Run SSH and HTTPS On The Same Port

I recently saw this SSH/HTTP(S) multiplexer on Github and tweeted that it looked amazing:

A couple of people responded that you should be able to do the samething with HAProxy or something similar but my experience with HAProxy has been that is temperamental so I didn’t want to mess with it.  After some more research I found a tool called SSLH that did what I wanted so I built a demo site at  sshttps.jgamblin.com that is running SSH and HTTPS on port 443.

How To Build It Yourself:

To demo this I used a $5 Ubuntu AWS lightsail instance with a valid DNS record (sshttps.jgamblin.com)

Base Out The System:

These commands will update the system, install SSLH and Apache, and install a valid TLS certificate from LetsEncrypt:

sudo apt update && sudo apt upgrade
sudo apt install sslh build-essential apache2
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto

Configure SSHL:

You need to edit the config so that <ETH0 IP> is the local (not public) IP:

sudo nano /etc/default/sslh
DAEMON_OPTS="--user sslh --listen <ETH0 IP>:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"

Configure Apache:

You just need to change Listen *:443 to Listen 127.0.0.1:443

sudo nano /etc/apache2/ports.conf   
<IfModule ssl_module>
        Listen 127.0.0.1:443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 127.0.0.1:443
</IfModule>

Reboot and Enjoy:

You can probably restart services but a  sudo reboot works here and you are good to go.  If you visit with a web browser you get the page:

…*but* you can now ssh into the box on port 443 using ssh ubuntu@sshttps.jgamblin.com -p 443

Closing Thoughts:

NMap only knows it is SSH if you use -sV:
I am looking forward to using this method in the future to stack services.  Let me know on twitter @jgamblin if you have any thoughts.

Site Footer