does proxyprotocol work with tls?

[nitro322]

I'm struggling to get proxyprotocol working. I have things configured in a way that I believe are correct both with both sslh and the apache backend, but, but I get no response from apache every time I enable RemoteIPProxyProtocol On... unless I also enable RemoteIPProxyProtocolExceptions 127.0.0.1, which defeats the purpose. The only thing I can see that I'm doing different from the documentation is that I'm forwarding to an https rather than http endoint. Here's my config:

listen:
(
    { host: "xx.xx.xx.xx"; port: "443"; }
);

protocols:
(
    { name: "ssh"; host: "127.0.0.1"; port: "22"; },
    { name: "tls"; host: "127.0.0.1"; port: "443"; proxyprotocol: 2; },
);

sslh is listening on public:443 while apache is still listening on localhost:443. I'm doing this to limit the reconfiguration necessary with apache, as I have redirects in place forcing all traffic on port 80 to port 443. This works perfectly fine until I enable RemoteIPProxyProtocol, at which point I can no longer connect to apache through sslh at all. From what I could determine with my research based on these symptoms it seems that sslh is simply not adding the proxyprotocol header.

I was about to submit a bug report, but all examples I could find reference a plaintext http port for apache. So thought I'd ask first - can this work with end-to-end TLS? or will it only work if forwarding to port 80 or something?

[yrutschle]

Hello,

The only thing I can see that I'm doing different from the documentation is that I'm forwarding to an https rather than http endoint.

The documentation uses 8080, which is not really http more than https, but does use 'tls'

I was about to submit a bug report, but all examples I could find reference a plaintext http port for apache. So thought I'd ask first - _can_ this work with end-to-end TLS? or will it only work if forwarding to port 80 or something?

Yes, іt can! :D Essentially ProxyProtocol is protocol-independant, just it has to be supported by the end server. The configuration you're refering to is what I'm using personally, so I am pretty sure it works. Can you post your sslh and Apache configuration, with logs from both sides? Maybe use sslh' max verbose option to ensure we have everything.

[nitro322]

thanks for the reply. Good to know it can work, but puzzled even more why it isn't. Here's my whole sslh config:

verbose: 1;
user: "nobody";

listen:
(
    { host: "xx.xx.xx.xx"; port: "443"; }
);

protocols:
(
    { name: "ssh"; host: "127.0.0.1"; port: "22"; },
    { name: "tls"; host: "127.0.0.1"; port: "443"; proxyprotocol: 2; },
);

My apache config is complicated with a number of vhosts, but here's the relevant part:

Listen 80
Listen 127.0.0.1:443

<VirtualHost _default_:80>
    ServerName www.domain.com
    Redirect permanent / https://www.domain.com/
</VirtualHost>

<VirtualHost _default_:443>
    ServerName www.domain.com
    ServerAlias domain.com
    RemoteIPProxyProtocol On
    #RemoteIPTrustedProxy 127.0.0.1
    #RemoteIPProxyProtocolExceptions 127.0.0.1
</VirtualHost>

Below is the output for an incoming request when running as: sudo sslh --config /etc/default/sslh --foreground

accepted fd 4 (1 concurrent connections)
writing deferred on fd -1
hexdump of incoming packet:
0x000000: 16 03 01 02 00 01 00 01 fc 03 03 0b 20 d1 37 4b ............ .7K
0x000010: 7e 41 76 67 3e fd b4 d2 a5 2c e5 e5 ed bb 76 aa ~Avg>....,....v.
0x000020: fb 3c ac 19 fb 15 f4 69 35 87 90 20 26 4d bd da .<.....i5.. &M..
0x000030: 01 4a a5 2f 69 85 2d 78 bb 69 91 4a 35 07 bc 17 .J./i.-x.i.J5...
0x000040: e1 b0 95 a4 ad fc 2a ba 5a 09 1c 75 00 20 13 02 ......*.Z..u. ..
0x000050: 13 01 13 03 c0 2c c0 30 c0 2b c0 2f 00 9d 00 9c .....,.0.+./....
0x000060: c0 0a c0 14 c0 09 c0 13 00 35 00 2f 00 ff 01 00 .........5./....
0x000070: 01 93 00 00 00 14 00 12 00 00 0f 77 77 77 2e 64 ...........www.d
0x000080: 6f 6d 61 69 6e 31 2e 63 6f 6d 00 0b 00 04 03 00 omain1.com......
0x000090: 01 02 00 0a 00 0a 00 08 00 17 00 18 00 19 00 1d ................
0x0000a0: 00 10 00 0e 00 0c 02 68 32 08 68 74 74 70 2f 31 .......h2.http/1
0x0000b0: 2e 31 00 17 00 00 00 0d 00 18 00 16 06 01 06 03 .1..............
0x0000c0: 08 06 05 01 05 03 08 05 04 01 04 03 08 04 02 01 ................
0x0000d0: 02 03 00 2b 00 05 04 03 04 03 03 00 2d 00 02 01 ...+........-...
0x0000e0: 01 00 33 00 47 00 45 00 17 00 41 04 22 43 44 1b ..3.G.E...A."CD.
0x0000f0: fa dd 80 e4 af a7 c4 57 08 05 4e 5a 4f 6b 71 02 .......W..NZOkq.
0x000100: 38 37 c6 0e 97 5d 2f c2 14 b9 13 ac b6 b1 6d 02 87...]/.......m.
0x000110: ec fa a3 1b 83 be d7 6d 44 ab 53 dc 1f 80 0e d3 .......mD.S.....
0x000120: b3 39 bc 0a cc 7a fa e1 e5 71 b7 2f 00 15 00 d5 .9...z...q./....
0x000130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0001a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0001b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0001c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0001d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0001e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0001f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000200: 00 00 00 00 00                                  .....
probing for ssh
probed for ssh: PROBE_NEXT
probing for tls
probed for tls: PROBE_MATCH
trying to connect to localhost.localdomain:443 family 2 len 16
tls:connection from yy.yy.yy.yy:9917 to www.domain.com:443 forwarded from localhost.localdomain:53404 to localhost.localdomain:443
flushing deferred data to fd 3
client socket closed
connection closed down
sslh-fork.c:215:accept:4:Interrupted system call
child died, 0 concurrent connections remaining
sslh-fork.c:184:waitpid:10:No child processes
accepted fd 4 (1 concurrent connections)

Trying to connect with with something like curl just gives me this:

$ curl -v https://www.domain.com/
*   Trying xx.xx.xx.xx:443...
* Connected to www.domain.com (xx.xx.xx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_ZERO_RETURN in connection to www.domain.com:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_ZERO_RETURN in connection to www.domain.com:443

It doesn't complete the TLS handshake. Trying openssl s_client gives me something similar. I don't get much in the apache logs, but I get some stray events coming through like this:

==> access_log <==
zz.zz.zz.zz - - [08/Oct/2025:09:05:49 -0500] "\x16\x03\x01" 400 226

==> ssl_error_log <==
[Wed Oct 08 09:06:12.555967 2025] [remoteip:error] [pid 23031:tid 23102] (70014)End of file found: [client 127.0.0.1:35568] AH10184: failed reading input

When I say stray I mean there's no 1:1 correlation. I can hit my site in curl or firefox repeatedly and get nothing in the logs... but every now and then a message like the above appears, and I don't know why. The zz.zz.zz.zz IP address in that access_log entry is not mine - it's some random source on the internet that does seem to be at least sort of making it through (though obviously not correctly given the hex path), but have no idea what's different about that one request vs. all others.

Sorry for the big dump of info. Does any of this give you a clue as to what might be wrong?