Hi Michael, sorry for the late reply. On Mo, 2019-05-13 at 14:33 +0100, Michael Tremer wrote: > Hi, > > I think this patch is mostly fine. Just a couple of small questions. > > > On 12 May 2019, at 05:24, Erik Kapfer wrote: > > > > - New user and group sslh has been added. > > - Added USELIBCAP to make transparent mode possible. > > - red.up script has been added. If red IP changes, sslh will be > > restarted to run with the new IP. > > - red.up script searches for sslh symlink in rc3.d, if nothing can > > be found, it will not start so it can be disabled via WUI > > (services.cgi). > > - Symlinks for runlevels has been nevertheless added to sslh > > package to control it also via services.cgi. > > - Configuration block has been added to sslh initscript. > > - External IP address check will also be used for configure > > options. > > - Configure provides currently only OpenVPN > > - OpenVPN port will be automatically investigated. > > > > Signed-off-by: Erik Kapfer > > --- > > config/rootfiles/packages/sslh | 1 + > > config/sslh/25-sslh | 17 +++++++++++++++++ > > lfs/initscripts | 3 --- > > lfs/sslh | 16 +++++++++------- > > src/initscripts/packages/sslh | 41 > > +++++++++++++++++++++++++++++++++-------- > > src/paks/sslh/install.sh | 16 +++++++++++++++- > > src/paks/sslh/uninstall.sh | 4 +++- > > 7 files changed, 78 insertions(+), 20 deletions(-) > > create mode 100644 config/sslh/25-sslh > > > > diff --git a/config/rootfiles/packages/sslh > > b/config/rootfiles/packages/sslh > > index 2c67aad3a..15d5ff8f9 100644 > > --- a/config/rootfiles/packages/sslh > > +++ b/config/rootfiles/packages/sslh > > @@ -1,2 +1,3 @@ > > +etc/rc.d/init.d/networking/red.up/25-sslh > > etc/rc.d/init.d/sslh > > usr/sbin/sslh > > diff --git a/config/sslh/25-sslh b/config/sslh/25-sslh > > new file mode 100644 > > index 000000000..0b65d4309 > > --- /dev/null > > +++ b/config/sslh/25-sslh 
> > @@ -0,0 +1,17 @@ > > +#!/bin/bash > > + > > +# Check if SSLH has been enabled in WUI > > +if ls /etc/rc.d/rc3.d | grep -q '.*sslh' >/dev/null; then > > I do not think that this is very elegant. Calling ls is shell scripts > has many disadvantages. > > Can we not just test for /etc/rc.d/rc3.d/S98sslh being present? We > know the real path. Is if readlink /etc/rc.d/rc3.d/*sslh > /dev/null; then better in this place ? > > > + # If SSLH is enabled and running but red0 gets a new IP, > > restart SSLH > > + if pgrep 'sslh' > /dev/null; then > > + /etc/init.d/sslh restart > > + else > > + # If sslh is not running yet, start it > > + /etc/init.d/sslh start > > + fi > > This is fine. > > > +else > > + # If SSLH has been disabled on boot via services WUI, stop > > service > > + /etc/init.d/sslh stop > > It should not be running in the first place here. Have tested this and if sslh will be disabled at boot via webuserinterface and the red IP is changing before a reboot of the machine the --listen address from sslh do not change and sslh can not be used anymore. # root @ ipfire in /etc/rc.d/init.d/networking/red.up [7:07:30] $ ps aux | grep sslh sslh 29632 0.0 0.1 17564 2124 ? Ss 07:08 0:00 /usr/sbin/sslh --user sslh --listen 192.168.2.25 443 --openvpn 127.0.0.1 1194 --pidfile /var/run/sslh.pid -C /var/empty sslh 29633 0.0 0.0 17564 160 ? S 07:08 0:00 /usr/sbin/sslh --user sslh --listen 192.168.2.25 443 --openvpn 127.0.0.1 1194 --pidfile /var/run/sslh.pid -C /var/empty # root @ ipfire-server in /etc/rc.d/init.d/networking/red.up [7:08:17] $ setup Changed red IP in setup to 192.168.2.33 # root @ ipfire in /etc/rc.d/init.d/networking/red.up [7:09:14] $ ps aux | grep sslh sslh 29632 0.0 0.1 17564 2124 ? Ss 07:08 0:00 /usr/sbin/sslh --user sslh --listen 192.168.2.25 443 --openvpn 127.0.0.1 1194 --pidfile /var/run/sslh.pid -C /var/empty sslh 29633 0.0 0.0 17564 160 ? 
S 07:08 0:00 /usr/sbin/sslh --user sslh --listen 192.168.2.25 443 --openvpn 127.0.0.1 1194 --pidfile /var/run/sslh.pid -C /var/empty Until a reboot the "EXTERNAL IP" listens to the old IP. This is surely a rare case but to prevent also that one i added the init stop. May you have another idea for this ? > > > +fi > > + > > +# EOF > > diff --git a/lfs/initscripts b/lfs/initscripts > > index 055e106d0..3173a04e4 100644 > > --- a/lfs/initscripts > > +++ b/lfs/initscripts > > @@ -136,9 +136,6 @@ $(TARGET) : > > ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175 > > ln -sf ../init.d/client175 /etc/rc.d/rc3.d/S66client175 > > ln -sf ../init.d/client175 /etc/rc.d/rc6.d/K34client175 > > - ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > > - ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > > - ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > > ln -sf ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin > > ln -sf ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin > > ln -sf ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin > > diff --git a/lfs/sslh b/lfs/sslh > > index 100cec065..ab453c75d 100644 > > --- a/lfs/sslh > > +++ b/lfs/sslh > > @@ -1,7 +1,7 @@ > > ################################################################### > > ############ > > # > > # > > # IPFire.org - A linux based > > firewall # > > -# Copyright (C) 2007-2018 IPFire Team > > # > > +# Copyright (C) 2007-2019 IPFire Team > > # > > # > > # > > # This program is free software: you can redistribute it and/or > > modify # > > # it under the terms of the GNU General Public License as published > > by # > > @@ -24,7 +24,7 @@ > > > > include Config > > > > -VER = 1.7a > > +VER = 1.20 > > > > THISAPP = sslh-$(VER) > > DL_FILE = $(THISAPP).tar.gz > > @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) > > DIR_APP = $(DIR_SRC)/$(THISAPP) > > TARGET = $(DIR_INFO)/$(THISAPP) > > PROG = sslh > > -PAK_VER = 5 > > +PAK_VER = 6 > > > > DEPS = "" 
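Review bot: `pgrep 'sslh'` in the new red.up script will most likely match the script's own process, because pgrep matches the pattern against the process name and a script run via its shebang carries its filename (`25-sslh`) as that name; the `restart` branch is then taken even when the daemon is not running and the `start` branch is effectively dead. Use an exact match, `if pgrep -x sslh > /dev/null; then`, or test for the pidfile the initscript manages, `/var/run/sslh.pid`. The repeated copy of this hunk further down in the quoted mail has the same lines.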
> > > > @@ -44,7 +44,7 @@ objects = $(DL_FILE) > > > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > > > -$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d > > +$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912 > > > > install : $(TARGET) > > > > @@ -77,11 +77,13 @@ $(subst %,%_MD5,$(objects)) : > > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > > @$(PREBUILD) > > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf > > $(DIR_DL)/$(DL_FILE) > > - cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) > > USELIBWRAP= > > - cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin > > + cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) > > USELIBCAP=1 USELIBWRAP= > > + cd $(DIR_APP) && install -v -m 755 sslh-fork /usr/sbin/sslh > > > > - #install initscripts > > + # Install initscripts > > $(call INSTALL_INITSCRIPT,sslh) > > + # Install red.up > > + install -v -m 754 -D $(DIR_CONF)/sslh/25-sslh > > /etc/rc.d/init.d/networking/red.up/25-sslh > > > > @rm -rf $(DIR_APP) > > @$(POSTBUILD) > > diff --git a/src/initscripts/packages/sslh > > b/src/initscripts/packages/sslh > > index 43e58f392..f227ae9fb 100644 > > --- a/src/initscripts/packages/sslh > > +++ b/src/initscripts/packages/sslh 
> > @@ -3,31 +3,56 @@ > > > > # Based on sysklogd script from LFS-3.1 and earlier. > > # Rewritten by Gerard Beekmans - gerard(a)linuxfromscratch.org > > +# > > +############################################################# > > +# > > > > . /etc/sysconfig/rc > > . $rc_functions > > > > +DAEMON="/usr/sbin/sslh" > > +PID="/var/run/sslh.pid" > > + > > +# Check external IP address and ports > > +EXTERNAL_IP_ADDRESS="$( > + > > +# Investigate OpenVPN port > > +IPFIREOPENVPN=$(awk '/port/ { print $2 }' > > /var/ipfire/ovpn/server.conf) > > + > > +# Loopback interface > > +LO="127.0.0.1" > > + > > +# Used TCP ports > > +LISTENPORT="443" > > +OPENVPNPORT=${IPFIREOPENVPN} > > + > > +# Configuration options > > +DAEMON_OPTS=" > > +--user sslh > > +--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT} > > +--openvpn ${LO}:${OPENVPNPORT} > > +--pidfile ${PID} > > +-C /var/empty > > +" > > + > > case "$1" in > > start) > > boot_mesg "Starting SSLH Deamon..." > > - > > - LOCAL_IP_ADDRESS="$( > - if [ -z "${LOCAL_IP_ADDRESS}" ]; then > > + if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then > > echo_failure > > boot_mesg -n "FAILURE:\n\nCould not determine" > > ${FAILURE} > > boot_mesg -n " your external IP address." > > boot_mesg "" ${NORMAL} > > exit 1 > > fi > > - > > - loadproc /usr/sbin/sslh -u nobody \ > > - -p "${LOCAL_IP_ADDRESS}:443" -s localhost:222 > > -l localhost:444 > > + loadproc ${DAEMON} ${DAEMON_OPTS} > > evaluate_retval > > ;; > > > > stop) > > boot_mesg "Stopping SSLH Deamon..." > > - killproc /usr/sbin/sslh > > + killproc ${DAEMON} > > + rm -f ${PID} > > evaluate_retval > > ;; > > > > @@ -38,7 +63,7 @@ case "$1" in > > ;; > > > > status) > > - statusproc /usr/sbin/sslh > > + statusproc ${DAEMON} > > ;; > > > > *) > > diff --git a/src/paks/sslh/install.sh b/src/paks/sslh/install.sh > > index 626884bdd..410dc9d83 100644 > > --- a/src/paks/sslh/install.sh > > +++ b/src/paks/sslh/install.sh 
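Review bot: In the `stop)` branch the new `rm -f ${PID}` sits between `killproc ${DAEMON}` and `evaluate_retval`, so evaluate_retval reports the status of rm -f (always 0) instead of killproc and a failed stop is shown as success — assuming evaluate_retval reads `$?` of the preceding command, as the LFS boot functions do. Move the removal after the status check: `killproc ${DAEMON}` / `evaluate_retval` / `rm -f ${PID}`. Separately, `awk '/port/ { print $2 }' /var/ipfire/ovpn/server.conf` prints the second field of every line containing the substring "port" and nothing guards an empty result, so DAEMON_OPTS can end up with `--openvpn 127.0.0.1:` or with several port tokens; `awk '$1 == "port" { print $2; exit }'` plus a non-empty check next to the existing EXTERNAL_IP_ADDRESS one would make the start path robust. The EXTERNAL_IP_ADDRESS assignment is cut off in the quoted mail, so its source cannot be checked here; the repeated copy of this hunk further down has the same lines.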
> > @@ -23,5 +23,19 @@ > > # > > . /opt/pakfire/lib/functions.sh > > extract_files > > -ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh > > + > > +# Add user and group for sslh if not already done > > +if ! getent group sslh &>/dev/null; then > > + groupadd -g 131 sslh > > +fi > > + > > +if ! getent passwd sslh; then > > + useradd -u 123 -g sslh -c "SSLH daemon user" -d /var/empty > > -s /bin/false sslh > > +fi > > Why are the user and group ID different? Is there a reason why they > cannot be the same? I used the ID´s which are used in other distributions but i have changed GID/UID to '123' . > > > + > > +# Set symlink for runlevels > > +ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > > +ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > > +ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > > + > > start_service --background ${NAME} > > diff --git a/src/paks/sslh/uninstall.sh > > b/src/paks/sslh/uninstall.sh > > index dca34ccbd..4dfa0b274 100644 > > --- a/src/paks/sslh/uninstall.sh > > +++ b/src/paks/sslh/uninstall.sh 
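Review bot: The user check `if ! getent passwd sslh; then` lacks the output redirect that the group check above it has, so an existing passwd entry is printed to the installer's stdout on every reinstall; make it `if ! getent passwd sslh &>/dev/null; then` for consistency. The fixed `-g 131` and `-u 123` also make groupadd/useradd return non-zero when those IDs are already taken on the system, and nothing here checks that before the runlevel symlinks are created and the service is started with `start_service`, so a failed account creation is silently followed by a daemon start that will fail on `--user sslh`. The repeated copy of this hunk further down in the quoted mail has the same lines.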
> > @@ -24,4 +24,6 @@ > > . /opt/pakfire/lib/functions.sh > > stop_service ${NAME} > > remove_files > > -rm -f /etc/rc.d/init.d/networking/red.up/50-sslh > > + > > +# Delete symlinks in runlevels > > +rm -f /etc/rc.d/rc?.d/???sslh; > > -- > > 2.12.2 > > -Michael > Thanks again for looking into this. Have ask also in the testing topic in the forum for some howto´s for the transparent mode which invloves also some IPTables if LAN machines (which i couldn´t test) are invloved and have get also some help from there so a wiki can also include some little more extended paragraphs for sslh. If we find a proper solution for the outstanding questions i can send the updated patch and would then also start with the wiki for sslh. Best, Erik On Mo, 2019-05-13 at 14:33 +0100, Michael Tremer wrote: > Hi, > > I think this patch is mostly fine. Just a couple of small questions. > > > On 12 May 2019, at 05:24, Erik Kapfer wrote: > > > > - New user and group sslh has been added. > > - Added USELIBCAP to make transparent mode possible. > > - red.up script has been added. If red IP changes, sslh will be > > restarted to run with the new IP. > > - red.up script searches for sslh symlink in rc3.d, if nothing can > > be found, it will not start so it can be disabled via WUI > > (services.cgi). > > - Symlinks for runlevels has been nevertheless added to sslh > > package to control it also via services.cgi. > > - Configuration block has been added to sslh initscript. > > - External IP address check will also be used for configure > > options. > > - Configure provides currently only OpenVPN > > - OpenVPN port will be automatically investigated. 
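Review bot: The added `rm -f /etc/rc.d/rc?.d/???sslh;` carries a stray trailing semicolon; write `rm -f /etc/rc.d/rc?.d/???sslh`. The sslh user and group that install.sh creates are not removed here; if leaving them behind is intentional (it keeps the UID reserved for any leftover files), a one-line comment such as `# sslh user/group are kept on purpose` would save the next reader from treating it as an omission. The repeated copy of this hunk further down in the quoted mail has the same lines.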
> > > > Signed-off-by: Erik Kapfer > > --- > > config/rootfiles/packages/sslh | 1 + > > config/sslh/25-sslh | 17 +++++++++++++++++ > > lfs/initscripts | 3 --- > > lfs/sslh | 16 +++++++++------- > > src/initscripts/packages/sslh | 41 > > +++++++++++++++++++++++++++++++++-------- > > src/paks/sslh/install.sh | 16 +++++++++++++++- > > src/paks/sslh/uninstall.sh | 4 +++- > > 7 files changed, 78 insertions(+), 20 deletions(-) > > create mode 100644 config/sslh/25-sslh > > > > diff --git a/config/rootfiles/packages/sslh > > b/config/rootfiles/packages/sslh > > index 2c67aad3a..15d5ff8f9 100644 > > --- a/config/rootfiles/packages/sslh > > +++ b/config/rootfiles/packages/sslh > > @@ -1,2 +1,3 @@ > > +etc/rc.d/init.d/networking/red.up/25-sslh > > etc/rc.d/init.d/sslh > > usr/sbin/sslh > > diff --git a/config/sslh/25-sslh b/config/sslh/25-sslh > > new file mode 100644 > > index 000000000..0b65d4309 > > --- /dev/null > > +++ b/config/sslh/25-sslh > > @@ -0,0 +1,17 @@ > > +#!/bin/bash > > + > > +# Check if SSLH has been enabled in WUI > > +if ls /etc/rc.d/rc3.d | grep -q '.*sslh' >/dev/null; then > > I do not think that this is very elegant. Calling ls is shell scripts > has many disadvantages. > > Can we not just test for /etc/rc.d/rc3.d/S98sslh being present? We > know the real path. > > > + # If SSLH is enabled and running but red0 gets a new IP, > > restart SSLH > > + if pgrep 'sslh' > /dev/null; then > > + /etc/init.d/sslh restart > > + else > > + # If sslh is not running yet, start it > > + /etc/init.d/sslh start > > + fi > > This is fine. > > > +else > > + # If SSLH has been disabled on boot via services WUI, stop > > service > > + /etc/init.d/sslh stop > > It should not be running in the first place here. > > > +fi > > + > > +# EOF > > diff --git a/lfs/initscripts b/lfs/initscripts > > index 055e106d0..3173a04e4 100644 > > --- a/lfs/initscripts > > +++ b/lfs/initscripts 
> > @@ -136,9 +136,6 @@ $(TARGET) : > > ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175 > > ln -sf ../init.d/client175 /etc/rc.d/rc3.d/S66client175 > > ln -sf ../init.d/client175 /etc/rc.d/rc6.d/K34client175 > > - ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > > - ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > > - ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > > ln -sf ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin > > ln -sf ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin > > ln -sf ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin > > diff --git a/lfs/sslh b/lfs/sslh > > index 100cec065..ab453c75d 100644 > > --- a/lfs/sslh > > +++ b/lfs/sslh > > @@ -1,7 +1,7 @@ > > ################################################################### > > ############ > > # > > # > > # IPFire.org - A linux based > > firewall # > > -# Copyright (C) 2007-2018 IPFire Team > > # > > +# Copyright (C) 2007-2019 IPFire Team > > # > > # > > # > > # This program is free software: you can redistribute it and/or > > modify # > > # it under the terms of the GNU General Public License as published > > by # > > @@ -24,7 +24,7 @@ > > > > include Config > > > > -VER = 1.7a > > +VER = 1.20 > > > > THISAPP = sslh-$(VER) > > DL_FILE = $(THISAPP).tar.gz > > @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) > > DIR_APP = $(DIR_SRC)/$(THISAPP) > > TARGET = $(DIR_INFO)/$(THISAPP) > > PROG = sslh > > -PAK_VER = 5 > > +PAK_VER = 6 > > > > DEPS = "" > > > > @@ -44,7 +44,7 @@ objects = $(DL_FILE) > > > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > > > -$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d > > +$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912 > > > > install : $(TARGET) 
> > > > @@ -77,11 +77,13 @@ $(subst %,%_MD5,$(objects)) : > > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > > @$(PREBUILD) > > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf > > $(DIR_DL)/$(DL_FILE) > > - cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) > > USELIBWRAP= > > - cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin > > + cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) > > USELIBCAP=1 USELIBWRAP= > > + cd $(DIR_APP) && install -v -m 755 sslh-fork /usr/sbin/sslh > > > > - #install initscripts > > + # Install initscripts > > $(call INSTALL_INITSCRIPT,sslh) > > + # Install red.up > > + install -v -m 754 -D $(DIR_CONF)/sslh/25-sslh > > /etc/rc.d/init.d/networking/red.up/25-sslh > > > > @rm -rf $(DIR_APP) > > @$(POSTBUILD) > > diff --git a/src/initscripts/packages/sslh > > b/src/initscripts/packages/sslh > > index 43e58f392..f227ae9fb 100644 > > --- a/src/initscripts/packages/sslh > > +++ b/src/initscripts/packages/sslh 
> > @@ -3,31 +3,56 @@ > > > > # Based on sysklogd script from LFS-3.1 and earlier. > > # Rewritten by Gerard Beekmans - gerard(a)linuxfromscratch.org > > +# > > +############################################################# > > +# > > > > . /etc/sysconfig/rc > > . $rc_functions > > > > +DAEMON="/usr/sbin/sslh" > > +PID="/var/run/sslh.pid" > > + > > +# Check external IP address and ports > > +EXTERNAL_IP_ADDRESS="$( > + > > +# Investigate OpenVPN port > > +IPFIREOPENVPN=$(awk '/port/ { print $2 }' > > /var/ipfire/ovpn/server.conf) > > + > > +# Loopback interface > > +LO="127.0.0.1" > > + > > +# Used TCP ports > > +LISTENPORT="443" > > +OPENVPNPORT=${IPFIREOPENVPN} > > + > > +# Configuration options > > +DAEMON_OPTS=" > > +--user sslh > > +--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT} > > +--openvpn ${LO}:${OPENVPNPORT} > > +--pidfile ${PID} > > +-C /var/empty > > +" > > + > > case "$1" in > > start) > > boot_mesg "Starting SSLH Deamon..." > > - > > - LOCAL_IP_ADDRESS="$( > - if [ -z "${LOCAL_IP_ADDRESS}" ]; then > > + if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then > > echo_failure > > boot_mesg -n "FAILURE:\n\nCould not determine" > > ${FAILURE} > > boot_mesg -n " your external IP address." > > boot_mesg "" ${NORMAL} > > exit 1 > > fi > > - > > - loadproc /usr/sbin/sslh -u nobody \ > > - -p "${LOCAL_IP_ADDRESS}:443" -s localhost:222 > > -l localhost:444 > > + loadproc ${DAEMON} ${DAEMON_OPTS} > > evaluate_retval > > ;; > > > > stop) > > boot_mesg "Stopping SSLH Deamon..." > > - killproc /usr/sbin/sslh > > + killproc ${DAEMON} > > + rm -f ${PID} > > evaluate_retval > > ;; > > > > @@ -38,7 +63,7 @@ case "$1" in > > ;; > > > > status) > > - statusproc /usr/sbin/sslh > > + statusproc ${DAEMON} > > ;; > > > > *) > > diff --git a/src/paks/sslh/install.sh b/src/paks/sslh/install.sh > > index 626884bdd..410dc9d83 100644 > > --- a/src/paks/sslh/install.sh > > +++ b/src/paks/sslh/install.sh 
> > @@ -23,5 +23,19 @@ > > # > > . /opt/pakfire/lib/functions.sh > > extract_files > > -ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh > > + > > +# Add user and group for sslh if not already done > > +if ! getent group sslh &>/dev/null; then > > + groupadd -g 131 sslh > > +fi > > + > > +if ! getent passwd sslh; then > > + useradd -u 123 -g sslh -c "SSLH daemon user" -d /var/empty > > -s /bin/false sslh > > +fi > > Why are the user and group ID different? Is there a reason why they > cannot be the same? > > > + > > +# Set symlink for runlevels > > +ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > > +ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > > +ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > > + > > start_service --background ${NAME} > > diff --git a/src/paks/sslh/uninstall.sh > > b/src/paks/sslh/uninstall.sh > > index dca34ccbd..4dfa0b274 100644 > > --- a/src/paks/sslh/uninstall.sh > > +++ b/src/paks/sslh/uninstall.sh > > @@ -24,4 +24,6 @@ > > . /opt/pakfire/lib/functions.sh > > stop_service ${NAME} > > remove_files > > -rm -f /etc/rc.d/init.d/networking/red.up/50-sslh > > + > > +# Delete symlinks in runlevels > > +rm -f /etc/rc.d/rc?.d/???sslh; > > -- > > 2.12.2 > > -Michael >