On Wed, Jan 22, 2014 at 4:14 PM, Thomas Glanzmann <thomas at glanzmann.de> wrote:
> Hello everyone,
> I would like to extend nginx with a CONNECT statement which connects to
> a TCP socket. Could someone walk me through which source files I need to
> modify and which functions I should have a look at?
> Or if there is anything else that can give me a quickstart?

If the idea is to make ocserv run in parallel with a web server, I've been
thinking lately about some alternatives.

1. One is to use TLS ALPN [0] to advertise the VPN server and have a kernel
module that distributes the VPN service to the proper server (e.g. via a
special setsockopt).

2. Use TLS ALPN on the web server (by reading the client hello in peek mode),
and if it is a VPN connection pass the socket to ocserv. A minimal socket
passing method has to be used.

3. Have a superserver that will forward the connection to the appropriate
server (using ALPN or dns_name). sslh, which was proposed by Jason, sounds
like something close to that.

The drawback of ALPN is that old clients that don't use ALPN wouldn't be
distinguished. However, other fields of the TLS client hello can be used to
distinguish the client (e.g., the dns_name of the server -> vpn.example.com
will be forwarded to ocserv, while www.example.com will be handled by the
web server).

[0]. http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-03

regards,
Nikos
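The client-hello inspection that options 2 and 3 rely on, as an added example that is not part of this thread nor code from ocserv, nginx or sslh: it takes the bytes a superserver would peek off a fresh connection, pulls out the ALPN list and the SNI dns_name, and routes on ALPN when the client sends it, falling back to SNI for the pre-ALPN clients the mail mentions. The ALPN identifier "x-vpn-hypothetical", the host names and the ClientHello bytes are all constructed for the example; no registered VPN ALPN id is assumed.

```python
import struct
SNI, ALPN = 0x0000, 0x0010  # extension type codes (RFC 6066, ALPN draft)
def build_client_hello(server_name=None, alpn_protocols=()):
    exts = b""  # constructed sample (TLS 1.2 record layout), not a real capture
    if server_name:  # server_name list: one host_name (type 0) entry
        entry = b"\x00" + struct.pack(">H", len(server_name)) + server_name.encode()
        exts += struct.pack(">HHH", SNI, len(entry) + 2, len(entry)) + entry
    if alpn_protocols:  # protocol_name_list: length-prefixed identifiers
        lst = b"".join(bytes([len(p)]) + p.encode() for p in alpn_protocols)
        exts += struct.pack(">HHH", ALPN, len(lst) + 2, len(lst)) + lst
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    if exts:  # an old client sends no extensions block at all
        body += struct.pack(">H", len(exts)) + exts
    hs = b"\x01" + struct.pack(">I", len(body))[1:] + body  # ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs  # handshake record

def parse_client_hello(data):
    """Return (sni_name, [alpn ids]) from bytes peeked off a fresh connection."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = data[5:5 + struct.unpack(">H", data[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                    # handshake hdr, version, random
    pos += 1 + hs[pos]                                  # session_id
    pos += 2 + struct.unpack(">H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]                                  # compression_methods
    name, protos = None, []
    if pos + 2 > len(hs):
        return name, protos                             # pre-extension client
    end = pos + 2 + struct.unpack(">H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", hs[pos:pos + 4])
        body = hs[pos + 4:pos + 4 + elen]
        if etype == SNI and len(body) >= 5:
            name = body[5:5 + struct.unpack(">H", body[3:5])[0]].decode("ascii", "replace")
        elif etype == ALPN and len(body) >= 2:
            i = 2
            while i < len(body):
                protos.append(body[i + 1:i + 1 + body[i]].decode("ascii", "replace"))
                i += 1 + body[i]
        pos += 4 + elen
    return name, protos

def route(data, vpn_alpn="x-vpn-hypothetical", vpn_names=("vpn.example.com",)):
    """Pick the backend: ALPN when the client sends it, else fall back to SNI."""
    name, protos = parse_client_hello(data)
    return "ocserv" if vpn_alpn in protos or name in vpn_names else "webserver"
```

In a real superserver the bytes would come from recv() with MSG_PEEK so the full record is still on the socket when it is handed to the chosen backend.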