Implementing CONNECT in nginx

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Jan 22 11:44:11 EST 2014


On Wed, Jan 22, 2014 at 4:14 PM, Thomas Glanzmann <thomas at glanzmann.de> wrote:
> Hello everyone,
> I would like to extend nginx with a CONNECT statement which connects to
> a TCP socket. Could someone walk me through which source files I need to
> modify and which functions I should have a look at?
> Or if there is anything else that can give me a quickstart?

If the idea is to make ocserv run in parallel with a web server, I've
been thinking lately about some alternatives.

1. Use TLS ALPN [0] to advertise the VPN server, and have a kernel
module that distributes the VPN service to the proper server (e.g. via
a special setsockopt).

2. Use TLS ALPN on the web server (by reading the client hello in peek
mode), and if it is a VPN connection pass the socket to ocserv.  A
minimal socket passing method has to be used.

3. Have a superserver that forwards the connection to the appropriate
server (using ALPN or dns_name). sslh, which Jason proposed, sounds
close to that.

The drawback of ALPN is that old clients that don't use ALPN wouldn't
be distinguished. However, other fields of the TLS client hello can be
used to distinguish the client (e.g., the dns_name of the server ->
vpn.example.com will be forwarded to ocserv, while www.example.com
will be handled by the server).

[0]. http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-03

regards,
Nikos
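Option 2 above (peek at the ClientHello, pick a backend from ALPN, and fall back to the server_name for clients that send no ALPN) in working form, as an added example; this is not code from the thread, from ocserv or from nginx. The backend names, the "openconnect" ALPN identifier and the sample ClientHello bytes are constructed for the example; only vpn.example.com / www.example.com come from the message.

```python
"""Demux TLS connections on one port by peeking at the ClientHello.

Added example, not project code.  VPN_ALPN, the backend names and the
sample ClientHello are assumptions made for this demonstration.
"""
import socket
import struct

VPN_ALPN = b"openconnect"       # hypothetical ALPN id advertised by the VPN client
VPN_SNI = b"vpn.example.com"    # name from the thread, for clients without ALPN
ROUTE_VPN, ROUTE_WEB = "ocserv", "web"


def parse_client_hello(buf):
    """Return {'sni': bytes|None, 'alpn': [bytes, ...]} for a complete TLS
    ClientHello in buf, or None if buf is not TLS or more bytes are needed."""
    # TLS record header: type(1) version(2) length(2); 0x16 = handshake
    if len(buf) < 5 or buf[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", buf[3:5])[0]
    if len(buf) < 5 + rec_len:
        return None                     # record not fully buffered yet: peek again
    hs = buf[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:    # handshake type 1 = ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                     # hello split across records: not handled here
    info = {"sni": None, "alpn": []}
    try:
        pos = 2 + 32                                        # client_version + random
        pos += 1 + body[pos]                                # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                # compression_methods
        if pos + 2 > len(body):
            return info                                     # no extensions at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == 0:                                  # server_name (SNI)
                p = 2                                       # skip list length
                while p + 3 <= len(edata):
                    ntype = edata[p]
                    nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                    p += 3
                    if ntype == 0 and info["sni"] is None:  # host_name
                        info["sni"] = edata[p:p + nlen]
                    p += nlen
            elif etype == 16:                               # ALPN
                p = 2                                       # skip list length
                while p < len(edata):
                    plen = edata[p]
                    p += 1
                    info["alpn"].append(edata[p:p + plen])
                    p += plen
    except (struct.error, IndexError):
        return None                                         # malformed hello
    return info


def route(buf):
    """Pick a backend: ALPN decides when present, SNI is the fallback for old
    clients.  None means 'not TLS or not enough data yet'."""
    info = parse_client_hello(buf)
    if info is None:
        return None
    if info["alpn"]:
        return ROUTE_VPN if VPN_ALPN in info["alpn"] else ROUTE_WEB
    return ROUTE_VPN if info["sni"] == VPN_SNI else ROUTE_WEB


def build_client_hello(sni=None, alpn=()):
    """Construct a minimal TLS 1.2 ClientHello (sample input made for this example)."""
    exts = b""
    if sni is not None:
        entry = b"\x00" + struct.pack("!H", len(sni)) + sni
        lst = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(lst)) + lst
    if alpn:
        lst = b"".join(bytes([len(p)]) + p for p in alpn)
        lst = struct.pack("!H", len(lst)) + lst
        exts += struct.pack("!HH", 16, len(lst)) + lst
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"        # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
            + b"\x01\x00")                              # compression: null only
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def peek_and_route(sock, max_bytes=16384):
    """Read the pending bytes with MSG_PEEK so they stay in the socket and can
    still be consumed by whichever backend the socket is handed to."""
    return route(sock.recv(max_bytes, socket.MSG_PEEK))


def demo():
    """Show that the peek leaves the ClientHello intact for the backend."""
    a, b = socket.socketpair()
    try:
        hello = build_client_hello(sni=b"www.example.com", alpn=[b"http/1.1"])
        a.sendall(hello)
        backend = peek_and_route(b)
        return backend, b.recv(len(hello)) == hello     # full hello still readable
    finally:
        a.close()
        b.close()
```

A real front end has to loop on the peek until `route` stops returning None, since MSG_PEEK only shows what the kernel has buffered so far, and it should give up on connections that never send a complete record; the routing order (ALPN first, server_name second) is exactly the fallback the message describes for clients that predate ALPN.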
