Configure Ocserv on CentOS 6Table of Contents
- 1. Install Ocserv
- 2. Configure Ocserv
- 3. How to host Ocserv and a Web server on the same port?
- 3.1. Method 1:ssl termination on external program (HAPROXY)
- 3.2. Method 2:ssl termination on Ocserv (Sniproxy)
1Install Ocserv
Https://www.vultr.com/docs/setup-openconnect-vpn-server-for-cisco-anyconnect-on-ubuntu-14-04-x64
https://www.stunnel.info/%E5%9C%A8centos-6-5%E4%B8%8A%E9%85%8D%E7%BD%AEcisco-anyconnect-vpn/
Http://stackoverflow.com/questions/23085076/readline-readline-h-file-not-found
Https://www.youtube.com/watch?v=54WXQ3CmkGw
2Configure Ocserv
Http://www.infradead.org/ocserv/manual.html
3How to host Ocserv and a Web server on the same port?
One of the advantages of Ocserv is it's an https-based protocol and it's often used over 443 to allow bypassing Certai N Firewalls. However the 443 TCP port is typically used by an HTTP server on a system. This section would describe methods on what to Collocate Ocserv with a Web server.
3.1Method 1:SSL termination on external program (HAPROXY)
To Collocate Ocserv and a HTTPS server on port 443, haproxy (or similar proxies applications) could be used. Haproxy allows forwarding the HTTPS port data to arbitrary servers, based on various criteria. This method, however, have the limitation that client certificate authentication cannot be enforced by Ocserv as the SSL SE Ssion is terminated at Haproxy.
The configuration required for Haproxy is something along the lines:
frontend www-https
bind 0.0.0.0:443 ssl crt /etc/ocserv/cert-key.pem
default_backend ocserv-backend
backend ocserv-backend
server ocserv [email protected]/var/run/ocserv-conn.socket check
And Ocserv must is configured to the Accept cleartext connections on Ocserv-conn.socket file. That can is achieved using the following configuration snippet.
Listen-clear-file =/var/run/ocserv-conn.socket
3.2Method 2:ssl termination on Ocserv (Sniproxy)
An alternative method to Collocate Ocserv and a HTTPS server on port 443, are with Sniproxy. Sniproxy allows sharing the HTTPS port as long as the clients advertise the host name they connect to using server name in Dication (SNI). This is true for the majority of web browsers today. For the ocserv of the Web server and the alternative port, e.g, Ocserv uses 4443, and the We b Server uses 4444. A configuration of Sniproxy that would redirect the traffic to the appropriate server is shown below.
listener 0.0.0.0:443 {
protocol tls
table TableName
#we set fallback to be ocserv as older versions of openconnect
#don‘t advertise the hostname they connect to.
fallback 127.0.0.1:4443
}
table TableName {
# Match exact request hostnames
vpn.example.com 127.0.0.1:4443
www.example.com 127.0.0.1:4444
.*\\.net 127.0.0.1:4444
}
Both of the approaches incur a performance penalty and should be considered mostly for low-traffic VPN servers and web sit Es.
Author:rain
Created:2016-06-28 two 22:06
Configure Ocserv on CentOS 6