; then
- echo_failure
- boot_mesg -n "FAILURE:\n\nCould not determine" ${FAILURE}
- boot_mesg -n " your external IP address."
- boot_mesg "" ${NORMAL}
- exit 1
- fi
-
- loadproc /usr/sbin/sslh -u nobody \
- -p "${LOCAL_IP_ADDRESS}:443" -s localhost:222 -l localhost:444
+ loadproc ${DAEMON} ${DAEMON_OPTS}
evaluate_retval
;;
stop)
boot_mesg "Stopping SSLH Deamon..."
- killproc /usr/sbin/sslh
+ killproc ${DAEMON}
evaluate_retval
;;
@@ -38,7 +75,7 @@ case "$1" in
;;
status)
- statusproc /usr/sbin/sslh
+ statusproc ${DAEMON}
;;
*)
diff --git a/src/paks/sslh/install.sh b/src/paks/sslh/install.sh
index 626884bdd..df7cafc78 100644
--- a/src/paks/sslh/install.sh
+++ b/src/paks/sslh/install.sh
@@ -23,5 +23,18 @@
#
. /opt/pakfire/lib/functions.sh
extract_files
+
+# Add user and group for sslh if not already done
+if ! grep -q sslh /etc/passwd; then
+ groupadd sslh;
+ useradd -g sslh -M -s /sbin/nologin sslh
+fi
+
ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh
+
+# Set symlink for runlevels
+ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh
+ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh
+ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh
+
start_service --background ${NAME}
diff --git a/src/paks/sslh/uninstall.sh b/src/paks/sslh/uninstall.sh
index dca34ccbd..05bb27945 100644
--- a/src/paks/sslh/uninstall.sh
+++ b/src/paks/sslh/uninstall.sh
@@ -23,5 +23,14 @@
#
. /opt/pakfire/lib/functions.sh
stop_service ${NAME}
+
+# Delete user and group sslh
+if grep -q sslh /etc/passwd; then
+ userdel sslh
+ groupdel sslh
+fi
+
remove_files
rm -f /etc/rc.d/init.d/networking/red.up/50-sslh
+# Delete initscript symlinks
+rm -f /etc/rc.d/rc?.d/???sslh
--
2.12.2
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: [PATCH] sslh: Update to version 1.20 2019-04-23 7:06 [PATCH] sslh: Update to version 1.20 Erik Kapfer @ 2019-04-23 7:09 ` ummeegge 2019-04-24 11:04 ` Michael Tremer 2019-05-12 4:24 ` [PATCH v2] sslh: update to 1.20 Erik Kapfer 2 siblings, 0 replies; 11+ messages in thread From: ummeegge @ 2019-04-23 7:09 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 7552 bytes --] Testing reference can be found in here --> https://forum.ipfire.org/viewtopic.php?f=52&t=9843&start=15#p123503 . Best, UE On Di, 2019-04-23 at 09:06 +0200, Erik Kapfer wrote: > - Added USELIBCAP=1 to enable the possibility for transparent option. > - Wrote configuration directives in initscript into variable for > better overview. > - Introduce chroot directive in start parameter. > - Added new user and group sslh (will be deleted if uninstall). > - Changed EXTERNAL_IP_FUNCT to serve data also for configuration > block but use it also as check as before. > - Added symlinks in sslh paks since the initscripts LFS do not serves > it in old installation (a reboot does not started sslh again). > - Deleted sslh symlinks in initscripts LFS since they are served via > sslh paks and are not needed anymore. > > Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org> > --- > lfs/initscripts | 3 -- > lfs/sslh | 12 ++++---- > src/initscripts/packages/sslh | 65 > +++++++++++++++++++++++++++++++++---------- > src/paks/sslh/install.sh | 13 +++++++++ > src/paks/sslh/uninstall.sh | 9 ++++++ > 5 files changed, 79 insertions(+), 23 deletions(-) > > diff --git a/lfs/initscripts b/lfs/initscripts > index 055e106d0..3173a04e4 100644 > --- a/lfs/initscripts > +++ b/lfs/initscripts > @@ -136,9 +136,6 @@ $(TARGET) : > ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175 > ln -sf ../init.d/client175 /etc/rc.d/rc3.d/S66client175 > ln -sf ../init.d/client175 /etc/rc.d/rc6.d/K34client175 > - ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > - ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > - ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > ln -sf ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin > ln -sf ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin > ln -sf ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin > diff --git a/lfs/sslh b/lfs/sslh > index 100cec065..dedd10272 100644 > --- a/lfs/sslh > +++ b/lfs/sslh > @@ -1,7 +1,7 @@ > #################################################################### > ########### > # > # > # IPFire.org - A linux based > firewall # > -# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> > # > +# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> > # > # > # > # This program is free software: you can redistribute it and/or > modify # > # it under the terms of the GNU General Public License as published > by # > @@ -24,7 +24,7 @@ > > include Config > > -VER = 1.7a > +VER = 1.20 > > THISAPP = sslh-$(VER) > DL_FILE = $(THISAPP).tar.gz > @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) > DIR_APP = $(DIR_SRC)/$(THISAPP) > TARGET = $(DIR_INFO)/$(THISAPP) > PROG = sslh > -PAK_VER = 5 > +PAK_VER = 6 > > DEPS = "" > > @@ -44,7 +44,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d > +$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912 > > install : $(TARGET) > > @@ -77,8 +77,8 @@ $(subst %,%_MD5,$(objects)) : > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf > $(DIR_DL)/$(DL_FILE) > - cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) > USELIBWRAP= > - cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin > + cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) > USELIBCAP=1 USELIBWRAP= > + cd $(DIR_APP) && install -v -m 755 sslh-fork /usr/sbin/sslh > > #install initscripts > $(call INSTALL_INITSCRIPT,sslh) > diff --git a/src/initscripts/packages/sslh > b/src/initscripts/packages/sslh > index 43e58f392..0935b1114 100644 > --- a/src/initscripts/packages/sslh > +++ b/src/initscripts/packages/sslh > @@ -3,31 +3,68 @@ > > # Based on sysklogd script from LFS-3.1 and earlier. > # Rewritten by Gerard Beekmans - gerard(a)linuxfromscratch.org > +# > +# $LastChangedBy: ummeegge - ummeegge(a)ipfire.org $ > +# $Date: 2019-04-04 04:35:09 -0500 (Thu, 04 Apr 2019) $ > +# > +############################################################# > +# > > . /etc/sysconfig/rc > . $rc_functions > > +DAEMON="/usr/sbin/sslh" > + > +# Check for external IP address and provide it to listening option > +EXTERNAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)" > +EXTERNAL_IP_FUNCT() { > + if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then > + echo_failure > + boot_mesg -n "FAILURE:\n\nCould not determine" > ${FAILURE} > + boot_mesg -n " your external IP address." > + boot_mesg "" ${NORMAL} > + exit 1 > + fi > +} > + > +# Loopback interface > +LO="127.0.0.1" > +# Used TCP ports > +LISTENPORT="443" > +SSHPORT="222" > +TLSPORT="444" > +OPENVPNPORT="1194" > + > +# Configuration options > +DAEMON_OPTS=" > +--user sslh > +--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT} > +--ssh ${LO}:${SSHPORT} > +--tls ${LO}:${TLSPORT} > +--openvpn ${LO}:${OPENVPNPORT} > +--pidfile /var/run/sslh.pid > +-C /var/empty > +" > + > +# Check for binary > +if ! [ -x "$(command -v ${DAEMON})" ]; then > + echo "Error: could not find ${DAEMON}" >&2 > + exit 1 > +fi > + > +# Check for external IP > +EXTERNAL_IP_FUNCT > + > case "$1" in > start) > boot_mesg "Starting SSLH Deamon..." > - > - LOCAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)" > - if [ -z "${LOCAL_IP_ADDRESS}" ]; then > - echo_failure > - boot_mesg -n "FAILURE:\n\nCould not determine" > ${FAILURE} > - boot_mesg -n " your external IP address." > - boot_mesg "" ${NORMAL} > - exit 1 > - fi > - > - loadproc /usr/sbin/sslh -u nobody \ > - -p "${LOCAL_IP_ADDRESS}:443" -s localhost:222 > -l localhost:444 > + loadproc ${DAEMON} ${DAEMON_OPTS} > evaluate_retval > ;; > > stop) > boot_mesg "Stopping SSLH Deamon..." > - killproc /usr/sbin/sslh > + killproc ${DAEMON} > evaluate_retval > ;; > > @@ -38,7 +75,7 @@ case "$1" in > ;; > > status) > - statusproc /usr/sbin/sslh > + statusproc ${DAEMON} > ;; > > *) > diff --git a/src/paks/sslh/install.sh b/src/paks/sslh/install.sh > index 626884bdd..df7cafc78 100644 > --- a/src/paks/sslh/install.sh > +++ b/src/paks/sslh/install.sh > @@ -23,5 +23,18 @@ > # > . /opt/pakfire/lib/functions.sh > extract_files > + > +# Add user and group for sslh if not already done > +if ! grep -q sslh /etc/passwd; then > + groupadd sslh; > + useradd -g sslh -M -s /sbin/nologin sslh > +fi > + > ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh > + > +# Set symlink for runlevels > +ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > +ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > +ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > + > start_service --background ${NAME} > diff --git a/src/paks/sslh/uninstall.sh b/src/paks/sslh/uninstall.sh > index dca34ccbd..05bb27945 100644 > --- a/src/paks/sslh/uninstall.sh > +++ b/src/paks/sslh/uninstall.sh > @@ -23,5 +23,14 @@ > # > . /opt/pakfire/lib/functions.sh > stop_service ${NAME} > + > +# Delete user and group sslh > +if grep -q sslh /etc/passwd; then > + userdel sslh > + groupdel sslh > +fi > + > remove_files > rm -f /etc/rc.d/init.d/networking/red.up/50-sslh > +# Delete initscript symlinks > +rm -f /etc/rc.d/rc?.d/???sslh ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] sslh: Update to version 1.20 2019-04-23 7:06 [PATCH] sslh: Update to version 1.20 Erik Kapfer 2019-04-23 7:09 ` ummeegge @ 2019-04-24 11:04 ` Michael Tremer 2019-04-26 4:55 ` ummeegge 2019-05-12 4:24 ` [PATCH v2] sslh: update to 1.20 Erik Kapfer 2 siblings, 1 reply; 11+ messages in thread From: Michael Tremer @ 2019-04-24 11:04 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 9238 bytes --] Hi, Thanks for working on this. I have a couple of questions and remarks. > On 23 Apr 2019, at 08:06, Erik Kapfer <ummeegge(a)ipfire.org> wrote: > > - Added USELIBCAP=1 to enable the possibility for transparent option. > - Wrote configuration directives in initscript into variable for better overview. > - Introduce chroot directive in start parameter. > - Added new user and group sslh (will be deleted if uninstall). > - Changed EXTERNAL_IP_FUNCT to serve data also for configuration block but use it also as check as before. > - Added symlinks in sslh paks since the initscripts LFS do not serves it in old installation (a reboot does not started sslh again). > - Deleted sslh symlinks in initscripts LFS since they are served via sslh paks and are not needed anymore. > > Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org> > --- > lfs/initscripts | 3 -- > lfs/sslh | 12 ++++---- > src/initscripts/packages/sslh | 65 +++++++++++++++++++++++++++++++++---------- > src/paks/sslh/install.sh | 13 +++++++++ > src/paks/sslh/uninstall.sh | 9 ++++++ > 5 files changed, 79 insertions(+), 23 deletions(-) > > diff --git a/lfs/initscripts b/lfs/initscripts > index 055e106d0..3173a04e4 100644 > --- a/lfs/initscripts > +++ b/lfs/initscripts > @@ -136,9 +136,6 @@ $(TARGET) : > ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175 > ln -sf ../init.d/client175 /etc/rc.d/rc3.d/S66client175 > ln -sf ../init.d/client175 /etc/rc.d/rc6.d/K34client175 > - ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > - ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > - ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > ln -sf ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin > ln -sf ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin > ln -sf ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin > diff --git a/lfs/sslh b/lfs/sslh > index 100cec065..dedd10272 100644 > --- a/lfs/sslh > +++ b/lfs/sslh > @@ -1,7 +1,7 @@ > ############################################################################### > # # > # IPFire.org - A linux based firewall # > -# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> # > +# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> # > # # > # This program is free software: you can redistribute it and/or modify # > # it under the terms of the GNU General Public License as published by # > @@ -24,7 +24,7 @@ > > include Config > > -VER = 1.7a > +VER = 1.20 > > THISAPP = sslh-$(VER) > DL_FILE = $(THISAPP).tar.gz > @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) > DIR_APP = $(DIR_SRC)/$(THISAPP) > TARGET = $(DIR_INFO)/$(THISAPP) > PROG = sslh > -PAK_VER = 5 > +PAK_VER = 6 > > DEPS = "" > > @@ -44,7 +44,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d > +$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912 > > install : $(TARGET) > > @@ -77,8 +77,8 @@ $(subst %,%_MD5,$(objects)) : > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) > - cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) USELIBWRAP= > - cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin > + cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) USELIBCAP=1 USELIBWRAP= > + cd $(DIR_APP) && install -v -m 755 sslh-fork /usr/sbin/sslh > > #install initscripts > $(call INSTALL_INITSCRIPT,sslh) It looks all fine up to this point. > diff --git a/src/initscripts/packages/sslh b/src/initscripts/packages/sslh > index 43e58f392..0935b1114 100644 > --- a/src/initscripts/packages/sslh > +++ b/src/initscripts/packages/sslh > @@ -3,31 +3,68 @@ > > # Based on sysklogd script from LFS-3.1 and earlier. > # Rewritten by Gerard Beekmans - gerard(a)linuxfromscratch.org > +# > +# $LastChangedBy: ummeegge - ummeegge(a)ipfire.org $ > +# $Date: 2019-04-04 04:35:09 -0500 (Thu, 04 Apr 2019) $ > +# > +############################################################# > +# You do not need to include authorship headers because Git will take care of this. > > . /etc/sysconfig/rc > . $rc_functions > > +DAEMON="/usr/sbin/sslh" > + > +# Check for external IP address and provide it to listening option > +EXTERNAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)" > +EXTERNAL_IP_FUNCT() { > + if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then > + echo_failure > + boot_mesg -n "FAILURE:\n\nCould not determine" ${FAILURE} > + boot_mesg -n " your external IP address." > + boot_mesg "" ${NORMAL} > + exit 1 > + fi > +} Although you are starting the service rather late in the boot process, it might indeed happen that this goes wrong. How do we recover from this? The service should be started eventually when RED comes up. What if the IP address on RED changes? How is sslh notified? > + > +# Loopback interface > +LO="127.0.0.1" > +# Used TCP ports > +LISTENPORT="443" > +SSHPORT="222" > +TLSPORT="444" > +OPENVPNPORT=“1194" Can we use hard-coded port numbers here? > + > +# Configuration options > +DAEMON_OPTS=" > +--user sslh > +--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT} > +--ssh ${LO}:${SSHPORT} > +--tls ${LO}:${TLSPORT} > +--openvpn ${LO}:${OPENVPNPORT} > +--pidfile /var/run/sslh.pid > +-C /var/empty > +" > + > +# Check for binary > +if ! [ -x "$(command -v ${DAEMON})" ]; then > + echo "Error: could not find ${DAEMON}" >&2 > + exit 1 > +fi No need for this check really. We don’t have it anywhere else. > + > +# Check for external IP > +EXTERNAL_IP_FUNCT This does not really need to be a function because the if statement above isn’t either. And it should not be evaluated in the stop case. If the system is not online, this service can never be stopped. I think it is best for this code to have it in the start section where is was before - unless I missed something here. > + > case "$1" in > start) > boot_mesg "Starting SSLH Deamon..." > - > - LOCAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)" > - if [ -z "${LOCAL_IP_ADDRESS}" ]; then > - echo_failure > - boot_mesg -n "FAILURE:\n\nCould not determine" ${FAILURE} > - boot_mesg -n " your external IP address." > - boot_mesg "" ${NORMAL} > - exit 1 > - fi > - > - loadproc /usr/sbin/sslh -u nobody \ > - -p "${LOCAL_IP_ADDRESS}:443" -s localhost:222 -l localhost:444 > + loadproc ${DAEMON} ${DAEMON_OPTS} > evaluate_retval > ;; > > stop) > boot_mesg "Stopping SSLH Deamon..." > - killproc /usr/sbin/sslh > + killproc ${DAEMON} > evaluate_retval > ;; > > @@ -38,7 +75,7 @@ case "$1" in > ;; > > status) > - statusproc /usr/sbin/sslh > + statusproc ${DAEMON} > ;; > > *) > diff --git a/src/paks/sslh/install.sh b/src/paks/sslh/install.sh > index 626884bdd..df7cafc78 100644 > --- a/src/paks/sslh/install.sh > +++ b/src/paks/sslh/install.sh > @@ -23,5 +23,18 @@ > # > . /opt/pakfire/lib/functions.sh > extract_files > + > +# Add user and group for sslh if not already done > +if ! grep -q sslh /etc/passwd; then > + groupadd sslh; > + useradd -g sslh -M -s /sbin/nologin sslh > +fi Can you change this to use getent? There are a couple of examples in some other scripts (e.g. tor). You should also check if the group existed already. > + > ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh Why is this link not in the package? Should we not check if the service is running and only then restart? What happens when the service is disabled at boot time? > + > +# Set symlink for runlevels > +ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > +ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > +ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > + > start_service --background ${NAME} > diff --git a/src/paks/sslh/uninstall.sh b/src/paks/sslh/uninstall.sh > index dca34ccbd..05bb27945 100644 > --- a/src/paks/sslh/uninstall.sh > +++ b/src/paks/sslh/uninstall.sh > @@ -23,5 +23,14 @@ > # > . /opt/pakfire/lib/functions.sh > stop_service ${NAME} > + > +# Delete user and group sslh > +if grep -q sslh /etc/passwd; then > + userdel sslh > + groupdel sslh > +fi We don’t delete users. This will cause that log files or so will have no owner any more. This won’t be an issue because we check if the user exists in the install script and if it does we are not trying to create it any more. > + > remove_files > rm -f /etc/rc.d/init.d/networking/red.up/50-sslh > +# Delete initscript symlinks > +rm -f /etc/rc.d/rc?.d/???sslh > -- > 2.12.2 > Overall this looks good and makes this a better add-on. It looks like many things to change, but they are all small and should not take too long. Best, -Michael ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] sslh: Update to version 1.20 2019-04-24 11:04 ` Michael Tremer @ 2019-04-26 4:55 ` ummeegge 2019-05-01 11:13 ` Michael Tremer 0 siblings, 1 reply; 11+ messages in thread From: ummeegge @ 2019-04-26 4:55 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 11790 bytes --] Hi Michael and thanks for looking into this. On Mi, 2019-04-24 at 12:04 +0100, Michael Tremer wrote: > Hi, > > Thanks for working on this. I have a couple of questions and remarks. > > > On 23 Apr 2019, at 08:06, Erik Kapfer <ummeegge(a)ipfire.org> wrote: > > > > - Added USELIBCAP=1 to enable the possibility for transparent > > option. > > - Wrote configuration directives in initscript into variable for > > better overview. > > - Introduce chroot directive in start parameter. > > - Added new user and group sslh (will be deleted if uninstall). > > - Changed EXTERNAL_IP_FUNCT to serve data also for configuration > > block but use it also as check as before. > > - Added symlinks in sslh paks since the initscripts LFS do not > > serves it in old installation (a reboot does not started sslh > > again). > > - Deleted sslh symlinks in initscripts LFS since they are served > > via sslh paks and are not needed anymore. > > > > Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org> > > --- > > lfs/initscripts | 3 -- > > lfs/sslh | 12 ++++---- > > src/initscripts/packages/sslh | 65 > > +++++++++++++++++++++++++++++++++---------- > > src/paks/sslh/install.sh | 13 +++++++++ > > src/paks/sslh/uninstall.sh | 9 ++++++ > > 5 files changed, 79 insertions(+), 23 deletions(-) > > > > diff --git a/lfs/initscripts b/lfs/initscripts > > index 055e106d0..3173a04e4 100644 > > --- a/lfs/initscripts > > +++ b/lfs/initscripts > > @@ -136,9 +136,6 @@ $(TARGET) : > > ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175 > > ln -sf ../init.d/client175 /etc/rc.d/rc3.d/S66client175 > > ln -sf ../init.d/client175 /etc/rc.d/rc6.d/K34client175 > > - ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > > - ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > > - ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > > ln -sf ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin > > ln -sf ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin > > ln -sf ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin > > diff --git a/lfs/sslh b/lfs/sslh > > index 100cec065..dedd10272 100644 > > --- a/lfs/sslh > > +++ b/lfs/sslh > > @@ -1,7 +1,7 @@ > > ################################################################### > > ############ > > # > > # > > # IPFire.org - A linux based > > firewall # > > -# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> > > # > > +# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> > > # > > # > > # > > # This program is free software: you can redistribute it and/or > > modify # > > # it under the terms of the GNU General Public License as published > > by # > > @@ -24,7 +24,7 @@ > > > > include Config > > > > -VER = 1.7a > > +VER = 1.20 > > > > THISAPP = sslh-$(VER) > > DL_FILE = $(THISAPP).tar.gz > > @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) > > DIR_APP = $(DIR_SRC)/$(THISAPP) > > TARGET = $(DIR_INFO)/$(THISAPP) > > PROG = sslh > > -PAK_VER = 5 > > +PAK_VER = 6 > > > > DEPS = "" > > > > @@ -44,7 +44,7 @@ objects = $(DL_FILE) > > > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > > > -$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d > > +$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912 > > > > install : $(TARGET) > > > > @@ -77,8 +77,8 @@ $(subst %,%_MD5,$(objects)) : > > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > > @$(PREBUILD) > > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf > > $(DIR_DL)/$(DL_FILE) > > - cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) > > USELIBWRAP= > > - cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin > > + cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) > > USELIBCAP=1 USELIBWRAP= > > + cd $(DIR_APP) && install -v -m 755 sslh-fork /usr/sbin/sslh > > > > #install initscripts > > $(call INSTALL_INITSCRIPT,sslh) > > It looks all fine up to this point. > > > diff --git a/src/initscripts/packages/sslh > > b/src/initscripts/packages/sslh > > index 43e58f392..0935b1114 100644 > > --- a/src/initscripts/packages/sslh > > +++ b/src/initscripts/packages/sslh > > @@ -3,31 +3,68 @@ > > > > # Based on sysklogd script from LFS-3.1 and earlier. > > # Rewritten by Gerard Beekmans - gerard(a)linuxfromscratch.org > > +# > > +# $LastChangedBy: ummeegge - ummeegge(a)ipfire.org $ > > +# $Date: 2019-04-04 04:35:09 -0500 (Thu, 04 Apr 2019) $ > > +# > > +############################################################# > > +# > > You do not need to include authorship headers because Git will take > care of this. Done. > > > > > . /etc/sysconfig/rc > > . $rc_functions > > > > +DAEMON="/usr/sbin/sslh" > > + > > +# Check for external IP address and provide it to listening option > > +EXTERNAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)" > > +EXTERNAL_IP_FUNCT() { > > + if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then > > + echo_failure > > + boot_mesg -n "FAILURE:\n\nCould not determine" > > ${FAILURE} > > + boot_mesg -n " your external IP address." > > + boot_mesg "" ${NORMAL} > > + exit 1 > > + fi > > +} > > Although you are starting the service rather late in the boot > process, it might indeed happen that this goes wrong. How do we > recover from this? The service should be started eventually when RED > comes up. I tried to leave the most options pretty much the same as they where before whereby the numbers of the symlinks are a part of this the testings did not delivered problems with this but better to stay save there. The network initscript starts at 'S20' where i think RED will be started too what you think is a good starting point for sslh ? > > What if the IP address on RED changes? How is sslh notified? I think it won´t currently. Have seen some configurations which uses 0.0.0.0 for the --listen option but this can cause bigger troubles if '443' is the --listen port here i think. As far as i can see only a restart of sslh would fix this currently. May you have an idea here ? > > > + > > +# Loopback interface > > +LO="127.0.0.1" > > +# Used TCP ports > > +LISTENPORT="443" > > +SSHPORT="222" > > +TLSPORT="444" > > +OPENVPNPORT=“1194" > > Can we use hard-coded port numbers here? Here arises also some more questions for me. We can grep for them in the configuration files but also may a check for the correct usage can be made since e.g. OpenVPN needs to run with TCP for example. Should we really provide TCP 444 in here for external access ? I think also SSH might be more secure via VPN but may a little more acceptable if no VPN is in usage?! The main topic in the tests we made in the forum where mainly for LAN instances on seperated machines (mostly webservers) where those questions may be not that critical?! > > > + > > +# Configuration options > > +DAEMON_OPTS=" > > +--user sslh > > +--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT} > > +--ssh ${LO}:${SSHPORT} > > +--tls ${LO}:${TLSPORT} > > +--openvpn ${LO}:${OPENVPNPORT} > > +--pidfile /var/run/sslh.pid > > +-C /var/empty > > +" > > + > > +# Check for binary > > +if ! [ -x "$(command -v ${DAEMON})" ]; then > > + echo "Error: could not find ${DAEMON}" >&2 > > + exit 1 > > +fi > > No need for this check really. We don’t have it anywhere else. Done. > > > + > > +# Check for external IP > > +EXTERNAL_IP_FUNCT > > This does not really need to be a function because the if statement > above isn’t either. > > And it should not be evaluated in the stop case. If the system is not > online, this service can never be stopped. > > I think it is best for this code to have it in the start section > where is was before - unless I missed something here. Have externalised the investigation of the RED address to provide it also for the --listen option in the configuration block. To keep the start) case also a little cleaner have decided to set the external IP check completely outside of the start) case and set the check before but this is fast changed. > > > + > > case "$1" in > > start) > > boot_mesg "Starting SSLH Deamon..." > > - > > - LOCAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)" > > - if [ -z "${LOCAL_IP_ADDRESS}" ]; then > > - echo_failure > > - boot_mesg -n "FAILURE:\n\nCould not determine" > > ${FAILURE} > > - boot_mesg -n " your external IP address." > > - boot_mesg "" ${NORMAL} > > - exit 1 > > - fi > > - > > - loadproc /usr/sbin/sslh -u nobody \ > > - -p "${LOCAL_IP_ADDRESS}:443" -s localhost:222 > > -l localhost:444 > > + loadproc ${DAEMON} ${DAEMON_OPTS} > > evaluate_retval > > ;; > > > > stop) > > boot_mesg "Stopping SSLH Deamon..." > > - killproc /usr/sbin/sslh > > + killproc ${DAEMON} > > evaluate_retval > > ;; > > > > @@ -38,7 +75,7 @@ case "$1" in > > ;; > > > > status) > > - statusproc /usr/sbin/sslh > > + statusproc ${DAEMON} > > ;; > > > > *) > > diff --git a/src/paks/sslh/install.sh b/src/paks/sslh/install.sh > > index 626884bdd..df7cafc78 100644 > > --- a/src/paks/sslh/install.sh > > +++ b/src/paks/sslh/install.sh > > @@ -23,5 +23,18 @@ > > # > > . /opt/pakfire/lib/functions.sh > > extract_files > > + > > +# Add user and group for sslh if not already done > > +if ! grep -q sslh /etc/passwd; then > > + groupadd sslh; > > + useradd -g sslh -M -s /sbin/nologin sslh > > +fi > > Can you change this to use getent? There are a couple of examples in > some other scripts (e.g. tor). Done. > > You should also check if the group existed already. I think the getent solution --> if ! getent group sslh &>/dev/null; then ... will do this. > > > + > > ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh > > Why is this link not in the package? You mean in the LFS ? This is also a part of the old implementation, might it be an idea to have it in the initscript (incl. deletion of the symlink) ? > > Should we not check if the service is running and only then restart? Via pgrep check in start) ? > What happens when the service is disabled at boot time? You mean disabled via WUI ? > > > + > > +# Set symlink for runlevels > > +ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > > +ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > > +ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > > + > > start_service --background ${NAME} > > diff --git a/src/paks/sslh/uninstall.sh > > b/src/paks/sslh/uninstall.sh > > index dca34ccbd..05bb27945 100644 > > --- a/src/paks/sslh/uninstall.sh > > +++ b/src/paks/sslh/uninstall.sh > > @@ -23,5 +23,14 @@ > > # > > . /opt/pakfire/lib/functions.sh > > stop_service ${NAME} > > + > > +# Delete user and group sslh > > +if grep -q sslh /etc/passwd; then > > + userdel sslh > > + groupdel sslh > > +fi > > We don’t delete users. This will cause that log files or so will have > no owner any more. > > This won’t be an issue because we check if the user exists in the > install script and if it does we are not trying to create it any > more. Done. > > > + > > remove_files > > rm -f /etc/rc.d/init.d/networking/red.up/50-sslh > > +# Delete initscript symlinks > > +rm -f /etc/rc.d/rc?.d/???sslh > > -- > > 2.12.2 > > > > Overall this looks good and makes this a better add-on. It looks like > many things to change, but they are all small and should not take too > long. This Addon is really a old one and i was not sure if it should be updated again or if it would be dropped since stunnel do a similar job i think. But am happy if it can be a better one and the time to bring it back to life was not wasted. > > Best, > -Michael > Best, Erik ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] sslh: Update to version 1.20 2019-04-26 4:55 ` ummeegge @ 2019-05-01 11:13 ` Michael Tremer 2019-05-10 11:54 ` ummeegge 0 siblings, 1 reply; 11+ messages in thread From: Michael Tremer @ 2019-05-01 11:13 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 14452 bytes --] Hi, Apologies for the late reply again… I am trying to catch up on my rather large inbox. > On 26 Apr 2019, at 05:55, ummeegge <ummeegge(a)ipfire.org> wrote: > > Hi Michael and thanks for looking into this. > > On Mi, 2019-04-24 at 12:04 +0100, Michael Tremer wrote: >> Hi, >> >> Thanks for working on this. I have a couple of questions and remarks. >> >>> On 23 Apr 2019, at 08:06, Erik Kapfer <ummeegge(a)ipfire.org> wrote: >>> >>> - Added USELIBCAP=1 to enable the possibility for transparent >>> option. >>> - Wrote configuration directives in initscript into variable for >>> better overview. >>> - Introduce chroot directive in start parameter. >>> - Added new user and group sslh (will be deleted if uninstall). >>> - Changed EXTERNAL_IP_FUNCT to serve data also for configuration >>> block but use it also as check as before. >>> - Added symlinks in sslh paks since the initscripts LFS do not >>> serves it in old installation (a reboot does not started sslh >>> again). >>> - Deleted sslh symlinks in initscripts LFS since they are served >>> via sslh paks and are not needed anymore. >>> >>> Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org> >>> --- >>> lfs/initscripts | 3 -- >>> lfs/sslh | 12 ++++---- >>> src/initscripts/packages/sslh | 65 >>> +++++++++++++++++++++++++++++++++---------- >>> src/paks/sslh/install.sh | 13 +++++++++ >>> src/paks/sslh/uninstall.sh | 9 ++++++ >>> 5 files changed, 79 insertions(+), 23 deletions(-) >>> >>> diff --git a/lfs/initscripts b/lfs/initscripts >>> index 055e106d0..3173a04e4 100644 >>> --- a/lfs/initscripts >>> +++ b/lfs/initscripts >>> @@ -136,9 +136,6 @@ $(TARGET) : >>> ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175 >>> ln -sf ../init.d/client175 /etc/rc.d/rc3.d/S66client175 >>> ln -sf ../init.d/client175 /etc/rc.d/rc6.d/K34client175 >>> - ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh >>> - ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh >>> - ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh >>> ln -sf ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin >>> ln -sf ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin >>> ln -sf ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin >>> diff --git a/lfs/sslh b/lfs/sslh >>> index 100cec065..dedd10272 100644 >>> --- a/lfs/sslh >>> +++ b/lfs/sslh >>> @@ -1,7 +1,7 @@ >>> ################################################################### >>> ############ >>> # >>> # >>> # IPFire.org - A linux based >>> firewall # >>> -# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> >>> # >>> +# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> >>> # >>> # >>> # >>> # This program is free software: you can redistribute it and/or >>> modify # >>> # it under the terms of the GNU General Public License as published >>> by # >>> @@ -24,7 +24,7 @@ >>> >>> include Config >>> >>> -VER = 1.7a >>> +VER = 1.20 >>> >>> THISAPP = sslh-$(VER) >>> DL_FILE = $(THISAPP).tar.gz >>> @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) >>> DIR_APP = $(DIR_SRC)/$(THISAPP) >>> TARGET = $(DIR_INFO)/$(THISAPP) >>> PROG = sslh >>> -PAK_VER = 5 >>> +PAK_VER = 6 >>> >>> DEPS = "" >>> >>> @@ -44,7 +44,7 @@ objects = $(DL_FILE) >>> >>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >>> >>> -$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d >>> +$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912 >>> >>> install : $(TARGET) >>> >>> @@ -77,8 +77,8 @@ $(subst %,%_MD5,$(objects)) : >>> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>> @$(PREBUILD) >>> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf >>> $(DIR_DL)/$(DL_FILE) >>> - cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) >>> USELIBWRAP= >>> - cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin >>> + cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) >>> USELIBCAP=1 USELIBWRAP= >>> + cd $(DIR_APP) && install -v -m 755 sslh-fork /usr/sbin/sslh >>> >>> #install initscripts >>> $(call INSTALL_INITSCRIPT,sslh) >> >> It looks all fine up to this point. >> >>> diff --git a/src/initscripts/packages/sslh >>> b/src/initscripts/packages/sslh >>> index 43e58f392..0935b1114 100644 >>> --- a/src/initscripts/packages/sslh >>> +++ b/src/initscripts/packages/sslh >>> @@ -3,31 +3,68 @@ >>> >>> # Based on sysklogd script from LFS-3.1 and earlier. >>> # Rewritten by Gerard Beekmans - gerard(a)linuxfromscratch.org >>> +# >>> +# $LastChangedBy: ummeegge - ummeegge(a)ipfire.org $ >>> +# $Date: 2019-04-04 04:35:09 -0500 (Thu, 04 Apr 2019) $ >>> +# >>> +############################################################# >>> +# >> >> You do not need to include authorship headers because Git will take >> care of this. > Done. > >> >>> >>> . /etc/sysconfig/rc >>> . $rc_functions >>> >>> +DAEMON="/usr/sbin/sslh" >>> + >>> +# Check for external IP address and provide it to listening option >>> +EXTERNAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)" >>> +EXTERNAL_IP_FUNCT() { >>> + if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then >>> + echo_failure >>> + boot_mesg -n "FAILURE:\n\nCould not determine" >>> ${FAILURE} >>> + boot_mesg -n " your external IP address." >>> + boot_mesg "" ${NORMAL} >>> + exit 1 >>> + fi >>> +} >> >> Although you are starting the service rather late in the boot >> process, it might indeed happen that this goes wrong. How do we >> recover from this? The service should be started eventually when RED >> comes up. > I tried to leave the most options pretty much the same as they where > before whereby the numbers of the symlinks are a part of this the > testings did not delivered problems with this but better to stay save > there. > The network initscript starts at 'S20' where i think RED will be > started too what you think is a good starting point for sslh ? If there is a cable plugged into RED and it actually comes up this is a good time to start the service. But what if the DSL modem takes longer to sync or so? It should still be started in red.up then. > >> >> What if the IP address on RED changes? How is sslh notified? > I think it won´t currently. Have seen some configurations which uses > 0.0.0.0 for the --listen option but this can cause bigger troubles if > '443' is the --listen port here i think. As far as i can see only a > restart of sslh would fix this currently. > May you have an idea here ? Have a script in red.up which restarts the whole service - but only if the IP address has actually changed so that standing connections won’t be interrupted. I think that is what we need here, isn’t it? > > >> >>> + >>> +# Loopback interface >>> +LO="127.0.0.1" >>> +# Used TCP ports >>> +LISTENPORT="443" >>> +SSHPORT="222" >>> +TLSPORT="444" >>> +OPENVPNPORT=“1194" >> >> Can we use hard-coded port numbers here? > Here arises also some more questions for me. > We can grep for them in the configuration files but also may a check > for the correct usage can be made since e.g. OpenVPN needs to run with > TCP for example. I would say that 443 probably masks traffic best and is most likely to be open even in more restricted environments. OpenVPN has to be running in TCP mode, but that is something the user has to configure. It isn’t even certain if they are using OpenVPN here. So that should be optional. > Should we really provide TCP 444 in here for external access ? I think > also SSH might be more secure via VPN but may a little more acceptable > if no VPN is in usage?! The Web UI? No, that should not be open by default. People should use OpenVPN to access the firewall. > The main topic in the tests we made in the forum where mainly for LAN > instances on seperated machines (mostly webservers) where those > questions may be not that critical?! We do not know how critical the application of the user is. So assuming it is most critical is best. > >> >>> + >>> +# Configuration options >>> +DAEMON_OPTS=" >>> +--user sslh >>> +--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT} >>> +--ssh ${LO}:${SSHPORT} >>> +--tls ${LO}:${TLSPORT} >>> +--openvpn ${LO}:${OPENVPNPORT} >>> +--pidfile /var/run/sslh.pid >>> +-C /var/empty >>> +" >>> + >>> +# Check for binary >>> +if ! [ -x "$(command -v ${DAEMON})" ]; then >>> + echo "Error: could not find ${DAEMON}" >&2 >>> + exit 1 >>> +fi >> >> No need for this check really. We don’t have it anywhere else. > Done. > >> >>> + >>> +# Check for external IP >>> +EXTERNAL_IP_FUNCT >> >> This does not really need to be a function because the if statement >> above isn’t either. >> >> And it should not be evaluated in the stop case. If the system is not >> online, this service can never be stopped. >> >> I think it is best for this code to have it in the start section >> where is was before - unless I missed something here. > Have externalised the investigation of the RED address to provide it > also for the --listen option in the configuration block. To keep the > start) case also a little cleaner have decided to set the external IP > check completely outside of the start) case and set the check before > but this is fast changed. You won’t be able to stop the service then if the script is ended in that block. I think it should only be evaluated in the start block. The check isn’t needed for stopping the service. > >> >>> + >>> case "$1" in >>> start) >>> boot_mesg "Starting SSLH Deamon..." >>> - >>> - LOCAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)" >>> - if [ -z "${LOCAL_IP_ADDRESS}" ]; then >>> - echo_failure >>> - boot_mesg -n "FAILURE:\n\nCould not determine" >>> ${FAILURE} >>> - boot_mesg -n " your external IP address." >>> - boot_mesg "" ${NORMAL} >>> - exit 1 >>> - fi >>> - >>> - loadproc /usr/sbin/sslh -u nobody \ >>> - -p "${LOCAL_IP_ADDRESS}:443" -s localhost:222 >>> -l localhost:444 >>> + loadproc ${DAEMON} ${DAEMON_OPTS} >>> evaluate_retval >>> ;; >>> >>> stop) >>> boot_mesg "Stopping SSLH Deamon..." >>> - killproc /usr/sbin/sslh >>> + killproc ${DAEMON} >>> evaluate_retval >>> ;; >>> >>> @@ -38,7 +75,7 @@ case "$1" in >>> ;; >>> >>> status) >>> - statusproc /usr/sbin/sslh >>> + statusproc ${DAEMON} >>> ;; >>> >>> *) >>> diff --git a/src/paks/sslh/install.sh b/src/paks/sslh/install.sh >>> index 626884bdd..df7cafc78 100644 >>> --- a/src/paks/sslh/install.sh >>> +++ b/src/paks/sslh/install.sh >>> @@ -23,5 +23,18 @@ >>> # >>> . /opt/pakfire/lib/functions.sh >>> extract_files >>> + >>> +# Add user and group for sslh if not already done >>> +if ! grep -q sslh /etc/passwd; then >>> + groupadd sslh; >>> + useradd -g sslh -M -s /sbin/nologin sslh >>> +fi >> >> Can you change this to use getent? There are a couple of examples in >> some other scripts (e.g. tor). > Done. > >> >> You should also check if the group existed already. > I think the getent solution --> > if ! getent group sslh &>/dev/null; then > ... > will do this. OK! >> >>> + >>> ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh >> >> Why is this link not in the package? > You mean in the LFS ? This is also a part of the old implementation, > might it be an idea to have it in the initscript (incl. deletion of the > symlink) ? I think it is easiest to have it in the package so it will be deleted when the package is being removed. This might become a script now - see above. >> >> Should we not check if the service is running and only then restart? > Via pgrep check in start) ? Not in start, but in the red.up script. That way we would only touch the service when it is active. If it isn’t started, we need to figure out if it should be started - or check if the boot process brought it up - even though RED wasn’t up. >> What happens when the service is disabled at boot time? > You mean disabled via WUI ? Yes. > >> >>> + >>> +# Set symlink for runlevels >>> +ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh >>> +ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh >>> +ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh >>> + >>> start_service --background ${NAME} >>> diff --git a/src/paks/sslh/uninstall.sh >>> b/src/paks/sslh/uninstall.sh >>> index dca34ccbd..05bb27945 100644 >>> --- a/src/paks/sslh/uninstall.sh >>> +++ b/src/paks/sslh/uninstall.sh >>> @@ -23,5 +23,14 @@ >>> # >>> . /opt/pakfire/lib/functions.sh >>> stop_service ${NAME} >>> + >>> +# Delete user and group sslh >>> +if grep -q sslh /etc/passwd; then >>> + userdel sslh >>> + groupdel sslh >>> +fi >> >> We don’t delete users. This will cause that log files or so will have >> no owner any more. >> >> This won’t be an issue because we check if the user exists in the >> install script and if it does we are not trying to create it any >> more. > Done. Thanks! >> >>> + >>> remove_files >>> rm -f /etc/rc.d/init.d/networking/red.up/50-sslh >>> +# Delete initscript symlinks >>> +rm -f /etc/rc.d/rc?.d/???sslh >>> -- >>> 2.12.2 >>> >> >> Overall this looks good and makes this a better add-on. It looks like >> many things to change, but they are all small and should not take too >> long. > This Addon is really a old one and i was not sure if it should be > updated again or if it would be dropped since stunnel do a similar job > i think. But am happy if it can be a better one and the time to bring > it back to life was not wasted. If you are using it, it should of course be updated. There is a little bit of work to be done and some add-ons are really just the package itself with little integration, but I think it is a good idea to make high-quality add-on out of this. Maybe we should have awesome documentation on the Wiki so that more people are aware of it and therefore use it. -Michael > >> >> Best, >> -Michael >> > > Best, > > Erik ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] sslh: Update to version 1.20 2019-05-01 11:13 ` Michael Tremer @ 2019-05-10 11:54 ` ummeegge 2019-05-11 10:06 ` Michael Tremer 0 siblings, 1 reply; 11+ messages in thread From: ummeegge @ 2019-05-10 11:54 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 17332 bytes --] Hi Michael, and thanks for your feedback. Made a V2 patch now but i get an $ git send-email -v2 -1 --in-replay-to 690B105B-733E-4283-9D05-9967D09BA86F(a)ipfire.org fatal: ambiguous argument '690B105B-733E-4283-9D05-9967D09BA86F(a)ipfire.org': unknown revision or path not in the working tree. Use '--' to separate paths from revisions, like this: 'git <command> [<revision>...] -- [<file>...]' format-patch -o /tmp/qnlL0LbJPZ -v2 -1 --in-replay-to 690B105B-733E-4283-9D05-9967D09BA86F(a)ipfire.org: command returned error: 128 am currently not sure how to fix this. Have nevertheless pushed the new version (hopefully all wanted is included) to Git --> https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=314975a6703f78d8e4c0cb9071819597ad72d48e Since my time is currently a little less it might be great if you can review it in that way. Best, Erik On Mi, 2019-05-01 at 12:13 +0100, Michael Tremer wrote: > Hi, > > Apologies for the late reply again… I am trying to catch up on my > rather large inbox. > > > On 26 Apr 2019, at 05:55, ummeegge <ummeegge(a)ipfire.org> wrote: > > > > Hi Michael and thanks for looking into this. > > > > On Mi, 2019-04-24 at 12:04 +0100, Michael Tremer wrote: > > > Hi, > > > > > > Thanks for working on this. I have a couple of questions and > > > remarks. > > > > > > > On 23 Apr 2019, at 08:06, Erik Kapfer <ummeegge(a)ipfire.org> > > > > wrote: > > > > > > > > - Added USELIBCAP=1 to enable the possibility for transparent > > > > option. > > > > - Wrote configuration directives in initscript into variable > > > > for > > > > better overview. > > > > - Introduce chroot directive in start parameter. > > > > - Added new user and group sslh (will be deleted if uninstall). > > > > - Changed EXTERNAL_IP_FUNCT to serve data also for > > > > configuration > > > > block but use it also as check as before. > > > > - Added symlinks in sslh paks since the initscripts LFS do not > > > > serves it in old installation (a reboot does not started sslh > > > > again). > > > > - Deleted sslh symlinks in initscripts LFS since they are > > > > served > > > > via sslh paks and are not needed anymore. > > > > > > > > Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org> > > > > --- > > > > lfs/initscripts | 3 -- > > > > lfs/sslh | 12 ++++---- > > > > src/initscripts/packages/sslh | 65 > > > > +++++++++++++++++++++++++++++++++---------- > > > > src/paks/sslh/install.sh | 13 +++++++++ > > > > src/paks/sslh/uninstall.sh | 9 ++++++ > > > > 5 files changed, 79 insertions(+), 23 deletions(-) > > > > > > > > diff --git a/lfs/initscripts b/lfs/initscripts > > > > index 055e106d0..3173a04e4 100644 > > > > --- a/lfs/initscripts > > > > +++ b/lfs/initscripts > > > > @@ -136,9 +136,6 @@ $(TARGET) : > > > > ln -sf > > > > ../init.d/client175 /etc/rc.d/rc0.d/K34client175 > > > > ln -sf > > > > ../init.d/client175 /etc/rc.d/rc3.d/S66client175 > > > > ln -sf > > > > ../init.d/client175 /etc/rc.d/rc6.d/K34client175 > > > > - ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > > > > - ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > > > > - ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > > > > ln -sf > > > > ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin > > > > ln -sf > > > > ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin > > > > ln -sf > > > > ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin > > > > diff --git a/lfs/sslh b/lfs/sslh > > > > index 100cec065..dedd10272 100644 > > > > --- a/lfs/sslh > > > > +++ b/lfs/sslh > > > > @@ -1,7 +1,7 @@ > > > > ############################################################### > > > > #### > > > > ############ > > > > # > > > > > > > > # > > > > # IPFire.org - A linux based > > > > firewall # > > > > -# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> > > > > > > > > # > > > > +# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> > > > > > > > > # > > > > # > > > > > > > > # > > > > # This program is free software: you can redistribute it and/or > > > > modify # > > > > # it under the terms of the GNU General Public License as > > > > published > > > > by # > > > > @@ -24,7 +24,7 @@ > > > > > > > > include Config > > > > > > > > -VER = 1.7a > > > > +VER = 1.20 > > > > > > > > THISAPP = sslh-$(VER) > > > > DL_FILE = $(THISAPP).tar.gz > > > > @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) > > > > DIR_APP = $(DIR_SRC)/$(THISAPP) > > > > TARGET = $(DIR_INFO)/$(THISAPP) > > > > PROG = sslh > > > > -PAK_VER = 5 > > > > +PAK_VER = 6 > > > > > > > > DEPS = "" > > > > > > > > @@ -44,7 +44,7 @@ objects = $(DL_FILE) > > > > > > > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > > > > > > > -$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d > > > > +$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912 > > > > > > > > install : $(TARGET) > > > > > > > > @@ -77,8 +77,8 @@ $(subst %,%_MD5,$(objects)) : > > > > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > > > > @$(PREBUILD) > > > > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf > > > > $(DIR_DL)/$(DL_FILE) > > > > - cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) > > > > USELIBWRAP= > > > > - cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin > > > > + cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) > > > > USELIBCAP=1 USELIBWRAP= > > > > + cd $(DIR_APP) && install -v -m 755 sslh-fork > > > > /usr/sbin/sslh > > > > > > > > #install initscripts > > > > $(call INSTALL_INITSCRIPT,sslh) > > > > > > It looks all fine up to this point. > > > > > > > diff --git a/src/initscripts/packages/sslh > > > > b/src/initscripts/packages/sslh > > > > index 43e58f392..0935b1114 100644 > > > > --- a/src/initscripts/packages/sslh > > > > +++ b/src/initscripts/packages/sslh > > > > @@ -3,31 +3,68 @@ > > > > > > > > # Based on sysklogd script from LFS-3.1 and earlier. > > > > # Rewritten by Gerard Beekmans - gerard(a)linuxfromscratch.org > > > > +# > > > > +# $LastChangedBy: ummeegge - ummeegge(a)ipfire.org $ > > > > +# $Date: 2019-04-04 04:35:09 -0500 (Thu, 04 Apr 2019) $ > > > > +# > > > > +############################################################# > > > > +# > > > > > > You do not need to include authorship headers because Git will > > > take > > > care of this. > > > > Done. > > > > > > > > > > > > > . /etc/sysconfig/rc > > > > . $rc_functions > > > > > > > > +DAEMON="/usr/sbin/sslh" > > > > + > > > > +# Check for external IP address and provide it to listening > > > > option > > > > +EXTERNAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)" > > > > +EXTERNAL_IP_FUNCT() { > > > > + if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then > > > > + echo_failure > > > > + boot_mesg -n "FAILURE:\n\nCould not determine" > > > > ${FAILURE} > > > > + boot_mesg -n " your external IP address." > > > > + boot_mesg "" ${NORMAL} > > > > + exit 1 > > > > + fi > > > > +} > > > > > > Although you are starting the service rather late in the boot > > > process, it might indeed happen that this goes wrong. How do we > > > recover from this? The service should be started eventually when > > > RED > > > comes up. > > > > I tried to leave the most options pretty much the same as they > > where > > before whereby the numbers of the symlinks are a part of this the > > testings did not delivered problems with this but better to stay > > save > > there. > > The network initscript starts at 'S20' where i think RED will be > > started too what you think is a good starting point for sslh ? > > If there is a cable plugged into RED and it actually comes up this is > a good time to start the service. But what if the DSL modem takes > longer to sync or so? It should still be started in red.up then. > > > > > > > > > What if the IP address on RED changes? How is sslh notified? > > > > I think it won´t currently. Have seen some configurations which > > uses > > 0.0.0.0 for the --listen option but this can cause bigger troubles > > if > > '443' is the --listen port here i think. As far as i can see only a > > restart of sslh would fix this currently. > > May you have an idea here ? > > Have a script in red.up which restarts the whole service - but only > if the IP address has actually changed so that standing connections > won’t be interrupted. I think that is what we need here, isn’t it? > > > > > > > > > > > > + > > > > +# Loopback interface > > > > +LO="127.0.0.1" > > > > +# Used TCP ports > > > > +LISTENPORT="443" > > > > +SSHPORT="222" > > > > +TLSPORT="444" > > > > +OPENVPNPORT=“1194" > > > > > > Can we use hard-coded port numbers here? > > > > Here arises also some more questions for me. > > We can grep for them in the configuration files but also may a > > check > > for the correct usage can be made since e.g. OpenVPN needs to run > > with > > TCP for example. > > I would say that 443 probably masks traffic best and is most likely > to be open even in more restricted environments. > > OpenVPN has to be running in TCP mode, but that is something the user > has to configure. It isn’t even certain if they are using OpenVPN > here. So that should be optional. > > > Should we really provide TCP 444 in here for external access ? I > > think > > also SSH might be more secure via VPN but may a little more > > acceptable > > if no VPN is in usage?! > > The Web UI? No, that should not be open by default. People should use > OpenVPN to access the firewall. > > > The main topic in the tests we made in the forum where mainly for > > LAN > > instances on seperated machines (mostly webservers) where those > > questions may be not that critical?! > > We do not know how critical the application of the user is. So > assuming it is most critical is best. > > > > > > > > > > + > > > > +# Configuration options > > > > +DAEMON_OPTS=" > > > > +--user sslh > > > > +--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT} > > > > +--ssh ${LO}:${SSHPORT} > > > > +--tls ${LO}:${TLSPORT} > > > > +--openvpn ${LO}:${OPENVPNPORT} > > > > +--pidfile /var/run/sslh.pid > > > > +-C /var/empty > > > > +" > > > > + > > > > +# Check for binary > > > > +if ! [ -x "$(command -v ${DAEMON})" ]; then > > > > + echo "Error: could not find ${DAEMON}" >&2 > > > > + exit 1 > > > > +fi > > > > > > No need for this check really. We don’t have it anywhere else. > > > > Done. > > > > > > > > > + > > > > +# Check for external IP > > > > +EXTERNAL_IP_FUNCT > > > > > > This does not really need to be a function because the if > > > statement > > > above isn’t either. > > > > > > And it should not be evaluated in the stop case. If the system is > > > not > > > online, this service can never be stopped. > > > > > > I think it is best for this code to have it in the start section > > > where is was before - unless I missed something here. > > > > Have externalised the investigation of the RED address to provide > > it > > also for the --listen option in the configuration block. To keep > > the > > start) case also a little cleaner have decided to set the external > > IP > > check completely outside of the start) case and set the check > > before > > but this is fast changed. > > You won’t be able to stop the service then if the script is ended in > that block. > > I think it should only be evaluated in the start block. The check > isn’t needed for stopping the service. > > > > > > > > > > + > > > > case "$1" in > > > > start) > > > > boot_mesg "Starting SSLH Deamon..." > > > > - > > > > - LOCAL_IP_ADDRESS="$(</var/ipfire/red/local- > > > > ipaddress)" > > > > - if [ -z "${LOCAL_IP_ADDRESS}" ]; then > > > > - echo_failure > > > > - boot_mesg -n "FAILURE:\n\nCould not > > > > determine" > > > > ${FAILURE} > > > > - boot_mesg -n " your external IP > > > > address." > > > > - boot_mesg "" ${NORMAL} > > > > - exit 1 > > > > - fi > > > > - > > > > - loadproc /usr/sbin/sslh -u nobody \ > > > > - -p "${LOCAL_IP_ADDRESS}:443" -s > > > > localhost:222 > > > > -l localhost:444 > > > > + loadproc ${DAEMON} ${DAEMON_OPTS} > > > > evaluate_retval > > > > ;; > > > > > > > > stop) > > > > boot_mesg "Stopping SSLH Deamon..." > > > > - killproc /usr/sbin/sslh > > > > + killproc ${DAEMON} > > > > evaluate_retval > > > > ;; > > > > > > > > @@ -38,7 +75,7 @@ case "$1" in > > > > ;; > > > > > > > > status) > > > > - statusproc /usr/sbin/sslh > > > > + statusproc ${DAEMON} > > > > ;; > > > > > > > > *) > > > > diff --git a/src/paks/sslh/install.sh > > > > b/src/paks/sslh/install.sh > > > > index 626884bdd..df7cafc78 100644 > > > > --- a/src/paks/sslh/install.sh > > > > +++ b/src/paks/sslh/install.sh > > > > @@ -23,5 +23,18 @@ > > > > # > > > > . /opt/pakfire/lib/functions.sh > > > > extract_files > > > > + > > > > +# Add user and group for sslh if not already done > > > > +if ! grep -q sslh /etc/passwd; then > > > > + groupadd sslh; > > > > + useradd -g sslh -M -s /sbin/nologin sslh > > > > +fi > > > > > > Can you change this to use getent? There are a couple of examples > > > in > > > some other scripts (e.g. tor). > > > > Done. > > > > > > > > You should also check if the group existed already. > > > > I think the getent solution --> > > if ! getent group sslh &>/dev/null; then > > ... > > will do this. > > OK! > > > > > > > > + > > > > ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50- > > > > sslh > > > > > > Why is this link not in the package? > > > > You mean in the LFS ? This is also a part of the old > > implementation, > > might it be an idea to have it in the initscript (incl. deletion of > > the > > symlink) ? > > I think it is easiest to have it in the package so it will be deleted > when the package is being removed. > > This might become a script now - see above. > > > > > > > Should we not check if the service is running and only then > > > restart? > > > > Via pgrep check in start) ? > > Not in start, but in the red.up script. > > That way we would only touch the service when it is active. If it > isn’t started, we need to figure out if it should be started - or > check if the boot process brought it up - even though RED wasn’t up. > > > > What happens when the service is disabled at boot time? > > > > You mean disabled via WUI ? > > Yes. > > > > > > > > > > + > > > > +# Set symlink for runlevels > > > > +ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > > > > +ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > > > > +ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > > > > + > > > > start_service --background ${NAME} > > > > diff --git a/src/paks/sslh/uninstall.sh > > > > b/src/paks/sslh/uninstall.sh > > > > index dca34ccbd..05bb27945 100644 > > > > --- a/src/paks/sslh/uninstall.sh > > > > +++ b/src/paks/sslh/uninstall.sh > > > > @@ -23,5 +23,14 @@ > > > > # > > > > . /opt/pakfire/lib/functions.sh > > > > stop_service ${NAME} > > > > + > > > > +# Delete user and group sslh > > > > +if grep -q sslh /etc/passwd; then > > > > + userdel sslh > > > > + groupdel sslh > > > > +fi > > > > > > We don’t delete users. This will cause that log files or so will > > > have > > > no owner any more. > > > > > > This won’t be an issue because we check if the user exists in the > > > install script and if it does we are not trying to create it any > > > more. > > > > Done. > > Thanks! > > > > > > > > + > > > > remove_files > > > > rm -f /etc/rc.d/init.d/networking/red.up/50-sslh > > > > +# Delete initscript symlinks > > > > +rm -f /etc/rc.d/rc?.d/???sslh > > > > -- > > > > 2.12.2 > > > > > > > > > > Overall this looks good and makes this a better add-on. It looks > > > like > > > many things to change, but they are all small and should not take > > > too > > > long. > > > > This Addon is really a old one and i was not sure if it should be > > updated again or if it would be dropped since stunnel do a similar > > job > > i think. But am happy if it can be a better one and the time to > > bring > > it back to life was not wasted. > > If you are using it, it should of course be updated. > > There is a little bit of work to be done and some add-ons are really > just the package itself with little integration, but I think it is a > good idea to make high-quality add-on out of this. > > Maybe we should have awesome documentation on the Wiki so that more > people are aware of it and therefore use it. > > -Michael > > > > > > > > > Best, > > > -Michael > > > > > > > Best, > > > > Erik > > ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] sslh: Update to version 1.20 2019-05-10 11:54 ` ummeegge @ 2019-05-11 10:06 ` Michael Tremer 2019-05-12 4:35 ` ummeegge 0 siblings, 1 reply; 11+ messages in thread From: Michael Tremer @ 2019-05-11 10:06 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 16982 bytes --] Hi, The parameter is “in-reply-to”. You got an extra “a” there. -Michael > On 10 May 2019, at 12:54, ummeegge <ummeegge(a)ipfire.org> wrote: > > Hi Michael, > and thanks for your feedback. Made a V2 patch now but i get an > > $ git send-email -v2 -1 --in-replay-to 690B105B-733E-4283-9D05-9967D09BA86F(a)ipfire.org > fatal: ambiguous argument '690B105B-733E-4283-9D05-9967D09BA86F(a)ipfire.org': unknown revision or path not in the working tree. > Use '--' to separate paths from revisions, like this: > 'git <command> [<revision>...] -- [<file>...]' > format-patch -o /tmp/qnlL0LbJPZ -v2 -1 --in-replay-to 690B105B-733E-4283-9D05-9967D09BA86F(a)ipfire.org: command returned error: 128 > > am currently not sure how to fix this. Have nevertheless pushed the new version > (hopefully all wanted is included) to Git --> > https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=314975a6703f78d8e4c0cb9071819597ad72d48e > > Since my time is currently a little less it might be great if you can > review it in that way. > > Best, > > Erik > > > On Mi, 2019-05-01 at 12:13 +0100, Michael Tremer wrote: >> Hi, >> >> Apologies for the late reply again… I am trying to catch up on my >> rather large inbox. >> >>> On 26 Apr 2019, at 05:55, ummeegge <ummeegge(a)ipfire.org> wrote: >>> >>> Hi Michael and thanks for looking into this. >>> >>> On Mi, 2019-04-24 at 12:04 +0100, Michael Tremer wrote: >>>> Hi, >>>> >>>> Thanks for working on this. I have a couple of questions and >>>> remarks. >>>> >>>>> On 23 Apr 2019, at 08:06, Erik Kapfer <ummeegge(a)ipfire.org> >>>>> wrote: >>>>> >>>>> - Added USELIBCAP=1 to enable the possibility for transparent >>>>> option. >>>>> - Wrote configuration directives in initscript into variable >>>>> for >>>>> better overview. >>>>> - Introduce chroot directive in start parameter. >>>>> - Added new user and group sslh (will be deleted if uninstall). >>>>> - Changed EXTERNAL_IP_FUNCT to serve data also for >>>>> configuration >>>>> block but use it also as check as before. >>>>> - Added symlinks in sslh paks since the initscripts LFS do not >>>>> serves it in old installation (a reboot does not started sslh >>>>> again). >>>>> - Deleted sslh symlinks in initscripts LFS since they are >>>>> served >>>>> via sslh paks and are not needed anymore. >>>>> >>>>> Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org> >>>>> --- >>>>> lfs/initscripts | 3 -- >>>>> lfs/sslh | 12 ++++---- >>>>> src/initscripts/packages/sslh | 65 >>>>> +++++++++++++++++++++++++++++++++---------- >>>>> src/paks/sslh/install.sh | 13 +++++++++ >>>>> src/paks/sslh/uninstall.sh | 9 ++++++ >>>>> 5 files changed, 79 insertions(+), 23 deletions(-) >>>>> >>>>> diff --git a/lfs/initscripts b/lfs/initscripts >>>>> index 055e106d0..3173a04e4 100644 >>>>> --- a/lfs/initscripts >>>>> +++ b/lfs/initscripts >>>>> @@ -136,9 +136,6 @@ $(TARGET) : >>>>> ln -sf >>>>> ../init.d/client175 /etc/rc.d/rc0.d/K34client175 >>>>> ln -sf >>>>> ../init.d/client175 /etc/rc.d/rc3.d/S66client175 >>>>> ln -sf >>>>> ../init.d/client175 /etc/rc.d/rc6.d/K34client175 >>>>> - ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh >>>>> - ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh >>>>> - ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh >>>>> ln -sf >>>>> ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin >>>>> ln -sf >>>>> ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin >>>>> ln -sf >>>>> ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin >>>>> diff --git a/lfs/sslh b/lfs/sslh >>>>> index 100cec065..dedd10272 100644 >>>>> --- a/lfs/sslh >>>>> +++ b/lfs/sslh >>>>> @@ -1,7 +1,7 @@ >>>>> ############################################################### >>>>> #### >>>>> ############ >>>>> # >>>>> >>>>> # >>>>> # IPFire.org - A linux based >>>>> firewall # >>>>> -# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> >>>>> >>>>> # >>>>> +# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> >>>>> >>>>> # >>>>> # >>>>> >>>>> # >>>>> # This program is free software: you can redistribute it and/or >>>>> modify # >>>>> # it under the terms of the GNU General Public License as >>>>> published >>>>> by # >>>>> @@ -24,7 +24,7 @@ >>>>> >>>>> include Config >>>>> >>>>> -VER = 1.7a >>>>> +VER = 1.20 >>>>> >>>>> THISAPP = sslh-$(VER) >>>>> DL_FILE = $(THISAPP).tar.gz >>>>> @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) >>>>> DIR_APP = $(DIR_SRC)/$(THISAPP) >>>>> TARGET = $(DIR_INFO)/$(THISAPP) >>>>> PROG = sslh >>>>> -PAK_VER = 5 >>>>> +PAK_VER = 6 >>>>> >>>>> DEPS = "" >>>>> >>>>> @@ -44,7 +44,7 @@ objects = $(DL_FILE) >>>>> >>>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >>>>> >>>>> -$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d >>>>> +$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912 >>>>> >>>>> install : $(TARGET) >>>>> >>>>> @@ -77,8 +77,8 @@ $(subst %,%_MD5,$(objects)) : >>>>> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>>>> @$(PREBUILD) >>>>> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf >>>>> $(DIR_DL)/$(DL_FILE) >>>>> - cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) >>>>> USELIBWRAP= >>>>> - cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin >>>>> + cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) >>>>> USELIBCAP=1 USELIBWRAP= >>>>> + cd $(DIR_APP) && install -v -m 755 sslh-fork >>>>> /usr/sbin/sslh >>>>> >>>>> #install initscripts >>>>> $(call INSTALL_INITSCRIPT,sslh) >>>> >>>> It looks all fine up to this point. >>>> >>>>> diff --git a/src/initscripts/packages/sslh >>>>> b/src/initscripts/packages/sslh >>>>> index 43e58f392..0935b1114 100644 >>>>> --- a/src/initscripts/packages/sslh >>>>> +++ b/src/initscripts/packages/sslh >>>>> @@ -3,31 +3,68 @@ >>>>> >>>>> # Based on sysklogd script from LFS-3.1 and earlier. >>>>> # Rewritten by Gerard Beekmans - gerard(a)linuxfromscratch.org >>>>> +# >>>>> +# $LastChangedBy: ummeegge - ummeegge(a)ipfire.org $ >>>>> +# $Date: 2019-04-04 04:35:09 -0500 (Thu, 04 Apr 2019) $ >>>>> +# >>>>> +############################################################# >>>>> +# >>>> >>>> You do not need to include authorship headers because Git will >>>> take >>>> care of this. >>> >>> Done. >>> >>>> >>>>> >>>>> . /etc/sysconfig/rc >>>>> . $rc_functions >>>>> >>>>> +DAEMON="/usr/sbin/sslh" >>>>> + >>>>> +# Check for external IP address and provide it to listening >>>>> option >>>>> +EXTERNAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)" >>>>> +EXTERNAL_IP_FUNCT() { >>>>> + if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then >>>>> + echo_failure >>>>> + boot_mesg -n "FAILURE:\n\nCould not determine" >>>>> ${FAILURE} >>>>> + boot_mesg -n " your external IP address." >>>>> + boot_mesg "" ${NORMAL} >>>>> + exit 1 >>>>> + fi >>>>> +} >>>> >>>> Although you are starting the service rather late in the boot >>>> process, it might indeed happen that this goes wrong. How do we >>>> recover from this? The service should be started eventually when >>>> RED >>>> comes up. >>> >>> I tried to leave the most options pretty much the same as they >>> where >>> before whereby the numbers of the symlinks are a part of this the >>> testings did not delivered problems with this but better to stay >>> save >>> there. >>> The network initscript starts at 'S20' where i think RED will be >>> started too what you think is a good starting point for sslh ? >> >> If there is a cable plugged into RED and it actually comes up this is >> a good time to start the service. But what if the DSL modem takes >> longer to sync or so? It should still be started in red.up then. >> >>> >>>> >>>> What if the IP address on RED changes? How is sslh notified? >>> >>> I think it won´t currently. Have seen some configurations which >>> uses >>> 0.0.0.0 for the --listen option but this can cause bigger troubles >>> if >>> '443' is the --listen port here i think. As far as i can see only a >>> restart of sslh would fix this currently. >>> May you have an idea here ? >> >> Have a script in red.up which restarts the whole service - but only >> if the IP address has actually changed so that standing connections >> won’t be interrupted. I think that is what we need here, isn’t it? >> >>> >>> >>>> >>>>> + >>>>> +# Loopback interface >>>>> +LO="127.0.0.1" >>>>> +# Used TCP ports >>>>> +LISTENPORT="443" >>>>> +SSHPORT="222" >>>>> +TLSPORT="444" >>>>> +OPENVPNPORT=“1194" >>>> >>>> Can we use hard-coded port numbers here? >>> >>> Here arises also some more questions for me. >>> We can grep for them in the configuration files but also may a >>> check >>> for the correct usage can be made since e.g. OpenVPN needs to run >>> with >>> TCP for example. >> >> I would say that 443 probably masks traffic best and is most likely >> to be open even in more restricted environments. >> >> OpenVPN has to be running in TCP mode, but that is something the user >> has to configure. It isn’t even certain if they are using OpenVPN >> here. So that should be optional. >> >>> Should we really provide TCP 444 in here for external access ? I >>> think >>> also SSH might be more secure via VPN but may a little more >>> acceptable >>> if no VPN is in usage?! >> >> The Web UI? No, that should not be open by default. People should use >> OpenVPN to access the firewall. >> >>> The main topic in the tests we made in the forum where mainly for >>> LAN >>> instances on seperated machines (mostly webservers) where those >>> questions may be not that critical?! >> >> We do not know how critical the application of the user is. So >> assuming it is most critical is best. >> >>> >>>> >>>>> + >>>>> +# Configuration options >>>>> +DAEMON_OPTS=" >>>>> +--user sslh >>>>> +--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT} >>>>> +--ssh ${LO}:${SSHPORT} >>>>> +--tls ${LO}:${TLSPORT} >>>>> +--openvpn ${LO}:${OPENVPNPORT} >>>>> +--pidfile /var/run/sslh.pid >>>>> +-C /var/empty >>>>> +" >>>>> + >>>>> +# Check for binary >>>>> +if ! [ -x "$(command -v ${DAEMON})" ]; then >>>>> + echo "Error: could not find ${DAEMON}" >&2 >>>>> + exit 1 >>>>> +fi >>>> >>>> No need for this check really. We don’t have it anywhere else. >>> >>> Done. >>> >>>> >>>>> + >>>>> +# Check for external IP >>>>> +EXTERNAL_IP_FUNCT >>>> >>>> This does not really need to be a function because the if >>>> statement >>>> above isn’t either. >>>> >>>> And it should not be evaluated in the stop case. If the system is >>>> not >>>> online, this service can never be stopped. >>>> >>>> I think it is best for this code to have it in the start section >>>> where is was before - unless I missed something here. >>> >>> Have externalised the investigation of the RED address to provide >>> it >>> also for the --listen option in the configuration block. To keep >>> the >>> start) case also a little cleaner have decided to set the external >>> IP >>> check completely outside of the start) case and set the check >>> before >>> but this is fast changed. >> >> You won’t be able to stop the service then if the script is ended in >> that block. >> >> I think it should only be evaluated in the start block. The check >> isn’t needed for stopping the service. >> >>> >>>> >>>>> + >>>>> case "$1" in >>>>> start) >>>>> boot_mesg "Starting SSLH Deamon..." >>>>> - >>>>> - LOCAL_IP_ADDRESS="$(</var/ipfire/red/local- >>>>> ipaddress)" >>>>> - if [ -z "${LOCAL_IP_ADDRESS}" ]; then >>>>> - echo_failure >>>>> - boot_mesg -n "FAILURE:\n\nCould not >>>>> determine" >>>>> ${FAILURE} >>>>> - boot_mesg -n " your external IP >>>>> address." >>>>> - boot_mesg "" ${NORMAL} >>>>> - exit 1 >>>>> - fi >>>>> - >>>>> - loadproc /usr/sbin/sslh -u nobody \ >>>>> - -p "${LOCAL_IP_ADDRESS}:443" -s >>>>> localhost:222 >>>>> -l localhost:444 >>>>> + loadproc ${DAEMON} ${DAEMON_OPTS} >>>>> evaluate_retval >>>>> ;; >>>>> >>>>> stop) >>>>> boot_mesg "Stopping SSLH Deamon..." >>>>> - killproc /usr/sbin/sslh >>>>> + killproc ${DAEMON} >>>>> evaluate_retval >>>>> ;; >>>>> >>>>> @@ -38,7 +75,7 @@ case "$1" in >>>>> ;; >>>>> >>>>> status) >>>>> - statusproc /usr/sbin/sslh >>>>> + statusproc ${DAEMON} >>>>> ;; >>>>> >>>>> *) >>>>> diff --git a/src/paks/sslh/install.sh >>>>> b/src/paks/sslh/install.sh >>>>> index 626884bdd..df7cafc78 100644 >>>>> --- a/src/paks/sslh/install.sh >>>>> +++ b/src/paks/sslh/install.sh >>>>> @@ -23,5 +23,18 @@ >>>>> # >>>>> . /opt/pakfire/lib/functions.sh >>>>> extract_files >>>>> + >>>>> +# Add user and group for sslh if not already done >>>>> +if ! grep -q sslh /etc/passwd; then >>>>> + groupadd sslh; >>>>> + useradd -g sslh -M -s /sbin/nologin sslh >>>>> +fi >>>> >>>> Can you change this to use getent? There are a couple of examples >>>> in >>>> some other scripts (e.g. tor). >>> >>> Done. >>> >>>> >>>> You should also check if the group existed already. >>> >>> I think the getent solution --> >>> if ! getent group sslh &>/dev/null; then >>> ... >>> will do this. >> >> OK! >> >>>> >>>>> + >>>>> ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50- >>>>> sslh >>>> >>>> Why is this link not in the package? >>> >>> You mean in the LFS ? This is also a part of the old >>> implementation, >>> might it be an idea to have it in the initscript (incl. deletion of >>> the >>> symlink) ? >> >> I think it is easiest to have it in the package so it will be deleted >> when the package is being removed. >> >> This might become a script now - see above. >> >>>> >>>> Should we not check if the service is running and only then >>>> restart? >>> >>> Via pgrep check in start) ? >> >> Not in start, but in the red.up script. >> >> That way we would only touch the service when it is active. If it >> isn’t started, we need to figure out if it should be started - or >> check if the boot process brought it up - even though RED wasn’t up. >> >>>> What happens when the service is disabled at boot time? >>> >>> You mean disabled via WUI ? >> >> Yes. >> >>> >>>> >>>>> + >>>>> +# Set symlink for runlevels >>>>> +ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh >>>>> +ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh >>>>> +ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh >>>>> + >>>>> start_service --background ${NAME} >>>>> diff --git a/src/paks/sslh/uninstall.sh >>>>> b/src/paks/sslh/uninstall.sh >>>>> index dca34ccbd..05bb27945 100644 >>>>> --- a/src/paks/sslh/uninstall.sh >>>>> +++ b/src/paks/sslh/uninstall.sh >>>>> @@ -23,5 +23,14 @@ >>>>> # >>>>> . /opt/pakfire/lib/functions.sh >>>>> stop_service ${NAME} >>>>> + >>>>> +# Delete user and group sslh >>>>> +if grep -q sslh /etc/passwd; then >>>>> + userdel sslh >>>>> + groupdel sslh >>>>> +fi >>>> >>>> We don’t delete users. This will cause that log files or so will >>>> have >>>> no owner any more. >>>> >>>> This won’t be an issue because we check if the user exists in the >>>> install script and if it does we are not trying to create it any >>>> more. >>> >>> Done. >> >> Thanks! >> >>>> >>>>> + >>>>> remove_files >>>>> rm -f /etc/rc.d/init.d/networking/red.up/50-sslh >>>>> +# Delete initscript symlinks >>>>> +rm -f /etc/rc.d/rc?.d/???sslh >>>>> -- >>>>> 2.12.2 >>>>> >>>> >>>> Overall this looks good and makes this a better add-on. It looks >>>> like >>>> many things to change, but they are all small and should not take >>>> too >>>> long. >>> >>> This Addon is really a old one and i was not sure if it should be >>> updated again or if it would be dropped since stunnel do a similar >>> job >>> i think. But am happy if it can be a better one and the time to >>> bring >>> it back to life was not wasted. >> >> If you are using it, it should of course be updated. >> >> There is a little bit of work to be done and some add-ons are really >> just the package itself with little integration, but I think it is a >> good idea to make high-quality add-on out of this. >> >> Maybe we should have awesome documentation on the Wiki so that more >> people are aware of it and therefore use it. >> >> -Michael >> >>> >>>> >>>> Best, >>>> -Michael >>>> >>> >>> Best, >>> >>> Erik >> >> > ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] sslh: Update to version 1.20 2019-05-11 10:06 ` Michael Tremer @ 2019-05-12 4:35 ` ummeegge 0 siblings, 0 replies; 11+ messages in thread From: ummeegge @ 2019-05-12 4:35 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 20384 bytes --] Hi Michael, On Sa, 2019-05-11 at 11:06 +0100, Michael Tremer wrote: > Hi, > > The parameter is “in-reply-to”. You got an extra “a” there. autsch... Thanks for the hint. Have send it to the list now. Best, Erik > > -Michael > > > On 10 May 2019, at 12:54, ummeegge <ummeegge(a)ipfire.org> wrote: > > > > Hi Michael, > > and thanks for your feedback. Made a V2 patch now but i get an > > > > $ git send-email -v2 -1 --in-replay-to > > 690B105B-733E-4283-9D05-9967D09BA86F(a)ipfire.org > > fatal: ambiguous argument > > '690B105B-733E-4283-9D05-9967D09BA86F(a)ipfire.org': unknown revision > > or path not in the working tree. > > Use '--' to separate paths from revisions, like this: > > 'git <command> [<revision>...] -- [<file>...]' > > format-patch -o /tmp/qnlL0LbJPZ -v2 -1 --in-replay-to > > 690B105B-733E-4283-9D05-9967D09BA86F(a)ipfire.org: command returned > > error: 128 > > > > am currently not sure how to fix this. Have nevertheless pushed the > > new version > > (hopefully all wanted is included) to Git --> > > https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=314975a6703f78d8e4c0cb9071819597ad72d48e > > > > Since my time is currently a little less it might be great if you > > can > > review it in that way. > > > > Best, > > > > Erik > > > > > > On Mi, 2019-05-01 at 12:13 +0100, Michael Tremer wrote: > > > Hi, > > > > > > Apologies for the late reply again… I am trying to catch up on my > > > rather large inbox. > > > > > > > On 26 Apr 2019, at 05:55, ummeegge <ummeegge(a)ipfire.org> wrote: > > > > > > > > Hi Michael and thanks for looking into this. > > > > > > > > On Mi, 2019-04-24 at 12:04 +0100, Michael Tremer wrote: > > > > > Hi, > > > > > > > > > > Thanks for working on this. I have a couple of questions and > > > > > remarks. > > > > > > > > > > > On 23 Apr 2019, at 08:06, Erik Kapfer <ummeegge(a)ipfire.org> > > > > > > wrote: > > > > > > > > > > > > - Added USELIBCAP=1 to enable the possibility for > > > > > > transparent > > > > > > option. > > > > > > - Wrote configuration directives in initscript into > > > > > > variable > > > > > > for > > > > > > better overview. > > > > > > - Introduce chroot directive in start parameter. > > > > > > - Added new user and group sslh (will be deleted if > > > > > > uninstall). > > > > > > - Changed EXTERNAL_IP_FUNCT to serve data also for > > > > > > configuration > > > > > > block but use it also as check as before. > > > > > > - Added symlinks in sslh paks since the initscripts LFS do > > > > > > not > > > > > > serves it in old installation (a reboot does not started > > > > > > sslh > > > > > > again). > > > > > > - Deleted sslh symlinks in initscripts LFS since they are > > > > > > served > > > > > > via sslh paks and are not needed anymore. > > > > > > > > > > > > Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org> > > > > > > --- > > > > > > lfs/initscripts | 3 -- > > > > > > lfs/sslh | 12 ++++---- > > > > > > src/initscripts/packages/sslh | 65 > > > > > > +++++++++++++++++++++++++++++++++---------- > > > > > > src/paks/sslh/install.sh | 13 +++++++++ > > > > > > src/paks/sslh/uninstall.sh | 9 ++++++ > > > > > > 5 files changed, 79 insertions(+), 23 deletions(-) > > > > > > > > > > > > diff --git a/lfs/initscripts b/lfs/initscripts > > > > > > index 055e106d0..3173a04e4 100644 > > > > > > --- a/lfs/initscripts > > > > > > +++ b/lfs/initscripts > > > > > > @@ -136,9 +136,6 @@ $(TARGET) : > > > > > > ln -sf > > > > > > ../init.d/client175 /etc/rc.d/rc0.d/K34client175 > > > > > > ln -sf > > > > > > ../init.d/client175 /etc/rc.d/rc3.d/S66client175 > > > > > > ln -sf > > > > > > ../init.d/client175 /etc/rc.d/rc6.d/K34client175 > > > > > > - ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > > > > > > - ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > > > > > > - ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > > > > > > ln -sf > > > > > > ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin > > > > > > ln -sf > > > > > > ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin > > > > > > ln -sf > > > > > > ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin > > > > > > diff --git a/lfs/sslh b/lfs/sslh > > > > > > index 100cec065..dedd10272 100644 > > > > > > --- a/lfs/sslh > > > > > > +++ b/lfs/sslh > > > > > > @@ -1,7 +1,7 @@ > > > > > > ########################################################### > > > > > > #### > > > > > > #### > > > > > > ############ > > > > > > # > > > > > > > > > > > > > > > > > > # > > > > > > # IPFire.org - A linux based > > > > > > firewall # > > > > > > -# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> > > > > > > > > > > > > > > > > > > # > > > > > > +# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> > > > > > > > > > > > > > > > > > > # > > > > > > # > > > > > > > > > > > > > > > > > > # > > > > > > # This program is free software: you can redistribute it > > > > > > and/or > > > > > > modify # > > > > > > # it under the terms of the GNU General Public License as > > > > > > published > > > > > > by # > > > > > > @@ -24,7 +24,7 @@ > > > > > > > > > > > > include Config > > > > > > > > > > > > -VER = 1.7a > > > > > > +VER = 1.20 > > > > > > > > > > > > THISAPP = sslh-$(VER) > > > > > > DL_FILE = $(THISAPP).tar.gz > > > > > > @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) > > > > > > DIR_APP = $(DIR_SRC)/$(THISAPP) > > > > > > TARGET = $(DIR_INFO)/$(THISAPP) > > > > > > PROG = sslh > > > > > > -PAK_VER = 5 > > > > > > +PAK_VER = 6 > > > > > > > > > > > > DEPS = "" > > > > > > > > > > > > @@ -44,7 +44,7 @@ objects = $(DL_FILE) > > > > > > > > > > > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > > > > > > > > > > > -$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d > > > > > > +$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912 > > > > > > > > > > > > install : $(TARGET) > > > > > > > > > > > > @@ -77,8 +77,8 @@ $(subst %,%_MD5,$(objects)) : > > > > > > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > > > > > > @$(PREBUILD) > > > > > > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf > > > > > > $(DIR_DL)/$(DL_FILE) > > > > > > - cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) > > > > > > USELIBWRAP= > > > > > > - cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin > > > > > > + cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) > > > > > > USELIBCAP=1 USELIBWRAP= > > > > > > + cd $(DIR_APP) && install -v -m 755 sslh-fork > > > > > > /usr/sbin/sslh > > > > > > > > > > > > #install initscripts > > > > > > $(call INSTALL_INITSCRIPT,sslh) > > > > > > > > > > It looks all fine up to this point. > > > > > > > > > > > diff --git a/src/initscripts/packages/sslh > > > > > > b/src/initscripts/packages/sslh > > > > > > index 43e58f392..0935b1114 100644 > > > > > > --- a/src/initscripts/packages/sslh > > > > > > +++ b/src/initscripts/packages/sslh > > > > > > @@ -3,31 +3,68 @@ > > > > > > > > > > > > # Based on sysklogd script from LFS-3.1 and earlier. > > > > > > # Rewritten by Gerard Beekmans - > > > > > > gerard(a)linuxfromscratch.org > > > > > > +# > > > > > > +# $LastChangedBy: ummeegge - ummeegge(a)ipfire.org $ > > > > > > +# $Date: 2019-04-04 04:35:09 -0500 (Thu, 04 Apr 2019) $ > > > > > > +# > > > > > > +########################################################## > > > > > > ### > > > > > > +# > > > > > > > > > > You do not need to include authorship headers because Git > > > > > will > > > > > take > > > > > care of this. > > > > > > > > Done. > > > > > > > > > > > > > > > > > > > > > . /etc/sysconfig/rc > > > > > > . $rc_functions > > > > > > > > > > > > +DAEMON="/usr/sbin/sslh" > > > > > > + > > > > > > +# Check for external IP address and provide it to > > > > > > listening > > > > > > option > > > > > > +EXTERNAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)" > > > > > > +EXTERNAL_IP_FUNCT() { > > > > > > + if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then > > > > > > + echo_failure > > > > > > + boot_mesg -n "FAILURE:\n\nCould not > > > > > > determine" > > > > > > ${FAILURE} > > > > > > + boot_mesg -n " your external IP address." > > > > > > + boot_mesg "" ${NORMAL} > > > > > > + exit 1 > > > > > > + fi > > > > > > +} > > > > > > > > > > Although you are starting the service rather late in the boot > > > > > process, it might indeed happen that this goes wrong. How do > > > > > we > > > > > recover from this? The service should be started eventually > > > > > when > > > > > RED > > > > > comes up. > > > > > > > > I tried to leave the most options pretty much the same as they > > > > where > > > > before whereby the numbers of the symlinks are a part of this > > > > the > > > > testings did not delivered problems with this but better to > > > > stay > > > > save > > > > there. > > > > The network initscript starts at 'S20' where i think RED will > > > > be > > > > started too what you think is a good starting point for sslh ? > > > > > > If there is a cable plugged into RED and it actually comes up > > > this is > > > a good time to start the service. But what if the DSL modem takes > > > longer to sync or so? It should still be started in red.up then. > > > > > > > > > > > > > > > > > What if the IP address on RED changes? How is sslh notified? > > > > > > > > I think it won´t currently. Have seen some configurations which > > > > uses > > > > 0.0.0.0 for the --listen option but this can cause bigger > > > > troubles > > > > if > > > > '443' is the --listen port here i think. As far as i can see > > > > only a > > > > restart of sslh would fix this currently. > > > > May you have an idea here ? > > > > > > Have a script in red.up which restarts the whole service - but > > > only > > > if the IP address has actually changed so that standing > > > connections > > > won’t be interrupted. I think that is what we need here, isn’t > > > it? > > > > > > > > > > > > > > > > > > > > > > + > > > > > > +# Loopback interface > > > > > > +LO="127.0.0.1" > > > > > > +# Used TCP ports > > > > > > +LISTENPORT="443" > > > > > > +SSHPORT="222" > > > > > > +TLSPORT="444" > > > > > > +OPENVPNPORT=“1194" > > > > > > > > > > Can we use hard-coded port numbers here? > > > > > > > > Here arises also some more questions for me. > > > > We can grep for them in the configuration files but also may a > > > > check > > > > for the correct usage can be made since e.g. OpenVPN needs to > > > > run > > > > with > > > > TCP for example. > > > > > > I would say that 443 probably masks traffic best and is most > > > likely > > > to be open even in more restricted environments. > > > > > > OpenVPN has to be running in TCP mode, but that is something the > > > user > > > has to configure. It isn’t even certain if they are using OpenVPN > > > here. So that should be optional. > > > > > > > Should we really provide TCP 444 in here for external access ? > > > > I > > > > think > > > > also SSH might be more secure via VPN but may a little more > > > > acceptable > > > > if no VPN is in usage?! > > > > > > The Web UI? No, that should not be open by default. People should > > > use > > > OpenVPN to access the firewall. > > > > > > > The main topic in the tests we made in the forum where mainly > > > > for > > > > LAN > > > > instances on seperated machines (mostly webservers) where those > > > > questions may be not that critical?! > > > > > > We do not know how critical the application of the user is. So > > > assuming it is most critical is best. > > > > > > > > > > > > > > > > > > + > > > > > > +# Configuration options > > > > > > +DAEMON_OPTS=" > > > > > > +--user sslh > > > > > > +--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT} > > > > > > +--ssh ${LO}:${SSHPORT} > > > > > > +--tls ${LO}:${TLSPORT} > > > > > > +--openvpn ${LO}:${OPENVPNPORT} > > > > > > +--pidfile /var/run/sslh.pid > > > > > > +-C /var/empty > > > > > > +" > > > > > > + > > > > > > +# Check for binary > > > > > > +if ! [ -x "$(command -v ${DAEMON})" ]; then > > > > > > + echo "Error: could not find ${DAEMON}" >&2 > > > > > > + exit 1 > > > > > > +fi > > > > > > > > > > No need for this check really. We don’t have it anywhere > > > > > else. > > > > > > > > Done. > > > > > > > > > > > > > > > + > > > > > > +# Check for external IP > > > > > > +EXTERNAL_IP_FUNCT > > > > > > > > > > This does not really need to be a function because the if > > > > > statement > > > > > above isn’t either. > > > > > > > > > > And it should not be evaluated in the stop case. If the > > > > > system is > > > > > not > > > > > online, this service can never be stopped. > > > > > > > > > > I think it is best for this code to have it in the start > > > > > section > > > > > where is was before - unless I missed something here. > > > > > > > > Have externalised the investigation of the RED address to > > > > provide > > > > it > > > > also for the --listen option in the configuration block. To > > > > keep > > > > the > > > > start) case also a little cleaner have decided to set the > > > > external > > > > IP > > > > check completely outside of the start) case and set the check > > > > before > > > > but this is fast changed. > > > > > > You won’t be able to stop the service then if the script is ended > > > in > > > that block. > > > > > > I think it should only be evaluated in the start block. The check > > > isn’t needed for stopping the service. > > > > > > > > > > > > > > > > > > + > > > > > > case "$1" in > > > > > > start) > > > > > > boot_mesg "Starting SSLH Deamon..." > > > > > > - > > > > > > - LOCAL_IP_ADDRESS="$(</var/ipfire/red/local- > > > > > > ipaddress)" > > > > > > - if [ -z "${LOCAL_IP_ADDRESS}" ]; then > > > > > > - echo_failure > > > > > > - boot_mesg -n "FAILURE:\n\nCould not > > > > > > determine" > > > > > > ${FAILURE} > > > > > > - boot_mesg -n " your external IP > > > > > > address." > > > > > > - boot_mesg "" ${NORMAL} > > > > > > - exit 1 > > > > > > - fi > > > > > > - > > > > > > - loadproc /usr/sbin/sslh -u nobody \ > > > > > > - -p "${LOCAL_IP_ADDRESS}:443" -s > > > > > > localhost:222 > > > > > > -l localhost:444 > > > > > > + loadproc ${DAEMON} ${DAEMON_OPTS} > > > > > > evaluate_retval > > > > > > ;; > > > > > > > > > > > > stop) > > > > > > boot_mesg "Stopping SSLH Deamon..." > > > > > > - killproc /usr/sbin/sslh > > > > > > + killproc ${DAEMON} > > > > > > evaluate_retval > > > > > > ;; > > > > > > > > > > > > @@ -38,7 +75,7 @@ case "$1" in > > > > > > ;; > > > > > > > > > > > > status) > > > > > > - statusproc /usr/sbin/sslh > > > > > > + statusproc ${DAEMON} > > > > > > ;; > > > > > > > > > > > > *) > > > > > > diff --git a/src/paks/sslh/install.sh > > > > > > b/src/paks/sslh/install.sh > > > > > > index 626884bdd..df7cafc78 100644 > > > > > > --- a/src/paks/sslh/install.sh > > > > > > +++ b/src/paks/sslh/install.sh > > > > > > @@ -23,5 +23,18 @@ > > > > > > # > > > > > > . /opt/pakfire/lib/functions.sh > > > > > > extract_files > > > > > > + > > > > > > +# Add user and group for sslh if not already done > > > > > > +if ! grep -q sslh /etc/passwd; then > > > > > > + groupadd sslh; > > > > > > + useradd -g sslh -M -s /sbin/nologin sslh > > > > > > +fi > > > > > > > > > > Can you change this to use getent? There are a couple of > > > > > examples > > > > > in > > > > > some other scripts (e.g. tor). > > > > > > > > Done. > > > > > > > > > > > > > > You should also check if the group existed already. > > > > > > > > I think the getent solution --> > > > > if ! getent group sslh &>/dev/null; then > > > > ... > > > > will do this. > > > > > > OK! > > > > > > > > > > > > > > + > > > > > > ln -s /etc/init.d/sslh > > > > > > /etc/rc.d/init.d/networking/red.up/50- > > > > > > sslh > > > > > > > > > > Why is this link not in the package? > > > > > > > > You mean in the LFS ? This is also a part of the old > > > > implementation, > > > > might it be an idea to have it in the initscript (incl. > > > > deletion of > > > > the > > > > symlink) ? > > > > > > I think it is easiest to have it in the package so it will be > > > deleted > > > when the package is being removed. > > > > > > This might become a script now - see above. > > > > > > > > > > > > > Should we not check if the service is running and only then > > > > > restart? > > > > > > > > Via pgrep check in start) ? > > > > > > Not in start, but in the red.up script. > > > > > > That way we would only touch the service when it is active. If it > > > isn’t started, we need to figure out if it should be started - or > > > check if the boot process brought it up - even though RED wasn’t > > > up. > > > > > > > > What happens when the service is disabled at boot time? > > > > > > > > You mean disabled via WUI ? > > > > > > Yes. > > > > > > > > > > > > > > > > > > + > > > > > > +# Set symlink for runlevels > > > > > > +ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > > > > > > +ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > > > > > > +ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > > > > > > + > > > > > > start_service --background ${NAME} > > > > > > diff --git a/src/paks/sslh/uninstall.sh > > > > > > b/src/paks/sslh/uninstall.sh > > > > > > index dca34ccbd..05bb27945 100644 > > > > > > --- a/src/paks/sslh/uninstall.sh > > > > > > +++ b/src/paks/sslh/uninstall.sh > > > > > > @@ -23,5 +23,14 @@ > > > > > > # > > > > > > . /opt/pakfire/lib/functions.sh > > > > > > stop_service ${NAME} > > > > > > + > > > > > > +# Delete user and group sslh > > > > > > +if grep -q sslh /etc/passwd; then > > > > > > + userdel sslh > > > > > > + groupdel sslh > > > > > > +fi > > > > > > > > > > We don’t delete users. This will cause that log files or so > > > > > will > > > > > have > > > > > no owner any more. > > > > > > > > > > This won’t be an issue because we check if the user exists in > > > > > the > > > > > install script and if it does we are not trying to create it > > > > > any > > > > > more. > > > > > > > > Done. > > > > > > Thanks! > > > > > > > > > > > > > > + > > > > > > remove_files > > > > > > rm -f /etc/rc.d/init.d/networking/red.up/50-sslh > > > > > > +# Delete initscript symlinks > > > > > > +rm -f /etc/rc.d/rc?.d/???sslh > > > > > > -- > > > > > > 2.12.2 > > > > > > > > > > > > > > > > Overall this looks good and makes this a better add-on. It > > > > > looks > > > > > like > > > > > many things to change, but they are all small and should not > > > > > take > > > > > too > > > > > long. > > > > > > > > This Addon is really a old one and i was not sure if it should > > > > be > > > > updated again or if it would be dropped since stunnel do a > > > > similar > > > > job > > > > i think. But am happy if it can be a better one and the time to > > > > bring > > > > it back to life was not wasted. > > > > > > If you are using it, it should of course be updated. > > > > > > There is a little bit of work to be done and some add-ons are > > > really > > > just the package itself with little integration, but I think it > > > is a > > > good idea to make high-quality add-on out of this. > > > > > > Maybe we should have awesome documentation on the Wiki so that > > > more > > > people are aware of it and therefore use it. > > > > > > -Michael > > > > > > > > > > > > > > > > > Best, > > > > > -Michael > > > > > > > > > > > > > Best, > > > > > > > > Erik > > > > > > > > ^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH v2] sslh: update to 1.20 2019-04-23 7:06 [PATCH] sslh: Update to version 1.20 Erik Kapfer 2019-04-23 7:09 ` ummeegge 2019-04-24 11:04 ` Michael Tremer @ 2019-05-12 4:24 ` Erik Kapfer 2019-05-13 13:33 ` Michael Tremer 2 siblings, 1 reply; 11+ messages in thread From: Erik Kapfer @ 2019-05-12 4:24 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 7868 bytes --] - New user and group sslh has been added. - Added USELIBCAP to make transparent mode possible. - red.up script has been added. If red IP changes, sslh will be restarted to run with the new IP. - red.up script searches for sslh symlink in rc3.d, if nothing can be found, it will not start so it can be disabled via WUI (services.cgi). - Symlinks for runlevels has been nevertheless added to sslh package to control it also via services.cgi. - Configuration block has been added to sslh initscript. - External IP address check will also be used for configure options. - Configure provides currently only OpenVPN - OpenVPN port will be automatically investigated. Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org> --- config/rootfiles/packages/sslh | 1 + config/sslh/25-sslh | 17 +++++++++++++++++ lfs/initscripts | 3 --- lfs/sslh | 16 +++++++++------- src/initscripts/packages/sslh | 41 +++++++++++++++++++++++++++++++++-------- src/paks/sslh/install.sh | 16 +++++++++++++++- src/paks/sslh/uninstall.sh | 4 +++- 7 files changed, 78 insertions(+), 20 deletions(-) create mode 100644 config/sslh/25-sslh diff --git a/config/rootfiles/packages/sslh b/config/rootfiles/packages/sslh index 2c67aad3a..15d5ff8f9 100644 --- a/config/rootfiles/packages/sslh +++ b/config/rootfiles/packages/sslh @@ -1,2 +1,3 @@ +etc/rc.d/init.d/networking/red.up/25-sslh etc/rc.d/init.d/sslh usr/sbin/sslh diff --git a/config/sslh/25-sslh b/config/sslh/25-sslh new file mode 100644 index 000000000..0b65d4309 --- /dev/null +++ b/config/sslh/25-sslh @@ -0,0 +1,17 @@ +#!/bin/bash + +# Check if SSLH has been enabled in WUI +if ls /etc/rc.d/rc3.d | grep -q '.*sslh' >/dev/null; then + # If SSLH is enabled and running but red0 gets a new IP, restart SSLH + if pgrep 'sslh' > /dev/null; then + /etc/init.d/sslh restart + else + # If sslh is not running yet, start it + /etc/init.d/sslh start + fi +else + # If SSLH has been disabled on boot via services WUI, stop service + /etc/init.d/sslh stop +fi + +# EOF diff --git a/lfs/initscripts b/lfs/initscripts index 055e106d0..3173a04e4 100644 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -136,9 +136,6 @@ $(TARGET) : ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175 ln -sf ../init.d/client175 /etc/rc.d/rc3.d/S66client175 ln -sf ../init.d/client175 /etc/rc.d/rc6.d/K34client175 - ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh - ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh - ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh ln -sf ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin ln -sf ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin ln -sf ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin diff --git a/lfs/sslh b/lfs/sslh index 100cec065..ab453c75d 100644 --- a/lfs/sslh +++ b/lfs/sslh @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> # +# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 1.7a +VER = 1.20 THISAPP = sslh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = sslh -PAK_VER = 5 +PAK_VER = 6 DEPS = "" @@ -44,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d +$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912 install : $(TARGET) @@ -77,11 +77,13 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) USELIBWRAP= - cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin + cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) USELIBCAP=1 USELIBWRAP= + cd $(DIR_APP) && install -v -m 755 sslh-fork /usr/sbin/sslh - #install initscripts + # Install initscripts $(call INSTALL_INITSCRIPT,sslh) + # Install red.up + install -v -m 754 -D $(DIR_CONF)/sslh/25-sslh /etc/rc.d/init.d/networking/red.up/25-sslh @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/src/initscripts/packages/sslh b/src/initscripts/packages/sslh index 43e58f392..f227ae9fb 100644 --- a/src/initscripts/packages/sslh +++ b/src/initscripts/packages/sslh @@ -3,31 +3,56 @@ # Based on sysklogd script from LFS-3.1 and earlier. # Rewritten by Gerard Beekmans - gerard(a)linuxfromscratch.org +# +############################################################# +# . /etc/sysconfig/rc . $rc_functions +DAEMON="/usr/sbin/sslh" +PID="/var/run/sslh.pid" + +# Check external IP address and ports +EXTERNAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)" + +# Investigate OpenVPN port +IPFIREOPENVPN=$(awk '/port/ { print $2 }' /var/ipfire/ovpn/server.conf) + +# Loopback interface +LO="127.0.0.1" + +# Used TCP ports +LISTENPORT="443" +OPENVPNPORT=${IPFIREOPENVPN} + +# Configuration options +DAEMON_OPTS=" +--user sslh +--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT} +--openvpn ${LO}:${OPENVPNPORT} +--pidfile ${PID} +-C /var/empty +" + case "$1" in start) boot_mesg "Starting SSLH Deamon..." - - LOCAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)" - if [ -z "${LOCAL_IP_ADDRESS}" ]; then + if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then echo_failure boot_mesg -n "FAILURE:\n\nCould not determine" ${FAILURE} boot_mesg -n " your external IP address." boot_mesg "" ${NORMAL} exit 1 fi - - loadproc /usr/sbin/sslh -u nobody \ - -p "${LOCAL_IP_ADDRESS}:443" -s localhost:222 -l localhost:444 + loadproc ${DAEMON} ${DAEMON_OPTS} evaluate_retval ;; stop) boot_mesg "Stopping SSLH Deamon..." - killproc /usr/sbin/sslh + killproc ${DAEMON} + rm -f ${PID} evaluate_retval ;; @@ -38,7 +63,7 @@ case "$1" in ;; status) - statusproc /usr/sbin/sslh + statusproc ${DAEMON} ;; *) diff --git a/src/paks/sslh/install.sh b/src/paks/sslh/install.sh index 626884bdd..410dc9d83 100644 --- a/src/paks/sslh/install.sh +++ b/src/paks/sslh/install.sh @@ -23,5 +23,19 @@ # . /opt/pakfire/lib/functions.sh extract_files -ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh + +# Add user and group for sslh if not already done +if ! getent group sslh &>/dev/null; then + groupadd -g 131 sslh +fi + +if ! getent passwd sslh; then + useradd -u 123 -g sslh -c "SSLH daemon user" -d /var/empty -s /bin/false sslh +fi + +# Set symlink for runlevels +ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh +ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh +ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh + start_service --background ${NAME} diff --git a/src/paks/sslh/uninstall.sh b/src/paks/sslh/uninstall.sh index dca34ccbd..4dfa0b274 100644 --- a/src/paks/sslh/uninstall.sh +++ b/src/paks/sslh/uninstall.sh @@ -24,4 +24,6 @@ . /opt/pakfire/lib/functions.sh stop_service ${NAME} remove_files -rm -f /etc/rc.d/init.d/networking/red.up/50-sslh + +# Delete symlinks in runlevels +rm -f /etc/rc.d/rc?.d/???sslh; -- 2.12.2 ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2] sslh: update to 1.20 2019-05-12 4:24 ` [PATCH v2] sslh: update to 1.20 Erik Kapfer @ 2019-05-13 13:33 ` Michael Tremer 2019-05-19 5:29 ` ummeegge 0 siblings, 1 reply; 11+ messages in thread From: Michael Tremer @ 2019-05-13 13:33 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 8785 bytes --] Hi, I think this patch is mostly fine. Just a couple of small questions. > On 12 May 2019, at 05:24, Erik Kapfer <ummeegge(a)ipfire.org> wrote: > > - New user and group sslh has been added. > - Added USELIBCAP to make transparent mode possible. > - red.up script has been added. If red IP changes, sslh will be restarted to run with the new IP. > - red.up script searches for sslh symlink in rc3.d, if nothing can be found, it will not start so it can be disabled via WUI (services.cgi). > - Symlinks for runlevels has been nevertheless added to sslh package to control it also via services.cgi. > - Configuration block has been added to sslh initscript. > - External IP address check will also be used for configure options. > - Configure provides currently only OpenVPN > - OpenVPN port will be automatically investigated. > > Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org> > --- > config/rootfiles/packages/sslh | 1 + > config/sslh/25-sslh | 17 +++++++++++++++++ > lfs/initscripts | 3 --- > lfs/sslh | 16 +++++++++------- > src/initscripts/packages/sslh | 41 +++++++++++++++++++++++++++++++++-------- > src/paks/sslh/install.sh | 16 +++++++++++++++- > src/paks/sslh/uninstall.sh | 4 +++- > 7 files changed, 78 insertions(+), 20 deletions(-) > create mode 100644 config/sslh/25-sslh > > diff --git a/config/rootfiles/packages/sslh b/config/rootfiles/packages/sslh > index 2c67aad3a..15d5ff8f9 100644 > --- a/config/rootfiles/packages/sslh > +++ b/config/rootfiles/packages/sslh > @@ -1,2 +1,3 @@ > +etc/rc.d/init.d/networking/red.up/25-sslh > etc/rc.d/init.d/sslh > usr/sbin/sslh > diff --git a/config/sslh/25-sslh b/config/sslh/25-sslh > new file mode 100644 > index 000000000..0b65d4309 > --- /dev/null > +++ b/config/sslh/25-sslh > @@ -0,0 +1,17 @@ > +#!/bin/bash > + > +# Check if SSLH has been enabled in WUI > +if ls /etc/rc.d/rc3.d | grep -q '.*sslh' >/dev/null; then I do not think that this is very elegant. Calling ls is shell scripts has many disadvantages. Can we not just test for /etc/rc.d/rc3.d/S98sslh being present? We know the real path. > + # If SSLH is enabled and running but red0 gets a new IP, restart SSLH > + if pgrep 'sslh' > /dev/null; then > + /etc/init.d/sslh restart > + else > + # If sslh is not running yet, start it > + /etc/init.d/sslh start > + fi This is fine. > +else > + # If SSLH has been disabled on boot via services WUI, stop service > + /etc/init.d/sslh stop It should not be running in the first place here. > +fi > + > +# EOF > diff --git a/lfs/initscripts b/lfs/initscripts > index 055e106d0..3173a04e4 100644 > --- a/lfs/initscripts > +++ b/lfs/initscripts > @@ -136,9 +136,6 @@ $(TARGET) : > ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175 > ln -sf ../init.d/client175 /etc/rc.d/rc3.d/S66client175 > ln -sf ../init.d/client175 /etc/rc.d/rc6.d/K34client175 > - ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > - ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > - ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > ln -sf ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin > ln -sf ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin > ln -sf ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin > diff --git a/lfs/sslh b/lfs/sslh > index 100cec065..ab453c75d 100644 > --- a/lfs/sslh > +++ b/lfs/sslh > @@ -1,7 +1,7 @@ > ############################################################################### > # # > # IPFire.org - A linux based firewall # > -# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> # > +# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> # > # # > # This program is free software: you can redistribute it and/or modify # > # it under the terms of the GNU General Public License as published by # > @@ -24,7 +24,7 @@ > > include Config > > -VER = 1.7a > +VER = 1.20 > > THISAPP = sslh-$(VER) > DL_FILE = $(THISAPP).tar.gz > @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) > DIR_APP = $(DIR_SRC)/$(THISAPP) > TARGET = $(DIR_INFO)/$(THISAPP) > PROG = sslh > -PAK_VER = 5 > +PAK_VER = 6 > > DEPS = "" > > @@ -44,7 +44,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d > +$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912 > > install : $(TARGET) > > @@ -77,11 +77,13 @@ $(subst %,%_MD5,$(objects)) : > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) > - cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) USELIBWRAP= > - cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin > + cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) USELIBCAP=1 USELIBWRAP= > + cd $(DIR_APP) && install -v -m 755 sslh-fork /usr/sbin/sslh > > - #install initscripts > + # Install initscripts > $(call INSTALL_INITSCRIPT,sslh) > + # Install red.up > + install -v -m 754 -D $(DIR_CONF)/sslh/25-sslh /etc/rc.d/init.d/networking/red.up/25-sslh > > @rm -rf $(DIR_APP) > @$(POSTBUILD) > diff --git a/src/initscripts/packages/sslh b/src/initscripts/packages/sslh > index 43e58f392..f227ae9fb 100644 > --- a/src/initscripts/packages/sslh > +++ b/src/initscripts/packages/sslh > @@ -3,31 +3,56 @@ > > # Based on sysklogd script from LFS-3.1 and earlier. > # Rewritten by Gerard Beekmans - gerard(a)linuxfromscratch.org > +# > +############################################################# > +# > > . /etc/sysconfig/rc > . $rc_functions > > +DAEMON="/usr/sbin/sslh" > +PID="/var/run/sslh.pid" > + > +# Check external IP address and ports > +EXTERNAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)" > + > +# Investigate OpenVPN port > +IPFIREOPENVPN=$(awk '/port/ { print $2 }' /var/ipfire/ovpn/server.conf) > + > +# Loopback interface > +LO="127.0.0.1" > + > +# Used TCP ports > +LISTENPORT="443" > +OPENVPNPORT=${IPFIREOPENVPN} > + > +# Configuration options > +DAEMON_OPTS=" > +--user sslh > +--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT} > +--openvpn ${LO}:${OPENVPNPORT} > +--pidfile ${PID} > +-C /var/empty > +" > + > case "$1" in > start) > boot_mesg "Starting SSLH Deamon..." > - > - LOCAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)" > - if [ -z "${LOCAL_IP_ADDRESS}" ]; then > + if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then > echo_failure > boot_mesg -n "FAILURE:\n\nCould not determine" ${FAILURE} > boot_mesg -n " your external IP address." > boot_mesg "" ${NORMAL} > exit 1 > fi > - > - loadproc /usr/sbin/sslh -u nobody \ > - -p "${LOCAL_IP_ADDRESS}:443" -s localhost:222 -l localhost:444 > + loadproc ${DAEMON} ${DAEMON_OPTS} > evaluate_retval > ;; > > stop) > boot_mesg "Stopping SSLH Deamon..." > - killproc /usr/sbin/sslh > + killproc ${DAEMON} > + rm -f ${PID} > evaluate_retval > ;; > > @@ -38,7 +63,7 @@ case "$1" in > ;; > > status) > - statusproc /usr/sbin/sslh > + statusproc ${DAEMON} > ;; > > *) > diff --git a/src/paks/sslh/install.sh b/src/paks/sslh/install.sh > index 626884bdd..410dc9d83 100644 > --- a/src/paks/sslh/install.sh > +++ b/src/paks/sslh/install.sh > @@ -23,5 +23,19 @@ > # > . /opt/pakfire/lib/functions.sh > extract_files > -ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh > + > +# Add user and group for sslh if not already done > +if ! getent group sslh &>/dev/null; then > + groupadd -g 131 sslh > +fi > + > +if ! getent passwd sslh; then > + useradd -u 123 -g sslh -c "SSLH daemon user" -d /var/empty -s /bin/false sslh > +fi Why are the user and group ID different? Is there a reason why they cannot be the same? > + > +# Set symlink for runlevels > +ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > +ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > +ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > + > start_service --background ${NAME} > diff --git a/src/paks/sslh/uninstall.sh b/src/paks/sslh/uninstall.sh > index dca34ccbd..4dfa0b274 100644 > --- a/src/paks/sslh/uninstall.sh > +++ b/src/paks/sslh/uninstall.sh > @@ -24,4 +24,6 @@ > . /opt/pakfire/lib/functions.sh > stop_service ${NAME} > remove_files > -rm -f /etc/rc.d/init.d/networking/red.up/50-sslh > + > +# Delete symlinks in runlevels > +rm -f /etc/rc.d/rc?.d/???sslh; > -- > 2.12.2 -Michael ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH v2] sslh: update to 1.20 2019-05-13 13:33 ` Michael Tremer @ 2019-05-19 5:29 ` ummeegge 0 siblings, 0 replies; 11+ messages in thread From: ummeegge @ 2019-05-19 5:29 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 21206 bytes --] Hi Michael, sorry for the late reply. On Mo, 2019-05-13 at 14:33 +0100, Michael Tremer wrote: > Hi, > > I think this patch is mostly fine. Just a couple of small questions. > > > On 12 May 2019, at 05:24, Erik Kapfer <ummeegge(a)ipfire.org> wrote: > > > > - New user and group sslh has been added. > > - Added USELIBCAP to make transparent mode possible. > > - red.up script has been added. If red IP changes, sslh will be > > restarted to run with the new IP. > > - red.up script searches for sslh symlink in rc3.d, if nothing can > > be found, it will not start so it can be disabled via WUI > > (services.cgi). > > - Symlinks for runlevels has been nevertheless added to sslh > > package to control it also via services.cgi. > > - Configuration block has been added to sslh initscript. > > - External IP address check will also be used for configure > > options. > > - Configure provides currently only OpenVPN > > - OpenVPN port will be automatically investigated. > > > > Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org> > > --- > > config/rootfiles/packages/sslh | 1 + > > config/sslh/25-sslh | 17 +++++++++++++++++ > > lfs/initscripts | 3 --- > > lfs/sslh | 16 +++++++++------- > > src/initscripts/packages/sslh | 41 > > +++++++++++++++++++++++++++++++++-------- > > src/paks/sslh/install.sh | 16 +++++++++++++++- > > src/paks/sslh/uninstall.sh | 4 +++- > > 7 files changed, 78 insertions(+), 20 deletions(-) > > create mode 100644 config/sslh/25-sslh > > > > diff --git a/config/rootfiles/packages/sslh > > b/config/rootfiles/packages/sslh > > index 2c67aad3a..15d5ff8f9 100644 > > --- a/config/rootfiles/packages/sslh > > +++ b/config/rootfiles/packages/sslh > > @@ -1,2 +1,3 @@ > > +etc/rc.d/init.d/networking/red.up/25-sslh > > etc/rc.d/init.d/sslh > > usr/sbin/sslh > > diff --git a/config/sslh/25-sslh b/config/sslh/25-sslh > > new file mode 100644 > > index 000000000..0b65d4309 > > --- /dev/null > > +++ b/config/sslh/25-sslh > > @@ -0,0 +1,17 @@ > > +#!/bin/bash > > + > > +# Check if SSLH has been enabled in WUI > > +if ls /etc/rc.d/rc3.d | grep -q '.*sslh' >/dev/null; then > > I do not think that this is very elegant. Calling ls is shell scripts > has many disadvantages. > > Can we not just test for /etc/rc.d/rc3.d/S98sslh being present? We > know the real path. Is if readlink /etc/rc.d/rc3.d/*sslh > /dev/null; then better in this place ? > > > + # If SSLH is enabled and running but red0 gets a new IP, > > restart SSLH > > + if pgrep 'sslh' > /dev/null; then > > + /etc/init.d/sslh restart > > + else > > + # If sslh is not running yet, start it > > + /etc/init.d/sslh start > > + fi > > This is fine. > > > +else > > + # If SSLH has been disabled on boot via services WUI, stop > > service > > + /etc/init.d/sslh stop > > It should not be running in the first place here. Have tested this and if sslh will be disabled at boot via webuserinterface and the red IP is changing before a reboot of the machine the --listen address from sslh do not change and sslh can not be used anymore. # root @ ipfire in /etc/rc.d/init.d/networking/red.up [7:07:30] $ ps aux | grep sslh sslh 29632 0.0 0.1 17564 2124 ? Ss 07:08 0:00 /usr/sbin/sslh --user sslh --listen 192.168.2.25 443 --openvpn 127.0.0.1 1194 --pidfile /var/run/sslh.pid -C /var/empty sslh 29633 0.0 0.0 17564 160 ? S 07:08 0:00 /usr/sbin/sslh --user sslh --listen 192.168.2.25 443 --openvpn 127.0.0.1 1194 --pidfile /var/run/sslh.pid -C /var/empty # root @ ipfire-server in /etc/rc.d/init.d/networking/red.up [7:08:17] $ setup Changed red IP in setup to 192.168.2.33 # root @ ipfire in /etc/rc.d/init.d/networking/red.up [7:09:14] $ ps aux | grep sslh sslh 29632 0.0 0.1 17564 2124 ? Ss 07:08 0:00 /usr/sbin/sslh --user sslh --listen 192.168.2.25 443 --openvpn 127.0.0.1 1194 --pidfile /var/run/sslh.pid -C /var/empty sslh 29633 0.0 0.0 17564 160 ? S 07:08 0:00 /usr/sbin/sslh --user sslh --listen 192.168.2.25 443 --openvpn 127.0.0.1 1194 --pidfile /var/run/sslh.pid -C /var/empty Until a reboot the "EXTERNAL IP" listens to the old IP. This is surely a rare case but to prevent also that one i added the init stop. May you have another idea for this ? > > > +fi > > + > > +# EOF > > diff --git a/lfs/initscripts b/lfs/initscripts > > index 055e106d0..3173a04e4 100644 > > --- a/lfs/initscripts > > +++ b/lfs/initscripts > > @@ -136,9 +136,6 @@ $(TARGET) : > > ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175 > > ln -sf ../init.d/client175 /etc/rc.d/rc3.d/S66client175 > > ln -sf ../init.d/client175 /etc/rc.d/rc6.d/K34client175 > > - ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > > - ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > > - ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > > ln -sf ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin > > ln -sf ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin > > ln -sf ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin > > diff --git a/lfs/sslh b/lfs/sslh > > index 100cec065..ab453c75d 100644 > > --- a/lfs/sslh > > +++ b/lfs/sslh > > @@ -1,7 +1,7 @@ > > ################################################################### > > ############ > > # > > # > > # IPFire.org - A linux based > > firewall # > > -# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> > > # > > +# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> > > # > > # > > # > > # This program is free software: you can redistribute it and/or > > modify # > > # it under the terms of the GNU General Public License as published > > by # > > @@ -24,7 +24,7 @@ > > > > include Config > > > > -VER = 1.7a > > +VER = 1.20 > > > > THISAPP = sslh-$(VER) > > DL_FILE = $(THISAPP).tar.gz > > @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) > > DIR_APP = $(DIR_SRC)/$(THISAPP) > > TARGET = $(DIR_INFO)/$(THISAPP) > > PROG = sslh > > -PAK_VER = 5 > > +PAK_VER = 6 > > > > DEPS = "" > > > > @@ -44,7 +44,7 @@ objects = $(DL_FILE) > > > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > > > -$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d > > +$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912 > > > > install : $(TARGET) > > > > @@ -77,11 +77,13 @@ $(subst %,%_MD5,$(objects)) : > > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > > @$(PREBUILD) > > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf > > $(DIR_DL)/$(DL_FILE) > > - cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) > > USELIBWRAP= > > - cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin > > + cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) > > USELIBCAP=1 USELIBWRAP= > > + cd $(DIR_APP) && install -v -m 755 sslh-fork /usr/sbin/sslh > > > > - #install initscripts > > + # Install initscripts > > $(call INSTALL_INITSCRIPT,sslh) > > + # Install red.up > > + install -v -m 754 -D $(DIR_CONF)/sslh/25-sslh > > /etc/rc.d/init.d/networking/red.up/25-sslh > > > > @rm -rf $(DIR_APP) > > @$(POSTBUILD) > > diff --git a/src/initscripts/packages/sslh > > b/src/initscripts/packages/sslh > > index 43e58f392..f227ae9fb 100644 > > --- a/src/initscripts/packages/sslh > > +++ b/src/initscripts/packages/sslh > > @@ -3,31 +3,56 @@ > > > > # Based on sysklogd script from LFS-3.1 and earlier. > > # Rewritten by Gerard Beekmans - gerard(a)linuxfromscratch.org > > +# > > +############################################################# > > +# > > > > . /etc/sysconfig/rc > > . $rc_functions > > > > +DAEMON="/usr/sbin/sslh" > > +PID="/var/run/sslh.pid" > > + > > +# Check external IP address and ports > > +EXTERNAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)" > > + > > +# Investigate OpenVPN port > > +IPFIREOPENVPN=$(awk '/port/ { print $2 }' > > /var/ipfire/ovpn/server.conf) > > + > > +# Loopback interface > > +LO="127.0.0.1" > > + > > +# Used TCP ports > > +LISTENPORT="443" > > +OPENVPNPORT=${IPFIREOPENVPN} > > + > > +# Configuration options > > +DAEMON_OPTS=" > > +--user sslh > > +--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT} > > +--openvpn ${LO}:${OPENVPNPORT} > > +--pidfile ${PID} > > +-C /var/empty > > +" > > + > > case "$1" in > > start) > > boot_mesg "Starting SSLH Deamon..." > > - > > - LOCAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)" > > - if [ -z "${LOCAL_IP_ADDRESS}" ]; then > > + if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then > > echo_failure > > boot_mesg -n "FAILURE:\n\nCould not determine" > > ${FAILURE} > > boot_mesg -n " your external IP address." > > boot_mesg "" ${NORMAL} > > exit 1 > > fi > > - > > - loadproc /usr/sbin/sslh -u nobody \ > > - -p "${LOCAL_IP_ADDRESS}:443" -s localhost:222 > > -l localhost:444 > > + loadproc ${DAEMON} ${DAEMON_OPTS} > > evaluate_retval > > ;; > > > > stop) > > boot_mesg "Stopping SSLH Deamon..." > > - killproc /usr/sbin/sslh > > + killproc ${DAEMON} > > + rm -f ${PID} > > evaluate_retval > > ;; > > > > @@ -38,7 +63,7 @@ case "$1" in > > ;; > > > > status) > > - statusproc /usr/sbin/sslh > > + statusproc ${DAEMON} > > ;; > > > > *) > > diff --git a/src/paks/sslh/install.sh b/src/paks/sslh/install.sh > > index 626884bdd..410dc9d83 100644 > > --- a/src/paks/sslh/install.sh > > +++ b/src/paks/sslh/install.sh > > @@ -23,5 +23,19 @@ > > # > > . /opt/pakfire/lib/functions.sh > > extract_files > > -ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh > > + > > +# Add user and group for sslh if not already done > > +if ! getent group sslh &>/dev/null; then > > + groupadd -g 131 sslh > > +fi > > + > > +if ! getent passwd sslh; then > > + useradd -u 123 -g sslh -c "SSLH daemon user" -d /var/empty > > -s /bin/false sslh > > +fi > > Why are the user and group ID different? Is there a reason why they > cannot be the same? I used the ID´s which are used in other distributions but i have changed GID/UID to '123' . > > > + > > +# Set symlink for runlevels > > +ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > > +ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > > +ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > > + > > start_service --background ${NAME} > > diff --git a/src/paks/sslh/uninstall.sh > > b/src/paks/sslh/uninstall.sh > > index dca34ccbd..4dfa0b274 100644 > > --- a/src/paks/sslh/uninstall.sh > > +++ b/src/paks/sslh/uninstall.sh > > @@ -24,4 +24,6 @@ > > . /opt/pakfire/lib/functions.sh > > stop_service ${NAME} > > remove_files > > -rm -f /etc/rc.d/init.d/networking/red.up/50-sslh > > + > > +# Delete symlinks in runlevels > > +rm -f /etc/rc.d/rc?.d/???sslh; > > -- > > 2.12.2 > > -Michael > Thanks again for looking into this. Have ask also in the testing topic in the forum for some howto´s for the transparent mode which invloves also some IPTables if LAN machines (which i couldn´t test) are invloved and have get also some help from there so a wiki can also include some little more extended paragraphs for sslh. If we find a proper solution for the outstanding questions i can send the updated patch and would then also start with the wiki for sslh. Best, Erik On Mo, 2019-05-13 at 14:33 +0100, Michael Tremer wrote: > Hi, > > I think this patch is mostly fine. Just a couple of small questions. > > > On 12 May 2019, at 05:24, Erik Kapfer <ummeegge(a)ipfire.org> wrote: > > > > - New user and group sslh has been added. > > - Added USELIBCAP to make transparent mode possible. > > - red.up script has been added. If red IP changes, sslh will be > > restarted to run with the new IP. > > - red.up script searches for sslh symlink in rc3.d, if nothing can > > be found, it will not start so it can be disabled via WUI > > (services.cgi). > > - Symlinks for runlevels has been nevertheless added to sslh > > package to control it also via services.cgi. > > - Configuration block has been added to sslh initscript. > > - External IP address check will also be used for configure > > options. > > - Configure provides currently only OpenVPN > > - OpenVPN port will be automatically investigated. > > > > Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org> > > --- > > config/rootfiles/packages/sslh | 1 + > > config/sslh/25-sslh | 17 +++++++++++++++++ > > lfs/initscripts | 3 --- > > lfs/sslh | 16 +++++++++------- > > src/initscripts/packages/sslh | 41 > > +++++++++++++++++++++++++++++++++-------- > > src/paks/sslh/install.sh | 16 +++++++++++++++- > > src/paks/sslh/uninstall.sh | 4 +++- > > 7 files changed, 78 insertions(+), 20 deletions(-) > > create mode 100644 config/sslh/25-sslh > > > > diff --git a/config/rootfiles/packages/sslh > > b/config/rootfiles/packages/sslh > > index 2c67aad3a..15d5ff8f9 100644 > > --- a/config/rootfiles/packages/sslh > > +++ b/config/rootfiles/packages/sslh > > @@ -1,2 +1,3 @@ > > +etc/rc.d/init.d/networking/red.up/25-sslh > > etc/rc.d/init.d/sslh > > usr/sbin/sslh > > diff --git a/config/sslh/25-sslh b/config/sslh/25-sslh > > new file mode 100644 > > index 000000000..0b65d4309 > > --- /dev/null > > +++ b/config/sslh/25-sslh > > @@ -0,0 +1,17 @@ > > +#!/bin/bash > > + > > +# Check if SSLH has been enabled in WUI > > +if ls /etc/rc.d/rc3.d | grep -q '.*sslh' >/dev/null; then > > I do not think that this is very elegant. Calling ls is shell scripts > has many disadvantages. > > Can we not just test for /etc/rc.d/rc3.d/S98sslh being present? We > know the real path. > > > + # If SSLH is enabled and running but red0 gets a new IP, > > restart SSLH > > + if pgrep 'sslh' > /dev/null; then > > + /etc/init.d/sslh restart > > + else > > + # If sslh is not running yet, start it > > + /etc/init.d/sslh start > > + fi > > This is fine. > > > +else > > + # If SSLH has been disabled on boot via services WUI, stop > > service > > + /etc/init.d/sslh stop > > It should not be running in the first place here. > > > +fi > > + > > +# EOF > > diff --git a/lfs/initscripts b/lfs/initscripts > > index 055e106d0..3173a04e4 100644 > > --- a/lfs/initscripts > > +++ b/lfs/initscripts > > @@ -136,9 +136,6 @@ $(TARGET) : > > ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175 > > ln -sf ../init.d/client175 /etc/rc.d/rc3.d/S66client175 > > ln -sf ../init.d/client175 /etc/rc.d/rc6.d/K34client175 > > - ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > > - ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > > - ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > > ln -sf ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin > > ln -sf ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin > > ln -sf ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin > > diff --git a/lfs/sslh b/lfs/sslh > > index 100cec065..ab453c75d 100644 > > --- a/lfs/sslh > > +++ b/lfs/sslh > > @@ -1,7 +1,7 @@ > > ################################################################### > > ############ > > # > > # > > # IPFire.org - A linux based > > firewall # > > -# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> > > # > > +# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> > > # > > # > > # > > # This program is free software: you can redistribute it and/or > > modify # > > # it under the terms of the GNU General Public License as published > > by # > > @@ -24,7 +24,7 @@ > > > > include Config > > > > -VER = 1.7a > > +VER = 1.20 > > > > THISAPP = sslh-$(VER) > > DL_FILE = $(THISAPP).tar.gz > > @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) > > DIR_APP = $(DIR_SRC)/$(THISAPP) > > TARGET = $(DIR_INFO)/$(THISAPP) > > PROG = sslh > > -PAK_VER = 5 > > +PAK_VER = 6 > > > > DEPS = "" > > > > @@ -44,7 +44,7 @@ objects = $(DL_FILE) > > > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > > > -$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d > > +$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912 > > > > install : $(TARGET) > > > > @@ -77,11 +77,13 @@ $(subst %,%_MD5,$(objects)) : > > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > > @$(PREBUILD) > > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf > > $(DIR_DL)/$(DL_FILE) > > - cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) > > USELIBWRAP= > > - cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin > > + cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) > > USELIBCAP=1 USELIBWRAP= > > + cd $(DIR_APP) && install -v -m 755 sslh-fork /usr/sbin/sslh > > > > - #install initscripts > > + # Install initscripts > > $(call INSTALL_INITSCRIPT,sslh) > > + # Install red.up > > + install -v -m 754 -D $(DIR_CONF)/sslh/25-sslh > > /etc/rc.d/init.d/networking/red.up/25-sslh > > > > @rm -rf $(DIR_APP) > > @$(POSTBUILD) > > diff --git a/src/initscripts/packages/sslh > > b/src/initscripts/packages/sslh > > index 43e58f392..f227ae9fb 100644 > > --- a/src/initscripts/packages/sslh > > +++ b/src/initscripts/packages/sslh > > @@ -3,31 +3,56 @@ > > > > # Based on sysklogd script from LFS-3.1 and earlier. > > # Rewritten by Gerard Beekmans - gerard(a)linuxfromscratch.org > > +# > > +############################################################# > > +# > > > > . /etc/sysconfig/rc > > . $rc_functions > > > > +DAEMON="/usr/sbin/sslh" > > +PID="/var/run/sslh.pid" > > + > > +# Check external IP address and ports > > +EXTERNAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)" > > + > > +# Investigate OpenVPN port > > +IPFIREOPENVPN=$(awk '/port/ { print $2 }' > > /var/ipfire/ovpn/server.conf) > > + > > +# Loopback interface > > +LO="127.0.0.1" > > + > > +# Used TCP ports > > +LISTENPORT="443" > > +OPENVPNPORT=${IPFIREOPENVPN} > > + > > +# Configuration options > > +DAEMON_OPTS=" > > +--user sslh > > +--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT} > > +--openvpn ${LO}:${OPENVPNPORT} > > +--pidfile ${PID} > > +-C /var/empty > > +" > > + > > case "$1" in > > start) > > boot_mesg "Starting SSLH Deamon..." > > - > > - LOCAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)" > > - if [ -z "${LOCAL_IP_ADDRESS}" ]; then > > + if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then > > echo_failure > > boot_mesg -n "FAILURE:\n\nCould not determine" > > ${FAILURE} > > boot_mesg -n " your external IP address." > > boot_mesg "" ${NORMAL} > > exit 1 > > fi > > - > > - loadproc /usr/sbin/sslh -u nobody \ > > - -p "${LOCAL_IP_ADDRESS}:443" -s localhost:222 > > -l localhost:444 > > + loadproc ${DAEMON} ${DAEMON_OPTS} > > evaluate_retval > > ;; > > > > stop) > > boot_mesg "Stopping SSLH Deamon..." > > - killproc /usr/sbin/sslh > > + killproc ${DAEMON} > > + rm -f ${PID} > > evaluate_retval > > ;; > > > > @@ -38,7 +63,7 @@ case "$1" in > > ;; > > > > status) > > - statusproc /usr/sbin/sslh > > + statusproc ${DAEMON} > > ;; > > > > *) > > diff --git a/src/paks/sslh/install.sh b/src/paks/sslh/install.sh > > index 626884bdd..410dc9d83 100644 > > --- a/src/paks/sslh/install.sh > > +++ b/src/paks/sslh/install.sh > > @@ -23,5 +23,19 @@ > > # > > . /opt/pakfire/lib/functions.sh > > extract_files > > -ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh > > + > > +# Add user and group for sslh if not already done > > +if ! getent group sslh &>/dev/null; then > > + groupadd -g 131 sslh > > +fi > > + > > +if ! getent passwd sslh; then > > + useradd -u 123 -g sslh -c "SSLH daemon user" -d /var/empty > > -s /bin/false sslh > > +fi > > Why are the user and group ID different? Is there a reason why they > cannot be the same? > > > + > > +# Set symlink for runlevels > > +ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > > +ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > > +ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > > + > > start_service --background ${NAME} > > diff --git a/src/paks/sslh/uninstall.sh > > b/src/paks/sslh/uninstall.sh > > index dca34ccbd..4dfa0b274 100644 > > --- a/src/paks/sslh/uninstall.sh > > +++ b/src/paks/sslh/uninstall.sh > > @@ -24,4 +24,6 @@ > > . /opt/pakfire/lib/functions.sh > > stop_service ${NAME} > > remove_files > > -rm -f /etc/rc.d/init.d/networking/red.up/50-sslh > > + > > +# Delete symlinks in runlevels > > +rm -f /etc/rc.d/rc?.d/???sslh; > > -- > > 2.12.2 > > -Michael > ^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2019-05-19 5:29 UTC | newest] Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2019-04-23 7:06 [PATCH] sslh: Update to version 1.20 Erik Kapfer 2019-04-23 7:09 ` ummeegge 2019-04-24 11:04 ` Michael Tremer 2019-04-26 4:55 ` ummeegge 2019-05-01 11:13 ` Michael Tremer 2019-05-10 11:54 ` ummeegge 2019-05-11 10:06 ` Michael Tremer 2019-05-12 4:35 ` ummeegge 2019-05-12 4:24 ` [PATCH v2] sslh: update to 1.20 Erik Kapfer 2019-05-13 13:33 ` Michael Tremer 2019-05-19 5:29 ` ummeegge
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox