[v2] sslh: update to 1.20
Commit Message
- New user and group sslh has been added.
- Added USELIBCAP to make transparent mode possible.
- red.up script has been added. If red IP changes, sslh will be restarted to run with the new IP.
- red.up script searches for sslh symlink in rc3.d, if nothing can be found, it will not start so it can be disabled via WUI (services.cgi).
- Symlinks for runlevels has been nevertheless added to sslh package to control it also via services.cgi.
- Configuration block has been added to sslh initscript.
- External IP address check will also be used for configure options.
- Configure provides currently only OpenVPN
- OpenVPN port will be automatically investigated.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
---
config/rootfiles/packages/sslh | 1 +
config/sslh/25-sslh | 17 +++++++++++++++++
lfs/initscripts | 3 ---
lfs/sslh | 16 +++++++++-------
src/initscripts/packages/sslh | 41 +++++++++++++++++++++++++++++++++--------
src/paks/sslh/install.sh | 16 +++++++++++++++-
src/paks/sslh/uninstall.sh | 4 +++-
7 files changed, 78 insertions(+), 20 deletions(-)
create mode 100644 config/sslh/25-sslh
Comments
Hi,
I think this patch is mostly fine. Just a couple of small questions.
> On 12 May 2019, at 05:24, Erik Kapfer <ummeegge@ipfire.org> wrote:
>
> - New user and group sslh has been added.
> - Added USELIBCAP to make transparent mode possible.
> - red.up script has been added. If red IP changes, sslh will be restarted to run with the new IP.
> - red.up script searches for sslh symlink in rc3.d, if nothing can be found, it will not start so it can be disabled via WUI (services.cgi).
> - Symlinks for runlevels has been nevertheless added to sslh package to control it also via services.cgi.
> - Configuration block has been added to sslh initscript.
> - External IP address check will also be used for configure options.
> - Configure provides currently only OpenVPN
> - OpenVPN port will be automatically investigated.
>
> Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
> ---
> config/rootfiles/packages/sslh | 1 +
> config/sslh/25-sslh | 17 +++++++++++++++++
> lfs/initscripts | 3 ---
> lfs/sslh | 16 +++++++++-------
> src/initscripts/packages/sslh | 41 +++++++++++++++++++++++++++++++++--------
> src/paks/sslh/install.sh | 16 +++++++++++++++-
> src/paks/sslh/uninstall.sh | 4 +++-
> 7 files changed, 78 insertions(+), 20 deletions(-)
> create mode 100644 config/sslh/25-sslh
>
> diff --git a/config/rootfiles/packages/sslh b/config/rootfiles/packages/sslh
> index 2c67aad3a..15d5ff8f9 100644
> --- a/config/rootfiles/packages/sslh
> +++ b/config/rootfiles/packages/sslh
> @@ -1,2 +1,3 @@
> +etc/rc.d/init.d/networking/red.up/25-sslh
> etc/rc.d/init.d/sslh
> usr/sbin/sslh
> diff --git a/config/sslh/25-sslh b/config/sslh/25-sslh
> new file mode 100644
> index 000000000..0b65d4309
> --- /dev/null
> +++ b/config/sslh/25-sslh
> @@ -0,0 +1,17 @@
> +#!/bin/bash
> +
> +# Check if SSLH has been enabled in WUI
> +if ls /etc/rc.d/rc3.d | grep -q '.*sslh' >/dev/null; then
I do not think that this is very elegant. Calling ls is shell scripts has many disadvantages.
Can we not just test for /etc/rc.d/rc3.d/S98sslh being present? We know the real path.
> + # If SSLH is enabled and running but red0 gets a new IP, restart SSLH
> + if pgrep 'sslh' > /dev/null; then
> + /etc/init.d/sslh restart
> + else
> + # If sslh is not running yet, start it
> + /etc/init.d/sslh start
> + fi
This is fine.
> +else
> + # If SSLH has been disabled on boot via services WUI, stop service
> + /etc/init.d/sslh stop
It should not be running in the first place here.
> +fi
> +
> +# EOF
> diff --git a/lfs/initscripts b/lfs/initscripts
> index 055e106d0..3173a04e4 100644
> --- a/lfs/initscripts
> +++ b/lfs/initscripts
> @@ -136,9 +136,6 @@ $(TARGET) :
> ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175
> ln -sf ../init.d/client175 /etc/rc.d/rc3.d/S66client175
> ln -sf ../init.d/client175 /etc/rc.d/rc6.d/K34client175
> - ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh
> - ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh
> - ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh
> ln -sf ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin
> ln -sf ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin
> ln -sf ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin
> diff --git a/lfs/sslh b/lfs/sslh
> index 100cec065..ab453c75d 100644
> --- a/lfs/sslh
> +++ b/lfs/sslh
> @@ -1,7 +1,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
> +# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
> @@ -24,7 +24,7 @@
>
> include Config
>
> -VER = 1.7a
> +VER = 1.20
>
> THISAPP = sslh-$(VER)
> DL_FILE = $(THISAPP).tar.gz
> @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
> DIR_APP = $(DIR_SRC)/$(THISAPP)
> TARGET = $(DIR_INFO)/$(THISAPP)
> PROG = sslh
> -PAK_VER = 5
> +PAK_VER = 6
>
> DEPS = ""
>
> @@ -44,7 +44,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d
> +$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912
>
> install : $(TARGET)
>
> @@ -77,11 +77,13 @@ $(subst %,%_MD5,$(objects)) :
> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> @$(PREBUILD)
> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
> - cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) USELIBWRAP=
> - cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin
> + cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) USELIBCAP=1 USELIBWRAP=
> + cd $(DIR_APP) && install -v -m 755 sslh-fork /usr/sbin/sslh
>
> - #install initscripts
> + # Install initscripts
> $(call INSTALL_INITSCRIPT,sslh)
> + # Install red.up
> + install -v -m 754 -D $(DIR_CONF)/sslh/25-sslh /etc/rc.d/init.d/networking/red.up/25-sslh
>
> @rm -rf $(DIR_APP)
> @$(POSTBUILD)
> diff --git a/src/initscripts/packages/sslh b/src/initscripts/packages/sslh
> index 43e58f392..f227ae9fb 100644
> --- a/src/initscripts/packages/sslh
> +++ b/src/initscripts/packages/sslh
> @@ -3,31 +3,56 @@
>
> # Based on sysklogd script from LFS-3.1 and earlier.
> # Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org
> +#
> +#############################################################
> +#
>
> . /etc/sysconfig/rc
> . $rc_functions
>
> +DAEMON="/usr/sbin/sslh"
> +PID="/var/run/sslh.pid"
> +
> +# Check external IP address and ports
> +EXTERNAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)"
> +
> +# Investigate OpenVPN port
> +IPFIREOPENVPN=$(awk '/port/ { print $2 }' /var/ipfire/ovpn/server.conf)
> +
> +# Loopback interface
> +LO="127.0.0.1"
> +
> +# Used TCP ports
> +LISTENPORT="443"
> +OPENVPNPORT=${IPFIREOPENVPN}
> +
> +# Configuration options
> +DAEMON_OPTS="
> +--user sslh
> +--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT}
> +--openvpn ${LO}:${OPENVPNPORT}
> +--pidfile ${PID}
> +-C /var/empty
> +"
> +
> case "$1" in
> start)
> boot_mesg "Starting SSLH Deamon..."
> -
> - LOCAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)"
> - if [ -z "${LOCAL_IP_ADDRESS}" ]; then
> + if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then
> echo_failure
> boot_mesg -n "FAILURE:\n\nCould not determine" ${FAILURE}
> boot_mesg -n " your external IP address."
> boot_mesg "" ${NORMAL}
> exit 1
> fi
> -
> - loadproc /usr/sbin/sslh -u nobody \
> - -p "${LOCAL_IP_ADDRESS}:443" -s localhost:222 -l localhost:444
> + loadproc ${DAEMON} ${DAEMON_OPTS}
> evaluate_retval
> ;;
>
> stop)
> boot_mesg "Stopping SSLH Deamon..."
> - killproc /usr/sbin/sslh
> + killproc ${DAEMON}
> + rm -f ${PID}
> evaluate_retval
> ;;
>
> @@ -38,7 +63,7 @@ case "$1" in
> ;;
>
> status)
> - statusproc /usr/sbin/sslh
> + statusproc ${DAEMON}
> ;;
>
> *)
> diff --git a/src/paks/sslh/install.sh b/src/paks/sslh/install.sh
> index 626884bdd..410dc9d83 100644
> --- a/src/paks/sslh/install.sh
> +++ b/src/paks/sslh/install.sh
> @@ -23,5 +23,19 @@
> #
> . /opt/pakfire/lib/functions.sh
> extract_files
> -ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh
> +
> +# Add user and group for sslh if not already done
> +if ! getent group sslh &>/dev/null; then
> + groupadd -g 131 sslh
> +fi
> +
> +if ! getent passwd sslh; then
> + useradd -u 123 -g sslh -c "SSLH daemon user" -d /var/empty -s /bin/false sslh
> +fi
Why are the user and group ID different? Is there a reason why they cannot be the same?
> +
> +# Set symlink for runlevels
> +ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh
> +ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh
> +ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh
> +
> start_service --background ${NAME}
> diff --git a/src/paks/sslh/uninstall.sh b/src/paks/sslh/uninstall.sh
> index dca34ccbd..4dfa0b274 100644
> --- a/src/paks/sslh/uninstall.sh
> +++ b/src/paks/sslh/uninstall.sh
> @@ -24,4 +24,6 @@
> . /opt/pakfire/lib/functions.sh
> stop_service ${NAME}
> remove_files
> -rm -f /etc/rc.d/init.d/networking/red.up/50-sslh
> +
> +# Delete symlinks in runlevels
> +rm -f /etc/rc.d/rc?.d/???sslh;
> --
> 2.12.2
-Michael
Hi Michael,
sorry for the late reply.
On Mo, 2019-05-13 at 14:33 +0100, Michael Tremer wrote:
> Hi,
>
> I think this patch is mostly fine. Just a couple of small questions.
>
> > On 12 May 2019, at 05:24, Erik Kapfer <ummeegge@ipfire.org> wrote:
> >
> > - New user and group sslh has been added.
> > - Added USELIBCAP to make transparent mode possible.
> > - red.up script has been added. If red IP changes, sslh will be
> > restarted to run with the new IP.
> > - red.up script searches for sslh symlink in rc3.d, if nothing can
> > be found, it will not start so it can be disabled via WUI
> > (services.cgi).
> > - Symlinks for runlevels has been nevertheless added to sslh
> > package to control it also via services.cgi.
> > - Configuration block has been added to sslh initscript.
> > - External IP address check will also be used for configure
> > options.
> > - Configure provides currently only OpenVPN
> > - OpenVPN port will be automatically investigated.
> >
> > Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
> > ---
> > config/rootfiles/packages/sslh | 1 +
> > config/sslh/25-sslh | 17 +++++++++++++++++
> > lfs/initscripts | 3 ---
> > lfs/sslh | 16 +++++++++-------
> > src/initscripts/packages/sslh | 41
> > +++++++++++++++++++++++++++++++++--------
> > src/paks/sslh/install.sh | 16 +++++++++++++++-
> > src/paks/sslh/uninstall.sh | 4 +++-
> > 7 files changed, 78 insertions(+), 20 deletions(-)
> > create mode 100644 config/sslh/25-sslh
> >
> > diff --git a/config/rootfiles/packages/sslh
> > b/config/rootfiles/packages/sslh
> > index 2c67aad3a..15d5ff8f9 100644
> > --- a/config/rootfiles/packages/sslh
> > +++ b/config/rootfiles/packages/sslh
> > @@ -1,2 +1,3 @@
> > +etc/rc.d/init.d/networking/red.up/25-sslh
> > etc/rc.d/init.d/sslh
> > usr/sbin/sslh
> > diff --git a/config/sslh/25-sslh b/config/sslh/25-sslh
> > new file mode 100644
> > index 000000000..0b65d4309
> > --- /dev/null
> > +++ b/config/sslh/25-sslh
> > @@ -0,0 +1,17 @@
> > +#!/bin/bash
> > +
> > +# Check if SSLH has been enabled in WUI
> > +if ls /etc/rc.d/rc3.d | grep -q '.*sslh' >/dev/null; then
>
> I do not think that this is very elegant. Calling ls is shell scripts
> has many disadvantages.
>
> Can we not just test for /etc/rc.d/rc3.d/S98sslh being present? We
> know the real path.
Is
if readlink /etc/rc.d/rc3.d/*sslh > /dev/null; then
better in this place ?
>
> > + # If SSLH is enabled and running but red0 gets a new IP,
> > restart SSLH
> > + if pgrep 'sslh' > /dev/null; then
> > + /etc/init.d/sslh restart
> > + else
> > + # If sslh is not running yet, start it
> > + /etc/init.d/sslh start
> > + fi
>
> This is fine.
>
> > +else
> > + # If SSLH has been disabled on boot via services WUI, stop
> > service
> > + /etc/init.d/sslh stop
>
> It should not be running in the first place here.
Have tested this and if sslh will be disabled at boot via
webuserinterface
and the red IP is changing before a reboot of the machine the --listen
address from sslh do not change and sslh can not be used anymore.
# root @ ipfire in /etc/rc.d/init.d/networking/red.up [7:07:30]
$ ps aux | grep sslh
sslh 29632 0.0 0.1 17564 2124 ? Ss 07:08 0:00 /usr/sbin/sslh --user sslh --listen 192.168.2.25 443 --openvpn 127.0.0.1 1194 --pidfile /var/run/sslh.pid -C /var/empty
sslh 29633 0.0 0.0 17564 160 ? S 07:08 0:00 /usr/sbin/sslh --user sslh --listen 192.168.2.25 443 --openvpn 127.0.0.1 1194 --pidfile /var/run/sslh.pid -C /var/empty
# root @ ipfire-server in /etc/rc.d/init.d/networking/red.up [7:08:17]
$ setup
Changed red IP in setup to 192.168.2.33
# root @ ipfire in /etc/rc.d/init.d/networking/red.up [7:09:14]
$ ps aux | grep sslh
sslh 29632 0.0 0.1 17564 2124 ? Ss 07:08 0:00 /usr/sbin/sslh --user sslh --listen 192.168.2.25 443 --openvpn 127.0.0.1 1194 --pidfile /var/run/sslh.pid -C /var/empty
sslh 29633 0.0 0.0 17564 160 ? S 07:08 0:00 /usr/sbin/sslh --user sslh --listen 192.168.2.25 443 --openvpn 127.0.0.1 1194 --pidfile /var/run/sslh.pid -C /var/empty
Until a reboot the "EXTERNAL IP" listens to the old IP.
This is surely a rare case but to prevent also that one i added the
init stop. May you have another idea for this ?
>
> > +fi
> > +
> > +# EOF
> > diff --git a/lfs/initscripts b/lfs/initscripts
> > index 055e106d0..3173a04e4 100644
> > --- a/lfs/initscripts
> > +++ b/lfs/initscripts
> > @@ -136,9 +136,6 @@ $(TARGET) :
> > ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175
> > ln -sf ../init.d/client175 /etc/rc.d/rc3.d/S66client175
> > ln -sf ../init.d/client175 /etc/rc.d/rc6.d/K34client175
> > - ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh
> > - ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh
> > - ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh
> > ln -sf ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin
> > ln -sf ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin
> > ln -sf ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin
> > diff --git a/lfs/sslh b/lfs/sslh
> > index 100cec065..ab453c75d 100644
> > --- a/lfs/sslh
> > +++ b/lfs/sslh
> > @@ -1,7 +1,7 @@
> > ###################################################################
> > ############
> > #
> > #
> > # IPFire.org - A linux based
> > firewall #
> > -# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org>
> > #
> > +# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org>
> > #
> > #
> > #
> > # This program is free software: you can redistribute it and/or
> > modify #
> > # it under the terms of the GNU General Public License as published
> > by #
> > @@ -24,7 +24,7 @@
> >
> > include Config
> >
> > -VER = 1.7a
> > +VER = 1.20
> >
> > THISAPP = sslh-$(VER)
> > DL_FILE = $(THISAPP).tar.gz
> > @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
> > DIR_APP = $(DIR_SRC)/$(THISAPP)
> > TARGET = $(DIR_INFO)/$(THISAPP)
> > PROG = sslh
> > -PAK_VER = 5
> > +PAK_VER = 6
> >
> > DEPS = ""
> >
> > @@ -44,7 +44,7 @@ objects = $(DL_FILE)
> >
> > $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
> >
> > -$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d
> > +$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912
> >
> > install : $(TARGET)
> >
> > @@ -77,11 +77,13 @@ $(subst %,%_MD5,$(objects)) :
> > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> > @$(PREBUILD)
> > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf
> > $(DIR_DL)/$(DL_FILE)
> > - cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING)
> > USELIBWRAP=
> > - cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin
> > + cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING)
> > USELIBCAP=1 USELIBWRAP=
> > + cd $(DIR_APP) && install -v -m 755 sslh-fork /usr/sbin/sslh
> >
> > - #install initscripts
> > + # Install initscripts
> > $(call INSTALL_INITSCRIPT,sslh)
> > + # Install red.up
> > + install -v -m 754 -D $(DIR_CONF)/sslh/25-sslh
> > /etc/rc.d/init.d/networking/red.up/25-sslh
> >
> > @rm -rf $(DIR_APP)
> > @$(POSTBUILD)
> > diff --git a/src/initscripts/packages/sslh
> > b/src/initscripts/packages/sslh
> > index 43e58f392..f227ae9fb 100644
> > --- a/src/initscripts/packages/sslh
> > +++ b/src/initscripts/packages/sslh
> > @@ -3,31 +3,56 @@
> >
> > # Based on sysklogd script from LFS-3.1 and earlier.
> > # Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org
> > +#
> > +#############################################################
> > +#
> >
> > . /etc/sysconfig/rc
> > . $rc_functions
> >
> > +DAEMON="/usr/sbin/sslh"
> > +PID="/var/run/sslh.pid"
> > +
> > +# Check external IP address and ports
> > +EXTERNAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)"
> > +
> > +# Investigate OpenVPN port
> > +IPFIREOPENVPN=$(awk '/port/ { print $2 }'
> > /var/ipfire/ovpn/server.conf)
> > +
> > +# Loopback interface
> > +LO="127.0.0.1"
> > +
> > +# Used TCP ports
> > +LISTENPORT="443"
> > +OPENVPNPORT=${IPFIREOPENVPN}
> > +
> > +# Configuration options
> > +DAEMON_OPTS="
> > +--user sslh
> > +--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT}
> > +--openvpn ${LO}:${OPENVPNPORT}
> > +--pidfile ${PID}
> > +-C /var/empty
> > +"
> > +
> > case "$1" in
> > start)
> > boot_mesg "Starting SSLH Deamon..."
> > -
> > - LOCAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)"
> > - if [ -z "${LOCAL_IP_ADDRESS}" ]; then
> > + if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then
> > echo_failure
> > boot_mesg -n "FAILURE:\n\nCould not determine"
> > ${FAILURE}
> > boot_mesg -n " your external IP address."
> > boot_mesg "" ${NORMAL}
> > exit 1
> > fi
> > -
> > - loadproc /usr/sbin/sslh -u nobody \
> > - -p "${LOCAL_IP_ADDRESS}:443" -s localhost:222
> > -l localhost:444
> > + loadproc ${DAEMON} ${DAEMON_OPTS}
> > evaluate_retval
> > ;;
> >
> > stop)
> > boot_mesg "Stopping SSLH Deamon..."
> > - killproc /usr/sbin/sslh
> > + killproc ${DAEMON}
> > + rm -f ${PID}
> > evaluate_retval
> > ;;
> >
> > @@ -38,7 +63,7 @@ case "$1" in
> > ;;
> >
> > status)
> > - statusproc /usr/sbin/sslh
> > + statusproc ${DAEMON}
> > ;;
> >
> > *)
> > diff --git a/src/paks/sslh/install.sh b/src/paks/sslh/install.sh
> > index 626884bdd..410dc9d83 100644
> > --- a/src/paks/sslh/install.sh
> > +++ b/src/paks/sslh/install.sh
> > @@ -23,5 +23,19 @@
> > #
> > . /opt/pakfire/lib/functions.sh
> > extract_files
> > -ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh
> > +
> > +# Add user and group for sslh if not already done
> > +if ! getent group sslh &>/dev/null; then
> > + groupadd -g 131 sslh
> > +fi
> > +
> > +if ! getent passwd sslh; then
> > + useradd -u 123 -g sslh -c "SSLH daemon user" -d /var/empty
> > -s /bin/false sslh
> > +fi
>
> Why are the user and group ID different? Is there a reason why they
> cannot be the same?
I used the ID´s which are used in other distributions but i have
changed GID/UID to '123' .
>
> > +
> > +# Set symlink for runlevels
> > +ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh
> > +ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh
> > +ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh
> > +
> > start_service --background ${NAME}
> > diff --git a/src/paks/sslh/uninstall.sh
> > b/src/paks/sslh/uninstall.sh
> > index dca34ccbd..4dfa0b274 100644
> > --- a/src/paks/sslh/uninstall.sh
> > +++ b/src/paks/sslh/uninstall.sh
> > @@ -24,4 +24,6 @@
> > . /opt/pakfire/lib/functions.sh
> > stop_service ${NAME}
> > remove_files
> > -rm -f /etc/rc.d/init.d/networking/red.up/50-sslh
> > +
> > +# Delete symlinks in runlevels
> > +rm -f /etc/rc.d/rc?.d/???sslh;
> > --
> > 2.12.2
>
> -Michael
>
Thanks again for looking into this.
Have ask also in the testing topic in the forum for some howto´s for
the transparent mode which invloves also some IPTables if LAN machines
(which i couldn´t test) are invloved and have get also some help
from there so a wiki can also include some little more extended
paragraphs for sslh.
If we find a proper solution for the outstanding questions i can send
the updated patch and would then also start with the wiki for sslh.
Best,
Erik
On Mo, 2019-05-13 at 14:33 +0100, Michael Tremer wrote:
> Hi,
>
> I think this patch is mostly fine. Just a couple of small questions.
>
> > On 12 May 2019, at 05:24, Erik Kapfer <ummeegge@ipfire.org> wrote:
> >
> > - New user and group sslh has been added.
> > - Added USELIBCAP to make transparent mode possible.
> > - red.up script has been added. If red IP changes, sslh will be
> > restarted to run with the new IP.
> > - red.up script searches for sslh symlink in rc3.d, if nothing can
> > be found, it will not start so it can be disabled via WUI
> > (services.cgi).
> > - Symlinks for runlevels has been nevertheless added to sslh
> > package to control it also via services.cgi.
> > - Configuration block has been added to sslh initscript.
> > - External IP address check will also be used for configure
> > options.
> > - Configure provides currently only OpenVPN
> > - OpenVPN port will be automatically investigated.
> >
> > Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
> > ---
> > config/rootfiles/packages/sslh | 1 +
> > config/sslh/25-sslh | 17 +++++++++++++++++
> > lfs/initscripts | 3 ---
> > lfs/sslh | 16 +++++++++-------
> > src/initscripts/packages/sslh | 41
> > +++++++++++++++++++++++++++++++++--------
> > src/paks/sslh/install.sh | 16 +++++++++++++++-
> > src/paks/sslh/uninstall.sh | 4 +++-
> > 7 files changed, 78 insertions(+), 20 deletions(-)
> > create mode 100644 config/sslh/25-sslh
> >
> > diff --git a/config/rootfiles/packages/sslh
> > b/config/rootfiles/packages/sslh
> > index 2c67aad3a..15d5ff8f9 100644
> > --- a/config/rootfiles/packages/sslh
> > +++ b/config/rootfiles/packages/sslh
> > @@ -1,2 +1,3 @@
> > +etc/rc.d/init.d/networking/red.up/25-sslh
> > etc/rc.d/init.d/sslh
> > usr/sbin/sslh
> > diff --git a/config/sslh/25-sslh b/config/sslh/25-sslh
> > new file mode 100644
> > index 000000000..0b65d4309
> > --- /dev/null
> > +++ b/config/sslh/25-sslh
> > @@ -0,0 +1,17 @@
> > +#!/bin/bash
> > +
> > +# Check if SSLH has been enabled in WUI
> > +if ls /etc/rc.d/rc3.d | grep -q '.*sslh' >/dev/null; then
>
> I do not think that this is very elegant. Calling ls is shell scripts
> has many disadvantages.
>
> Can we not just test for /etc/rc.d/rc3.d/S98sslh being present? We
> know the real path.
>
> > + # If SSLH is enabled and running but red0 gets a new IP,
> > restart SSLH
> > + if pgrep 'sslh' > /dev/null; then
> > + /etc/init.d/sslh restart
> > + else
> > + # If sslh is not running yet, start it
> > + /etc/init.d/sslh start
> > + fi
>
> This is fine.
>
> > +else
> > + # If SSLH has been disabled on boot via services WUI, stop
> > service
> > + /etc/init.d/sslh stop
>
> It should not be running in the first place here.
>
> > +fi
> > +
> > +# EOF
> > diff --git a/lfs/initscripts b/lfs/initscripts
> > index 055e106d0..3173a04e4 100644
> > --- a/lfs/initscripts
> > +++ b/lfs/initscripts
> > @@ -136,9 +136,6 @@ $(TARGET) :
> > ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175
> > ln -sf ../init.d/client175 /etc/rc.d/rc3.d/S66client175
> > ln -sf ../init.d/client175 /etc/rc.d/rc6.d/K34client175
> > - ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh
> > - ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh
> > - ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh
> > ln -sf ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin
> > ln -sf ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin
> > ln -sf ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin
> > diff --git a/lfs/sslh b/lfs/sslh
> > index 100cec065..ab453c75d 100644
> > --- a/lfs/sslh
> > +++ b/lfs/sslh
> > @@ -1,7 +1,7 @@
> > ###################################################################
> > ############
> > #
> > #
> > # IPFire.org - A linux based
> > firewall #
> > -# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org>
> > #
> > +# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org>
> > #
> > #
> > #
> > # This program is free software: you can redistribute it and/or
> > modify #
> > # it under the terms of the GNU General Public License as published
> > by #
> > @@ -24,7 +24,7 @@
> >
> > include Config
> >
> > -VER = 1.7a
> > +VER = 1.20
> >
> > THISAPP = sslh-$(VER)
> > DL_FILE = $(THISAPP).tar.gz
> > @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
> > DIR_APP = $(DIR_SRC)/$(THISAPP)
> > TARGET = $(DIR_INFO)/$(THISAPP)
> > PROG = sslh
> > -PAK_VER = 5
> > +PAK_VER = 6
> >
> > DEPS = ""
> >
> > @@ -44,7 +44,7 @@ objects = $(DL_FILE)
> >
> > $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
> >
> > -$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d
> > +$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912
> >
> > install : $(TARGET)
> >
> > @@ -77,11 +77,13 @@ $(subst %,%_MD5,$(objects)) :
> > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> > @$(PREBUILD)
> > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf
> > $(DIR_DL)/$(DL_FILE)
> > - cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING)
> > USELIBWRAP=
> > - cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin
> > + cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING)
> > USELIBCAP=1 USELIBWRAP=
> > + cd $(DIR_APP) && install -v -m 755 sslh-fork /usr/sbin/sslh
> >
> > - #install initscripts
> > + # Install initscripts
> > $(call INSTALL_INITSCRIPT,sslh)
> > + # Install red.up
> > + install -v -m 754 -D $(DIR_CONF)/sslh/25-sslh
> > /etc/rc.d/init.d/networking/red.up/25-sslh
> >
> > @rm -rf $(DIR_APP)
> > @$(POSTBUILD)
> > diff --git a/src/initscripts/packages/sslh
> > b/src/initscripts/packages/sslh
> > index 43e58f392..f227ae9fb 100644
> > --- a/src/initscripts/packages/sslh
> > +++ b/src/initscripts/packages/sslh
> > @@ -3,31 +3,56 @@
> >
> > # Based on sysklogd script from LFS-3.1 and earlier.
> > # Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org
> > +#
> > +#############################################################
> > +#
> >
> > . /etc/sysconfig/rc
> > . $rc_functions
> >
> > +DAEMON="/usr/sbin/sslh"
> > +PID="/var/run/sslh.pid"
> > +
> > +# Check external IP address and ports
> > +EXTERNAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)"
> > +
> > +# Investigate OpenVPN port
> > +IPFIREOPENVPN=$(awk '/port/ { print $2 }'
> > /var/ipfire/ovpn/server.conf)
> > +
> > +# Loopback interface
> > +LO="127.0.0.1"
> > +
> > +# Used TCP ports
> > +LISTENPORT="443"
> > +OPENVPNPORT=${IPFIREOPENVPN}
> > +
> > +# Configuration options
> > +DAEMON_OPTS="
> > +--user sslh
> > +--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT}
> > +--openvpn ${LO}:${OPENVPNPORT}
> > +--pidfile ${PID}
> > +-C /var/empty
> > +"
> > +
> > case "$1" in
> > start)
> > boot_mesg "Starting SSLH Deamon..."
> > -
> > - LOCAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)"
> > - if [ -z "${LOCAL_IP_ADDRESS}" ]; then
> > + if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then
> > echo_failure
> > boot_mesg -n "FAILURE:\n\nCould not determine"
> > ${FAILURE}
> > boot_mesg -n " your external IP address."
> > boot_mesg "" ${NORMAL}
> > exit 1
> > fi
> > -
> > - loadproc /usr/sbin/sslh -u nobody \
> > - -p "${LOCAL_IP_ADDRESS}:443" -s localhost:222
> > -l localhost:444
> > + loadproc ${DAEMON} ${DAEMON_OPTS}
> > evaluate_retval
> > ;;
> >
> > stop)
> > boot_mesg "Stopping SSLH Deamon..."
> > - killproc /usr/sbin/sslh
> > + killproc ${DAEMON}
> > + rm -f ${PID}
> > evaluate_retval
> > ;;
> >
> > @@ -38,7 +63,7 @@ case "$1" in
> > ;;
> >
> > status)
> > - statusproc /usr/sbin/sslh
> > + statusproc ${DAEMON}
> > ;;
> >
> > *)
> > diff --git a/src/paks/sslh/install.sh b/src/paks/sslh/install.sh
> > index 626884bdd..410dc9d83 100644
> > --- a/src/paks/sslh/install.sh
> > +++ b/src/paks/sslh/install.sh
> > @@ -23,5 +23,19 @@
> > #
> > . /opt/pakfire/lib/functions.sh
> > extract_files
> > -ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh
> > +
> > +# Add user and group for sslh if not already done
> > +if ! getent group sslh &>/dev/null; then
> > + groupadd -g 131 sslh
> > +fi
> > +
> > +if ! getent passwd sslh; then
> > + useradd -u 123 -g sslh -c "SSLH daemon user" -d /var/empty
> > -s /bin/false sslh
> > +fi
>
> Why are the user and group ID different? Is there a reason why they
> cannot be the same?
>
> > +
> > +# Set symlink for runlevels
> > +ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh
> > +ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh
> > +ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh
> > +
> > start_service --background ${NAME}
> > diff --git a/src/paks/sslh/uninstall.sh
> > b/src/paks/sslh/uninstall.sh
> > index dca34ccbd..4dfa0b274 100644
> > --- a/src/paks/sslh/uninstall.sh
> > +++ b/src/paks/sslh/uninstall.sh
> > @@ -24,4 +24,6 @@
> > . /opt/pakfire/lib/functions.sh
> > stop_service ${NAME}
> > remove_files
> > -rm -f /etc/rc.d/init.d/networking/red.up/50-sslh
> > +
> > +# Delete symlinks in runlevels
> > +rm -f /etc/rc.d/rc?.d/???sslh;
> > --
> > 2.12.2
>
> -Michael
>
@@ -1,2 +1,3 @@
+etc/rc.d/init.d/networking/red.up/25-sslh
etc/rc.d/init.d/sslh
usr/sbin/sslh
new file mode 100644
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Check if SSLH has been enabled in WUI
+if ls /etc/rc.d/rc3.d | grep -q '.*sslh' >/dev/null; then
+ # If SSLH is enabled and running but red0 gets a new IP, restart SSLH
+ if pgrep 'sslh' > /dev/null; then
+ /etc/init.d/sslh restart
+ else
+ # If sslh is not running yet, start it
+ /etc/init.d/sslh start
+ fi
+else
+ # If SSLH has been disabled on boot via services WUI, stop service
+ /etc/init.d/sslh stop
+fi
+
+# EOF
@@ -136,9 +136,6 @@ $(TARGET) :
ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175
ln -sf ../init.d/client175 /etc/rc.d/rc3.d/S66client175
ln -sf ../init.d/client175 /etc/rc.d/rc6.d/K34client175
- ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh
- ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh
- ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh
ln -sf ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin
ln -sf ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin
ln -sf ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -24,7 +24,7 @@
include Config
-VER = 1.7a
+VER = 1.20
THISAPP = sslh-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = sslh
-PAK_VER = 5
+PAK_VER = 6
DEPS = ""
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d
+$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912
install : $(TARGET)
@@ -77,11 +77,13 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) USELIBWRAP=
- cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin
+ cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) USELIBCAP=1 USELIBWRAP=
+ cd $(DIR_APP) && install -v -m 755 sslh-fork /usr/sbin/sslh
- #install initscripts
+ # Install initscripts
$(call INSTALL_INITSCRIPT,sslh)
+ # Install red.up
+ install -v -m 754 -D $(DIR_CONF)/sslh/25-sslh /etc/rc.d/init.d/networking/red.up/25-sslh
@rm -rf $(DIR_APP)
@$(POSTBUILD)
@@ -3,31 +3,56 @@
# Based on sysklogd script from LFS-3.1 and earlier.
# Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org
+#
+#############################################################
+#
. /etc/sysconfig/rc
. $rc_functions
+DAEMON="/usr/sbin/sslh"
+PID="/var/run/sslh.pid"
+
+# Check external IP address and ports
+EXTERNAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)"
+
+# Investigate OpenVPN port
+IPFIREOPENVPN=$(awk '/port/ { print $2 }' /var/ipfire/ovpn/server.conf)
+
+# Loopback interface
+LO="127.0.0.1"
+
+# Used TCP ports
+LISTENPORT="443"
+OPENVPNPORT=${IPFIREOPENVPN}
+
+# Configuration options
+DAEMON_OPTS="
+--user sslh
+--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT}
+--openvpn ${LO}:${OPENVPNPORT}
+--pidfile ${PID}
+-C /var/empty
+"
+
case "$1" in
start)
boot_mesg "Starting SSLH Deamon..."
-
- LOCAL_IP_ADDRESS="$(</var/ipfire/red/local-ipaddress)"
- if [ -z "${LOCAL_IP_ADDRESS}" ]; then
+ if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then
echo_failure
boot_mesg -n "FAILURE:\n\nCould not determine" ${FAILURE}
boot_mesg -n " your external IP address."
boot_mesg "" ${NORMAL}
exit 1
fi
-
- loadproc /usr/sbin/sslh -u nobody \
- -p "${LOCAL_IP_ADDRESS}:443" -s localhost:222 -l localhost:444
+ loadproc ${DAEMON} ${DAEMON_OPTS}
evaluate_retval
;;
stop)
boot_mesg "Stopping SSLH Deamon..."
- killproc /usr/sbin/sslh
+ killproc ${DAEMON}
+ rm -f ${PID}
evaluate_retval
;;
@@ -38,7 +63,7 @@ case "$1" in
;;
status)
- statusproc /usr/sbin/sslh
+ statusproc ${DAEMON}
;;
*)
@@ -23,5 +23,19 @@
#
. /opt/pakfire/lib/functions.sh
extract_files
-ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh
+
+# Add user and group for sslh if not already done
+if ! getent group sslh &>/dev/null; then
+ groupadd -g 131 sslh
+fi
+
+if ! getent passwd sslh; then
+ useradd -u 123 -g sslh -c "SSLH daemon user" -d /var/empty -s /bin/false sslh
+fi
+
+# Set symlink for runlevels
+ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh
+ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh
+ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh
+
start_service --background ${NAME}
@@ -24,4 +24,6 @@
. /opt/pakfire/lib/functions.sh
stop_service ${NAME}
remove_files
-rm -f /etc/rc.d/init.d/networking/red.up/50-sslh
+
+# Delete symlinks in runlevels
+rm -f /etc/rc.d/rc?.d/???sslh;