ocserv proxy protocol support

Niels Peen niels at peen.ch
Sat Aug 22 10:31:05 PDT 2015


> On 22 Aug 2015, at 13:26, Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:
> 
> On Fri, 2015-08-21 at 22:31 +0200, Niels Peen wrote:
>> Hi,
>> 
>> I’m now using haproxy’s proxy protocol to get the client’s real IP 
>> address to ocserv. (As opposed to using sniproxy and losing this 
>> information.)
>> 
>> It works very well for Radius, which now receives the clients real IP 
>> address. 
>> Two questions:
>> 1) occtl and the script variable REAL_IP still show 127.0.0.1 as the 
>> client’s IP address. Is this expected?
> 
> Not really, it seems like an omission as these use cases were not
> considered.
> 
>> 2) I understand the proxy protocol also communicates the destination 
>> address.  Can this destination address be made available to the 
>> connect script? (E.g. IP_REAL_LOCAL.)
> 
> I've made a patch to correct (1) and also add (2), but it is not tested
> yet. If you want to check it, it is at the ip-real branch of ocserv.

I can confirm the real IP address now shows up in occtl. 

Unable to test the script variables, as configuring a connect script now causes the login failure below. Removing the connect script from the configuration, or reverting to the regular 0.10.7 release, fixes the issue.

Aug 23 00:54:10 soup ocserv[4495]: sec-mod: using 'radius' authentication to authenticate user (session: 4oHQ4)
Aug 23 00:54:10 soup ocserv[4495]: radius-auth: communicating username (niels@vpn) and password
Aug 23 00:54:10 soup ocserv[4495]: rc_conf_int: config option radius_deadtime was not set
Aug 23 00:54:10 soup ocserv[4495]: radius-auth: opening session 4oHQ4GGoryZZVv+bbNXwdA==
Aug 23 00:54:10 soup ocserv[4495]: rc_conf_int: config option radius_deadtime was not set
Aug 23 00:54:10 soup ocserv[4495]: sec-mod: initiating session for user 'niels@vpn' (session: 4oHQ4)
Aug 23 00:54:10 soup ocserv[4370]: main[niels@vpn]: X:54077 new user session
Aug 23 00:54:10 soup ocserv[4370]: main[niels@vpn]: X:54077 failed authentication attempt for user 'niels@vpn'
Aug 23 00:54:10 soup ocserv[4370]: main[niels@vpn]: X:54077 user logged in
Aug 23 00:54:10 soup ocserv[5309]: worker[niels@vpn]: X error receiving cookie authentication reply
Aug 23 00:54:10 soup ocserv[5309]: worker[niels@vpn]: X failed cookie authentication attempt
Aug 23 00:54:10 soup ocserv[4370]: main[niels@vpn]: X:54077 user disconnected
Aug 23 00:54:10 soup ocserv[4495]: sec-mod: temporarily closing session for niels@vpn (session: 4oHQ4)

Thanks,
niels
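For readers following the thread, the PROXY protocol line that haproxy (with `send-proxy`) prepends to each forwarded TCP connection, and that ocserv reads when its proxy-protocol listener option is on, carries both addresses Niels asks about: the client's source address/port (what becomes REAL_IP) and the destination address/port the client actually connected to. The parser below is an added example written for this page; it is not code from ocserv, haproxy or this thread. It shows what a receiver must validate before trusting those fields, and the check that matters most for security: a PROXY line may only be honoured from the proxy host itself (here loopback, since haproxy and ocserv share a machine), because any peer that can reach the listener directly could otherwise prepend its own "PROXY ..." line and claim an arbitrary client IP to RADIUS and to occtl. The sample header is constructed; port 54077 is taken from the log above, the addresses and port 443 are assumptions, and the environment-variable names in `script_env()` follow the thread's wording (REAL_IP, and IP_REAL_LOCAL as proposed), not confirmed names from the ip-real branch.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# A PROXY v1 header is at most 107 bytes including the trailing CRLF.
MAX_V1_LEN = 107

# Peers allowed to assert a client address. haproxy and ocserv share a host
# in the thread, so only loopback is trusted here (assumption for this example).
TRUSTED_LOOPBACK = [ipaddress.ip_network("127.0.0.0/8")]


@dataclass(frozen=True)
class ProxyInfo:
    src_addr: IPAddress   # the real client address (REAL_IP)
    dst_addr: IPAddress   # the address the client connected to
    src_port: int
    dst_port: int

    def script_env(self) -> dict:
        # Variable names follow the thread's wording; the names actually
        # exported by the ip-real branch are not confirmed here (assumption).
        return {"REAL_IP": str(self.src_addr), "IP_REAL_LOCAL": str(self.dst_addr)}


def _port(field: bytes) -> int:
    if not field.isdigit():
        raise ValueError(f"bad port field {field!r}")
    port = int(field)
    if port > 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_proxy_v1(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Parse a PROXY v1 header at the start of `data`.

    Returns (info, remaining_bytes). info is None for "PROXY UNKNOWN",
    meaning the receiver must fall back to the socket's own addresses.
    Raises ValueError on anything malformed; a receiver should drop the
    connection in that case rather than guess at the client address.
    """
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end < 0:
        raise ValueError("no CRLF within 107 bytes: not a PROXY v1 header")
    line, rest = data[:end], data[end + 2:]
    fields = line.split(b" ")
    if len(fields) < 2 or fields[0] != b"PROXY":
        raise ValueError("missing PROXY signature")
    family = fields[1]
    if family == b"UNKNOWN":
        return None, rest
    if family not in (b"TCP4", b"TCP6") or len(fields) != 6:
        raise ValueError(f"malformed header: {line!r}")
    try:
        src = ipaddress.ip_address(fields[2].decode("ascii"))
        dst = ipaddress.ip_address(fields[3].decode("ascii"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError(f"bad address: {exc}") from None
    want = 4 if family == b"TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match the TCP4/TCP6 tag")
    return ProxyInfo(src, dst, _port(fields[4]), _port(fields[5])), rest


def addresses_for_connection(peer_ip: str, data: bytes,
                             trusted_proxies: List[ipaddress.IPv4Network]
                             ) -> Tuple[IPAddress, bytes]:
    """Return (address to attribute to this connection, remaining bytes).

    Only a TCP peer inside `trusted_proxies` may assert a client address.
    From anyone else the bytes are left untouched as ordinary application
    data, so a direct connection cannot spoof REAL_IP with a PROXY line.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_proxies):
        return peer, data
    info, rest = parse_proxy_v1(data)
    if info is None:
        return peer, rest
    return info.src_addr, rest


if __name__ == "__main__":
    # Constructed sample: client port 54077 as in the log; addresses and 443 assumed.
    sample = b"PROXY TCP4 192.0.2.10 198.51.100.5 54077 443\r\nGET / HTTP/1.1\r\n"
    print(addresses_for_connection("127.0.0.1", sample, TRUSTED_LOOPBACK))
    # Same bytes arriving straight from the internet: the PROXY line is not honoured.
    print(addresses_for_connection("203.0.113.9", sample, TRUSTED_LOOPBACK))
```

In a real deployment the trusted-peer check is usually done by binding the proxy-protocol listener to loopback or an internal interface and firewalling it, rather than in application code, but the effect is the same: the only thing that may speak PROXY to ocserv is haproxy.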

