(please discard the earlier misfire, I was trying to wrap the log-lines) I have an openvpn server on stretch (with some backports stuff) in combination with sslh so that I can multiplex https and openvpn on port 443. This is needed so clients can get through a firewall.
Simplistic setup of sslh & openvpn means that openvpn and apache see all connects as coming from localhost, so I wanted to enable tcp-wrappers with geoip, but I can not get it to work. When I enable hosts.{allow,deny} I have, starting with the symptoms and working down to my config:

- firefox showing connection failed to https://

- log showing:

Sep 10 15:38:10 garbo sslh[10550]: sslh-fork 1.18-1 started
Sep 10 15:38:30 garbo geofilter: [10555] Mon, 10 Sep 2018 15:38:30 +0200 uid:115 /usr/local/sbin/https-geofilter 192.168.2.201
Sep 10 15:38:30 garbo geofilter: [10555] allow: ALLOW connection from 192.168.2.201 (IP Address not found)
Sep 10 16:14:17 garbo geofilter: [16004] Mon, 10 Sep 2018 16:14:17 +0200 uid:115 /usr/local/sbin/https-geofilter 192.168.2.201
Sep 10 16:14:17 garbo geofilter: [16004] allow: ALLOW connection from 192.168.2.201 (IP Address not found)
Sep 10 16:14:17 garbo sslh[10550]: warning: /etc/hosts.allow, line 5: process 16003 exited with signal 126
Sep 10 16:14:17 garbo sslh[10550]: aclexec returned 1
Sep 10 16:14:17 garbo sslh[10550]: connection from gt.alstadheim.priv.no.2.168.192.in-addr.arpa(192.168.2.201): access denied

- Standard output where sslh is launched showing:

/etc/init.d/sslh restart
Restarting ssl/ssh multiplexer: sslh
tls addr: localhost:https. libwrap service: https log_level: 5 family 2 2 []
openvpn addr: localhost:5555. libwrap service: openvpn log_level: 5 family 2 2 []
listening on:
        garbo.alstadheim.priv.no:https []
        148-252-110.153.3p.ntebredband.no:https []
timeout: 3
on-timeout: openvpn
listening to 2 addresses
.
turning into sslh
capabilities: =
accepted fd 6
**** writing deferred on fd -1
probing for tls
access denied

==== my config: ======

---/etc/sslh/sslh.cfg:---

foreground: false;
inetd: false;
numeric: false
transparent: false;
timeout: 3;
user: "sslh";
pidfile: "/var/run/sslh/sslh.pid";
syslog_facility: "auth";

protocols:
(
  { name: "tls"; service: "https"; host: "localhost"; port: "443"; log_level: 5; },
  { name: "openvpn"; service: "openvpn"; host: "localhost"; port: "5555"; log_level: 5; }
);

---/etc/default/sslh---

RUN=yes
DAEMON=/usr/sbin/sslh
DAEMON_OPTS="-vv --user sslh --listen 192.168.2.2:443 --listen 148.252.110.153:443 --pidfile /var/run/sslh/sslh.pid --on-timeout openvpn -F/etc/sslh/sslh.cfg"

---/etc/hosts.deny---

rpc.ugidd: ALL
#openvpn: ALL
https: ALL
#ssl: ALL
#anyprot: ALL
swat: ALL
#sslh: ALL

---/etc/hosts.allow---

# rpc.ugidd: 192.168.2.0/24
#
# next line is line 5
https: ALL:aclexec /usr/local/sbin/https-geofilter %a: severity auth.warning

---/usr/local/sbin/https-geofilter---

#!/bin/bash
exec >/dev/null </dev/null 2>&1
# Ansible Managed: GeoIP aclexec script for Linux TCP wrappers.
## Source: http://www.axllent.org/docs/view/ssh-geoip
# UPPERCASE space-separated country codes to ACCEPT
/usr/bin/logger -t geofilter -p authpriv.warning "[$$] `/bin/date -R` uid:$UID $0 $*"
ALLOW_COUNTRIES="NO SE"

if [ $# -ne 1 ]; then
  echo "Usage: `basename "$0"` ip" 1>&2
  exit 0 # return true in case of config issue
fi

# geoiplookup prints "GeoIP Country Edition: CC, Country" or
# "GeoIP Country Edition: IP Address not found"; keep only the CC part.
COUNTRY=`/usr/bin/geoiplookup "$1" | /usr/bin/awk -F ": " '{ print $2 }' | /usr/bin/awk -F "," '{ print $1 }' | /usr/bin/head -n 1`

# Allow addresses the database does not know (private ranges) and listed
# countries. An empty lookup result (geoiplookup missing or failing) would
# match the regex and allow everything, so it is treated as a denial.
if [ -z "$COUNTRY" ]; then
  RESPONSE="DENY"
elif [[ "$COUNTRY" = "IP Address not found" || "$ALLOW_COUNTRIES" =~ $COUNTRY ]]; then
  RESPONSE="ALLOW"
else
  RESPONSE="DENY"
fi

if [ "$RESPONSE" = "ALLOW" ]; then
  /usr/bin/logger -t geofilter -p authpriv.warning "[$$] allow: $RESPONSE connection from $1 ($COUNTRY)" || true
  exit 0
else
  /usr/bin/logger -t geofilter -p authpriv.warning "[$$] deny: $RESPONSE connection from $1 ($COUNTRY)" || true
  exit 1
fi

----------------------------------

My reading of this is that my aclexec-script gets called, and when 192.168.2.201 is not found, it logs ALLOW and returns with 'exit 0'. Then the parent-process (as seen by the PID) erroneously complains that my script was terminated by a signal 126, and returns 1 (i.e. false) to sslh. I tried looking at the source-packages for sslh and tcp-wrappers, both for the versions in stretch, and for tcp-wrappers also the one in unstable, but I can not make sense of them.
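A check worth running on a setup like this, added here as an example and not part of the post, of libwrap or of sslh: a small Python harness that runs an aclexec-style command line with %a substituted and decodes the raw wait status with the WIFEXITED/WIFSIGNALED macros, so an exit code can never be read as a signal number. It assumes the command is executed through /bin/sh -c and that the rule is "allow iff the command exits 0" (both assumptions about the aclexec option; check hosts_options(5) on the system in question). No signal 126 exists on Linux, while 126 is the shell's exit code for "found but not executable", so seeing what the child really returned is the first thing to establish. The filter script, the non-executable file and the addresses below are constructed for the demo.

```python
#!/usr/bin/env python3
"""Decode how an aclexec-style child really ended: exit code or signal.

Added example; not libwrap's or sslh's code. Assumes the command line is
run as `/bin/sh -c <command>` with %a replaced by the client address.
"""
import os
import shlex
import signal
import tempfile


def decode_wait_status(status: int) -> dict:
    """Split a raw waitpid() status into exit code OR terminating signal.

    Both live in the same integer; a reporter reading the wrong field
    prints an exit code as if it were a signal number.
    """
    if os.WIFEXITED(status):
        code = os.WEXITSTATUS(status)
        return {"kind": "exited", "code": code, "allow": code == 0}
    if os.WIFSIGNALED(status):
        sig = os.WTERMSIG(status)
        try:
            name = signal.Signals(sig).name
        except ValueError:  # a number that is not a signal on this host
            name = "unknown"
        return {"kind": "signaled", "signal": sig, "signal_name": name, "allow": False}
    return {"kind": "other", "allow": False}


def explain_exit_code(code: int) -> str:
    """POSIX shell exit-code conventions that help when reading the log."""
    if code == 0:
        return "success (aclexec would allow)"
    if code == 126:
        return "command found but not executable (exec bit, permissions, bad interpreter)"
    if code == 127:
        return "command not found"
    if code > 128:
        return f"by shell convention: child killed by signal {code - 128}"
    return "non-zero exit (aclexec would deny)"


def run_aclexec(command_template: str, client_addr: str) -> dict:
    """Run the template under /bin/sh -c with %a expanded (assumed model of
    the aclexec option) and report how the child ended."""
    cmd = command_template.replace("%a", shlex.quote(client_addr))
    pid = os.posix_spawn("/bin/sh", ["sh", "-c", cmd], dict(os.environ))
    _, status = os.waitpid(pid, 0)
    result = decode_wait_status(status)
    result["raw_status"] = status
    if result["kind"] == "exited":
        result["meaning"] = explain_exit_code(result["code"])
    return result


def demo() -> dict:
    """Exercise the harness with constructed scripts (not the poster's files)."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        def script(name: str, body: str, executable: bool) -> str:
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\n" + body + "\n")
            os.chmod(path, 0o755 if executable else 0o644)
            return path

        # Stand-in for a geo filter: allow one constructed range, deny the rest.
        filt = script("filter.sh", 'case "$1" in 192.0.2.*) exit 0 ;; *) exit 1 ;; esac', True)
        noexec = script("noexec.sh", "exit 0", False)  # exec bit deliberately missing

        results["allow"] = run_aclexec(f"sh {filt} %a", "192.0.2.10")
        results["deny"] = run_aclexec(f"sh {filt} %a", "198.51.100.7")
        results["noexec"] = run_aclexec(f"{noexec} %a", "192.0.2.10")      # exit 126
        results["missing"] = run_aclexec(f"{d}/does-not-exist %a", "192.0.2.10")  # exit 127
        results["signaled"] = run_aclexec("kill -TERM $$", "192.0.2.10")  # real signal death
    return results


if __name__ == "__main__":
    for case, r in demo().items():
        print(f"{case:9s} {r}")
```

Run it as root or as the wrapper's user alike; the interesting comparison is the `noexec` row (exit code 126, `allow` false) against the `signaled` row (signal 15): a log line that reports "signal 126" for a script that itself logged `exit 0` is describing the former, and the thing to look at is whether the shell that libwrap spawned could execute what line 5 of hosts.allow names, not the script's own return value.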