Difference between Caddy-l4 and SSLH?

FlexMcMurphy · August 28, 2024, 11:17am

Hello,

In the past I have used sslh as a reverse proxy to access servers in my LAN from a single port exposed to the www.

I have just discovered Caddy and the Caddy-l4 app. I see some are using Caddy behind SSLH.

Does the Caddy-l4 app do all the same things SSLH does? What are the differences between the two? Why would you use one over the other?

Cheers,

Flex

matt · August 28, 2024, 5:32pm

Welcome! Good question; looks like SSLH is written in C, so it’s not memory-safe and could be subject to any of the critical memory vulnerabilities that plague C programs. Probably not something you want on your edge or handling security protocols like TLS or SSH.

I think one of the main differences is that Caddy-L4 is able to do advanced custom manipulation of streams, whereas SSLH looks like it is simply a multiplexer.

For example, Caddy-L4 can unwrap an inner TLS or SSH connection from within TLS, I don’t know if SSLH can do that. L4 also has advanced matching capabilities, being able to decode HTTP and TLS completely to make advanced routing decisions. L4’s matchers are composable, not merely a switch based on protocol properties.

But, I haven’t used SSLH and this is just from a quick glance at its README. So maybe someone who has used it can chime in.

FlexMcMurphy · August 28, 2024, 8:44pm

Thanks Matt. I’m looking forward to trying this out.

With SSLH, such is my understanding, to en/decapsulate a stream with tls you would use an additional tool like stunnel and to issue http connect you could use proxytunnel.

SSLH has various ways of behaving like a transparent proxy such as manipulating underlying firewall/iptables rules on Linux hosts so servers behind it can see the original client IP address and not just the IP of the host SSLH is running on. From what I can see Caddy-L4 can also do this but in some other way which is cool.

If anyone has other examples of differences between L4 and SSLH please include? New comers might find that helpful.

Cheers,

Flex

Rudiger_Schernthaner · September 24, 2024, 12:35pm

Hello,

I switched from nginx to caddy and the experience is great, much easier to setup.
However, I am still using sslh for multiplexing ssh and https on port 443.
From time to time sslh fails and I need to restart the service because otherwise all my web services are offline.
So I would like to move this multiplexing task to caddy (with the caddy-l4 plugin) as well.
But I don’t know how to write the correct caddyfile.
I found a caddyfile sample for multiplexing http and tls, how would i have to change this to multiplex ssh and https?
Thanks for your help!
Ruediger
P.S. The backend servers should receive the source IP so that fail2ban and similar stuff can still work.

{
layer4 {
127.0.0.1:5000 {
@insecure http
route @insecure {
proxy localhost:80
}
@secure tls
route @secure {
proxy localhost:443
}
}
}
}

Monviech · September 24, 2024, 4:59pm

This is what I use to multiplex ssh and the normal TLS terminated sites on the same port 443. SSH is restricted to internal IPs for me, otherwise the subroute can be deleted completely.

# Global Options
{
	servers {
		listener_wrappers {
			layer4 {
				@ssh_layer4 ssh
				route @ssh_layer4 {
					subroute {
						@allowed_ips remote_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
						route @allowed_ips {
							proxy 10.0.0.10:22 {
							}
						}
					}
				}
				route
			}
			tls
		}
	}
}

#Site Block
site1.example.com {
        reverse_proxy 192.168.1.1
}

Using Layer4 in the listener_wrapper makes it match before the http app and that enables (TCP) protocols on the HTTP and HTTPS ports to match and get routed someplace else. Then the route and tls statement sends it to the site blocks where the TLS terminated handling can begin.

Edit: For source IP you have to add the proxy protocol. It can be added to the layer4 too (check the docs). Never used it so I dont know how it works.

Rudiger_Schernthaner · September 26, 2024, 9:03am

Thank you so much for your help!
I’ve integrated your code into my Caddyfile (and removed the subroute) and now I can use SSH and TLS on port 443 with caddy only, sslh is gone
This is really impressive, before Caddy had to listen on 8443 , because sslh was sitting on 443, but not its only caddy directly on 443 and taking care of redirecting ssh to the internal port of the ssh server!
I really hope that the official caddy docker will integrate l4 soon, currently I am using https://hub.docker.com/r/cybergeek369/caddy-l4

Thanks a lot for caddy!
Ruediger
P.S. The backend servers receive the source IP without adding some proxy_procotol config into the caddyfile, seems to be done all automatically. AMAZING!