ngx_stream_ssl_preread_module does not seem to extract the server_name when connecting with openconnect


ngx_stream_ssl_preread_module does not seem to extract the server_name when connecting with openconnect

Thomas Glanzmann
Hello,
I would like to use ngx_stream_ssl_preread_module to multiplex between a
squid, nginx webserver and ocserv (ssl vpn). I set up nginx the following
way:

stream {
        upstream webserver {
                server 127.0.0.1:443;
        }

        upstream squidtls {
                server 127.0.0.1:8081;
        }

        upstream ocserv {
                server 88.198.249.254:4443;
        }

        map $ssl_preread_server_name $name {
                proxy.glanzmann.de squidtls;
                vpn.gmvl.de ocserv;
                default webserver;
        }

        server {
                proxy_protocol on;
                listen 88.198.249.254:443;
                listen [2a01:4f8:b0:2fff::2]:443;

                proxy_pass  $name;
                ssl_preread on;
        }
}

For the webserver and squid it works like a charm. However when I connect using
'openconnect' I get the ssl certificate of the webserver, but should get the ssl
certificate of the ocserv. I verified using tcpdump and wireshark that
openconnect sets the servername correctly. How can I debug this?

Is it possible to tell nginx to be more verbose so that I can see if it
extracts the SNI string of openconnect correctly or see that maybe nginx
is unable to connect to the ocserv and falls back to the default?

Cheers,
        Thomas
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: ngx_stream_ssl_preread_module does not seem to extract the server_name when connecting with openconnect

Roman Arutyunyan
Hi Thomas,

On Thu, Dec 15, 2016 at 05:08:41PM +0100, Thomas Glanzmann wrote:

> Hello,
> I would like to use ngx_stream_ssl_preread_module to multiplex between a
> squid, nginx webserver and ocserv (ssl vpn). I set up nginx the following
> way:
>
> stream {
>         upstream webserver {
>                 server 127.0.0.1:443;
>         }
>
>         upstream squidtls {
>                 server 127.0.0.1:8081;
>         }
>
>         upstream ocserv {
>                 server 88.198.249.254:4443;
>         }
>
>         map $ssl_preread_server_name $name {
>                 proxy.glanzmann.de squidtls;
>                 vpn.gmvl.de ocserv;
>                 default webserver;
>         }
>
>         server {
>                 proxy_protocol on;
>                 listen 88.198.249.254:443;
>                 listen [2a01:4f8:b0:2fff::2]:443;
>
>                 proxy_pass  $name;
>                 ssl_preread on;
>         }
> }
>
> For the webserver and squid it works like a charm. However when I connect using
> 'openconnect' I get the ssl certificate of the webserver, but should get the ssl
> certificate of the ocserv. I verified using tcpdump and wireshark that
> openconnect sets the servername correctly. How can I debug this?
>
> Is it possible to tell nginx to be more verbose so that I can see if it
> extracts the SNI string of openconnect correctly or see that maybe nginx
> is unable to connect to the ocserv and falls back to the default?

You can try logging $ssl_preread_server_name in access_log.

And it can be a good idea to watch the debug log for ssl preread messages.

--
Roman Arutyunyan

Re: ngx_stream_ssl_preread_module does not seem to extract the server_name when connecting with openconnect

Thomas Glanzmann
Hello,

> How can someone debug ngx_stream_ssl_preread_module?

put the following line in the stream section:

error_log /var/log/nginx/sni_error.log debug;

Once done I found out that

2016/12/15 17:09:00 [error] 21043#0: *7426 recv() failed (104: Connection reset by peer) while proxying connection, client: 17.198.249.166, server: 88.198.249.254:443, upstream: "88.198.249.254:4443", bytes from/to client:0/0, bytes from/to upstream:0/316

And in my syslog I found out:

daemon:Dec 15 17:09:00 infra ocserv[21622]: worker:  worker-proxyproto.c:156: proxy-hdr: invalid v2 header
daemon:Dec 15 17:09:00 infra ocserv[21622]: worker:  worker-vpn.c:560: could not parse proxy protocol header; discarding connection
daemon:Dec 15 17:09:00 infra ocserv[18385]: main: 88.198.249.254:55976 user disconnected (reason: unspecified, rx: 0, tx: 0)

So it seems that the problem is that ocserv can't parse nginx proxy protocol
header. I'll dig deeper and report back once a solution is found.

Cheers,
        Thomas
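The ocserv messages above point at the header nginx puts in front of the upstream connection. In the stream module, `proxy_protocol on` prefixes the proxied connection with the version 1 text header (`PROXY TCP4 src dst sport dport\r\n`), whereas the ocserv log names a v2 header, which is the 12-byte binary-signature form. The following added example, not code from the thread, nginx or ocserv, builds both header forms and parses them with one receiver; it makes visible why a receiver that only recognises the v2 signature rejects the text header. The addresses and ports are taken from the log lines above; the trailing payload bytes are constructed.

```python
import ipaddress
import struct

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte signature that starts every v2 header
V1_MAX_LEN = 107                            # a v1 text header, CRLF included, is at most 107 bytes


def build_proxy_v1(src_ip, dst_ip, src_port, dst_port):
    """Version 1 (text) header, the form nginx's stream proxy_protocol emits."""
    fam = "TCP6" if ipaddress.ip_address(src_ip).version == 6 else "TCP4"
    return f"PROXY {fam} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


def build_proxy_v2(src_ip, dst_ip, src_port, dst_port):
    """Version 2 (binary) header: signature, ver/cmd, family/proto, length, addresses."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    fam_proto = 0x11 if src.version == 4 else 0x21   # AF_INET+STREAM or AF_INET6+STREAM
    addrs = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    return V2_SIGNATURE + bytes([0x21, fam_proto]) + struct.pack("!H", len(addrs)) + addrs


def parse_proxy_header(buf):
    """Accept either header version; return (info dict, bytes after the header).

    Raises ValueError for anything that is not a well-formed header, which is the
    point at which a real receiver would discard the connection."""
    if buf.startswith(V2_SIGNATURE):
        if len(buf) < 16:
            raise ValueError("truncated v2 header")
        ver_cmd, fam_proto, length = struct.unpack("!BBH", buf[12:16])
        if ver_cmd >> 4 != 2:
            raise ValueError("invalid v2 header")
        end = 16 + length
        if len(buf) < end:
            raise ValueError("truncated v2 header")
        if ver_cmd & 0x0F == 0:              # LOCAL command carries no address block
            return {"version": 2, "command": "LOCAL"}, buf[end:]
        addr_len = {0x11: 4, 0x21: 16}.get(fam_proto)
        if addr_len is None or length < 2 * addr_len + 4:
            raise ValueError("unsupported family/protocol or bad v2 length")
        body = buf[16:end]
        src = ipaddress.ip_address(body[:addr_len])
        dst = ipaddress.ip_address(body[addr_len:2 * addr_len])
        sport, dport = struct.unpack("!HH", body[2 * addr_len:2 * addr_len + 4])
        return {"version": 2, "command": "PROXY", "src": str(src), "dst": str(dst),
                "src_port": sport, "dst_port": dport}, buf[end:]

    if buf.startswith(b"PROXY "):
        end = buf.find(b"\r\n", 0, V1_MAX_LEN)  # CRLF must fall inside the 107-byte limit
        if end < 0:
            raise ValueError("invalid or truncated v1 header")
        parts = buf[:end].decode("ascii").split(" ")
        if parts[1:] == ["UNKNOWN"]:
            return {"version": 1, "command": "UNKNOWN"}, buf[end + 2:]
        if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
            raise ValueError("invalid v1 header")
        src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
        sport, dport = int(parts[4]), int(parts[5])
        if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
            raise ValueError("bad port in v1 header")
        return {"version": 1, "command": "PROXY", "src": str(src), "dst": str(dst),
                "src_port": sport, "dst_port": dport}, buf[end + 2:]

    raise ValueError("not a PROXY protocol header")


if __name__ == "__main__":
    # Constructed: the client and upstream endpoints from the log lines in this thread.
    v1 = build_proxy_v1("17.198.249.166", "88.198.249.254", 55976, 443)
    print(v1, parse_proxy_header(v1 + b"\x16\x03\x01")[0])
    print("v1 header starts with v2 signature:", v1.startswith(V2_SIGNATURE))
```

A receiver that tests only for `V2_SIGNATURE` sees the bytes `PROXY TCP4 ...`, fails the signature check and discards the connection; a receiver that also accepts the text branch above gets the same `src`/`dst` information from either form.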

Re: ngx_stream_ssl_preread_module does not seem to extract the server_name when connecting with openconnect

Thomas Glanzmann
Hello Roman,

> You can try logging $ssl_preread_server_name in access_log.

thank you. It seems that nginx is not able to extract the server_name
from openconnect correctly:

2a01:598:8181:37ef:95e1:682:4c98:449e - [15/Dec/2016:17:45:57 +0100] ""

When I connect with a browser:

2a01:598:8181:37ef:95e1:682:4c98:449e - [15/Dec/2016:17:46:20 +0100] "vpn.gmvl.de"

This seems to be one problem. And another problem seems to be the backend
communication between nginx and ocserv using the proxy protocol.

Here is tcpdump of the openconnect ssl handshake with nginx:

https://thomas.glanzmann.de/tmp/openconnect_sni.pcap

I'm using the command line 'openconnect vpn.gmvl.de'.

Cheers,
        Thomas
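The empty `""` in the first log line above means the preread step found no host_name in the ClientHello, so `$ssl_preread_server_name` stayed empty and the `map` fell through to `default webserver`. The walk that `ssl_preread` performs over the first buffered bytes (record header, handshake header, fixed ClientHello fields, then the extensions list) can be reproduced outside nginx. The following added example is not nginx code: it builds a minimal ClientHello from constructed values, extracts the server_name extension, and returns `None` in exactly the cases where a real parser would leave the variable empty (no extensions block, truncated record, first byte not a TLS handshake). Unknown extensions placed before server_name are skipped rather than rejected.

```python
import struct

TLS_HANDSHAKE = 0x16          # record content type for handshake messages
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000      # server_name extension type
SNI_HOST_NAME = 0x00          # NameType host_name inside that extension


def build_client_hello(server_name=None, extra_extensions=()):
    """Constructed TLS 1.2 ClientHello record (test data, not a captured handshake)."""
    exts = b""
    for ext_type, ext_data in extra_extensions:      # put unknown extensions first
        exts += struct.pack("!HH", ext_type, len(ext_data)) + ext_data
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = b"\x03\x03" + bytes(32) + b"\x00"          # version, zeroed random, empty session_id
    suites = b"\xc0\x2f\xc0\x30\x00\x9c"              # a few cipher suite ids
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"   # one compression method: null
    if exts:
        body += struct.pack("!H", len(exts)) + exts  # extensions block is optional
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


class _Reader:
    """Bounds-checked cursor: any read past the buffer raises ValueError."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def done(self):
        return self.pos == len(self.buf)

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack("!H", self.take(2))[0]

    def u24(self):
        return int.from_bytes(self.take(3), "big")


def extract_sni(data):
    """Return the host_name from the ClientHello's server_name extension, else None."""
    try:
        rec = _Reader(data)
        if rec.u8() != TLS_HANDSHAKE:
            return None
        rec.take(2)                                   # record-layer version
        hs = _Reader(rec.take(rec.u16()))             # record payload
        if hs.u8() != HANDSHAKE_CLIENT_HELLO:
            return None
        hello = _Reader(hs.take(hs.u24()))
        hello.take(2 + 32)                            # client_version + random
        hello.take(hello.u8())                        # session_id
        hello.take(hello.u16())                       # cipher_suites
        hello.take(hello.u8())                        # compression_methods
        if hello.done():
            return None                               # no extensions at all
        exts = _Reader(hello.take(hello.u16()))
        while not exts.done():
            ext_type = exts.u16()
            ext = _Reader(exts.take(exts.u16()))      # skip extensions we do not handle
            if ext_type != EXT_SERVER_NAME:
                continue
            names = _Reader(ext.take(ext.u16()))
            while not names.done():
                name_type = names.u8()
                name = names.take(names.u16())
                if name_type == SNI_HOST_NAME:
                    return name.decode("ascii")
        return None
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("vpn.gmvl.de")))
    print(extract_sni(build_client_hello(None)))
```

Feeding the first bytes of a captured client handshake (for instance the ClientHello record from the pcap linked above) into `extract_sni` gives the same yes/no answer the access log gave, and the `None` branches say where the walk stopped.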

Re: ngx_stream_ssl_preread_module does not seem to extract the server_name when connecting with openconnect

Roman Arutyunyan
Hi Thomas,

On Thu, Dec 15, 2016 at 05:50:48PM +0100, Thomas Glanzmann wrote:

> Hello Roman,
>
> > You can try logging $ssl_preread_server_name in access_log.
>
> thank you. It seems that nginx is not able to extract the server_name
> from openconnect correctly:
>
> 2a01:598:8181:37ef:95e1:682:4c98:449e - [15/Dec/2016:17:45:57 +0100] ""
>
> When I connect with a browser:
>
> 2a01:598:8181:37ef:95e1:682:4c98:449e - [15/Dec/2016:17:46:20 +0100] "vpn.gmvl.de"
>
> This seems to be one problem. And another problem seems to be the backend
> communication between nginx and ocserv using the proxy protocol.
>
> Here is tcpdump of the openconnect ssl handshake with nginx:
>
> https://thomas.glanzmann.de/tmp/openconnect_sni.pcap
>
> I'm using the command line 'openconnect vpn.gmvl.de'.
Please try the attached patch.

--
Roman Arutyunyan


ssl-preread-relax (1K) Download Attachment

Re: ngx_stream_ssl_preread_module does not seem to extract the server_name when connecting with openconnect

Thomas Glanzmann
Hello Roman,

> Please try the attached patch.

thank you for the patch. The patch solves my SNI problem:

185.46.137.5 - [15/Dec/2016:22:25:00 +0100] "vpn.gmvl.de"

Cheers,
        Thomas

Re: ngx_stream_ssl_preread_module does not seem to extract the server_name when connecting with openconnect

Roman Arutyunyan
Hi Thomas,

On Thu, Dec 15, 2016 at 10:26:29PM +0100, Thomas Glanzmann wrote:
> Hello Roman,
>
> > Please try the attached patch.
>
> thank you for the patch. The patch solves my SNI problem:
>
> 185.46.137.5 - [15/Dec/2016:22:25:00 +0100] "vpn.gmvl.de"

Committed, thanks.

http://hg.nginx.org/nginx/rev/01adb18a5d23

--
Roman Arutyunyan