Run Ocserv VPN Server & Apache/Nginx on the Same Box with HAProxy

Stipulations

To comply with this tutorial, it’s assumed that you’ve already arrange an OpenConnect VPN server with Let’s Encrypt TLS server certificates. If not, please comply with one of many following tutorials.

Make OpenConnect VPN server and internet server use port 443 on the identical time

By default, OpenConnect VPN server listens on port 443. If you have already got Apache/Nginx listening on port 443, then ocserv can’t bind to port 443. You may configure ocserv to pay attention on one other port, however it’s going to require end-users to specify the port in shopper Software program which you need to keep away from should you care about consumer expertise.

Usually a port can solely be utilized by one course of. Nevertheless, we will use HAproxy (Excessive Availability Proxy) and SNI (Server Identify Indication) to make ocserv and Apache/Nginx use port 443 on the identical time.

Ocserv Configuration

First, edit ocserv configuration file.

sudo nano /and so on/ocserv/ocserv.conf

Uncomment the next line. This can permit ocserv to acquire the shopper IP handle as an alternative of HAproxy IP handle.

listen-proxy-proto = true

Then discover the next line.

#listen-host = [IP|HOSTNAME]

Change it to

listen-host = 127.0.0.1

This can make ocserv pay attention on 127.0.0.1 as a result of later HAproxy might want to pay attention on the general public IP handle. Save and shut the file. Then restart ocserv.

sudo systemctl restart ocserv

Subsequent, we additionally have to make the online server pay attention on localhost solely, as an alternative of listening on public IP handle.

Nginx Configuration

For those who use Nginx, edit the server block file.

sudo nano /and so on/nginx/conf.d/instance.com.conf

Within the SSL server block, discover the next directive.

pay attention 443 ssl;

Change it to

pay attention 127.0.0.2:443 ssl;

This time we make it pay attention on 127.0.0.2:443 as a result of 127.0.0.1:443 is already taken by ocserv. Save and shut the file. The Nginx primary configuration file /and so on/nginx/nginx.conf and the default server block /and so on/nginx/sites-enabled/default would possibly embody a default digital host listening on 443, so that you would possibly have to edit this file too.

Then restart Nginx.

sudo systemctl restart nginx

Apache Configuration

For those who use Apache internet server, edit your digital host file.

Debian/Ubuntu

sudo nano /and so on/apache2/sites-enabled/instance.com.conf

CentOS/RHEL

sudo nano /and so on/httpd/conf.d/instance.com.conf

Within the SSL digital host, change

To

This time we make it pay attention on 127.0.0.2:443 as a result of 127.0.0.1:443 is already taken by ocserv. Save and shut the file.

Then edit the /and so on/apache2/ports.conf file on Debian/Ubuntu.

sudo nano /and so on/apache2/ports.conf

Edit the/and so on/httpd/conf.d/ssl.conf file on CentOS/RHEL.

sudo nano /and so on/httpd/conf.d/ssl.conf

Change

Hear 443

To

Hear 127.0.0.2:443

Save and shut the file. Restart Apache.

sudo systemctl restart apache2

or

sudo systemctl restart httpd

HAProxy Configuration

Now set up HAproxy.

sudo apt set up haproxy

or

sudo dnf set up haproxy

Begin HAProxy

sudo systemctl begin haproxy

Edit configuration file.

sudo nano /and so on/haproxy/haproxy.cfg

For those who use Nginx, copy and paste the next traces to the tip of the file. Substitute 12.34.56.78 with the general public IP handle of your server. Substitute vpn.instance.com with the area title utilized by ocserv and www.instance.com with the area title utilized by your internet server.

frontend https
bind 12.34.56.78:443
mode tcp
tcp-request inspect-delay 5s
tcp-request content material settle for if { req_ssl_hello_type 1 }

use_backend ocserv if
use_backend nginx if req_ssl_sni -i www.instance.com
use_backend nginx if

default_backend ocserv

backend ocserv
mode tcp
choice ssl-hello-chk
server ocserv 127.0.0.1:443 send-proxy-v2

backend nginx
mode tcp
choice ssl-hello-chk
server nginx 127.0.0.2:443 verify

For those who use Apache, copy and paste the next traces to the tip of the file. Substitute 12.34.56.78 with the general public IP handle of your server. Substitute vpn.instance.com with the area title utilized by ocserv and www.instance.com with the area title utilized by your internet server.

frontend https
bind 12.34.56.78:443
mode tcp
tcp-request inspect-delay 5s
tcp-request content material settle for if { req_ssl_hello_type 1 }

use_backend ocserv if
use_backend apache if req_ssl_sni -i www.instance.com
use_backend apache if

default_backend ocserv

backend ocserv
mode tcp
choice ssl-hello-chk
server ocserv 127.0.0.1:443 send-proxy-v2

backend apache
mode tcp
choice ssl-hello-chk
server apache 127.0.0.2:443 verify

Save and shut the file. Then restart HAproxy.

sudo systemctl restart haproxy

Within the configuration above, we utilized the SNI (Server Identify Indication) characteristic in TLS to distinguish VPN site visitors and regular HTTPS site visitors

• When vpn.instance.com is within the TLS Consumer Whats up, HAProxy redirect Site visitors to the ocserv backend.
• When www.instance.com is within the TLS Consumer Whats up, HAProxy redirect site visitors to the apache/nginx backend.
• If the shopper doesn’t specify the server title in TLS Consumer Whats up, then HAproxy will use the default backend (ocserv).

You may check this setup with the openssl instrument. First, run the next command a number of instances.

echo | openssl s_client -connect your-server-IP:443 | grep topic

We didn’t specify server title within the above command, so HAproxy will at all times cross the request to the default backend (ocserv), and its certificates shall be despatched to the shopper. Subsequent, run the next two instructions.

echo | openssl s_client -servername www.instance.com -connect your-server-IP:443 | grep topic

echo | openssl s_client -servername vpn.instance.com -connect your-server-IP:443 | grep topic

Now we specified the server title within the instructions, so HAproxy will cross requests in accordance with the SNI guidelines we outlined. Observe that the Cisco AnyConnect App doesn’t help TLS SNI, so it’s higher to set ocserv because the default backend in HAProxy configuration file.

When renewing Let’s Encrypt certificates on your web site it’s really useful that you just use the http-01 problem as an alternative of tls-alpn-01 problem, as a result of HAproxy is listening on port 443 of the general public IP handle, so it may possibly intrude with the renewal course of.

sudo certbot renew –preferred-challenges http-01

Fixing HAproxy Error

In case your Apache/Nginx Web site doesn’t present up in your browser and also you see the next messages in haproxy log (/var/log/haproxy.log)

Server nginx/nginx is DOWN, cause: Socket error, data: “Connection reset by peer

backend nginx has no server accessible!

Layer6 invalid response

It may be your backend Nginx internet server is utilizing a TLS certificates with OCSP should staple extension. Nginx doesn’t ship the OCSP staple info on the primary HTTP request. To make it work, you should definitely add a resolver in your Nginx digital host configuration like beneath.

….
ssl_trusted_certificate /and so on/letsencrypt/stay/www.instance.com/chain.pem;
ssl_stapling on;
ssl_stapling_verify on;

resolver 8.8.8.8;
….

Save and shut the file. Then restart Nginx.

sudo systemctl restart nginx

Additionally, contemplate eradicating the well being verify for the backend server in HAproxy. So change

server nginx 127.0.0.2:443 verify

To

server nginx 127.0.0.2:443

Save and shut the file. Then restart HAproxy.

sudo systemctl restart haproxy

Wrapping Up

I hope this tutorial helped you run OpenConnect VPN server and Apache/Nginx on the identical field. As at all times, should you discovered this put up helpful, then subscribe to our free publication to get extra ideas and methods. Take care ?