Pre-built binaries

Docker images of master and of the tagged versions are available directly from Github.

Windows binaries for Cygwin are graciouly produced by nono303 on his repository.

Compile and install

Dependencies

sslh uses:

  • libconfig. For Debian this is contained in package libconfig-dev. You can compile with or without it using USELIBCONFIG in the Makefile.

  • libwrap. For Debian, this is contained in packages libwrap0-dev. You can compile with or without it using USELIBWRAP in the Makefile.

  • libsystemd, in package libsystemd-dev. You can compile with or without it using USESYSTEMD in the Makefile.

  • libcap, in package libcap-dev. You can compile with or without it using USELIBCAP in the Makefile

  • libbsd, to enable to change the process name (as shown in ps, so each forked process shows what protocol and what connection it is serving), which requires libbsd at runtime, and libbsd-dev at compile-time.

  • libpcre2, in package libpcre-dev. You can compile with or without it using ENABLE_REGEX in the Makefile.

  • libev-dev, in package libev-dev. If you build a binary specifically and do not build sslh-ev, you don’t need this.

For OpenSUSE, these are contained in packages libconfig9 and libconfig-dev in repository http://download.opensuse.org/repositories/multimedia:/libs/openSUSE_12.1/

For Fedora, you’ll need packages libconfig and libconfig-devel:

yum install libconfig libconfig-devel

If you want to rebuild sslh-conf.c (after a make distclean for example), you will also need to add conf2struct (v1.5) to your path.

The test scripts are written in Perl, and will require IO::Socket::INET6 (libio-socket-inet6-perl in Debian).

Compilation

After this, the Makefile should work:

make install

There are a couple of configuration options at the beginning of the Makefile:

  • USELIBWRAP compiles support for host access control (see hosts_access(3)), you will need libwrap headers and library to compile (libwrap0-dev in Debian).

  • USELIBCONFIG compiles support for the configuration file. You will need libconfig headers to compile (libconfig8-dev in Debian).

  • USESYSTEMD compiles support for using systemd socket activation. You will need systemd headers to compile (systemd-devel in Fedora).

  • USELIBBSD compiles support for updating the process name (as shown by ps).

Generating the configuration parser

The configuration file and command line parser is generated by conf2struct, from sslhconf.cfg, which generates sslh-conf.c and sslh-conf.h. The resulting files are included in the source so sslh can be built without conf2struct installed.

Further, to prevent build issues, sslh-conf.[ch] has no dependency to sslhconf.cfg in the Makefile. In the event of adding configuration settings, they need to be regenerated using make c2s.

Binaries

The Makefile produces three different executables: sslh-fork, sslh-select and sslh-ev:

  • sslh-fork forks a new process for each incoming connection. It is well-tested and very reliable, but incurs the overhead of many processes.
    If you are going to use sslh for a “small” setup (less than a dozen ssh connections and a low-traffic https server) then sslh-fork is probably more suited for you.

  • sslh-select uses only one thread, which monitors all connections at once. It only incurs a 16 byte overhead per connection. Also, if it stops, you’ll lose all connections, which means you can’t upgrade it remotely. If you are going to use sslh on a “medium” setup (a few hundreds of connections), or if you are on a system where forking is expensive (e.g. Windows), sslh-select will be better.

  • sslh-ev is similar to sslh-select, but uses libev as a backend. This allows using specific kernel APIs that allow to manage thousands of connections concurrently.

Installation

  • In general:

      make
      cp sslh-fork /usr/local/sbin/sslh
      cp basic.cfg /etc/sslh.cfg
              vi /etc/sslh.cfg
    
  • For Debian:

      cp scripts/etc.init.d.sslh /etc/init.d/sslh
    
  • For CentOS:

      cp scripts/etc.rc.d.init.d.sslh.centos /etc/rc.d/init.d/sslh
    

You might need to create links in /etc/rc.d so that the server start automatically at boot-up, e.g. under Debian:

update-rc.d sslh defaults