Hi Michael, sorry for the late reply.
On Mo, 2019-05-13 at 14:33 +0100, Michael Tremer wrote:
Hi,
I think this patch is mostly fine. Just a couple of small questions.
On 12 May 2019, at 05:24, Erik Kapfer ummeegge@ipfire.org wrote:
- New user and group sslh has been added.
- Added USELIBCAP to make transparent mode possible.
- red.up script has been added. If red IP changes, sslh will be
restarted to run with the new IP.
- red.up script searches for sslh symlink in rc3.d, if nothing can
be found, it will not start so it can be disabled via WUI (services.cgi).
- Symlinks for runlevels have nevertheless been added to the sslh
package to control it also via services.cgi.
- Configuration block has been added to sslh initscript.
- External IP address check will also be used for configure
options.
- Configure provides currently only OpenVPN
- OpenVPN port will be automatically investigated.
Signed-off-by: Erik Kapfer ummeegge@ipfire.org
config/rootfiles/packages/sslh | 1 + config/sslh/25-sslh | 17 +++++++++++++++++ lfs/initscripts | 3 --- lfs/sslh | 16 +++++++++------- src/initscripts/packages/sslh | 41 +++++++++++++++++++++++++++++++++-------- src/paks/sslh/install.sh | 16 +++++++++++++++- src/paks/sslh/uninstall.sh | 4 +++- 7 files changed, 78 insertions(+), 20 deletions(-) create mode 100644 config/sslh/25-sslh
diff --git a/config/rootfiles/packages/sslh b/config/rootfiles/packages/sslh
index 2c67aad3a..15d5ff8f9 100644
--- a/config/rootfiles/packages/sslh
+++ b/config/rootfiles/packages/sslh
@@ -1,2 +1,3 @@
+etc/rc.d/init.d/networking/red.up/25-sslh
 etc/rc.d/init.d/sslh
 usr/sbin/sslh
diff --git a/config/sslh/25-sslh b/config/sslh/25-sslh
new file mode 100644
index 000000000..0b65d4309
--- /dev/null
+++ b/config/sslh/25-sslh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Check if SSLH has been enabled in WUI
+if ls /etc/rc.d/rc3.d | grep -q '.*sslh' >/dev/null; then
I do not think that this is very elegant. Calling ls in shell scripts has many disadvantages.
Can we not just test for /etc/rc.d/rc3.d/S98sslh being present? We know the real path.
Is
if readlink /etc/rc.d/rc3.d/*sslh > /dev/null; then
better in this place?
- # If SSLH is enabled and running but red0 gets a new IP,
restart SSLH
- if pgrep 'sslh' > /dev/null; then
/etc/init.d/sslh restart
- else
# If sslh is not running yet, start it
/etc/init.d/sslh start
- fi
This is fine.
+else
- # If SSLH has been disabled on boot via services WUI, stop
service
- /etc/init.d/sslh stop
It should not be running in the first place here.
I have tested this: if sslh is disabled at boot via the web user interface and the red IP changes before a reboot of the machine, the --listen address of sslh does not change and sslh can no longer be used.
# root @ ipfire in /etc/rc.d/init.d/networking/red.up [7:07:30] $ ps aux | grep sslh sslh 29632 0.0 0.1 17564 2124 ? Ss 07:08 0:00 /usr/sbin/sslh --user sslh --listen 192.168.2.25 443 --openvpn 127.0.0.1 1194 --pidfile /var/run/sslh.pid -C /var/empty sslh 29633 0.0 0.0 17564 160 ? S 07:08 0:00 /usr/sbin/sslh --user sslh --listen 192.168.2.25 443 --openvpn 127.0.0.1 1194 --pidfile /var/run/sslh.pid -C /var/empty
# root @ ipfire-server in /etc/rc.d/init.d/networking/red.up [7:08:17] $ setup
Changed red IP in setup to 192.168.2.33
# root @ ipfire in /etc/rc.d/init.d/networking/red.up [7:09:14] $ ps aux | grep sslh sslh 29632 0.0 0.1 17564 2124 ? Ss 07:08 0:00 /usr/sbin/sslh --user sslh --listen 192.168.2.25 443 --openvpn 127.0.0.1 1194 --pidfile /var/run/sslh.pid -C /var/empty sslh 29633 0.0 0.0 17564 160 ? S 07:08 0:00 /usr/sbin/sslh --user sslh --listen 192.168.2.25 443 --openvpn 127.0.0.1 1194 --pidfile /var/run/sslh.pid -C /var/empty
Until a reboot the "EXTERNAL IP" listens on the old IP. This is surely a rare case, but to prevent that one as well I added the init stop. Do you have another idea for this?
+fi
+# EOF diff --git a/lfs/initscripts b/lfs/initscripts index 055e106d0..3173a04e4 100644 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -136,9 +136,6 @@ $(TARGET) : ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175 ln -sf ../init.d/client175 /etc/rc.d/rc3.d/S66client175 ln -sf ../init.d/client175 /etc/rc.d/rc6.d/K34client175
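Review bot: `pgrep 'sslh'` in the restart branch is a regex match on process names, so any process whose name merely contains "sslh" makes the hook choose restart over start; use an exact match, `if pgrep -x sslh > /dev/null; then`. The initscript in this same series records the daemon's pid in `/var/run/sslh.pid`, so testing that pidfile would be an alternative that does not scan the process table at all. The same hunk is quoted a second time further down the thread.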
- ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh
- ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh
- ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh ln -sf ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin ln -sf ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin ln -sf ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin
diff --git a/lfs/sslh b/lfs/sslh index 100cec065..ab453c75d 100644 --- a/lfs/sslh +++ b/lfs/sslh @@ -1,7 +1,7 @@ ################################################################### ############ # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 1.7a +VER = 1.20
THISAPP = sslh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = sslh -PAK_VER = 5 +PAK_VER = 6
DEPS = ""
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d +$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912
install : $(TARGET)
@@ -77,11 +77,13 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING)
USELIBWRAP=
- cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin
- cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING)
USELIBCAP=1 USELIBWRAP=
- cd $(DIR_APP) && install -v -m 755 sslh-fork /usr/sbin/sslh
- #install initscripts
- # Install initscripts $(call INSTALL_INITSCRIPT,sslh)
- # Install red.up
- install -v -m 754 -D $(DIR_CONF)/sslh/25-sslh
/etc/rc.d/init.d/networking/red.up/25-sslh
@rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/src/initscripts/packages/sslh b/src/initscripts/packages/sslh index 43e58f392..f227ae9fb 100644 --- a/src/initscripts/packages/sslh +++ b/src/initscripts/packages/sslh @@ -3,31 +3,56 @@
# Based on sysklogd script from LFS-3.1 and earlier. # Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org +# +############################################################# +#
. /etc/sysconfig/rc . $rc_functions
+DAEMON="/usr/sbin/sslh"
+PID="/var/run/sslh.pid"
+# Check external IP address and ports
+EXTERNAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)"
+# Investigate OpenVPN port
+IPFIREOPENVPN=$(awk '/port/ { print $2 }' /var/ipfire/ovpn/server.conf)
+# Loopback interface
+LO="127.0.0.1"
+# Used TCP ports
+LISTENPORT="443"
+OPENVPNPORT=${IPFIREOPENVPN}
+# Configuration options
+DAEMON_OPTS="
+--user sslh
+--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT}
+--openvpn ${LO}:${OPENVPNPORT}
+--pidfile ${PID}
+-C /var/empty
+"
case "$1" in start) boot_mesg "Starting SSLH Deamon..."
LOCAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)"
if [ -z "${LOCAL_IP_ADDRESS}" ]; then
if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then echo_failure boot_mesg -n "FAILURE:\n\nCould not determine"
${FAILURE} boot_mesg -n " your external IP address." boot_mesg "" ${NORMAL} exit 1 fi
loadproc /usr/sbin/sslh -u nobody \
-p "${LOCAL_IP_ADDRESS}:443" -s localhost:222
-l localhost:444
loadproc ${DAEMON} ${DAEMON_OPTS}
evaluate_retval ;;
stop) boot_mesg "Stopping SSLH Deamon..."
killproc /usr/sbin/sslh
killproc ${DAEMON}
evaluate_retval ;;rm -f ${PID}
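Review bot: `OPENVPNPORT` is used in `--openvpn ${LO}:${OPENVPNPORT}` without ever being checked, so when `/var/ipfire/ovpn/server.conf` is absent or has no port line the start branch validates only the external address and then launches the daemon with an empty port; add a second guard beside the existing one, `if [ -z "${OPENVPNPORT}" ]; then`, with the same echo_failure/boot_mesg/exit 1 handling reporting that the OpenVPN port could not be determined. The awk pattern `/port/` matches any line that merely contains that word, including comments and options such as `lport`, so anchor it on the first field: `IPFIREOPENVPN=$(awk '$1 == "port" { print $2 }' /var/ipfire/ovpn/server.conf 2>/dev/null)`. Since these assignments moved to the top of the script they now also run for `stop` and `status`, where a missing file yields a stray read error; the `2>/dev/null` above covers awk, and the `$(<...)` read of the address could stay in the start branch as it was before. The order of `rm -f ${PID}` relative to `evaluate_retval` in the stop branch is not recoverable from the quoted lines; if rm runs between killproc and evaluate_retval, the status that gets reported is rm's rather than killproc's.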
@@ -38,7 +63,7 @@ case "$1" in ;;
status)
statusproc /usr/sbin/sslh
statusproc ${DAEMON}
;;
*)
diff --git a/src/paks/sslh/install.sh b/src/paks/sslh/install.sh index 626884bdd..410dc9d83 100644 --- a/src/paks/sslh/install.sh +++ b/src/paks/sslh/install.sh @@ -23,5 +23,19 @@ # . /opt/pakfire/lib/functions.sh extract_files -ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh
+# Add user and group for sslh if not already done
+if ! getent group sslh &>/dev/null; then
groupadd -g 131 sslh
+fi
+if ! getent passwd sslh; then
useradd -u 123 -g sslh -c "SSLH daemon user" -d /var/empty
-s /bin/false sslh +fi
Why are the user and group ID different? Is there a reason why they cannot be the same?
I used the IDs which are used in other distributions, but I have changed GID/UID to '123'.
+# Set symlink for runlevels
+ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh
+ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh
+ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh
start_service --background ${NAME} diff --git a/src/paks/sslh/uninstall.sh b/src/paks/sslh/uninstall.sh index dca34ccbd..4dfa0b274 100644 --- a/src/paks/sslh/uninstall.sh +++ b/src/paks/sslh/uninstall.sh @@ -24,4 +24,6 @@ . /opt/pakfire/lib/functions.sh stop_service ${NAME} remove_files -rm -f /etc/rc.d/init.d/networking/red.up/50-sslh
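Review bot: `if ! getent passwd sslh; then` lacks the `&>/dev/null` that the group check two lines above uses, so on a re-install the existing passwd entry is echoed into the installer output; make it `if ! getent passwd sslh &>/dev/null; then`. With the fixed `groupadd -g 131`, a box on which that gid is already taken makes groupadd fail, and as no `set -e` or status check is visible in the hunk the following `useradd -g sslh` and the `start_service` at the end still run, leaving a daemon launched with `--user sslh` against an account that was never created; check the exit status of groupadd and useradd and abort the install on failure so the problem surfaces at install time rather than as a silently absent service.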
+# Delete symlinks in runlevels
+rm -f /etc/rc.d/rc?.d/???sslh;
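Review bot: Dropping `rm -f /etc/rc.d/init.d/networking/red.up/50-sslh` leaves the previous package version's hook symlink in place on an upgraded system, next to the new `25-sslh`; if that old link still points at `/etc/init.d/sslh` it is run with no argument on every red.up event, presumably landing in the `*)` usage branch, so keep that rm line here or remove the stale link from install.sh. Whether this uninstall script runs on the upgrade path at all depends on pakfire's update handling, which is not visible in the hunk. The trailing `;` on `rm -f /etc/rc.d/rc?.d/???sslh;` is unnecessary; `rm -f /etc/rc.d/rc?.d/???sslh` is enough.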
2.12.2
-Michael
Thanks again for looking into this. I have also asked in the testing topic in the forum for some howtos for the transparent mode, which also involves some IPTables rules if LAN machines (which I couldn't test) are involved, and have received some help from there, so a wiki page can also include some more extended paragraphs for sslh.
If we find a proper solution for the outstanding questions i can send the updated patch and would then also start with the wiki for sslh.
Best,
Erik
On Mo, 2019-05-13 at 14:33 +0100, Michael Tremer wrote:
Hi,
I think this patch is mostly fine. Just a couple of small questions.
On 12 May 2019, at 05:24, Erik Kapfer ummeegge@ipfire.org wrote:
- New user and group sslh has been added.
- Added USELIBCAP to make transparent mode possible.
- red.up script has been added. If red IP changes, sslh will be
restarted to run with the new IP.
- red.up script searches for sslh symlink in rc3.d, if nothing can
be found, it will not start so it can be disabled via WUI (services.cgi).
- Symlinks for runlevels have nevertheless been added to the sslh
package to control it also via services.cgi.
- Configuration block has been added to sslh initscript.
- External IP address check will also be used for configure
options.
- Configure provides currently only OpenVPN
- OpenVPN port will be automatically investigated.
Signed-off-by: Erik Kapfer ummeegge@ipfire.org
config/rootfiles/packages/sslh | 1 + config/sslh/25-sslh | 17 +++++++++++++++++ lfs/initscripts | 3 --- lfs/sslh | 16 +++++++++------- src/initscripts/packages/sslh | 41 +++++++++++++++++++++++++++++++++-------- src/paks/sslh/install.sh | 16 +++++++++++++++- src/paks/sslh/uninstall.sh | 4 +++- 7 files changed, 78 insertions(+), 20 deletions(-) create mode 100644 config/sslh/25-sslh
diff --git a/config/rootfiles/packages/sslh b/config/rootfiles/packages/sslh
index 2c67aad3a..15d5ff8f9 100644
--- a/config/rootfiles/packages/sslh
+++ b/config/rootfiles/packages/sslh
@@ -1,2 +1,3 @@
+etc/rc.d/init.d/networking/red.up/25-sslh
 etc/rc.d/init.d/sslh
 usr/sbin/sslh
diff --git a/config/sslh/25-sslh b/config/sslh/25-sslh
new file mode 100644
index 000000000..0b65d4309
--- /dev/null
+++ b/config/sslh/25-sslh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Check if SSLH has been enabled in WUI
+if ls /etc/rc.d/rc3.d | grep -q '.*sslh' >/dev/null; then
I do not think that this is very elegant. Calling ls in shell scripts has many disadvantages.
Can we not just test for /etc/rc.d/rc3.d/S98sslh being present? We know the real path.
- # If SSLH is enabled and running but red0 gets a new IP,
restart SSLH
- if pgrep 'sslh' > /dev/null; then
/etc/init.d/sslh restart
- else
# If sslh is not running yet, start it
/etc/init.d/sslh start
- fi
This is fine.
+else
- # If SSLH has been disabled on boot via services WUI, stop
service
- /etc/init.d/sslh stop
It should not be running in the first place here.
+fi
+# EOF diff --git a/lfs/initscripts b/lfs/initscripts index 055e106d0..3173a04e4 100644 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -136,9 +136,6 @@ $(TARGET) : ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175 ln -sf ../init.d/client175 /etc/rc.d/rc3.d/S66client175 ln -sf ../init.d/client175 /etc/rc.d/rc6.d/K34client175
- ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh
- ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh
- ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh ln -sf ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin ln -sf ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin ln -sf ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin
diff --git a/lfs/sslh b/lfs/sslh index 100cec065..ab453c75d 100644 --- a/lfs/sslh +++ b/lfs/sslh @@ -1,7 +1,7 @@ ################################################################### ############ # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 1.7a +VER = 1.20
THISAPP = sslh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = sslh -PAK_VER = 5 +PAK_VER = 6
DEPS = ""
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d +$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912
install : $(TARGET)
@@ -77,11 +77,13 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING)
USELIBWRAP=
- cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin
- cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING)
USELIBCAP=1 USELIBWRAP=
- cd $(DIR_APP) && install -v -m 755 sslh-fork /usr/sbin/sslh
- #install initscripts
- # Install initscripts $(call INSTALL_INITSCRIPT,sslh)
- # Install red.up
- install -v -m 754 -D $(DIR_CONF)/sslh/25-sslh
/etc/rc.d/init.d/networking/red.up/25-sslh
@rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/src/initscripts/packages/sslh b/src/initscripts/packages/sslh index 43e58f392..f227ae9fb 100644 --- a/src/initscripts/packages/sslh +++ b/src/initscripts/packages/sslh @@ -3,31 +3,56 @@
# Based on sysklogd script from LFS-3.1 and earlier. # Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org +# +############################################################# +#
. /etc/sysconfig/rc . $rc_functions
+DAEMON="/usr/sbin/sslh"
+PID="/var/run/sslh.pid"
+# Check external IP address and ports
+EXTERNAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)"
+# Investigate OpenVPN port
+IPFIREOPENVPN=$(awk '/port/ { print $2 }' /var/ipfire/ovpn/server.conf)
+# Loopback interface
+LO="127.0.0.1"
+# Used TCP ports
+LISTENPORT="443"
+OPENVPNPORT=${IPFIREOPENVPN}
+# Configuration options
+DAEMON_OPTS="
+--user sslh
+--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT}
+--openvpn ${LO}:${OPENVPNPORT}
+--pidfile ${PID}
+-C /var/empty
+"
case "$1" in start) boot_mesg "Starting SSLH Deamon..."
LOCAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)"
if [ -z "${LOCAL_IP_ADDRESS}" ]; then
if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then echo_failure boot_mesg -n "FAILURE:\n\nCould not determine"
${FAILURE} boot_mesg -n " your external IP address." boot_mesg "" ${NORMAL} exit 1 fi
loadproc /usr/sbin/sslh -u nobody \
-p "${LOCAL_IP_ADDRESS}:443" -s localhost:222
-l localhost:444
loadproc ${DAEMON} ${DAEMON_OPTS}
evaluate_retval ;;
stop) boot_mesg "Stopping SSLH Deamon..."
killproc /usr/sbin/sslh
killproc ${DAEMON}
evaluate_retval ;;rm -f ${PID}
@@ -38,7 +63,7 @@ case "$1" in ;;
status)
statusproc /usr/sbin/sslh
statusproc ${DAEMON}
;;
*)
diff --git a/src/paks/sslh/install.sh b/src/paks/sslh/install.sh index 626884bdd..410dc9d83 100644 --- a/src/paks/sslh/install.sh +++ b/src/paks/sslh/install.sh @@ -23,5 +23,19 @@ # . /opt/pakfire/lib/functions.sh extract_files -ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh
+# Add user and group for sslh if not already done
+if ! getent group sslh &>/dev/null; then
groupadd -g 131 sslh
+fi
+if ! getent passwd sslh; then
useradd -u 123 -g sslh -c "SSLH daemon user" -d /var/empty
-s /bin/false sslh +fi
Why are the user and group ID different? Is there a reason why they cannot be the same?
+# Set symlink for runlevels
+ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh
+ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh
+ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh
start_service --background ${NAME} diff --git a/src/paks/sslh/uninstall.sh b/src/paks/sslh/uninstall.sh index dca34ccbd..4dfa0b274 100644 --- a/src/paks/sslh/uninstall.sh +++ b/src/paks/sslh/uninstall.sh @@ -24,4 +24,6 @@ . /opt/pakfire/lib/functions.sh stop_service ${NAME} remove_files -rm -f /etc/rc.d/init.d/networking/red.up/50-sslh
+# Delete symlinks in runlevels
+rm -f /etc/rc.d/rc?.d/???sslh;
2.12.2
-Michael