[Question] sslh running in host mode blocks apt update

Question

[Question] sslh running in host mode blocks apt update

scmanjarrez opened this issue 9 months ago · comments

Hi,
First of all, thanks for your program, it's an amazing tool!! I'd like to ask if is it normal that running sslh under docker compose (network_mode: host) blocks the traffic from apt? When sslh is enabled, apt update gets stuck in:

Err:1 https://download.docker.com/linux/debian bullseye InRelease
  Could not wait for server fd - select (11: Resource temporarily unavailable) [IP: 18.67.240.19 443]
Err:2 http://security.debian.org/debian-security bullseye-security InRelease
  Connection failed [IP: 151.101.134.132 80]
Err:3 http://deb.debian.org/debian bullseye InRelease
  Connection failed [IP: 151.101.134.132 80]
Err:4 http://archive.raspberrypi.org/debian bullseye InRelease
  Connection failed [IP: 93.93.135.117 80]
0% [Waiting for headers]^C

Yves Rutschle · Answer 1 · Fri Jan 05 2024 20:38:32 GMT+0800 (China Standard Time)

What is your architecture? sslh is supposed to be on the server side, treating incoming connections; apt is a client that performs outgoing connections; unless you configured apt to go through a proxy that uses sslh, I don't see how sslh would be on apt's path?

Sergio C · Answer 2 · Fri Jan 05 2024 21:09:25 GMT+0800 (China Standard Time)

Hi, thanks for your response.
I'm running sslh in my raspberry (aarch64), which I use as a server for a bunch of services (http server, openvpn, etc).

This is my sslh configuration:

version: "3"

services:
  sslh:
    build: https://github.com/yrutschle/sslh.git
    container_name: sslh
    environment:
      - TZ="Europe/Madrid"
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - NET_BIND_SERVICE
    # must be set manually
    #sysctls:
    #  - net.ipv4.conf.default.route_localnet=1
    #  - net.ipv4.conf.all.route_localnet=1
    command: --transparent --foreground --listen=0.0.0.0:443 --tls=localhost:8443 --openvpn=localhost:4443
    network_mode: host
    restart: always

If sslh container is up, I'm not able to run apt, it just freezes until timeout.

❯ uname -a
Linux pi4 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr  3 17:24:16 BST 2023 aarch64 GNU/Linux
❯ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye
❯ docker compose up -d
[+] Running 1/0
 ✔ Container sslh  Running                                                                                                                                                                                    0.0s
❯ sudo apt update
Err:1 https://download.docker.com/linux/debian bullseye InRelease
  Could not wait for server fd - select (11: Resource temporarily unavailable) [IP: 3.160.231.103 443]
Err:2 http://deb.debian.org/debian bullseye InRelease
  Connection failed [IP: 151.101.134.132 80]
Err:3 http://security.debian.org/debian-security bullseye-security InRelease
  Connection failed [IP: 151.101.134.132 80]
Err:4 http://archive.raspberrypi.org/debian bullseye InRelease
  Connection failed [IP: 93.93.135.117 80]
0% [Waiting for headers]^C
❯ docker compose down
[+] Running 1/1
 ✔ Container sslh  Removed                                                                                                                                                                                    0.4s
❯ sudo apt update
Hit:1 http://deb.debian.org/debian bullseye InRelease
Get:2 http://security.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:4 http://archive.raspberrypi.org/debian bullseye InRelease [23.6 kB]
Get:5 https://download.docker.com/linux/debian bullseye InRelease [43.3 kB]
Get:6 http://security.debian.org/debian-security bullseye-security/main Sources [165 kB]
Get:7 http://security.debian.org/debian-security bullseye-security/main arm64 Packages [260 kB]
Get:8 http://security.debian.org/debian-security bullseye-security/main armhf Packages [261 kB]
Get:9 http://archive.raspberrypi.org/debian bullseye/main armhf Packages [313 kB]
Get:10 http://archive.raspberrypi.org/debian bullseye/main arm64 Packages [307 kB]
Fetched 1,465 kB in 2s (740 kB/s)
^Cading package lists... 9%
  ~/sslh                                                                                                                                                                                          INT ✘  4s 
❯

Yves Rutschle · Answer 3 · Fri Jan 05 2024 21:12:47 GMT+0800 (China Standard Time)

Maybe try without --transparent and especially the iptables rules that go with it? (Maybe it interferes with unexpected traffic?) 5 janv. 2024 14:09:40 Sergio C ***@***.***>:

…

Hi, thanks for your response. I'm running sslh in my raspberry (aarch64), which I use as a server for a bunch of services (http server, openvpn, etc). This is my sslh configuration: version: "3" services: sslh: build: https://github.com/yrutschle/sslh.git container_name: sslh environment: - TZ="Europe/Madrid" cap_add: - NET_ADMIN - NET_RAW - NET_BIND_SERVICE # must be set manually #sysctls: # - net.ipv4.conf.default.route_localnet=1 # - net.ipv4.conf.all.route_localnet=1 command: --transparent --foreground --listen=0.0.0.0:443 --tls=localhost:8443 --openvpn=localhost:4443 network_mode: host restart: always If sslh container is up, I'm not able to run apt, it just freezes until timeout. ❯ uname -a Linux pi4 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux ❯ lsb_release -a No LSB modules are available. Distributor ID: Debian Description: Debian GNU/Linux 11 (bullseye) Release: 11 Codename: bullseye ❯ docker compose up -d [+] Running 1/0 ✔ Container sslh Running 0.0s ❯ sudo apt update Err:1 https://download.docker.com/linux/debian bullseye InRelease Could not wait for server fd - select (11: Resource temporarily unavailable) [IP: 3.160.231.103 443] Err:2 http://deb.debian.org/debian bullseye InRelease Connection failed [IP: 151.101.134.132 80] Err:3 http://security.debian.org/debian-security bullseye-security InRelease Connection failed [IP: 151.101.134.132 80] Err:4 http://archive.raspberrypi.org/debian bullseye InRelease Connection failed [IP: 93.93.135.117 80] 0% [Waiting for headers]^C ❯ docker compose down [+] Running 1/1 ✔ Container sslh Removed 0.4s ❯ sudo apt update Hit:1 http://deb.debian.org/debian bullseye InRelease Get:2 http://security.debian.org/debian-security bullseye-security InRelease [48.4 kB] Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB] Get:4 http://archive.raspberrypi.org/debian bullseye InRelease [23.6 kB] Get:5 https://download.docker.com/linux/debian bullseye InRelease [43.3 kB] Get:6 http://security.debian.org/debian-security bullseye-security/main Sources [165 kB] Get:7 http://security.debian.org/debian-security bullseye-security/main arm64 Packages [260 kB] Get:8 http://security.debian.org/debian-security bullseye-security/main armhf Packages [261 kB] Get:9 http://archive.raspberrypi.org/debian bullseye/main armhf Packages [313 kB] Get:10 http://archive.raspberrypi.org/debian bullseye/main arm64 Packages [307 kB] Fetched 1,465 kB in 2s (740 kB/s) ^Cading package lists... 9%  ~/sslh   INT ✘  4s  ❯ — Reply to this email directly, view it on GitHub[#413 (comment)], or unsubscribe[https://github.com/notifications/unsubscribe-auth/ABGAU73INR7ENBUEVZR2RVDYM73Q7AVCNFSM6AAAAAA7DMXD4KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNZYGYZTONJSGM]. You are receiving this because you commented. [Image de pistage][https://github.com/notifications/beacon/ABGAU7Z5MTB3KD4OST3YJDDYM73Q7A5CNFSM6AAAAAA7DMXD4KWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTTP7G55G.gif]

Sergio C · Answer 4 · Fri Jan 05 2024 21:23:34 GMT+0800 (China Standard Time)

That did the trick! Why was that happening? I found "transparent" in the examples when used with host network_mode.