External SSL termination

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Tue Sep 23 07:46:54 PDT 2014


On Tue, Sep 23, 2014 at 11:32 AM, Alexander Rumyantsev
<alexander at rumyantsev.com> wrote:
>>> P.S. I think the mode of external ssl termination with unix socket support will be very useful in ocserv.
>>
>> Do you have some more information on that? Is there a known "protocol"
>> to forward SSL connections to another process which listens to unix
>> sockets? It would be even more interesting if there was not any
>> termination at all and the SSL session was forwarded as is (e.g., via
>> file descriptor passing).
> I mean pure external SSL termination. I understand, that it limits functionality of ocserv, but in some cases it seems useful to me.
> That's how I see this: openconnect establishes ssl-session with haproxy, which, in its order, establishes pure http session without SSL/TLS with ocserv as a backend through unix socket.
> Once again, I want to share IP-address and standard 443 port between ocserv and http-server, using User-Agent http header as a distinguisher.
> By now, if haproxy determines OpenConnect/AnyConnect client, it makes an SSL connection to backend, ocserv. It works, but I think it's a useless CPU overhead in my case.
> In case of browser connection, haproxy establishes http session with nginx by unix socket, acting as SSL terminator for http-server.
> Haproxy, in TCP mode, of course, can forward SSL session, but in this case I cannot route requests to different backends based on HTTP information.

It seems it was quite simple to add. I've added the "unix-conn-file"
configuration option in git master which accepts plaintext connections
over the socket if specified.

regards,
Nikos



More information about the openconnect-devel mailing list