ngx_stream_ssl_preread_module does not seem to extract the server_name when connecting with openconnect

Thomas Glanzmann thomas at glanzmann.de
Thu Dec 15 16:08:41 UTC 2016


Hello,
I would like to use ngx_stream_ssl_preread_module to multiplex between a
squid, nginx webserver and ocserv (ssl vpn). I setup nginx the following
way:

stream {
        upstream webserver {
                server 127.0.0.1:443;
        }

        upstream squidtls {
                server 127.0.0.1:8081;
        }

        upstream ocserv {
                server 88.198.249.254:4443;
        }

        map $ssl_preread_server_name $name {
                proxy.glanzmann.de squidtls;
                vpn.gmvl.de ocserv;
                default webserver;
        }

        server {
                proxy_protocol on;
                listen 88.198.249.254:443;
                listen [2a01:4f8:b0:2fff::2]:443;

                proxy_pass  $name;
                ssl_preread on;
        }
}

For the webserver and squid it works like a charm. However when I connect using
'openconnect' I get the ssl certificate of the webserver, but should get the ssl
certificate of the ocserv. I verified using tcpdump and wireshark that
openconnect sets the servername correctly. How can I debug this?

Is it possible to tell nginx to be more verbose so that I can see if it
extracts the SNI string of openconnect correctly or see that maybe nginx
is unable to connect to the ocserv and falls back to the default?

Cheers,
        Thomas
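One way to confirm what SNI a client really puts on the wire (and whether it arrives in one complete record, which ssl_preread needs before `$ssl_preread_server_name` is set) is to parse the ClientHello by hand. The script below is an added example, not code from this thread or from nginx: it walks the record header, handshake header and extension list the way ngx_stream_ssl_preread_module does, and builds a constructed ClientHello for `vpn.gmvl.de` as test input. To check a real client, feed it the first bytes captured with tcpdump instead.

```python
import struct

def build_client_hello(server_name=None):
    """Constructed minimal TLS 1.2 ClientHello record (test input, not a real client)."""
    ext = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        sni = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
        sni = struct.pack("!H", len(sni)) + sni                   # ServerNameList length
        ext = struct.pack("!HH", 0, len(sni)) + sni               # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                 # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00")                  # one cipher suite, null compression
    if ext:
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # record type 0x16 = handshake

def preread(data):
    """Mimic ssl_preread: ('incomplete', None) while the record is still arriving,
    ('not-tls', None) for anything else, ('ok', host-or-None) for a parsed ClientHello."""
    if len(data) < 5:
        return ("incomplete", None)
    if data[0] != 0x16:
        return ("not-tls", None)
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return ("incomplete", None)          # nginx keeps buffering (up to preread_buffer_size)
    hs = data[5:5 + rec_len]
    if hs[0] != 0x01:
        return ("not-tls", None)
    p = 4 + 2 + 32                           # skip type+length, client_version, random
    p += 1 + hs[p]                           # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]      # cipher_suites
    p += 1 + hs[p]                           # compression_methods
    if p >= len(hs):
        return ("ok", None)                  # no extensions -> $ssl_preread_server_name is empty
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0:                       # server_name: list len(2), name_type(1), name len(2), name
            name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
            return ("ok", hs[p + 5:p + 5 + name_len].decode("ascii"))
        p += elen
    return ("ok", None)                      # extensions present but no SNI -> map hits 'default'

if __name__ == "__main__":
    print(preread(build_client_hello("vpn.gmvl.de")))
```

An empty or missing server_name, or a ClientHello that has not fully arrived when nginx stops waiting, both end up on the map's `default` upstream, which is exactly the symptom of getting the webserver's certificate.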

