
Proxy HTTPS requests to Web-server #14

Open
alex-eri opened this issue Jan 6, 2017 · 8 comments

Comments

@alex-eri

alex-eri commented Jan 6, 2017

For serving HTTP and SSTP together it would be a great feature.

@sorz
Owner

sorz commented Jan 8, 2017

The current sstp-server actually does not implement an HTTP stack, while
proxying HTTP requests needs a full HTTP stack. I don't really want to do that.

I prefer to let the web server proxy SSTP traffic to the SSTP server. However, when I tried it with nginx,
it complained that the content-length value is too large and then rejected the HTTP request.

For now, you may bind SSTP on another port while HTTPS stays on TCP 443.
Or let sniproxy (or nginx with ngx_stream_ssl_preread_module) listen on 443, and
proxy TLS traffic to the web server or the SSTP server depending on the domain name in the TLS request.

@deba12
Contributor

deba12 commented Jan 11, 2017

I have had absolute success with nginx in front of sstpd; I will clean up the configuration and post it here.

@deba12
Contributor

deba12 commented Jan 11, 2017

Start sstpd without SSL:

/usr/local/bin/sstpd -p 444 --local 192.168.10.1 --remote 192.168.10.0/24 -n

Place this at the end of nginx.conf (you will need mod_stream and mod_ssl_stream enabled and nginx 1.9):

stream {
	error_log /tmp/stream_error_sstpd.log;

	upstream sstpd {
		server 127.0.0.1:444;
	}

	server {
		listen 443 so_keepalive=on ssl;
		ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
		# RC4, MD5 and 3DES suites in this list are obsolete (RFC 7465 prohibits RC4 in TLS)
		ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
		ssl_certificate     /etc/letsencrypt/live/xxxx/fullchain.pem;
		ssl_certificate_key /etc/letsencrypt/live/xxxx/privkey.pem;
		ssl_session_cache   shared:SSL:10m;
		ssl_session_timeout 10m;

		proxy_connect_timeout 300s;
		proxy_timeout 300s;
		proxy_pass sstpd;
	}
}

Then, based on the certificate/server name, you can proxy your HTTP(S) requests back, or something like that :)
I haven't tested it.

@sorz
Owner

sorz commented Jan 12, 2017

Yes, it's the same as the sniproxy + nginx solution, just replacing sniproxy with the new features in nginx.

To coexist with the web service, you need to bind nginx's HTTPS service on a non-443 port, then use ngx_stream_ssl_preread_module to proxy HTTPS to HTTPS and SSTP to SSTP, based on their server names. (And enable the PROXY protocol on nginx's stream and http sides, maybe also on the SSTP server, in the future :)

I did this to run HTTP + ocserv on one server.

@alex-eri
Author

alex-eri commented Jan 23, 2017

In the stream module nginx can't parse the URL, HTTP method or server name, so it's not possible to run it alongside a site.

@sorz
Owner

sorz commented Jan 23, 2017

ngx_stream_ssl_preread_module can parse the server name from TLS.

@caoli5288
Contributor

You need nginx >= 1.11.5 compiled with --with-stream_ssl_preread_module (it's the default in EL's pre-built rpm package), and then follow these steps.

1. Make your blog bind to a private address like 127.0.0.1:443.

server {
    listen 127.0.0.1:443 ssl;
    server_name blog.sample.com;
    ....
}

2. Make your sstpd bind to another private address. (Note: you can always use 127.x.y.z without really binding it to any interface.) Simply start it with sstpd --local 127.0.0.2 -p 443 ....

3. Edit your nginx.conf and add these lines outside the http statement.

http {
    # any statement here
}

stream {
    map $ssl_preread_server_name $name {
        px.sample.com px; # <your proxy domain> <name defined below>
        default blog;
    }

    upstream blog {
        server 127.0.0.1:443;
    }

    upstream px {
        server 127.0.0.2:443;
    }

    server {
        listen 123.123.123.123:443; # Your public ip addr here
        proxy_pass $name;
        ssl_preread on;
    }
}

4. Restart your nginx and enjoy. :-) Tested; everything works well. @sorz, can you add this to your project documentation? No time to send a PR, grabbing breakfast and rushing off to work (runs away
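To show what ssl_preread actually has to work with (the clear-text server_name in the first TLS record, and nothing else: no URL or HTTP method), here is an added illustration that is not part of the thread or of sstp-server. It parses the SNI out of a genuine ClientHello produced by Python's stdlib TLS stack and applies the same routing as the nginx map above; the names px.sample.com, px and blog are taken from that map.

```python
import ssl
import struct
from typing import Optional

# Routing table mirroring the nginx "map $ssl_preread_server_name $name" block:
# the proxy domain goes to sstpd, everything else (including no SNI) to the blog.
ROUTES = {"px.sample.com": "px"}
DEFAULT_UPSTREAM = "blog"


def parse_sni(data: bytes) -> Optional[str]:
    """Return the server_name from a raw TLS ClientHello record, or None."""
    try:
        if data[0] != 0x16:  # record type 0x16 = handshake
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:  # handshake type 0x01 = ClientHello
            return None
        pos = 4 + 2 + 32  # handshake header, client_version, random
        pos += 1 + hs[pos]  # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]  # compression_methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == 0:  # server_name: list_len(2) name_type(1) len(2) name
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass  # truncated, non-TLS or malformed input: treat as "no SNI"
    return None


def route(data: bytes) -> str:
    """Pick the upstream the way the nginx map does: match SNI, else default."""
    return ROUTES.get(parse_sni(data), DEFAULT_UPSTREAM)


def build_client_hello(server_name: str) -> bytes:
    """Produce a genuine ClientHello for server_name with the stdlib TLS stack."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # no server reply yet, but the ClientHello is already in `outgoing`
    return outgoing.read()
```

A plain-HTTP request carries no TLS record at all, so it falls through to the default upstream, which is why a client that sends no SNI (or a non-TLS probe) always lands on the blog backend in the configuration above.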

@netheril96

Is it possible to do the same but with Caddy as the front end?


5 participants