ngx_stream_ssl_preread_module does not seem to extract the server_name when connecting with openconnect

Roman Arutyunyan arut at nginx.com
Thu Dec 15 16:20:19 UTC 2016


Hi Thomas,

On Thu, Dec 15, 2016 at 05:08:41PM +0100, Thomas Glanzmann wrote:
> Hello,
> I would like to use ngx_stream_ssl_preread_module to multiplex between a
> squid, nginx webserver and ocserv (ssl vpn). I setup nginx the following
> way:
> 
> stream {
>         upstream webserver {
>                 server 127.0.0.1:443;
>         }
> 
>         upstream squidtls {
>                 server 127.0.0.1:8081;
>         }
> 
>         upstream ocserv {
>                 server 88.198.249.254:4443;
>         }
> 
>         map $ssl_preread_server_name $name {
>                 proxy.glanzmann.de squidtls;
>                 vpn.gmvl.de ocserv;
>                 default webserver;
>         }
> 
>         server {
>                 proxy_protocol on;
>                 listen 88.198.249.254:443;
>                 listen [2a01:4f8:b0:2fff::2]:443;
> 
>                 proxy_pass  $name;
>                 ssl_preread on;
>         }
> }
> 
> For the webserver and squid it works like a charm. However when I connect using
> 'openconnect' I get the ssl certificate of the webserver, but should get the ssl
> certificate of the ocserv. I verified using tcpdump and wireshark that
> openconnect sets the servername correctly. How can I debug this?
> 
> Is it possible to tell nginx to be more verbose so that I can see if it
> extracts the SNI string of openconnect correctly or see that maybe nginx
> is unable to connect to the ocserv and falls back to the default?

You can try logging $ssl_preread_server_name in access_log.

And it can be a good idea to watch the debug log for ssl preread messages.

-- 
Roman Arutyunyan
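The two debugging steps suggested in the reply, written out as a stream-block configuration. This is an added example, not part of the original exchange or of nginx's own documentation; the upstream names, addresses and log paths are taken from the quoted configuration or assumed for illustration.

```nginx
# Added example: log what ssl_preread actually extracted, and where the
# connection was routed, so a wrong or empty SNI is visible per connection.
stream {
    upstream webserver { server 127.0.0.1:443; }
    upstream squidtls  { server 127.0.0.1:8081; }
    upstream ocserv    { server 88.198.249.254:4443; }   # from the quoted config

    map $ssl_preread_server_name $name {
        proxy.glanzmann.de squidtls;
        vpn.gmvl.de        ocserv;
        default            webserver;
    }

    # stream-context log_format/access_log (ngx_stream_log_module, nginx 1.11.4+).
    # $ssl_preread_server_name is the raw SNI value read from the ClientHello;
    # $upstream_addr shows which backend was chosen, so a mismatch between the
    # two columns pinpoints whether the map or the upstream is at fault.
    log_format sni '$remote_addr [$time_local] sni="$ssl_preread_server_name" '
                   'route=$name upstream=$upstream_addr status=$status';

    server {
        listen 88.198.249.254:443;
        listen [2a01:4f8:b0:2fff::2]:443;

        ssl_preread on;
        proxy_protocol on;
        proxy_pass $name;

        access_log /var/log/nginx/stream-sni.log sni;   # path is an assumption

        # Debug-level error log for this server only; emits the
        # "ssl preread" messages from ngx_stream_ssl_preread_module and any
        # upstream connect() errors. Requires a binary built with --with-debug
        # (check `nginx -V` for that flag).
        error_log /var/log/nginx/stream-debug.log debug;   # path is an assumption
    }
}
```

After reloading, connect once with openconnect and compare the `sni=` and `upstream=` fields for that connection. An empty `sni=""` means the preread did not find a server_name extension in the first client record (for example a non-TLS hello); a correct name with the wrong upstream points at the map; a correct name with `upstream=88.198.249.254:4443` but the wrong certificate means the routing worked and the problem is on the ocserv side. Filtering the debug log with `grep 'ssl preread'` shows the module's own trace for the same handshake.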

