Configure Ocserv on CentOS 6

2 Configure ocserv

3 How to host ocserv and a web server on the same port ?

One of the advantages of ocserv is that it uses an HTTPS-based protocol, and it is often run on port 443 to allow bypassing certain firewalls. However, TCP port 443 is typically used by an HTTP server on a system. This section describes methods for collocating ocserv with a web server.

3.1 Method 1: SSL termination on external program (haproxy)

To collocate ocserv and an HTTPS server on port 443, haproxy (or a similar proxy application) can be used. haproxy can forward the data arriving on the HTTPS port to arbitrary servers based on various criteria. This method, however, has the limitation that client certificate authentication cannot be enforced by ocserv, as the SSL session is terminated at haproxy.

The configuration required for haproxy is something along these lines:

frontend www-https
    bind 0.0.0.0:443 ssl crt /etc/ocserv/cert-key.pem
    default_backend ocserv-backend

backend ocserv-backend
    server ocserv unix@/var/run/ocserv-conn.socket check

and ocserv must be configured to accept cleartext connections on the ocserv-conn.socket file. That can be achieved with the following configuration snippet.

listen-clear-file = /var/run/ocserv-conn.socket

3.2 Method 2: SSL termination on ocserv (sniproxy)

An alternative method to collocate ocserv and an HTTPS server on port 443 is sniproxy. Sniproxy allows sharing the HTTPS port as long as clients advertise the host name they connect to using server name indication (SNI), which the majority of web browsers do today. For this to work, the web server and ocserv have to be set up to use alternative ports, e.g., ocserv uses 4443 and the web server uses 4444. A sniproxy configuration that redirects the traffic to the appropriate server is shown below.

listener 0.0.0.0:443 {
    protocol tls
    table TableName

    # we set fallback to be ocserv as older versions of openconnect
    # don't advertise the hostname they connect to.
    fallback 127.0.0.1:4443
}

table TableName {
    # Match exact request hostnames
    vpn.example.com 127.0.0.1:4443
    www.example.com 127.0.0.1:4444
    .*\\.net        127.0.0.1:4444
}
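As an added illustration (not from the ocserv documentation or this post), the routing decision the sniproxy listener above makes, in Python: it reads the server_name extension out of a TLS ClientHello and picks a backend from a table mirroring the one above, falling back to ocserv when a client sends no SNI, as older openconnect versions do. The table, the backend addresses and the ClientHello builder are constructed for this example only.

```python
import re
import struct

# Constructed table mirroring the sniproxy config above (sniproxy table entries are regexes).
TABLE = [(re.compile(p, re.I), b) for p, b in (
    (r"^vpn\.example\.com$", ("127.0.0.1", 4443)),
    (r"^www\.example\.com$", ("127.0.0.1", 4444)),
    (r".*\.net$", ("127.0.0.1", 4444)))]
FALLBACK = ("127.0.0.1", 4443)   # no SNI or no match: send to ocserv, like the fallback line

def extract_sni(record):
    """Return the server_name from a TLS ClientHello record, or None if absent."""
    # record header: type(1) version(2) length(2); handshake: type(1) length(3) body
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                  # client_version + random
    pos += 1 + body[pos]                          # session id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher suites
    pos += 1 + body[pos]                          # compression methods
    if pos + 2 > len(body):
        return None                               # no extensions block at all
    pos += 2                                      # extensions length; they run to end of body
    while pos + 4 <= len(body):
        ext_type, ext_size = struct.unpack_from("!HH", body, pos)
        pos += 4
        if ext_type == 0:                         # server_name: list len(2), type(1), name len(2), name
            name_len = struct.unpack_from("!H", body, pos + 3)[0]
            return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_size
    return None

def route(record):
    """Pick the backend the way the sniproxy listener above would."""
    host = extract_sni(record)
    if host is None:
        return FALLBACK
    for pattern, backend in TABLE:
        if pattern.match(host):
            return backend
    return FALLBACK

def build_client_hello(host=None):
    """Constructed minimal TLS 1.2 ClientHello for testing; not real client output."""
    name = host.encode("ascii") if host else b""
    ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name if host else b""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```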

Both approaches incur a performance penalty and should be considered mostly for low-traffic VPN servers and web sites.

Author: rain

Created: 2016-06-28 Tue 22:06
