ocserv 0.10.6

Niels Peen niels at peen.ch
Wed Jul 15 01:54:47 PDT 2015


> On 15 Jul 2015, at 10:12, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> 
> On Thu, Jul 2, 2015 at 5:20 PM, Niels Peen <niels at peen.ch> wrote:
>>> - The worker processes will utilize the UDP socket address (if any),
>>> when reporting peer's address if the listen-clear-file option is set.
>> Is it possible to enable this feature for all connections? (Not just non-TLS connections.) The same functionality would be useful for TLS connections forwarded by a simple SNI selector like sniproxy.
> 
> I'm wondering whether it makes sense to do that, which is an ugly hack,
> instead of supporting the proxy protocol [0] from haproxy. It allows
> the proxy to send all the useful information at session initiation.

I can’t answer that. The reason I use sniproxy is because it allows
wildcards and a large number of different selectors with minimal
overhead or configuration.

From a more general point of view, I don’t think it’s unreasonable to
expect ocserv to be able to report which IPs it’s communicating with
on both TCP and UDP as opposed to just TCP.

Best regards,
Niels
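
The PROXY protocol mentioned in the quoted reply sends the client's address as one text line ahead of the forwarded stream. The following parser for the version 1 header is an added example, not part of this message and not ocserv code; `struct peer_info`, `parse_proxy_v1` and `SAMPLE_HDR` are hypothetical names, and the sample header is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Hypothetical result type for this example; not an ocserv structure. */
struct peer_info {
    int family;                 /* AF_INET or AF_INET6; 0 for PROXY UNKNOWN */
    char src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN];
    unsigned src_port, dst_port;
};
/* Constructed sample header, as a proxy would prepend it to the stream. */
static const char SAMPLE_HDR[] = "PROXY TCP4 192.0.2.10 198.51.100.1 56324 443\r\n";

/* Returns bytes consumed (header plus CRLF) or -1 if absent or malformed.
 * Call only on connections from a trusted proxy, or clients can forge it. */
int parse_proxy_v1(const char *buf, size_t len, struct peer_info *out)
{
    char line[108], check[160], proto[8], sp[6], dp[6];
    unsigned char addr[16];
    size_t i, n = 0;

    memset(out, 0, sizeof(*out));
    /* A v1 header is at most 107 bytes including the terminating CRLF. */
    for (i = 0; i + 1 < len && i < 106; i++)
        if (buf[i] == '\r' && buf[i + 1] == '\n') { n = i; break; }
    if (n == 0)
        return -1;
    memcpy(line, buf, n);
    line[n] = '\0';
    if (strcmp(line, "PROXY UNKNOWN") == 0)   /* short form only */
        return (int)n + 2;      /* no address supplied; keep the socket's */
    if (sscanf(line, "PROXY %7s %45s %45s %5[0-9] %5[0-9]", proto, out->src,
               out->dst, sp, dp) != 5)
        return -1;
    out->src_port = (unsigned)atoi(sp);
    out->dst_port = (unsigned)atoi(dp);
    /* Rebuilding rejects extra spaces, leading zeros, trailing data, NULs. */
    snprintf(check, sizeof(check), "PROXY %s %s %s %u %u", proto, out->src,
             out->dst, out->src_port, out->dst_port);
    out->family = strcmp(proto, "TCP4") == 0 ? AF_INET
                : strcmp(proto, "TCP6") == 0 ? AF_INET6 : 0;
    if (out->family == 0 || strlen(line) != n || strcmp(line, check) != 0 ||
        out->src_port > 65535 || out->dst_port > 65535 ||
        inet_pton(out->family, out->src, addr) != 1 ||
        inet_pton(out->family, out->dst, addr) != 1)
        return -1;
    return (int)n + 2;
}
```

On a return of -1 the contents of `out` should be ignored and the socket's own peer address used.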

