Use nginx ngx_stream_ssl_preread_module to connect to ocserv using proxy protocol v2
Thomas Glanzmann
thomas at glanzmann.de
Thu Dec 15 08:32:03 PST 2016
Hello,
I would like to use nginx sni proxy feature to dispatch ssl traffic to
ocserv. My setup is as follows:
nginx:
stream {
    upstream webserver {
        server 127.0.0.1:443;
    }
    upstream ocserv {
        server 88.198.249.254:4443;
    }
    map $ssl_preread_server_name $name {
        vpn.gmvl.de ocserv;
        default     webserver;
    }
    server {
        proxy_protocol on;
        listen 88.198.249.254:443;
        listen [2a01:4f8:b0:2fff::2]:443;
        proxy_pass $name;
        ssl_preread on;
    }
}
ocserv:
auth = "pam[gid-min=1000]"
listen-host = 88.198.249.254
tcp-port = 4443
udp-port = 443
run-as-user = nobody
run-as-group = nogroup
socket-file = /var/run/ocserv-socket
server-cert = /etc/letsencrypt.sh/certs/vpn.gmvl.de/fullchain.pem
server-key = /etc/letsencrypt.sh/certs/vpn.gmvl.de/privkey.pem
dh-params = /etc/nginx/dhparam.pem
isolate-workers = true
max-clients = 16
max-same-clients = 0
listen-proxy-proto = true
rate-limit-ms = 100
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = false
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
auth-timeout = 40
min-reauth-time = 120
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = gmvl.de
ipv4-network = 10.12.12.0
ipv4-netmask = 255.255.255.0
ipv6-network = 2a01:4f8:bb:4fd::/64
ipv6-subnet-prefix = 128
dns = 10.10.10.1
dns = 2a01:4f8:b0:2fff::2
ping-leases = false
route = default
cisco-client-compat = true
dtls-legacy = true
When I try to connect using openconnect I can see in the nginx
sni_error.log:
2016/12/15 17:09:00 [error] 21043#0: *7426 recv() failed (104: Connection reset by peer) while proxying connection, client: 17.198.249.166, server: 88.198.249.254:443, upstream: "88.198.249.254:4443", bytes from/to client:0/0, bytes from/to upstream:0/316
And in syslog:
daemon:Dec 15 17:09:00 infra ocserv[21622]: worker: worker-proxyproto.c:156: proxy-hdr: invalid v2 header
daemon:Dec 15 17:09:00 infra ocserv[21622]: worker: worker-vpn.c:560: could not parse proxy protocol header; discarding connection
daemon:Dec 15 17:09:00 infra ocserv[18385]: main: 88.198.249.254:55976 user disconnected (reason: unspecified, rx: 0, tx: 0)
It seems that ocserv does not understand the proxy protocol header from
nginx? Has anyone else tried a similar setup? Otherwise I'll try to
debug the problem and make a patch ready.
Cheers,
Thomas
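An added example, not code from the post, nginx or ocserv: a small parser that accepts both PROXY protocol header forms (v1 text, v2 binary) and raises on a malformed one, so the bytes a front proxy actually sends can be checked against what the backend expects before enabling listen-proxy-proto. The nginx stream module's proxy_protocol directive emits the v1 text form; the sample headers, client address and ports below are constructed for illustration.

```python
import ipaddress
import struct
V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"          # fixed 12-byte v2 signature
def parse_proxy_header(data):
    """Parse a PROXY protocol v1 (text) or v2 (binary) header at the start of a
    connection. Returns (version, info, bytes_consumed); raises ValueError if malformed."""
    if data.startswith(V2_SIG):
        if len(data) < 16:
            raise ValueError("v2 header truncated")
        ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
        if ver_cmd >> 4 != 2:
            raise ValueError("invalid v2 header: version nibble is %d" % (ver_cmd >> 4))
        cmd, family, proto = ver_cmd & 0x0F, fam_proto >> 4, fam_proto & 0x0F
        body = data[16:16 + length]
        if len(body) != length:
            raise ValueError("v2 header truncated")
        if cmd == 0:                           # LOCAL: proxy's own traffic, no addresses
            return "v2", {"cmd": "LOCAL"}, 16 + length
        if cmd != 1:
            raise ValueError("invalid v2 header: unknown command %d" % cmd)
        if family == 1 and proto == 1 and length >= 12:      # AF_INET, SOCK_STREAM
            src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
        elif family == 2 and proto == 1 and length >= 36:    # AF_INET6, SOCK_STREAM
            src, dst, sport, dport = struct.unpack("!16s16sHH", body[:36])
        else:
            raise ValueError("invalid v2 header: unsupported family/transport")
        info = {"cmd": "PROXY", "src": str(ipaddress.ip_address(src)),
                "dst": str(ipaddress.ip_address(dst)), "sport": sport, "dport": dport}
        return "v2", info, 16 + length
    if data.startswith(b"PROXY "):
        end = data.find(b"\r\n", 0, 108)      # v1 header is at most 107 bytes incl. CRLF
        if end < 0:
            raise ValueError("invalid v1 header: no CRLF within 107 bytes")
        fields = data[:end].decode("ascii").split(" ")
        if fields[1] == "UNKNOWN":
            return "v1", {"cmd": "UNKNOWN"}, end + 2
        if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
            raise ValueError("invalid v1 header")
        info = {"cmd": "PROXY", "src": fields[2], "dst": fields[3],
                "sport": int(fields[4]), "dport": int(fields[5])}
        return "v1", info, end + 2
    raise ValueError("no PROXY protocol header at start of connection")
# Constructed samples: the v1 text form nginx sends and the equivalent binary v2
# header, each followed by the first bytes of a TLS ClientHello record (0x16 0x03 0x01).
SAMPLE_V1 = b"PROXY TCP4 17.198.249.166 88.198.249.254 55976 443\r\n\x16\x03\x01"
SAMPLE_V2 = (V2_SIG + b"\x21\x11" + struct.pack("!H4s4sHH", 12,
             ipaddress.ip_address("17.198.249.166").packed,
             ipaddress.ip_address("88.198.249.254").packed, 55976, 443) + b"\x16\x03\x01")
```

Feeding a backend that only understands one form the other form is exactly the kind of mismatch that surfaces as a parse error and a dropped connection on the backend side.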