sslh: add transparent proxy support #12280

merged 5 commits into from May 26, 2020

@sgabe sgabe commented May 24, 2020

Compile with USELIBCAP=1 to make use of POSIX capabilities. This will save the required capabilities needed for transparent proxying for unprivileged processes. Furthermore, upstream will drop support for the ssl option in the next future version, hence we should use tls instead.

Signed-off-by: Gabor Seljan <sgabe@users.noreply.github.com>

Maintainer: @jmccrohan
Compile tested: MT7621, RB750Gr3, v19.07.3
Run tested: MT7621, RB750Gr3, v19.07.0

Description:

  • Transparent proxying is supported with the --transparent option added in v1.15 of sslh. This PR updates the init script and the configuration file to support transparent proxying.
  • Capabilities are supported since v1.16 of sslh using the USELIBCAP compiler flag. This PR adds the libcap package as a dependency and enables the USELIBCAP flag. Capabilities support is especially needed for transparent proxying while running sslh as the unprivileged nobody user.
  • The ssl option is deprecated and the legacy support will be removed in sslh v1.21. This PR replaces the old ssl option with the new tls option that should be used instead.

Signed-off-by: Gabor Seljan <sgabe@users.noreply.github.com>

neheb commented May 25, 2020

Needs a PKG_RELEASE bump. Might want to put all your changes in one PR.


sgabe commented May 25, 2020

I have opened separate PRs because this way the proposed changes can be discussed and accepted or rejected independently and I could increment the PKG_RELEASE in the order the PRs are merged.

Signed-off-by: Gabor Seljan <sgabe@users.noreply.github.com>

neheb commented May 26, 2020

All of the changes look fine. I’d put them in one PR. Easier that way.

sgabe added 3 commits May 26, 2020 19:58
Signed-off-by: Gabor Seljan <sgabe@users.noreply.github.com>
Compile with USELIBCAP=1 to make use of POSIX capabilities. This will
save the required capabilities needed for transparent proxying for
unprivileged processes.

Signed-off-by: Gabor Seljan <sgabe@users.noreply.github.com>
Upstream will drop support for the ssl option in the next future version.

Signed-off-by: Gabor Seljan <sgabe@users.noreply.github.com>

sgabe commented May 26, 2020

As per your request, I have pulled all changes into this PR.

@neheb neheb merged commit 413b7dc into openwrt:master May 26, 2020

BKPepe commented May 31, 2020

Shouldn't it be cherry-picked into 19.07?


BKPepe commented Jun 5, 2020

Done - 267b490

Fixes warning in OpenWrt 19.07:
/etc/init.d/sslh start
Usage of 'ssl' setting is deprecated and will be removed in v1.21. Please use 'tls' instead
