Configure Ocserv on CentOS 6, ocservcentos

Source: Internet
Author: User
Tags haproxy

Configure Ocserv on CentOS 6, ocservcentos
Configure Ocserv on CentOS 6 Table of Contents

  • 1. Install ocserv
  • 2. Configure ocserv
  • 3. How to host ocserv and a web server on the same port?
    • 3.1. Method 1: SSL termination on external program (haproxy)
    • 3.2. Method 2: SSL termination on ocserv (sniproxy)
1 Install ocserv
  • Reference pages:

Https://www.vultr.com/docs/setup-openconnect-vpn-server-for-cisco-anyconnect-on-ubuntu-14-04-x64

Https://www.stunnel.info/%E5%9C%A8centos-6-5%E4%B8%8A%E9%85%8D%E7%BD%AEcisco-anyconnect-vpn/

Http://stackoverflow.com/questions/23085076/readline-readline-h-file-not-found

Https://www.youtube.com/watch? V = 54WXQ3CmkGw

2 Configure ocserv
  • Reference pages:

Http://www.infradead.org/ocserv/manual.html

3 How to host ocserv and a web server on the same port?

One of the advantages of ocserv is that is an HTTPS-based protocol and it is often used over 443 to allow bypassing certain firewils. however the 443 TCP port is typically used by an HTTP server on a system. this section will describe methods on how to collocate ocserv with a web server.

3.1 Method 1: SSL termination on external program (haproxy)

To collocate ocserv and an HTTPS server on port 443, haproxy (or similar proxy applications) cocould be used. haproxy allows forwarding the HTTPS port data to arbitrary servers, based on various criteria. this method, however, has the limitation that client certificate authentication cannot be enforced by ocserv as the SSL session is terminated at haproxy.

The configuration required for haproxy is something along the lines:

frontend www-https    bind 0.0.0.0:443 ssl crt /etc/ocserv/cert-key.pem    default_backend ocserv-backendbackend ocserv-backend    server ocserv unix@/var/run/ocserv-conn.socket check

And ocserv must be configured to accept cleartext connections on ocserv-conn.socket file. That can be achieved using the following configuration snippet.

listen-clear-file = /var/run/ocserv-conn.socket
3.2 Method 2: SSL termination on ocserv (sniproxy)

An alternative method to collocate ocserv and an HTTPS server on port 443, is with sniproxy. sniproxy allows sharing the HTTPS port as long as the clients advertise the host name they connect to using server name indication (SNI ). this is true for the majority of web browsers today. for this to work the web server and ocserv have to be setup to use an alternative port, e.g ., ocserv uses 4443, and the web server uses 4444. A configuration of sniproxy that will redirect the traffic to the appropriate server is shown below.

listener 0.0.0.0:443 {   protocol tls   table TableName   #we set fallback to be ocserv as older versions of openconnect    #don't advertise the hostname they connect to.   fallback 127.0.0.1:4443}table TableName {   # Match exact request hostnames   vpn.example.com 127.0.0.1:4443   www.example.com 127.0.0.1:4444   .*\\.net    127.0.0.1:4444}


Both of the approaches incur a performance penalty and shoshould be considered mostly for low-traffic VPN servers and web sites.

Author: rain

Created:

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.