ngx_stream_ssl_preread_module does not seem to extract the server_name when connecting with openconnect
Roman Arutyunyan
arut at nginx.com
Thu Dec 15 16:20:19 UTC 2016
Hi Thomas,
On Thu, Dec 15, 2016 at 05:08:41PM +0100, Thomas Glanzmann wrote:
> Hello,
> I would like to use ngx_stream_ssl_preread_module to multiplex between a
> squid, nginx webserver and ocserv (ssl vpn). I setup nginx the following
> way:
>
> stream {
>     upstream webserver {
>         server 127.0.0.1:443;
>     }
>
>     upstream squidtls {
>         server 127.0.0.1:8081;
>     }
>
>     upstream ocserv {
>         server 88.198.249.254:4443;
>     }
>
>     map $ssl_preread_server_name $name {
>         proxy.glanzmann.de squidtls;
>         vpn.gmvl.de        ocserv;
>         default            webserver;
>     }
>
>     server {
>         proxy_protocol on;
>         listen 88.198.249.254:443;
>         listen [2a01:4f8:b0:2fff::2]:443;
>
>         proxy_pass $name;
>         ssl_preread on;
>     }
> }
>
> For the webserver and squid it works like a charm. However when I connect using
> 'openconnect' I get the ssl certificate of the webserver, but should get the ssl
> certificate of the ocserv. I verified using tcpdump and wireshark that
> openconnect sets the servername correctly. How can I debug this?
>
> Is it possible to tell nginx to be more verbose so that I can see if it
> extracts the SNI string of openconnect correctly or see that maybe nginx
> is unable to connect to the ocserv and falls back to the default?
You can try logging $ssl_preread_server_name in access_log.
And it can be a good idea to watch the debug log for ssl preread messages.
--
Roman Arutyunyan
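Added illustration, not part of the thread and not nginx's code: the field `$ssl_preread_server_name` is the `host_name` entry of the `server_name` extension in the TLS ClientHello, so a small standalone parser over a captured first client record shows exactly what the preread step has to work with. The script below builds a minimal ClientHello itself (constructed test data, no network needed), extracts the SNI, and applies the same hostname-to-upstream table as the `map` block quoted above, including the `default` fallback that sends an unmatched or missing SNI to `webserver`. The hostnames and upstream names are taken from the thread; the functions `build_client_hello`, `extract_sni` and `route` are this example's own. It handles only a ClientHello carried in a single TLS record; a record that is truncated, not a handshake, or without a `server_name` extension yields `None`, which is the case that ends up on the default upstream.

```python
"""Extract the SNI host_name from a TLS ClientHello record (example code).

Feed it the first client payload of a captured TLS session (e.g. from a
tcpdump/Wireshark capture) to see the name an SNI-based router would match on.
"""
import struct
from typing import Dict, Optional

TLS_RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed test data)."""
    body = b"\x03\x03" + b"\x00" * 32                 # client_version + random
    body += b"\x00"                                    # empty session_id
    body += b"\x00\x02" + b"\xc0\x2f"                  # one cipher suite
    body += b"\x01\x00"                                # null compression only
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(exts)) + exts
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_RECORD_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def extract_sni(data: bytes) -> Optional[str]:
    """Return the SNI host_name, or None if the bytes are not one complete
    ClientHello record or it carries no server_name extension."""
    try:
        if len(data) < 5 or data[0] != TLS_RECORD_HANDSHAKE:
            return None                                # not a TLS handshake record
        rec_len = struct.unpack("!H", data[3:5])[0]
        rec = data[5:5 + rec_len]
        if len(rec) < rec_len or rec[0] != HANDSHAKE_CLIENT_HELLO:
            return None                                # truncated, or not a ClientHello
        hs_len = int.from_bytes(rec[1:4], "big")
        hello = rec[4:4 + hs_len]
        if len(hello) < hs_len:
            return None                                # ClientHello continues in a later record
        pos = 2 + 32                                   # skip client_version and random
        pos += 1 + hello[pos]                          # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                          # compression_methods
        if pos + 2 > len(hello):
            return None                                # no extensions block at all
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            payload = hello[pos:pos + length]
            pos += length
            if ext_type != EXT_SERVER_NAME or len(payload) < 2:
                continue
            list_len = struct.unpack("!H", payload[:2])[0]
            names = payload[2:2 + list_len]
            i = 0
            while i + 3 <= len(names):
                name_type = names[i]
                name_len = struct.unpack("!H", names[i + 1:i + 3])[0]
                name = names[i + 3:i + 3 + name_len]
                i += 3 + name_len
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii", "replace")
        return None
    except (IndexError, struct.error):
        return None                                    # malformed lengths


def route(data: bytes, table: Dict[str, str], default: str) -> str:
    """Mirror the `map $ssl_preread_server_name $name` block: pick the upstream
    by SNI and fall back to the default upstream when there is no match."""
    return table.get(extract_sni(data) or "", default)


# Hostname -> upstream table from the quoted nginx config.
UPSTREAMS = {"proxy.glanzmann.de": "squidtls", "vpn.gmvl.de": "ocserv"}

if __name__ == "__main__":
    for sni in ("proxy.glanzmann.de", "vpn.gmvl.de", "other.example", None):
        hello = build_client_hello(sni)
        print(f"{sni!r:>22} -> sni={extract_sni(hello)!r:>22} -> {route(hello, UPSTREAMS, 'webserver')}")
```

If a real capture of the openconnect ClientHello returns the expected name here but nginx still routes it to `webserver`, the name is present on the wire and the problem lies after extraction; if it returns `None`, the record is not a single complete ClientHello with a `server_name` extension, which is exactly the case the `default` line catches.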