Trying to get SSLH transparent mode to work properly


Xaero


I don't think there's an SSLH docker for Unraid, so I'm using https://github.com/shaddysignal/sslh-hub

Configuration is as follows:
Privileged
Host networking
Extra params:

-e LISTEN_IP=0.0.0.0 -e HTTPS_PORT=18443 -e LISTEN_PORT=48443 -e SSH_HOST=192.168.1.74 -e HTTPS_HOST=192.168.1.74 -e OPENVPN_HOST=192.168.1.74



192.168.1.74 is my Unraid box. Yes, I realize that makes the "SSH_HOST" my Unraid box. Don't worry: SSH is disabled in Unraid; it's actually going to a Docker container.

Everything "works" right now, except that when users connect from outside my network the internal requests are seen as having come from the Unraid box's Docker LAN:

sshd[8232]: Accepted password for [user] from 172.17.0.7 port 36792 ssh2



This is problematic, as the Docker container has both fail2ban and denyhosts running within it. Eventually, malicious attempts come regardless of what you do. For example, an IP range (now blocked at the router) slammed it with a wave of invalid SSH attempts, which put 172.17.0.7 on the hosts.deny list for SSH. Now I can't get in until I manually clear that list.

So I looked into it, and "transparent" mode seems to be what I need to use in SSLH. So I opened the Docker entrypoint script and added "--transparent" to the arguments list, before all the rest. This is when I had to switch from unprivileged to privileged, so I know the parameter is accepted and doing "something", but requests are still being seen as coming from within the internal Docker network.

Has anyone messed with this at all?
Is it worth pursuing this any further? Ideally I don't want to have to add another box just to do my SSLH and HTTPS forwarding with a custom Let's Encrypt + Nginx + sslh + ssh + denyhosts + fail2ban stack, only to get remote access over 443 while sharing the port with other services...

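Editor's note on the post above. Passing --transparent makes sslh connect to the backend with the real client's source address (an IP_TRANSPARENT socket, which is why the container now needs CAP_NET_ADMIN, i.e. privileged or --cap-add NET_ADMIN). That alone is not enough: the backend's reply packets are now addressed to the client's public IP, and the host will simply forward them towards the Internet unless it is told to hand them back to sslh. sslh's own documentation covers this with a packet mark plus a policy-routing table whose only route is "local". The script below is an added example, not code from the thread or from the sslh-hub image; it prints those rules for review and applies them on request. It assumes sslh runs in the host network namespace (host networking, as in the post), that the backends are containers whose replies enter the host on the Docker bridge (so they traverse the mangle PREROUTING chain), and that fwmark 0x1 and routing table 100 are unused on the box.

```shell
#!/bin/sh
# Added example (not from the thread or the sslh-hub image): policy-routing
# setup for sslh --transparent on the host that runs sslh.
#
# Assumptions: sslh runs in the host network namespace; backend replies
# arrive on the Docker bridge (PREROUTING); fwmark 0x1 / table 100 are free.
# Run on the Unraid host as root; override via FWMARK / TABLE if needed.

FWMARK="${FWMARK:-0x1}"   # mark that selects the local-delivery table
TABLE="${TABLE:-100}"     # policy-routing table holding a single "local" route

# Rules in the order they must be applied.
# Backend replies are destined to the real client's IP/port. sslh holds an
# IP_TRANSPARENT socket for exactly that 4-tuple, so `-m socket --transparent`
# matches them; the mark selects table $TABLE, whose "local 0.0.0.0/0" route
# delivers the packet to sslh instead of forwarding it out to the Internet.
sslh_transparent_rules() {
    cat <<EOF
iptables -t mangle -N SSLH
iptables -t mangle -A PREROUTING -p tcp -m socket --transparent -j SSLH
iptables -t mangle -A SSLH -j MARK --set-mark $FWMARK
iptables -t mangle -A SSLH -j ACCEPT
ip rule add fwmark $FWMARK lookup $TABLE
ip route add local 0.0.0.0/0 dev lo table $TABLE
EOF
}

# Teardown in reverse order, so a failed experiment leaves nothing behind.
sslh_transparent_teardown() {
    cat <<EOF
ip route del local 0.0.0.0/0 dev lo table $TABLE
ip rule del fwmark $FWMARK lookup $TABLE
iptables -t mangle -D PREROUTING -p tcp -m socket --transparent -j SSLH
iptables -t mangle -F SSLH
iptables -t mangle -X SSLH
EOF
}

# Number of setup commands (sanity check before applying).
sslh_rule_count() {
    sslh_transparent_rules | wc -l | tr -d ' '
}

case "${1:-show}" in
    show)     sslh_transparent_rules ;;            # preview only (default)
    apply)    sslh_transparent_rules | sh -e ;;    # needs root on the host
    teardown) sslh_transparent_teardown | sh -e ;;
    *)        echo "usage: $0 [show|apply|teardown]" >&2; exit 2 ;;
esac
```

Check it worked by making one SSH connection from outside: `iptables -t mangle -L SSLH -v -n` should show the SSLH chain's packet counters climbing, and the container's sshd log should record the real client address instead of 172.17.0.x, which is what lets fail2ban and denyhosts ban the attacker rather than the proxy. Two caveats: the socket match is only valid in the PREROUTING and INPUT chains, so for a backend service running directly on the host rather than in a container you need the mangle OUTPUT rules keyed on the service's source port from the sslh README instead; and Unraid does not persist iptables or ip-rule changes across reboots, so the apply step has to be re-run at boot.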
