My problem is in config.json of the Windows 10 machine: a config that tunnels the received SSH traffic on port 22000 over TLS and sends it to 192.168.1.11:443.
Upon trying to SSH with ssh -p 22000 root@localhost, I’m getting this complaint on the Ubuntu side:
2023/06/03 19:31:07.802 ERROR layer4 handling connection {"remote": "192.168.1.5:1819", "error": "tls: first record does not look like a TLS handshake"}
I think it’s obvious that the SSH traffic is not TLS encrypted but is rather passed through without any change.
Are you just using ssh -p 22000 root@localhost to ssh to remote host? You’ll also need to use ProxyCommand to tunnel ssh over tls. It can be specified in .ssh/config or command line arguments. Look here for examples.
Also, you should put tls and proxy in your config like this.
My aim is to use caddy-l4 to encrypt the incoming SSH traffic to TLS and then send it to remote machine (where the opposite will happen); I did this scenario with Stunnel without the need for any other application in between.
Using ProxyCommand /usr/local/bin/socat - OPENSSL:localhost:22000,verify=0 in ~/.ssh/config is relegating the tunneling of SSH over TLS to another application (but I’m trying to use caddy-l4 for that).
The problem now is this:
Can caddy-l4 wrap SSH traffic in TLS? If yes, what should I put in my JSON config file to do that?
Oh, you mean ssh to caddy-l4 like any other ssh server, then caddy-l4 encrypts this ssh connection with tls and forwards it to another server which can decrypt this tls connection and handle the underlying ssh? Currently caddy-l4 doesn’t support this use case.
Yes, it can. The link shared by @WeidiDeng shows multiple working configs. The handler chain in the layer4 app should start with a tls handler, followed by a proxy to your ssh backend server. Here’s a reproduced working config with automatic TLS:
The logic for the handler chain is:
First terminate TLS, then proxy the enveloped bytes to the backend, which may be SSH or HTTP. The point is TLS is only a wrapper around those bytes.
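The server-side chain described above (tls handler first, then proxy to sshd), written out as an added example; this is not the config posted in the thread, which is not reproduced on this page. It assumes the Ubuntu box is 192.168.1.11, that caddy-l4 listens on :443, that sshd is on localhost:22, and that a certificate for the IP 192.168.1.11 is issued by Caddy's internal CA (the "internal" issuer) so that the client side can pin that CA's root:

```json
{
  "apps": {
    "tls": {
      "automation": {
        "policies": [
          {
            "subjects": ["192.168.1.11"],
            "issuers": [{"module": "internal"}]
          }
        ]
      }
    },
    "layer4": {
      "servers": {
        "ssh_over_tls": {
          "listen": [":443"],
          "routes": [
            {
              "handle": [
                {"handler": "tls"},
                {
                  "handler": "proxy",
                  "upstreams": [{"dial": ["localhost:22"]}]
                }
              ]
            }
          ]
        }
      }
    }
  }
}
```

The server name "ssh_over_tls" and the IP/port values are assumptions for the example. The tls handler terminates TLS using the certificate the tls app manages for the listed subject, and only the decrypted bytes reach the proxy handler, which is why a plain (non-TLS) SSH client connecting straight to :443 produces the "first record does not look like a TLS handshake" error quoted earlier in the thread.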
Once again, I’m not talking about terminating TLS, I need TLS encapsulation.
Your config is for the server side (in my case, Ubuntu). As I stated in my original post, I have no issue in terminating TLS and proxying it to SSH server on port 22 (check the first config).
The problem is in the client side (in my case, Windows 10); SSH traffic is coming on port 22000; how do I encapsulate it into TLS and then proxy it to 192.168.1.11:443?
You should be able to proxy the incoming SSH to a TLS endpoint. I’m mobile right now but you can enable TLS on the proxy config, I think. If not, it’s a good feature request.
Sorry, I misunderstood. You can do that as well, but you’ll have to run an instance of caddy-l4 on the Windows machine as a proxy server to your upstream. Here’s a working config:
Yeah, sorry. The L4 docs really need expansion. It was just kind of an experiment at first, but it’s really starting to prove itself, so it’s probably time to flesh out the rest of the docs.
Did you install the upstream’s root cert on your front machine? You’ll need to do that. Caddy generates a CA when using internal that it uses to sign certs, and the connecting Caddy instance needs to trust the cert being served by the upstream, and the easiest way to establish trust is to install the upstream’s root cert on the client.
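The client-side (Windows 10) config for the "proxy with TLS to the upstream" approach, including the trust step from the reply above, as an added example that is not the config posted in the thread. It assumes caddy-l4 on Windows listens only on 127.0.0.1:22000 (so only local SSH clients can reach the plaintext side), dials 192.168.1.11:443, and trusts the upstream Caddy's internal root certificate, which has been copied to the assumed path C:\caddy\upstream-root.crt:

```json
{
  "apps": {
    "layer4": {
      "servers": {
        "ssh_to_tls": {
          "listen": ["127.0.0.1:22000"],
          "routes": [
            {
              "handle": [
                {
                  "handler": "proxy",
                  "upstreams": [
                    {
                      "dial": ["192.168.1.11:443"],
                      "tls": {
                        "root_ca_pem_files": ["C:\\caddy\\upstream-root.crt"]
                      }
                    }
                  ]
                }
              ]
            }
          ]
        }
      }
    }
  }
}
```

The "tls" object on the upstream is what makes the proxy handler perform a TLS handshake before relaying the SSH bytes; without it the SSH banner goes out in clear and the server logs exactly the error from the first post. Pinning the upstream's root via root_ca_pem_files is preferable to disabling verification: with the default internal CA, the root to copy lives on the Ubuntu side at ~/.local/share/caddy/pki/authorities/local/root.crt (Caddy's default data directory). Because the certificate is issued for the IP 192.168.1.11 and the dial target is that same IP, the client verifies the IP SAN without needing a server_name override.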