Configure Ocserv on CentOS 6

2 Configure ocserv

3 How to host ocserv and a web server on the same port ?

One of the advantages of ocserv is that is an HTTPS-based protocol and it is often used over 443 to allow bypassing certain firewalls. However the 443 TCP port is typically used by an HTTP server on a system. This section will describe methods on how to collocate ocserv with a web server.

3.1 Method 1: SSL termination on external program (haproxy)

To collocate ocserv and an HTTPS server on port 443, haproxy (or similar proxy applications) could be used. haproxy allows forwarding the HTTPS port data to arbitrary servers, based on various criteria. This method, however, has the limitation that client certificate authentication cannot be enforced by ocserv as the SSL session is terminated at haproxy.

The configuration required for haproxy is something along the lines:

frontend www-https
bind 0.0.0.0:443 ssl crt /etc/ocserv/cert-key.pem
default_backend ocserv-backend backend ocserv-backend
server ocserv unix@/var/run/ocserv-conn.socket check

and ocserv must be configured to accept cleartext connections on ocserv-conn.socket file. That can be achieved using the following configuration snippet.

listen-clear-file = /var/run/ocserv-conn.socket

3.2 Method 2: SSL termination on ocserv (sniproxy)

An alternative method to collocate ocserv and an HTTPS server on port 443, is with sniproxy. Sniproxy allows sharing the HTTPS port as long as the clients advertise the host name they connect to using server name indication (SNI). This is true for the majority of web browsers today. For this to work the web server and ocserv have to be setup to use an alternative port, e.g., ocserv uses 4443, and the web server uses 4444. A configuration of sniproxy that will redirect the traffic to the appropriate server is shown below.

listener 0.0.0.0:443 {
protocol tls
table TableName #we set fallback to be ocserv as older versions of openconnect
#don't advertise the hostname they connect to.
fallback 127.0.0.1:4443
} table TableName {
# Match exact request hostnames
vpn.example.com 127.0.0.1:4443
www.example.com 127.0.0.1:4444
.*\\.net 127.0.0.1:4444
}

Both of the approaches incur a performance penalty and should be considered mostly for low-traffic VPN servers and web sites.

Author: rain

Created: 2016-06-28 二 22:06

Configure Ocserv on CentOS 6的更多相关文章

  1. How to intall and configure Haproxy on Centos

    Install Haproxy CentOS/RHEL 5 , 32 bit:# rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-r ...

  2. [scrapy-redis] install and configure scrapy-redis on CentOS 7 (1)

    0. 安装依赖 yum install -y zlib zlib-devel openssl openssl-devel bzip2 bzip2-devel sqlite-devel gcc wget ...

  3. Centos7 编译安装 Nginx PHP Mariadb Memcached 扩展 ZendOpcache扩展 (实测 笔记 Centos 7.3 + Mariadb 10.1.20 + Nginx 1.10.2 + PHP 7.1.0 + Laravel 5.3 )

    环境: 系统硬件:vmware vsphere (CPU:2*4核,内存2G,双网卡) 系统版本:CentOS-7-x86_64-Minimal-1611.iso 安装步骤: 1.准备 1.0 查看硬 ...

  4. Cenos7 编译安装 Mariadb Nginx PHP Memcache ZendOpcache (实测 笔记 Centos 7.0 + Mariadb 10.0.15 + Nginx 1.6.2 + PHP 5.5.19)

    环境: 系统硬件:vmware vsphere (CPU:2*4核,内存2G,双网卡) 系统版本:CentOS-7.0-1406-x86_64-DVD.iso 安装步骤: 1.准备 1.1 显示系统版 ...

  5. Configuring Network in CentOS 6.3 Virtual Box + Screenshots

    Configuring Network in CentOS 6.3 Virtual Box + Screenshots Posted: May 23, 2013 in Uncategorized Ta ...

  6. IP Failover Setup using Keepalived on CentOS/Redhat 6

    source url:http://tecadmin.net/ip-failover-setup-using-keepalived-on-centos-redhat-6/ Keepalived is ...

  7. 编译安装LNMP Centos 6.5 x64 + Nginx1.6.0 + PHP5.5.13 + Mysql5.6.19

    (来自:http://www.cnblogs.com/vicowong/archive/2011/12/01/2116212.html) 环境: 系统硬件:vmware vsphere (CPU:2* ...

  8. Centos7 编译安装 Nginx PHP Mariadb Memcache扩展 ZendOpcache扩展 (实测 笔记 Centos 7.0 + Mariadb 10.1.9 + Nginx 1.9.9 + PHP 5.5.30)

    环境: 系统硬件:vmware vsphere (CPU:2*4核,内存2G,双网卡) 系统版本:CentOS-7-x86_64-Minimal-1503-01.iso 安装步骤: 1.准备 1.1 ...

  9. How to Install Apache Tomcat 8.5 on CentOS 7.3

    How to Install Apache Tomcat 8.5 on CentOS 7.3 From: https://www.howtoforge.com/tutorial/how-to-inst ...

随机推荐

  1. Java自定义一个字典类(Dictionary)

    标准Java库只包含Dictionary的一个变种,名为:Hashtable.(散列表) Java的散列表具有与AssocArray相同的接口(因为两者都是从Dictionary继承来的).但有一个方 ...

  2. GJM :FPSCalc-简单FPS观测类 [转载]

    版权声明:本文原创发表于 [请点击连接前往] ,未经作者同意必须保留此段声明!如有侵权请联系我删帖处理! FPSCalc--简单FPS观测类 利用Unity做的手游项目很多时候要保证流畅度,流畅度最直 ...

  3. GJM : Taurus.MVC 2.0 开源发布:WebAPI开发教程 [转载]

    Taurus.MVC 2.0 开源发布:WebAPI开发教程 转载自http://www.cnblogs.com/cyq1162/p/6069020.html 因是新手  粘贴时有一个版权问题 本文原 ...

  4. 数据库热备之SQLServer的数据库镜像实施笔记

    / 最初在为公司设计SQLServer数据库镜像的时候,首先考虑的是高可用性(三台计算机,一台见证服务器,一台做主数据库,一台做镜像) 在虚拟机环境下部署成功,一切都是那么的完美.故障转移3秒之内就可 ...

  5. 不简单的SQL查询和排序语句

    真不简单!! 一:使用select语句进行查询 语法: SELECT    <列名> FROM      <表名> [WHERE    <查询条件表达式>] [OR ...

  6. [AngularJS] 使用AngularAMD动态加载Controller

    [AngularJS] 使用AngularAMD动态加载Controller 前言 使用AngularJS来开发Single Page Application(SPA)的时候,可以选用AngularU ...

  7. Exif.js 读取图像的元数据

    Exif.js 提供了 JavaScript 读取图像的原始数据的功能扩展,例如:拍照方向.相机设备型号.拍摄时间.ISO 感光度.GPS 地理位置等数据. 注意事项: EXIF 数据主要来自拍摄的照 ...

  8. Midnight.js – 实现奇妙的固定头部切换效果

    Midnight.js 是一款 jQuery 插件,在页面滚动的时候实现多个头设计之间的切换,所以你总是有一个头与它下面的内容层叠,看起来效果很不错. Midnight.js 可以让你轻松实现这种切换 ...

  9. Listbox与Listbox with key的区别

    标准解释: ListboxVisualization as listbox in which a list of entries is displayed with one short descrip ...

  10. SharePoint 2013 PowerShell命令备份还原报错

    错误截图: 文字描述: Restore-SPSite : <nativehr>0x80070003</nativehr><nativestack></nati ...