This tutorial will show you how to run OpenConnect VPN server (ocserv) and Apache/Nginx on the same box with HAProxy. OpenConnect (ocserv) is an open-source implementation of the Cisco AnyConnect VPN protocol.
Prerequisites
To follow this tutorial, it's assumed that you have already set up an OpenConnect VPN server with Let's Encrypt TLS server certificates. If not, please follow one of the following tutorials.
Make OpenConnect VPN server and web server use port 443 at the same time
By default, OpenConnect VPN server listens on port 443. If you already have Apache/Nginx listening on port 443, then ocserv can't bind to port 443. You can configure ocserv to listen on another port, but that requires end users to enter the port in their client software, which you may want to avoid if you care about user experience.
Normally a port can only be used by one process. However, we can use HAProxy (High Availability Proxy) and SNI (Server Name Indication) to make ocserv and Apache/Nginx share port 443 at the same time.
Ocserv Configuration
First, edit the ocserv configuration file.
sudo nano /etc/ocserv/ocserv.conf
Uncomment the following line. This allows ocserv to obtain the real client IP address (via the PROXY protocol header HAProxy sends) instead of seeing the HAProxy IP address for every connection.
listen-proxy-proto = true
Then find the following line.
#listen-host = [IP|HOSTNAME]
Change it to
listen-host = 127.0.0.1
This makes ocserv listen on 127.0.0.1 only, because later HAProxy will need to listen on the public IP address. Save and close the file. Then restart ocserv.
sudo systemctl restart ocserv
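As an added illustration (not part of the original tutorial, and not ocserv's or HAProxy's own code), this is what listen-proxy-proto = true makes ocserv expect at the start of every connection: HAProxy's send-proxy-v2 prepends a PROXY protocol v2 header carrying the real client address, which is what keeps ocserv's logs and any per-client-IP limits pointed at the VPN client rather than at 127.0.0.1. The encoder and decoder below handle the TCP-over-IPv4 case; the addresses in the test are constructed.

```python
import socket
import struct

# 12-byte signature that starts every PROXY protocol v2 header
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


def build_proxy_v2_header(src_ip, src_port, dst_ip, dst_port):
    """Encode the header HAProxy's 'send-proxy-v2' prepends for TCP over IPv4.
    src is the real VPN client, dst is the address the client connected to."""
    addrs = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
             + struct.pack("!HH", src_port, dst_port))
    # 0x21 = version 2 | PROXY command; 0x11 = AF_INET | SOCK_STREAM
    return PP2_SIGNATURE + b"\x21\x11" + struct.pack("!H", len(addrs)) + addrs


def parse_proxy_v2_header(data):
    """Decode what a 'listen-proxy-proto = true' listener reads before the TLS
    ClientHello. Returns (src_ip, src_port, dst_ip, dst_port, payload);
    the address fields are None for a LOCAL (health-check) header."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        # A peer that sends no header must be rejected, never trusted:
        # otherwise any local process could claim an arbitrary client IP.
        raise ValueError("missing PROXY v2 header")
    ver_cmd, family, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY v2 header")
    body, payload = data[16:16 + length], data[16 + length:]
    if ver_cmd & 0x0F == 0:                 # LOCAL command: no client address
        return None, None, None, None, payload
    if family != 0x11 or length < 12:
        raise ValueError("only TCP over IPv4 handled in this example")
    src_ip, dst_ip = socket.inet_ntoa(body[0:4]), socket.inet_ntoa(body[4:8])
    src_port, dst_port = struct.unpack("!HH", body[8:12])
    return src_ip, src_port, dst_ip, dst_port, payload
```

Because ocserv now requires this header, binding it to 127.0.0.1 matters: only HAProxy should be able to reach that socket and assert a client address.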
Next, we also need to make the web server listen on localhost only, instead of listening on the public IP address.
Nginx Configuration
If you use Nginx, edit the server block file.
sudo nano /etc/nginx/conf.d/example.com.conf
In the SSL server block, find the following directive.
listen 443 ssl;
Change it to
listen 127.0.0.2:443 ssl;
This time we make it listen on 127.0.0.2:443 because 127.0.0.1:443 is already taken by ocserv. Save and close the file. The Nginx main configuration file /etc/nginx/nginx.conf and the default server block /etc/nginx/sites-enabled/default might include a default virtual host listening on 443, so you might need to edit those files too.
Then restart Nginx.
sudo systemctl restart nginx
Apache Configuration
If you use the Apache web server, edit your virtual host file.
Debian/Ubuntu
sudo nano /etc/apache2/sites-enabled/example.com.conf
CentOS/RHEL
sudo nano /etc/httpd/conf.d/example.com.conf
In the SSL virtual host, change
<VirtualHost *:443>
To
<VirtualHost 127.0.0.2:443>
This time we make it listen on 127.0.0.2:443 because 127.0.0.1:443 is already taken by ocserv. Save and close the file.
Then edit the /etc/apache2/ports.conf file on Debian/Ubuntu.
sudo nano /etc/apache2/ports.conf
Edit the /etc/httpd/conf.d/ssl.conf file on CentOS/RHEL.
sudo nano /etc/httpd/conf.d/ssl.conf
Change
Listen 443
To
Listen 127.0.0.2:443
Save and close the file. Restart Apache.
sudo systemctl restart apache2
or
sudo systemctl restart httpd
HAProxy Configuration
Now install HAProxy.
sudo apt install haproxy
or
sudo dnf install haproxy
Start HAProxy.
sudo systemctl start haproxy
Edit the configuration file.
sudo nano /etc/haproxy/haproxy.cfg
If you use Nginx, copy and paste the following lines to the end of the file. Replace 12.34.56.78 with the public IP address of your server. Replace vpn.example.com with the domain name used by ocserv and www.example.com with the domain name used by your web server.
frontend https
    bind 12.34.56.78:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend ocserv if { req_ssl_sni -i vpn.example.com }
    use_backend nginx if { req_ssl_sni -i www.example.com }
    default_backend ocserv

backend ocserv
    mode tcp
    option ssl-hello-chk
    server ocserv 127.0.0.1:443 send-proxy-v2

backend nginx
    mode tcp
    option ssl-hello-chk
    server nginx 127.0.0.2:443 check
If you use Apache, copy and paste the following lines to the end of the file. Replace 12.34.56.78 with the public IP address of your server. Replace vpn.example.com with the domain name used by ocserv and www.example.com with the domain name used by your web server.
frontend https
    bind 12.34.56.78:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend ocserv if { req_ssl_sni -i vpn.example.com }
    use_backend apache if { req_ssl_sni -i www.example.com }
    default_backend ocserv

backend ocserv
    mode tcp
    option ssl-hello-chk
    server ocserv 127.0.0.1:443 send-proxy-v2

backend apache
    mode tcp
    option ssl-hello-chk
    server apache 127.0.0.2:443 check
Save and close the file. Then restart HAProxy.
sudo systemctl restart haproxy
In the configuration above, we used the SNI (Server Name Indication) feature of TLS to tell VPN traffic apart from normal HTTPS traffic:
- When vpn.example.com is in the TLS Client Hello, HAProxy routes the traffic to the ocserv backend.
- When www.example.com is in the TLS Client Hello, HAProxy routes the traffic to the apache/nginx backend.
- If the client doesn't specify a server name in the TLS Client Hello, HAProxy uses the default backend (ocserv).
You can test this setup with the openssl tool. First, run the following command a few times.
echo | openssl s_client -connect your-server-IP:443 | grep subject
We didn't specify a server name in the above command, so HAProxy will always pass the connection to the default backend (ocserv), and its certificate will be sent to the client. Next, run the following two commands.
echo | openssl s_client -servername www.example.com -connect your-server-IP:443 | grep subject
echo | openssl s_client -servername vpn.example.com -connect your-server-IP:443 | grep subject
Now we specified the server name in the commands, so HAProxy will pass the connections according to the SNI rules we defined. Note that the Cisco AnyConnect app doesn't support TLS SNI, so it's better to set ocserv as the default backend in the HAProxy configuration file.
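To make the routing rules concrete, here is an added example (not from the original tutorial, and not HAProxy's code) that builds a constructed TLS ClientHello, pulls the SNI out of it the way the req_ssl_sni fetch does, and applies the frontend rules in the same order as the configuration above. It shows why a client that sends no SNI, such as AnyConnect, lands on ocserv, and why an unknown name does too, so the web server only ever receives connections that named it.

```python
import struct

def build_client_hello(server_name=None):
    """Constructed test input: a minimal TLS ClientHello; None = no SNI sent."""
    body = b"\x03\x03" + b"\x00" * 32            # client_version + random
    body += b"\x00"                               # empty session id
    body += b"\x00\x02\x13\x01"                   # one cipher suite
    body += b"\x01\x00"                           # null compression only
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts = b"\x00\x00" + struct.pack("!H", len(sni_list)) + sni_list
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body      # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # handshake record

def extract_sni(record):
    """Return the SNI host name from a ClientHello record (what req_ssl_sni reads), else None."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                         # not a ClientHello (req_ssl_hello_type 1)
    hs = record[5:]
    p = 4 + 2 + 32                          # handshake header, version, random
    p += 1 + hs[p]                          # session id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher suites
    p += 1 + hs[p]                          # compression methods
    if p + 2 > len(hs):
        return None                         # no extensions block at all
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0 and hs[p + 2] == 0:   # server_name ext, host_name entry
            nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]
            return hs[p + 5:p + 5 + nlen].decode("ascii")
        p += elen
    return None

def choose_backend(record, vpn="vpn.example.com", web="www.example.com"):
    """Apply the frontend rules in order; -i is case-insensitive, the rest is default_backend."""
    sni = (extract_sni(record) or "").lower()
    if sni == vpn:
        return "ocserv"
    if sni == web:
        return "nginx"
    return "ocserv"                         # no SNI or unknown name
```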
When renewing Let's Encrypt certificates for your website, it's recommended that you use the http-01 challenge instead of the tls-alpn-01 challenge, because HAProxy is listening on port 443 of the public IP address and can interfere with the renewal process.
sudo certbot renew --preferred-challenges http-01
Fixing HAProxy Error
If your Apache/Nginx website doesn't show up in your browser and you see the following messages in the haproxy log (/var/log/haproxy.log)
Server nginx/nginx is DOWN, reason: Socket error, info: "Connection reset by peer"
backend nginx has no server available!
Layer6 invalid response
it could be that your backend Nginx web server is using a TLS certificate with the OCSP must-staple extension. Nginx doesn't send the OCSP staple information on the first HTTPS request, so HAProxy's TLS health check fails. To make it work, be sure to add a resolver in your Nginx virtual host configuration like below.
...
ssl_trusted_certificate /etc/letsencrypt/live/www.example.com/chain.pem;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
...
Save and close the file. Then restart Nginx.
sudo systemctl restart nginx
Also, consider removing the health check for the backend server in HAProxy. So change
server nginx 127.0.0.2:443 check
To
server nginx 127.0.0.2:443
Save and close the file. Then restart HAProxy.
sudo systemctl restart haproxy
Wrapping Up
I hope this tutorial helped you run OpenConnect VPN server and Apache/Nginx on the same box. As always, if you found this post useful, subscribe to our free newsletter to get more tips and tricks. Take care.