Difference between Caddy-l4 and SSLH?

Hello,

In the past I have used sslh as a reverse proxy to access servers in my LAN from a single port exposed to the www.

I have just discovered Caddy and the Caddy-l4 app. I see some are using Caddy behind SSLH.

Does the Caddy-l4 app do all the same things SSLH does? What are the differences between the two? Why would you use one over the other?

Cheers,

Flex

Welcome! Good question; looks like SSLH is written in C, so it’s not memory-safe and could be subject to any of the critical memory vulnerabilities that plague C programs. Probably not something you want on your edge or handling security protocols like TLS or SSH.

I think one of the main differences is that Caddy-L4 is able to do advanced custom manipulation of streams, whereas SSLH looks like it is simply a multiplexer.

For example, Caddy-L4 can unwrap an inner TLS or SSH connection from within TLS; I don’t know if SSLH can do that. L4 also has advanced matching capabilities, being able to decode HTTP and TLS completely to make advanced routing decisions. L4’s matchers are composable, not merely a switch based on protocol properties.

But, I haven’t used SSLH and this is just from a quick glance at its README. So maybe someone who has used it can chime in.

3 Likes

Thanks Matt. I’m looking forward to trying this out.

With SSLH, such is my understanding, to en/decapsulate a stream with TLS you would use an additional tool like stunnel, and to issue an HTTP CONNECT you could use proxytunnel.

SSLH has various ways of behaving like a transparent proxy, such as manipulating the underlying firewall/iptables rules on Linux hosts, so servers behind it can see the original client IP address and not just the IP of the host SSLH is running on. From what I can see, Caddy-L4 can also do this, but in some other way, which is cool.

If anyone has other examples of differences between L4 and SSLH, please include them. Newcomers might find that helpful.

Cheers,

Flex

1 Like
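As an added example (not from the original thread and not taken from the caddy-l4 project's own docs), here is a caddy-l4 JSON config that does the classic SSLH job the two posts above describe: listen on a single port, send SSH to sshd, send TLS to a backend chosen by SNI, and fall back to a catch-all upstream. Instead of iptables tricks, the original client address is passed to the TLS backend with the PROXY protocol. The listen address, hostnames, upstream ports and the assumption that the backend understands PROXY protocol v2 are mine.

```json
{
  "apps": {
    "layer4": {
      "servers": {
        "mux": {
          "listen": [":443"],
          "routes": [
            {
              "match": [
                { "ssh": {} }
              ],
              "handle": [
                {
                  "handler": "proxy",
                  "upstreams": [
                    { "dial": ["127.0.0.1:22"] }
                  ]
                }
              ]
            },
            {
              "match": [
                { "tls": { "sni": ["example.com", "www.example.com"] } }
              ],
              "handle": [
                {
                  "handler": "proxy",
                  "proxy_protocol": "v2",
                  "upstreams": [
                    { "dial": ["10.0.0.10:8443"] }
                  ]
                }
              ]
            },
            {
              "handle": [
                {
                  "handler": "proxy",
                  "upstreams": [
                    { "dial": ["10.0.0.20:8080"] }
                  ]
                }
              ]
            }
          ]
        }
      }
    }
  }
}
```

Each entry in a `match` list is a matcher set: every matcher inside one object must match, and the objects are tried as alternatives, which is the composability Matt mentions. The `ssh` matcher only looks at the client's banner, and the `tls` matcher parses the ClientHello without terminating TLS, so the SNI route forwards the still-encrypted stream. The `proxy_protocol` setting on the second route prepends a PROXY v2 header carrying the original client IP and port; the upstream (HAProxy, nginx, or another Caddy listener configured to accept PROXY protocol) must be set up to expect it, or it will see garbage at the start of the connection. The last route has no `match`, so it catches whatever the earlier routes did not claim.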

4 posts were split to a new topic: SSH Multiplexing with layer-4