Docker: Transparent mode not working #394
Comments
In my case the problem seems to be the absence of ipv6 as I only use ipv4. So I need to wait for the merge of #392, I guess. Edit:
But the sslh user (Permission denied) problem still exists. |
you need to add --cap-add CAP_NET_ADMIN to be able to add iptables and routing rules
will likely not work with transparent mode. For the transparent mode to work in docker, sslh must be in the same host as your https service (i.e. reachable by localhost). So either you will need to use --network="container:sslh" for your other container or set --network="host" for sslh |
After some infrastructure changes the following config without And I pulled the new docker image with the changes of #392. (Due to github comment formatting I added ' to the +. When I add the
The new adding Anyway, when I comment the ipv6 lines out and restart the container, the logs reporting this:
Both tls and ssh are not functional. Log says:
Is this possible what I am trying to achive? I found this in the documentations (I have overlooked that so far):
|
This indicates that the old rules were not properly removed, which would also mean that the other iptables rules are not removed properly as well. So most likely, the old rules caused the kernel to not mark the packets properly due to this rule:
and resulted in the 'tls: lost incoming connection ' as each time docker restarts it will give a different uid for each internal user in the container. That is what I think is happening. Can you also check if your sysctls are set:
This is working as expected. It just checks if your system (or docker container) has ipv6 enabled. The error "modprobe: can't change directory to '/lib/modules': No such file or directory" is occurring due to missing kernel modules in the container. I haven't really looked into it yet. But if you're not using ipv6 it shouldn't affect things too much. edit: it probably requires ipv6 to be enabled in docker. https://docs.docker.com/config/daemon/ipv6/ for it to automatically set ip6tables rules on the host.
I think so. But if you're using docker the rules should be automatically set and will more or less just work. (If you're using host mode you need to set the sysctl manually) |
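The two prerequisites this thread keeps returning to are the container's capabilities (the `--cap-add CAP_NET_ADMIN` fix above) and the `route_localnet` sysctls. The following pre-flight check is an added example for this issue, not code from the sslh project or its Docker image: it reads the effective capability mask from `/proc/<pid>/status` and the two `route_localnet` keys, and reports what is missing before sslh is started. The function names and the sample `CapEff` values and sysctl dictionaries are the example's own constructed inputs; the live check at the bottom only does anything on a Linux host with procfs.

```python
"""Pre-flight check for sslh transparent mode inside a container.

Added example for this thread, not sslh project code. It checks, before the
entrypoint drops privileges, that:
  * the effective capability set holds CAP_NET_ADMIN and CAP_NET_RAW, which
    the iptables / ip rule setup needs;
  * net.ipv4.conf.{all,default}.route_localnet is 1, so traffic sent to the
    "local" route in table 100 can reach services bound on localhost.
All names are the example's own; sample inputs are constructed.
"""
import re

# Capability bit numbers from <linux/capability.h>.
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13
REQUIRED_CAPS = {"CAP_NET_ADMIN": CAP_NET_ADMIN, "CAP_NET_RAW": CAP_NET_RAW}
REQUIRED_SYSCTLS = (
    "net.ipv4.conf.all.route_localnet",
    "net.ipv4.conf.default.route_localnet",
)


def parse_cap_eff(status_text: str) -> int:
    """Extract the CapEff hex mask from the text of /proc/<pid>/status."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if match is None:
        raise ValueError("no CapEff line in status text")
    return int(match.group(1), 16)


def missing_caps(status_text: str) -> list:
    """Names of required capabilities absent from the effective set."""
    mask = parse_cap_eff(status_text)
    return [name for name, bit in REQUIRED_CAPS.items() if not (mask >> bit) & 1]


def missing_sysctls(values: dict) -> list:
    """Required route_localnet keys whose value is not '1'."""
    return [key for key in REQUIRED_SYSCTLS if values.get(key, "0").strip() != "1"]


def read_live_sysctls(root: str = "/proc/sys") -> dict:
    """Read the required keys from procfs; unreadable keys count as '0'."""
    values = {}
    for key in REQUIRED_SYSCTLS:
        path = root + "/" + key.replace(".", "/")
        try:
            with open(path) as fh:
                values[key] = fh.read()
        except OSError:
            values[key] = "0"
    return values


def preflight(status_text: str, sysctl_values: dict) -> list:
    """Return human-readable problems; an empty list means ready to start."""
    problems = []
    for cap in missing_caps(status_text):
        problems.append(f"missing {cap}: add --cap-add {cap} (cap_add in compose)")
    for key in missing_sysctls(sysctl_values):
        problems.append(f"{key} is not 1: run sysctl -w {key}=1 on the host")
    return problems


# Constructed sample: Docker's default capability set, which contains
# CAP_NET_RAW (bit 13) but not CAP_NET_ADMIN (bit 12).
SAMPLE_STATUS_DEFAULT = "Name:\tsslh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
# The same set after --cap-add NET_ADMIN (bit 12 set).
SAMPLE_STATUS_NET_ADMIN = SAMPLE_STATUS_DEFAULT.replace("a80425fb", "a80435fb")
SAMPLE_SYSCTLS_OFF = {key: "0\n" for key in REQUIRED_SYSCTLS}
SAMPLE_SYSCTLS_ON = {key: "1\n" for key in REQUIRED_SYSCTLS}

if __name__ == "__main__":
    for problem in preflight(SAMPLE_STATUS_DEFAULT, SAMPLE_SYSCTLS_OFF):
        print("sample NOT READY:", problem)
    try:
        with open("/proc/self/status") as fh:
            print("live check:", preflight(fh.read(), read_live_sysctls()) or "ready")
    except OSError:
        print("live check skipped (no procfs)")
```

Run it as root inside the container (for example from a wrapper around the entrypoint, before privileges are dropped to the sslh user, whose effective set is empty): with `network_mode: host` the sysctl values it reads are the host's, which is where the thread says they have to be set.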
I tried something similar. This is my logs and config:

```text
system-sslh | --transparent flag is set
system-sslh | Configuring iptables and routing...
system-sslh | + iptables -t raw -A PREROUTING '!' -i lo -d 127.0.0.0/8 -j DROP
system-sslh | + iptables -t mangle -A POSTROUTING '!' -o lo -s 127.0.0.0/8 -j DROP
system-sslh | + iptables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
system-sslh | + iptables -t mangle -A OUTPUT '!' -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
system-sslh | + ip rule add fwmark 0x1 lookup 100
system-sslh | + ip route add local 0.0.0.0/0 dev lo table 100
system-sslh | + cat /proc/sys/net/ipv6/conf/all/disable_ipv6
system-sslh | + '[' 0 -eq 0 ]
system-sslh | + ip6tables -t raw -A PREROUTING '!' -i lo -d ::1/128 -j DROP
system-sslh | modprobe: can't change directory to '/lib/modules': No such file or directory
system-sslh | ip6tables v1.8.9 (legacy): can't initialize ip6tables table `raw': Table does not exist (do you need to insmod?)
system-sslh | Perhaps ip6tables or your kernel needs to be upgraded.
system-sslh | + ip6tables -t mangle -A POSTROUTING '!' -o lo -s ::1/128 -j DROP
system-sslh | modprobe: can't change directory to '/lib/modules': No such file or directory
system-sslh | ip6tables v1.8.9 (legacy): can't initialize ip6tables table `mangle': Table does not exist (do you need to insmod?)
system-sslh | Perhaps ip6tables or your kernel needs to be upgraded.
system-sslh | + ip6tables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
system-sslh | modprobe: can't change directory to '/lib/modules': No such file or directory
system-sslh | modprobe: can't change directory to '/lib/modules': No such file or directory
system-sslh | modprobe: can't change directory to '/lib/modules': No such file or directory
system-sslh | modprobe: can't change directory to '/lib/modules': No such file or directory
system-sslh | modprobe: can't change directory to '/lib/modules': No such file or directory
system-sslh | modprobe: can't change directory to '/lib/modules': No such file or directory
system-sslh | ip6tables v1.8.9 (legacy): unknown option "--set-xmark"
system-sslh | Try `ip6tables -h' or 'ip6tables --help' for more information.
system-sslh | + ip6tables -t mangle -A OUTPUT '!' -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
system-sslh | modprobe: can't change directory to '/lib/modules': No such file or directory
system-sslh | modprobe: can't change directory to '/lib/modules': No such file or directory
system-sslh | modprobe: can't change directory to '/lib/modules': No such file or directory
system-sslh | modprobe: can't change directory to '/lib/modules': No such file or directory
system-sslh | modprobe: can't change directory to '/lib/modules': No such file or directory
system-sslh | modprobe: can't change directory to '/lib/modules': No such file or directory
system-sslh | ip6tables v1.8.9 (legacy): can't initialize ip6tables table `mangle': Table does not exist (do you need to insmod?)
system-sslh | Perhaps ip6tables or your kernel needs to be upgraded.
system-sslh | + ip -6 rule add fwmark 0x1 lookup 100
system-sslh | + ip -6 route add local ::/0 dev lo table 100
system-sslh | + set -e
system-sslh | + set +x
system-sslh | Executing with user 'sslh': sslh --transparent --config=/config/sslh.conf
system-sslh | tls:connection from 192.168.0.170:60300 to server.local:8443 forwarded from 192.168.0.170:60300 to localhost:https
system-sslh | ssh:connection from 192.168.0.170:49254 to server.local:8443 forwarded from 192.168.0.170:49254 to localhost:ssh
system-sslh | tls:connection from 192.168.0.170:49256 to server.local:8443 forwarded from 192.168.0.170:49256 to localhost:https
system-sslh | tls:connection from 192.168.0.170:43038 to server.local:8443 forwarded from 192.168.0.170:43038 to localhost:https
system-sslh | tls:connection from 192.168.0.169:43128 to server.local:8443 forwarded from 192.168.0.169:43128 to localhost:https
system-sslh | tls:connection from 192.168.0.169:43144 to server.local:8443 forwarded from 192.168.0.169:43144 to localhost:https
system-sslh | tls:connection from 192.168.0.169:43148 to server.local:8443 forwarded from 192.168.0.169:43148 to localhost:https
system-sslh | tls:connection from 192.168.0.169:43168 to server.local:8443 forwarded from 192.168.0.169:43168 to localhost:https
system-sslh | ssh:connection from 192.168.0.170:34102 to server.local:8443 forwarded from 192.168.0.170:34102 to localhost:ssh
```

Docker compose config:

```yaml
sslh:
  build: https://github.com/klementng/sslh.git#docker/transparent-patch
  container_name: system-sslh
  environment:
    - TZ=${TZ}
  cap_add:
    - NET_ADMIN
    - NET_RAW
  # sysctls:
  #   - net.ipv4.conf.default.route_localnet=1
  #   - net.ipv4.conf.all.route_localnet=1
  volumes:
    - ./sslh:/config
    # - /lib/modules:/lib/modules
  command:
    - '--transparent'
    # - '--foreground'
    # - '--listen=0.0.0.0:8443'
    # - '--openvpn=localhost:1194'
    # - '--http=localhost:80'
    # - '--tls=localhost:443'
    # - '--ssh=localhost:22'
    # - '--verbose-probe-info=7'
    # - '--verbose-probe-error=7'
    - '--config=/config/sslh.conf'
  # networks:
  #   default:
  #     ipv4_address: 172.20.0.50
  network_mode: host
  # ports:
  #   - 0.0.0.0:443:8443 #sslh
  #   - 0.0.0.0:80:80 #nginx http
  restart: unless-stopped
```

sslh config file:

```
foreground: true;
transparent: true;
timeout: 3;

# Logging configuration
# Value: 1: stdout; 2: syslog; 3: stdout+syslog; 4: logfile; ...; 7: all
verbose-config: 0; # print configuration at startup
verbose-config-error: 7; # print configuration errors
verbose-connections: 7; # trace established incoming address to forward address
verbose-connections-error: 7; # connection errors
verbose-connections-try: 0; # connection attempts towards targets
verbose-fd: 0; # file descriptor activity, open/close/whatnot
verbose-packets: 0; # hexdump packets on which probing is done
verbose-probe-info: 0; # what's happening during the probe process
verbose-probe-error: 0; # failures and problems during probing
verbose-system-error: 0; # system call problem, i.e. malloc, fork, failing
verbose-int-error: 0; # internal errors, the kind that should never happen

#logfile: "/config/sslh.log"
logfile: "/dev/null";

listen:
(
    { host: "0.0.0.0"; port: "8443"; },
#   { host: "0.0.0.0"; port: "443"; is_udp: true; },
);

protocols:
(
    { name: "tls"; host: "localhost"; port: "443";},
    { name: "openvpn"; host: "localhost"; port: "1194";},
    { name: "ssh"; host: "localhost"; port: "22"; keepalive: true;},
    { name: "anyprot"; host: "localhost"; port: "443";},
#   { name: "wireguard"; host: "localbox"; port: "51820"; is_udp: true; transparent:false; fork: false},
#   { name: "anyprot"; host: "localbox"; port: "51820"; is_udp: true; transparent:false; keepalive: true},
);

on-timeout: "tls";
```
|
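The log above shows the rule the entrypoint installs for the sslh user (`iptables -t nat -A OUTPUT -m owner --uid-owner sslh ... -j CONNMARK --set-xmark 0x01/0x0f`), and an earlier comment in this thread suggests that rules from a previous run may survive a container restart while the uid behind the name `sslh` changes, so the surviving rule marks nothing. The script below is an added example for this issue, not sslh project code: it parses the output of `iptables -t nat -S OUTPUT`, lists every such owner/CONNMARK rule with its uid, flags the ones whose uid is not the uid sslh currently runs as, and builds the matching `-D` commands for review. The function names and the sample listing are the example's own; the listing is constructed to look like `iptables -S` output, which prints the uid numerically.

```python
"""Find stale sslh CONNMARK rules left over from a previous container run.

Added example for this thread, not sslh project code. The entrypoint adds
  iptables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp \
      --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
If a rule from an earlier run survives and the sslh uid changed in between
(as suggested in the thread), `iptables -t nat -S OUTPUT` shows more than one
such rule and only one of them matches the running user. All names are the
example's own; the sample listing is constructed.
"""
import re

UID_RE = re.compile(r"--uid-owner\s+(\S+)")


def is_sslh_mark_rule(line: str) -> bool:
    """An OUTPUT append with an owner match and a CONNMARK set-xmark target."""
    return (
        line.startswith("-A OUTPUT ")
        and "-m owner" in line
        and "--uid-owner" in line
        and "-j CONNMARK" in line
        and "--set-xmark" in line
    )


def mark_rules(listing: str) -> list:
    """Return (uid, rule_line) for every sslh-style mark rule in the listing."""
    found = []
    for raw in listing.splitlines():
        line = raw.strip()
        if is_sslh_mark_rule(line):
            found.append((UID_RE.search(line).group(1), line))
    return found


def stale_rules(listing: str, current_uid) -> list:
    """Mark rules whose uid is not the uid sslh currently runs as."""
    current = str(current_uid)
    return [(uid, line) for uid, line in mark_rules(listing) if uid != current]


def cleanup_commands(listing: str, current_uid) -> list:
    """Turn each stale '-A' rule into the exact '-D' command that removes it."""
    return ["iptables -t nat -D" + line[2:] for _, line in stale_rules(listing, current_uid)]


def current_uid_of(name: str = "sslh"):
    """Resolve a user name to its uid on this system, or None if unknown."""
    try:
        import pwd
        return pwd.getpwnam(name).pw_uid
    except (ImportError, KeyError):
        return None


# Constructed sample: two runs left two rules; only uid 101 is the live sslh.
SAMPLE_LISTING = """\
-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 100 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x1/0xf
-A OUTPUT -p tcp -m owner --uid-owner 101 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x1/0xf
-A OUTPUT -d 172.17.0.0/16 -j RETURN
"""

if __name__ == "__main__":
    live_uid = current_uid_of("sslh")
    uid = live_uid if live_uid is not None else 101  # fall back to the sample uid
    for found_uid, rule in mark_rules(SAMPLE_LISTING):
        print(f"uid {found_uid}: {rule}")
    for cmd in cleanup_commands(SAMPLE_LISTING, uid):
        print("stale rule, remove with:", cmd)
```

On a real host, feed it `iptables -t nat -S OUTPUT` output captured inside the same network namespace the rules were installed in (the host namespace for `network_mode: host`), and review the generated `-D` lines before running them; a rule for the right uid that is merely duplicated will not be reported, since its uid still matches.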
Hmm still no luck I'm afraid. What I did: Then I added (After container creation and before first start I commented the ipv6 blocks out, just in case)
sslh.conf
Log keeps telling me:
When using Is there anything I can do to help investigate this further? |
You need to run on your host:

```sh
sysctl -w net.ipv4.conf.default.route_localnet=1
sysctl -w net.ipv4.conf.all.route_localnet=1
```
My last guess on what the issue may be is:
Otherwise you can try using the examples I gave in #390, using the sslh container as the main networking container (i.e. setting --network="container:sslh" for your other docker containers) |
This did the trick! 👍 What I've got now for (future) reference: On docker host executed:
Running as docker container:
sslh:
sslh.conf
swag:
openssh:
Conclusion: Do I now have to worry about any safety issues due to all involved containers are running with Btw: The documentation Transparent proxy mentions that
Am I not doing this? (Well, with having sslh running in docker, too.) Maybe our findings can help other users with their setup for this particular use case? |
You don't have to run all the involved container with --net=host. Only sslh needs it. You could just expose the port for the other container using docker port mapping/binding.
You could by using the other method of achieving transparent mode which should be more secure, but I don't think security should be too much of an issue. Using --net=host is more or less the same as installing sslh directly on the system (with some additional docker isolation). |
Hello,
I am using docker for running sslh. This works without problems.
Working config:

```sh
sudo docker create --name=sslh -p 192.168.178.56:443:443 -e TZ=Europe/Berlin --restart=unless-stopped ghcr.io/yrutschle/sslh:master --foreground --listen=0.0.0.0:443 --tls=192.168.178.56:9443 --ssh 192.168.178.55:22
sudo docker container start sslh
```
Now I want to extend my config and use the transparent mode (as I understand it from the documentation):
```sh
sudo docker create --name=sslh --cap-add CAP_NET_RAW -p 192.168.178.56:443:443 -e TZ=Europe/Berlin --restart=unless-stopped ghcr.io/yrutschle/sslh:master --foreground --transparent --listen=0.0.0.0:443 --tls=192.168.178.56:9443 --ssh 192.168.178.55:22
sudo docker container start sslh
```
But this is not working. When I check the logs with

```sh
sudo docker logs sslh
```

I got the following output:

I played a little bit with the init script. My guess is, when executing the container-entrypoint.sh the first time with root, everything is fine. In the second iteration when dropping privileges the sslh user is not allowed to do this.

```sh
# Drop privileges and run as sslh user
sslh_cmd="${entrypoint:+${bin}} ${@}"
echo "Executing with user 'sslh': ${sslh_cmd}"
```
Does anybody have an idea what could possibly go wrong here?