Hello, I deployed Ocserv v1.1.6 as a container and got a domain certificate from Let's Encrypt. If I only expose the port of the Ocserv container and connect to it directly, everything works fine.
However, if I add HAProxy and set `listen-proxy-proto = true` in Ocserv, I get the error `worker[username]: [container-ip] worker-vpn.c:1544: error parsing CSTP data. sec-mod: temporarily closing session for username.`, and the client starts trying to reconnect and the server just closes the session again and again.

Btw, I have to add the `ssl verify none` option; otherwise, I get the error `worker: 172.18.0.2 warning: Received record packet of unknown type 71. GnuTLS error (at worker-vpn.c:861): An unexpected TLS packet was received.`

I also set up SSL in the Nginx config, and I also need to add `ssl verify none` to access the web page. So I guess this issue is related to HAProxy.

Here's my HAProxy config:

    defaults
        mode tcp

    frontend tls-in
        bind :443 tfo ssl crt /etc/ssl/certs/priv-fullchain-bundle.pem
        tcp-request inspect-delay 5s
        default_backend ocserv

    backend ocserv
        server ocserv ocserv:443 send-proxy-v2 ssl verify none

Please let me know if you have any ideas. It might be a big help. Thanks.

Best regards,
Xiaohong