Configure Ocserv on CentOS 6

2 Configure ocserv

3 How to host ocserv and a web server on the same port ?

One of the advantages of ocserv is that is an HTTPS-based protocol and it is often used over 443 to allow bypassing certain firewalls. However the 443 TCP port is typically used by an HTTP server on a system. This section will describe methods on how to collocate ocserv with a web server.

3.1 Method 1: SSL termination on external program (haproxy)

To collocate ocserv and an HTTPS server on port 443, haproxy (or similar proxy applications) could be used. haproxy allows forwarding the HTTPS port data to arbitrary servers, based on various criteria. This method, however, has the limitation that client certificate authentication cannot be enforced by ocserv as the SSL session is terminated at haproxy.

The configuration required for haproxy is something along the lines:

frontend www-https

    bind 0.0.0.0:443 ssl crt /etc/ocserv/cert-key.pem

    default_backend ocserv-backend

backend ocserv-backend

    server ocserv unix@/var/run/ocserv-conn.socket check

and ocserv must be configured to accept cleartext connections on ocserv-conn.socket file. That can be achieved using the following configuration snippet.

listen-clear-file = /var/run/ocserv-conn.socket

3.2 Method 2: SSL termination on ocserv (sniproxy)

An alternative method to collocate ocserv and an HTTPS server on port 443, is with sniproxy. Sniproxy allows sharing the HTTPS port as long as the clients advertise the host name they connect to using server name indication (SNI). This is true for the majority of web browsers today. For this to work the web server and ocserv have to be setup to use an alternative port, e.g., ocserv uses 4443, and the web server uses 4444. A configuration of sniproxy that will redirect the traffic to the appropriate server is shown below.

listener 0.0.0.0:443 {

   protocol tls

   table TableName

   #we set fallback to be ocserv as older versions of openconnect

   #don't advertise the hostname they connect to.

   fallback 127.0.0.1:4443

}

table TableName {

   # Match exact request hostnames

   vpn.example.com 127.0.0.1:4443

   www.example.com 127.0.0.1:4444

   .*\\.net    127.0.0.1:4444

}

Both of the approaches incur a performance penalty and should be considered mostly for low-traffic VPN servers and web sites.

Author: rain

Created: 2016-06-28 二 22:06

Configure Ocserv on CentOS 6的更多相关文章

  1. How to intall and configure Haproxy on Centos

    Install Haproxy CentOS/RHEL 5 , 32 bit:# rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-r ...

  2. [scrapy-redis] install and configure scrapy-redis on CentOS 7 (1)

    0. 安装依赖 yum install -y zlib zlib-devel openssl openssl-devel bzip2 bzip2-devel sqlite-devel gcc wget ...

  3. Centos7 编译安装 Nginx PHP Mariadb Memcached 扩展 ZendOpcache扩展 (实测 笔记 Centos 7.3 + Mariadb 10.1.20 + Nginx 1.10.2 + PHP 7.1.0 + Laravel 5.3 )

    环境: 系统硬件:vmware vsphere (CPU:2*4核,内存2G,双网卡) 系统版本:CentOS-7-x86_64-Minimal-1611.iso 安装步骤: 1.准备 1.0 查看硬 ...

  4. Cenos7 编译安装 Mariadb Nginx PHP Memcache ZendOpcache (实测 笔记 Centos 7.0 + Mariadb 10.0.15 + Nginx 1.6.2 + PHP 5.5.19)

    环境: 系统硬件:vmware vsphere (CPU:2*4核,内存2G,双网卡) 系统版本:CentOS-7.0-1406-x86_64-DVD.iso 安装步骤: 1.准备 1.1 显示系统版 ...

  5. Configuring Network in CentOS 6.3 Virtual Box + Screenshots

    Configuring Network in CentOS 6.3 Virtual Box + Screenshots Posted: May 23, 2013 in Uncategorized Ta ...

  6. IP Failover Setup using Keepalived on CentOS/Redhat 6

    source url:http://tecadmin.net/ip-failover-setup-using-keepalived-on-centos-redhat-6/ Keepalived is ...

  7. 编译安装LNMP Centos 6.5 x64 + Nginx1.6.0 + PHP5.5.13 + Mysql5.6.19

    (来自:http://www.cnblogs.com/vicowong/archive/2011/12/01/2116212.html) 环境: 系统硬件:vmware vsphere (CPU:2* ...

  8. Centos7 编译安装 Nginx PHP Mariadb Memcache扩展 ZendOpcache扩展 (实测 笔记 Centos 7.0 + Mariadb 10.1.9 + Nginx 1.9.9 + PHP 5.5.30)

    环境: 系统硬件:vmware vsphere (CPU:2*4核,内存2G,双网卡) 系统版本:CentOS-7-x86_64-Minimal-1503-01.iso 安装步骤: 1.准备 1.1 ...

  9. How to Install Apache Tomcat 8.5 on CentOS 7.3

    How to Install Apache Tomcat 8.5 on CentOS 7.3 From: https://www.howtoforge.com/tutorial/how-to-inst ...

随机推荐

  1. 2005年IT行业趋势Top10

    未来三年内对组织有潜在的重大影响IT趋势.这里的IT趋势的摘要: 1. 计算位于任何地方 智能手机,平板,电视盒,可穿戴设备,可连接的屏幕,对于适应移动用户所求要的整体环境的需求在不断增强.这会继续提 ...

  2. 静态代码审查工具FxCop插件开发(c#)

    FxCop是一款微软官方提供的.net平台代码审查工具,目的是检查我们编写的程序集的代码是否符合规范.FxCop默认提供的是微软默认的审查规则,而且该规则符合<Framework DesignG ...

  3. windows 安装 go语言

    下载地址:http://www.cnblogs.com/osfipin/p/4856839.html. 官方教程说明: Windows 对于Windows用户,Go项目提供两种安装选项(从源码安装除外 ...

  4. [deviceone开发]-do_Viewshower的动画效果示例

    一.简介 do_Viewshower组件也支持View之间的过场动画,支持大概12种,这个示例随机的切换12种动画中的一种,而且每次切换的动画时间不一样.直观的展示12种动画的效果.适合初学者. 二. ...

  5. 原生JS:Number对象详解

    Number对象 本文参考MDN做的详细整理,方便大家参考MDN JavaScript 的 Number 对象是经过封装的能让你处理数字值的对象.Number 对象由 Number() 构造器创建. ...

  6. 实现a标签中的各种点击(onclick)事件的方法

    我们常用的在a标签中有点击事件:1. a href="javascript:js_method();"这是我们平台上常用的方法,但是这种方法在传递this等参数的时候很容易出问题, ...

  7. ae动态显示属性表————切记DataTable中要先Add(row)之后再往里传值。

    public partial class FrmAttributeTable : Form { private AxMapControl m_MapCtl; public FrmAttributeTa ...

  8. sharepoint app 开发环境配置

    1. 配置脚本如下: .通过打开命令提示符并键入以下命令来确保 spadmin 和 sptimer 服务正在运行. net start spadminv4 net start sptimerv4 .作 ...

  9. mysql 时间函数转换

    1 NOW() //当前时间 2 SYSDATE() //当前时间 3 CURRENT_TIMESTAMP 4 以'YYYY-MM-DD HH:MM:SS'或YYYYMMDDHHMMSS格式返回当前的 ...

  10. Android图表类库:WilliamChart

    WilliamChart是基于Views的Android图表类库,帮助开发者在Android应用中实现折线图.柱状图和堆叠柱状图.数值发生变化时图表也会以动画的效果发生变化. At the momen ...