The option is all or nothing. If true then all the forwarded connections must have the header.

On September 27, 2018 11:02:20 AM UTC, Volodymyr Litovka <doka.ua at gmail.com> wrote:
>Hello, colleagues,
>
>I'm facing a strange issue, connecting to ocserv (0.11.9-1, Ubuntu 18)
>using openconnect (7.08, OSX) from behind NAT without any proxies
>inline.
>
>When switching listen-proxy-proto to false, everything works like a
>charm, but as soon as I switch this option to true, I'm getting the
>following error on client side:
>
># openconnect -u doka --pfs server.fqdn
>POST https://server.fqdn/
>Connected to x.x.x.x:443
>SSL negotiation with server.fqdn
>SSL connection failure: Error in the pull function.
>Failed to open HTTPS connection to server.fqdn
>Failed to obtain WebVPN cookie
>
>while server side says:
>
>ocserv[5105]: worker:? accepted proxy protocol connection
>ocserv[5105]: worker:? worker-proxyproto.c:317: proxy-hdr: invalid v2 header
>ocserv[5105]: worker:? worker-vpn.c:572: could not parse proxy protocol header; discarding connection
>ocserv[5103]: main: client:53370 worker terminated
>
>The question is: does listen-proxy-proto mandate proxy protocol in
>negotiation? If so - does it mean that any connection without proxy
>will fail? If so - are there ways to ensure availability of VPN server
>for any kind of connectivity conditions (i.e. with [transparent] proxy
>and without proxy) (for clients, which can work from hotels,
>restaurants and where it's impossible to change connectivity options)
>
>Thank you!
>
>--
>Volodymyr Litovka
>  "Vision without Execution is Hallucination." -- Thomas Edison

--
Sent from my mobile. Please excuse my brevity.
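
Why a direct client is rejected when the option is on, as an added example (not part of the original messages and not ocserv's own code): a minimal parser for the PROXY protocol v2 header reads the first bytes of a connection, and a client that connects without a proxy sends a TLS ClientHello there instead. The addresses, ports and the names `parse_proxy_v2`, `VIA_PROXY` and `DIRECT_TLS` are constructed for illustration.

```python
import ipaddress
import struct

# 12-byte signature that opens every PROXY protocol v2 header (HAProxy spec).
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


def parse_proxy_v2(data: bytes) -> dict:
    """Parse a PROXY v2 header; raise ValueError if the bytes are not one."""
    if len(data) < 16 or data[:12] != V2_SIGNATURE:
        raise ValueError("invalid v2 header: signature missing")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("invalid v2 header: bad version")
    command = {0: "LOCAL", 1: "PROXY"}.get(ver_cmd & 0x0F)
    if command is None:
        raise ValueError("invalid v2 header: bad command")
    if len(data) < 16 + length:
        raise ValueError("invalid v2 header: truncated address block")
    result = {"command": command, "header_len": 16 + length}
    body = data[16:16 + length]
    if command == "PROXY" and fam_proto == 0x11 and length >= 12:  # TCP/IPv4
        src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
        result.update(src=f"{ipaddress.IPv4Address(src)}:{sport}",
                      dst=f"{ipaddress.IPv4Address(dst)}:{dport}")
    elif command == "PROXY" and fam_proto == 0x21 and length >= 36:  # TCP/IPv6
        src, dst, sport, dport = struct.unpack("!16s16sHH", body[:36])
        result.update(src=f"[{ipaddress.IPv6Address(src)}]:{sport}",
                      dst=f"[{ipaddress.IPv6Address(dst)}]:{dport}")
    return result


# Constructed sample inputs (documentation addresses, not from the thread).
VIA_PROXY = (V2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", 12)
             + ipaddress.IPv4Address("198.51.100.7").packed
             + ipaddress.IPv4Address("203.0.113.10").packed
             + struct.pack("!HH", 51234, 443))
# A direct client starts with a TLS record header (handshake, ClientHello).
DIRECT_TLS = bytes.fromhex("16030100c8010000c40303") + bytes(32)

if __name__ == "__main__":
    print(parse_proxy_v2(VIA_PROXY))
    try:
        parse_proxy_v2(DIRECT_TLS)
    except ValueError as err:
        print("direct TLS client rejected:", err)
```

Because a receiver in this mode consumes the header before TLS starts, the same listening port cannot serve both proxied and direct clients.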