For those that don’t know, sslh is a TCP port multiplexer. This basically means that you can serve both https and ssh traffic from the same port. It’s most useful for circumventing corporate firewalls that block TCP port 22 (i.e. ssh) but allow TCP port 443 (i.e. https), by serving both on TCP port 443.

In the default configuration, however, all connections that go through sslh look to apache as if they came from localhost. This isn’t ideal if you want to run something like fail2ban to block malicious ssh login attempts. sslh does have an option to do “transparent” proxying so that apache thinks that the connections have come from the right place. In this post, I’ll describe how I set this up on my machine.
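
To see why the localhost source address matters for fail2ban, here is an added example (not from the original post, and not fail2ban's own code) that applies a per-address failed-login threshold to constructed sshd log lines, once as they look behind default sslh and once with transparent proxying. The threshold of 3, the loopback exemption, the hostnames and the documentation-range addresses are all assumptions made for the illustration.

```python
import re
from collections import Counter

# Standard sshd failed-login message; the client address follows "from".
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

LOOPBACK = frozenset({"127.0.0.1", "::1"})  # assumed exempt from bans


def ban_candidates(log_lines, maxretry=3, ignore=LOOPBACK):
    """Addresses with at least `maxretry` failed logins, minus exempt ones."""
    failures = Counter()
    for line in log_lines:
        match = FAILED.search(line)
        if match:
            failures[match.group(1)] += 1
    return sorted(ip for ip, n in failures.items()
                  if n >= maxretry and ip not in ignore)


def sshd_log(attempts, transparent):
    """Build constructed auth.log lines for (client_ip, user) attempts.

    Without transparent proxying sshd only ever sees sslh's loopback address.
    """
    lines = []
    for i, (client_ip, user) in enumerate(attempts):
        seen = client_ip if transparent else "127.0.0.1"
        lines.append(f"Jan 10 03:14:{i:02d} host sshd[4242]: Failed password "
                     f"for invalid user {user} from {seen} port {40000 + i} ssh2")
    return lines


# Constructed sample: one address guessing passwords, one user with a typo.
ATTEMPTS = [("203.0.113.7", u) for u in ("root", "admin", "test", "oracle")]
ATTEMPTS.append(("198.51.100.20", "alice"))

if __name__ == "__main__":
    for mode in (False, True):
        log = sshd_log(ATTEMPTS, transparent=mode)
        print("transparent" if mode else "default    ", ban_candidates(log))
```

With the loopback exemption removed, the default-mode log would instead single out 127.0.0.1, and banning that address would cut off every ssh client that arrives through sslh.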