On Tue, Sep 23, 2014 at 11:32 AM, Alexander Rumyantsev <alexander at rumyantsev.com> wrote:
>>> P.S. I think the mode of external ssl termination with unix socket support will be very useful in ocserv.
>>
>> Do you have some more information on that? Is there a known "protocol"
>> to forward SSL connections to another process which listens to unix
>> sockets? It would be even more interesting if there was not any
>> termination at all and the SSL session was forwarded as is (e.g., via
>> file descriptor passing).
> I mean pure external SSL termination. I understand that it limits the functionality of ocserv, but in some cases it seems useful to me.
> That's how I see this: openconnect establishes an ssl-session with haproxy, which, in its turn, establishes a pure http session without SSL/TLS with ocserv as a backend through a unix socket.
> Once again, I want to share an IP-address and the standard 443 port between ocserv and an http-server, using the User-Agent http header as a distinguisher.
> By now, if haproxy determines an OpenConnect/AnyConnect client, it makes an SSL connection to the backend, ocserv. It works, but I think it's a useless CPU overhead in my case.
> In case of a browser connection, haproxy establishes an http session with nginx by unix socket, acting as SSL terminator for the http-server.
> Haproxy, in TCP mode, of course, can forward an SSL session, but in this case I cannot route requests to different backends based on HTTP information.

It seems it was quite simple to add. I've added the "unix-conn-file" configuration option in git master which accepts plaintext connections over the socket if specified.

regards,
Nikos
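The deployment Alexander describes, written out as an HAProxy configuration. This is an added example, not a configuration from the thread, from ocserv or from the HAProxy project: HAProxy terminates TLS on port 443, picks the backend from the User-Agent header, and talks plain HTTP over unix sockets to both ocserv (listening on the socket named by the "unix-conn-file" option from the message above) and nginx. The socket paths, certificate path, frontend/backend names and timeout values are placeholders chosen for the example.

```haproxy
# Constructed example (not from the thread): TLS terminated once, in HAProxy,
# then dispatched in plaintext over unix sockets. All paths are placeholders.
global
    log /dev/log local0

defaults
    log     global
    mode    http
    option  httplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s
    # After the CSTP CONNECT request the connection becomes a long-lived
    # tunnel; give it a tunnel timeout far longer than an ordinary request.
    timeout tunnel  12h

frontend https_in
    bind :443 ssl crt /etc/haproxy/certs/vpn.example.pem
    # Same distinguisher as in the thread: the client's User-Agent.
    # Case-insensitive substring match on either client name.
    acl is_vpn req.hdr(User-Agent) -m sub -i OpenConnect
    acl is_vpn req.hdr(User-Agent) -m sub -i AnyConnect
    use_backend ocserv if is_vpn
    default_backend nginx

backend ocserv
    # ocserv accepting plaintext on its unix socket; no "ssl" keyword on the
    # server line, so there is no second TLS handshake on the backend leg.
    server ocserv1 unix@/run/ocserv/clear.sock

backend nginx
    # nginx likewise speaks plain HTTP on a local socket; HAProxy is the
    # TLS terminator for both backends.
    server nginx1 unix@/run/nginx/http.sock
```

Two things to keep in mind with this layout. The User-Agent header is chosen by the client, so the ACL is a routing convenience, not an access control: either backend must be safe to reach from any client that connects to port 443. And once TLS ends at HAProxy, the unix socket files become the trust boundary between the proxy and ocserv, so their filesystem permissions should allow only the HAProxy user to connect; ocserv itself no longer sees the TLS session, which is the functional limitation Alexander acknowledges above.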