Recognize Syncthing First Frame - sslh

I’m going to need to use sslh to share port 443 between Apache and Syncthing sync. (I can put the Syncthing web UI behind my Apache via reverse proxy.)

How can I uniquely recognize the first frame from an incoming Syncthing connection?

You can’t really, as it’s encrypted. You could try and identify a TLS handshake, but that might as well be anything.

Hmmm… I’ve only got port 443 to work with. I’ve got an Apache server as a reverse proxy on that port. It is front-end for several different web servers, via host name.

Does Syncthing include SNI (https://en.wikipedia.org/wiki/Server_Name_Indication) in its TLS?

If SNI is part of the TLS Client Hello, I could use a host name like syncthing.mydomain.com and then use sniproxy to route the traffic to either Apache or Syncthing based on the host name.

You cannot, because Syncthing needs to do the handshake in order to request and evaluate the client certificate. Syncthing does not send SNI.

OK. All my browsers use SNI. (Yes, I have control over that.) I’ll have to configure sniproxy such that

The only down-side I can see is that hackers probing my port 443 by IP address will get sent to Syncthing, but they should fail the handshake.

Tnx.

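Added example, not code from the thread or from sslh/sniproxy: a minimal parser for the TLS ClientHello that a demultiplexer sees as the first frame, applying the routing settled on above (SNI present -> Apache, TLS without SNI -> Syncthing, anything that is not a TLS handshake record -> reject). The ClientHello bytes and the host name are constructed here for the demonstration.

```python
import struct

def build_client_hello(sni=None):  # constructed minimal TLS 1.2 ClientHello record
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        lst = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(lst)) + lst       # extension type 0 = SNI
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                 # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record type 0x16 = handshake

def extract_sni(frame):
    """Return the SNI host name from a ClientHello record, or None if absent or malformed."""
    try:
        return _sni_from_record(frame)
    except (IndexError, struct.error):               # truncated or malformed record
        return None

def _sni_from_record(frame):
    if frame[0] != 0x16 or frame[5] != 0x01:         # not a handshake record / not a ClientHello
        return None
    hs = frame[5:5 + struct.unpack("!H", frame[3:5])[0]]
    p = 4 + 2 + 32                                   # handshake header, client_version, random
    p += 1 + hs[p]                                   # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
    p += 1 + hs[p]                                   # compression_methods
    p, end = p + 2, p + 2 + struct.unpack("!H", hs[p:p + 2])[0]   # extensions block
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0x0000:
            q = p + 2                                # skip server_name_list length
            while q + 3 <= p + elen:
                nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                if hs[q] == 0:                       # host_name entry
                    return hs[q + 3:q + 3 + nlen].decode("ascii", "replace")
                q += 3 + nlen
        p += elen
    return None                                      # no SNI extension present

def route(frame):
    """Routing the thread converges on: SNI -> Apache, TLS without SNI -> Syncthing."""
    if frame[:1] != b"\x16":
        return "reject"                              # not a TLS handshake record at all
    return "apache" if extract_sni(frame) else "syncthing"
```

A truncated or malformed handshake yields no SNI and therefore lands on Syncthing, which is exactly where the thread expects it to fail the certificate handshake.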

Yes, that might actually work.
