Configure Ocserv on CentOS 6

2 Configure ocserv

3 How to host ocserv and a web server on the same port?

One of the advantages of ocserv is that it is an HTTPS-based protocol, and it is often run over port 443 to get through restrictive firewalls. However, TCP port 443 is typically already used by an HTTP server on a system. This section describes methods for co-locating ocserv with a web server on that port.

3.1 Method 1: SSL termination on external program (haproxy)

To co-locate ocserv and an HTTPS server on port 443, haproxy (or a similar proxy application) can be used. haproxy allows forwarding the HTTPS port data to arbitrary servers, based on various criteria. This method, however, has the limitation that client certificate authentication cannot be enforced by ocserv, as the SSL session is terminated at haproxy.

The configuration required for haproxy is something along the lines of the following:

frontend www-https
    bind 0.0.0.0:443 ssl crt /etc/ocserv/cert-key.pem
    default_backend ocserv-backend

backend ocserv-backend
    server ocserv unix@/var/run/ocserv-conn.socket check

and ocserv must be configured to accept cleartext connections on the ocserv-conn.socket file. That can be achieved using the following configuration snippet:

listen-clear-file = /var/run/ocserv-conn.socket

3.2 Method 2: SSL termination on ocserv (sniproxy)

An alternative method to co-locate ocserv and an HTTPS server on port 443 is sniproxy. sniproxy allows sharing the HTTPS port as long as the clients advertise the host name they connect to using server name indication (SNI). This is true for the majority of web browsers today. For this to work, the web server and ocserv have to be set up to use alternative ports, e.g., ocserv uses 4443 and the web server uses 4444. A sniproxy configuration that redirects the traffic to the appropriate server is shown below.

listener 0.0.0.0:443 {
    protocol tls
    table TableName
    # we set fallback to be ocserv as older versions of openconnect
    # don't advertise the hostname they connect to.
    fallback 127.0.0.1:4443
}

table TableName {
    # Match exact request hostnames
    vpn.example.com 127.0.0.1:4443
    www.example.com 127.0.0.1:4444
    .*\\.net 127.0.0.1:4444
}
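To see how the SNI dispatch of Method 2 behaves, including the no-SNI fallback that older openconnect clients depend on, here is an added example that is not part of the original page or of sniproxy: a small Python router that parses the server_name extension of a TLS ClientHello and applies the same table. The build_client_hello helper, the hostnames and the backend addresses are constructed for the demonstration.

```python
import re
import struct
# Table mirroring the sniproxy configuration above (hostnames and addresses are constructed)
ROUTES = [(r"vpn\.example\.com", "127.0.0.1:4443"), (r"www\.example\.com", "127.0.0.1:4444"),
          (r".*\.net", "127.0.0.1:4444")]
FALLBACK = "127.0.0.1:4443"  # clients that send no SNI (older openconnect) go to ocserv

def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if it has none."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:  # handshake record, ClientHello
        return None
    body = record[5:]
    pos = 4 + 2 + 32                                      # handshake header, version, random
    pos += 1 + body[pos]                                  # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
    pos += 1 + body[pos]                                  # compression methods
    if pos + 2 > len(body):                               # no extensions block at all
        return None
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_type == 0:   # server_name: list length(2), name type(1), name length(2), name
            name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
            return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

def route(record: bytes) -> str:
    """Choose the backend the way sniproxy would; malformed hellos are treated as no SNI."""
    try:
        name = extract_sni(record)
    except (IndexError, struct.error, UnicodeDecodeError):
        name = None
    if name is not None:
        for pattern, backend in ROUTES:
            if re.fullmatch(pattern, name):
                return backend
    return FALLBACK

def build_client_hello(server_name=None) -> bytes:  # constructed sample input, not a real client
    ext = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry             # server_name list
        ext = struct.pack("!H", 4 + len(sni)) + struct.pack("!HH", 0, len(sni)) + sni
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00" + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```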

Both approaches incur a performance penalty and should be considered mainly for low-traffic VPN servers and web sites.

Author: rain

Created: 2016-06-28 Tue 22:06
