Back to Dashboard

Multi-arch (amd64 + arm64) static FROM scratch build, ~2.3 MB. SBOM-attested via Sigstore, signed git tags.

Trust posture

📋 SBOM ATTESTED🛡 TRIVY: 0 critical / high (advisory) · SCANNED 2026-07-10🏗 AMD64 + ARM64🔍 REPRODUCE THESE CHECKS LOCALLY
PULLS 82.3K
STARS 0

VERIFIABLE TRUST ARTIFACTS

Provenance

Build commit
ed67d41
Build digest
sha256:9c245be88b4cbb5b65528af0a6fd958e35a00c18200a1932d5564581efc40d35
Index digest
sha256:25fc249a88d7f7738a1151f25b531d723b65aa2b2ccd0957d39426d4b997a921
Manifest digest (amd64)
sha256:1c9eae494f4ca9cea845d7f169a675e950fc45906fb76adc66127116d085072c
Manifest digest (arm64)
sha256:334c0e51e03d909e600a4e02bd2188c31b19086a4f6d2cc6aa7c5f3ba6a8ff4d
SBOM attestation
34817697…
Trivy last scan
2026-07-10 20:42 UTC
Base image
Verify
gh attestation verify oci://ghcr.io/oorabona/sslh:v2.3.1-alpine --owner oorabona guide →

Security scan results

Trivy · last scan 2026-07-10

Last scan: (advisory mode — Trivy runs continue-on-error in CI; we surface findings, we do not block builds on them).

0Critical
0High
0Medium
0Low
0Info

No CRITICAL alerts at last scan (2026-07-10).

Top advisories (upstream, advisory)

    → Full report via gh api — see Verify Images.

    Explore

    Build lineagesha256:
    Build Lineage
    Build Digest sha256:9c245be88b4cbb5b65528af0a6fd958e35a00c18200a1932d5564581efc40d35
    Base Image
    OS_IMAGE_TAG latest
    Package summary n/a — runtime parsed
    Recent changes n/a — runtime parsed
    Build history n/a — runtime fetched

    Documentation

    README

    SSLH — Protocol Multiplexer in a 2 MB Container

    Docker Pulls Docker Image Size GHCR GitHub Stars

    Run SSH, HTTPS, OpenVPN, and XMPP on the same port. SSLH detects the protocol at connection time and forwards it to the right backend — a lifesaver on networks where only port 443 is open.

    Why this image

    • ~2 MBFROM scratch, no OS, no shell, no package manager
    • Static binaries — zero shared library CVEs to track
    • Multi-arch — amd64 / arm64 / arm/v7
    • 3 flavorssslh-ev (default, libev), sslh-select, sslh-fork
    • Auto-updated — CI tracks yrutschle/sslh releases
    • SBOM + attestation — every image ships with a Sigstore-signed SPDX

    Verify this image

    Every build ships a Sigstore-signed SBOM and a full Trivy scan — verify them yourself, no login required:

    gh attestation verify oci://ghcr.io/oorabona/sslh:latest --owner oorabona
    

    Full walkthrough (SBOM payload, Trivy findings, multi-arch manifest inspection, upstream dependency tracking) → https://oorabona.github.io/docker-containers/verify-images/

    Platforms

    • amd64 - x86_64 systems
    • arm64 - ARM 64-bit systems
    • arm/v7 - ARM 32-bit systems

    Features

    • FROM scratch - Absolute minimal attack surface (no OS, no shell)
    • Static binaries - Self-contained, no runtime dependencies
    • Multiple flavors - sslh-fork, sslh-select, sslh-ev included
    • Non-root execution - Runs as nobody user (uid 65534)
    • Stripped binaries - Minimal size (~2-3MB total image)

    Available SSLH flavors (v2.0+):

    • sslh-fork - Original SSLH project
    • sslh-select - Uses select instead of epoll
    • sslh-ev - Uses libev (default, best performance)

    How to run it?

    IMPORTANT: This is a FROM scratch image with no shell. Environment variables are NOT supported for configuration. You must provide full command line arguments.

    Basic Usage

    # Check version
    docker run --rm oorabona/sslh
    
    # Run with full command line
    docker run -d \
      --name sslh \
      -p 443:443 \
      oorabona/sslh \
      -f \
      -p 0.0.0.0:443 \
      --ssh ssh.example.com:22 \
      --tls backend.example.com:8443 \
      --openvpn vpn.example.com:1194
    

    Key arguments:

    • -f - Required: Keep process in foreground (Docker expects this)
    • -p <ip>:<port> - Listen address and port
    • --ssh <host>:<port> - SSH backend
    • --tls <host>:<port> - TLS/HTTPS backend
    • --openvpn <host>:<port> - OpenVPN backend

    Using Different Flavors

    By default, sslh-ev is used. To use a different flavor, override the entrypoint:

    # Use sslh-fork
    docker run -d --entrypoint /usr/local/bin/sslh-fork oorabona/sslh -f -p 0.0.0.0:443 ...
    
    # Use sslh-select
    docker run -d --entrypoint /usr/local/bin/sslh-select oorabona/sslh -f -p 0.0.0.0:443 ...
    

    Using docker-compose

    services:
      sslh:
        image: oorabona/sslh
        ports:
          - "443:443"
        command:
          - -f
          - -p
          - "0.0.0.0:443"
          - --ssh
          - "192.168.1.2:22"
          - --tls
          - "192.168.2.1:8443"
          - --openvpn
          - "192.168.2.1:1194"
        restart: unless-stopped
    

    Using a configuration file

    For complex configurations, use a config file:

    docker run -d \
      --name sslh \
      -p 443:443 \
      -v /path/to/sslh.cfg:/etc/sslh.cfg:ro \
      oorabona/sslh -f -F /etc/sslh.cfg
    

    Security

    Base Security

    • FROM scratch: No operating system, no shell, no package manager
    • Static linking: No shared library vulnerabilities
    • Minimal attack surface: Only sslh binary and CA certificates
    • Non-root: Runs as nobody user (uid 65534)
    # Maximum security runtime configuration
    docker run -d \
      --name sslh \
      --read-only \
      --cap-drop ALL \
      --cap-add NET_BIND_SERVICE \
      --security-opt no-new-privileges:true \
      -p 443:443 \
      oorabona/sslh -f -p 0.0.0.0:443 --ssh backend:22 --tls backend:8443
    

    Docker Compose Security Template

    services:
      sslh:
        image: ghcr.io/oorabona/sslh:latest
        read_only: true
        cap_drop:
          - ALL
        cap_add:
          - NET_BIND_SERVICE
        security_opt:
          - no-new-privileges:true
        ports:
          - "443:443"
        command:
          - -f
          - -p
          - "0.0.0.0:443"
          - --ssh
          - "backend:22"
          - --tls
          - "backend:8443"
        restart: unless-stopped
    

    SSLH Configuration Examples

    Configuration file format

    foreground: true;
    listen:
    (
      { host: "0.0.0.0"; port: "443"; }
    );
    
    protocols:
    (
      { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; fork: true; },
      { name: "openvpn"; host: "localhost"; port: "1194"; },
      { name: "xmpp"; host: "localhost"; port: "5222"; },
      { name: "http"; host: "localhost"; port: "80"; },
      { name: "tls"; host: "localhost"; port: "443"; log_level: 0; },
      { name: "anyprot"; host: "localhost"; port: "443"; }
    );
    

    Notes

    • UDP: Use config file (not command line). sslh-fork doesn’t support UDP.
    • Transparent proxy: Requires host network configuration. See SSLH documentation.

    For more examples, see the SSLH project.

    Building

    ./make build sslh
    

    Build Arguments

    • VERSION - Version tag for sslh release (e.g., v2.0.0). Defaults to latest
    • UPSTREAM_VERSION - Upstream version override for downloads. If provided, takes precedence over VERSION
    • OS_IMAGE_BASE - Base image name (default: alpine)
    • OS_IMAGE_TAG - Base image tag (default: latest)
    • NPROC - Number of parallel jobs for make compilation (default: 1)

    Example with custom arguments:

    ./make build sslh v2.0.0
    

    Licence

    MIT