ngx_stream_ssl_preread_module does not seem to extract the server_name when connecting with openconnect

Thomas Glanzmann
December 15, 2016 11:10AM
Hello,
I would like to use ngx_stream_ssl_preread_module to multiplex between a
squid, nginx webserver and ocserv (ssl vpn). I set up nginx the following
way:

    stream {
        upstream webserver {
            server 127.0.0.1:443;
        }

        upstream squidtls {
            server 127.0.0.1:8081;
        }

        upstream ocserv {
            server 88.198.249.254:4443;
        }

        map $ssl_preread_server_name $name {
            proxy.glanzmann.de squidtls;
            vpn.gmvl.de ocserv;
            default webserver;
        }

        server {
            proxy_protocol on;
            listen 88.198.249.254:443;
            listen [2a01:4f8:b0:2fff::2]:443;

            proxy_pass $name;
            ssl_preread on;
        }
    }

For the webserver and squid it works like a charm. However when I connect using
'openconnect' I get the ssl certificate of the webserver, but should get the ssl
certificate of the ocserv. I verified using tcpdump and wireshark that
openconnect sets the servername correctly. How can I debug this?

Is it possible to tell nginx to be more verbose so that I can see if it
extracts the SNI string of openconnect correctly or see that maybe nginx
is unable to connect to the ocserv and falls back to the default?

Cheers,
Thomas