The group functionality is available globally only and
there is no benefit from this option being per vhost.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This introduces the 'select-group-by-url' config option
that allows selecting an authgroup just by connecting to
a dedicated URI.
Signed-off-by: Marcin Ochab <marcin.ochab@gmail.com>
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Separated the logging logically from any remaining debugging
features. Introduced command line option for logging to stderr
only (for systemd and containers). The default log level is set
to (2) info.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
The VPN client that comes with the Cisco IP-Phone Enterprise
firmware is based on AnyConnect but was unable to authenticate
with ocserv.
The phone makes an initial GET request and looks for a cookie
named 'webvpn' that has an expiry attribute and a cookie named
'webvpnlogin' containing a non-empty value.
When username+password mode is configured, the phone will then
send a POST request containing those credentials. When using
certificate authentication an empty POST request is sent.
A handler that implements this new behaviour has been added
under the '/svc' path.
To use DTLS 'dtls-legacy' must be enabled and 'udp-port' must
be 443, a new 'cisco-svc-client-compat' option automatically
checks those settings.
New test cases test-pass-svc and test-cert-svc check the above
behaviour.
Older versions of the phone's firmware will fail to create the
DTLS tunnel if the cipher negotiated for HTTPS does not match
that selected for DTLS.
To work around this either disable DTLS or only allow the
RSA-AES-256-CBC/SHA1 or RSA-AES-128-CBC/SHA1 cipher to be used.
doc/README-cisco-svc.md includes additional information.
Note: 'Enterprise' here is used to differentiate between that
firmware and the MPP (Multi-Platform) firmware which uses the
same hardware.
Signed-off-by: Gareth Palmer <gareth.palmer3@gmail.com>
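A check for the cookie requirements described in the commit message above, added here as an example and not part of ocserv: given the Set-Cookie headers returned by a '/svc' GET, it reports what the phone's initial request would reject. Function names are assumptions and the sample headers are constructed, not captured from a real server.

```python
# Added example, not ocserv's own code. The phone's initial GET expects a
# cookie 'webvpn' carrying an expiry attribute and a cookie 'webvpnlogin'
# with a non-empty value; this validates a response against exactly that.

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr: val}).

    Attributes are keyed in lower case; a bare attribute such as
    'Secure' maps to an empty string.  Splitting on ';' is safe here
    because the Expires date contains commas but never semicolons.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def check_svc_cookies(set_cookie_headers):
    """Return a list of problems the phone would trip over; [] means OK."""
    cookies = {}
    for hdr in set_cookie_headers:
        name, value, attrs = parse_set_cookie(hdr)
        cookies[name] = (value, attrs)
    problems = []
    if "webvpn" not in cookies:
        problems.append("missing 'webvpn' cookie")
    elif "expires" not in cookies["webvpn"][1]:
        problems.append("'webvpn' cookie has no expiry attribute")
    login = cookies.get("webvpnlogin")
    if login is None:
        problems.append("missing 'webvpnlogin' cookie")
    elif not login[0]:
        problems.append("'webvpnlogin' cookie is empty")
    return problems


# Constructed sample headers (assumed shape, not a captured response).
GOOD_HEADERS = [
    "webvpn=; Expires=Thu, 01 Jan 1970 22:00:00 GMT; Path=/; Secure",
    "webvpnlogin=1; Path=/; Secure",
]
BAD_HEADERS = [
    "webvpn=; Path=/; Secure",   # no expiry attribute
    "webvpnlogin=; Path=/; Secure",  # empty value
]

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("bad", BAD_HEADERS)):
        print(label, check_svc_cookies(hdrs) or "ok")
```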
This adds a "camouflage" functionality (looking and acting like an ordinary web server)
to prevent ocserv installations from being automatically scanned or blocked with active probing techniques.
Signed-off-by: Kirill Ovchinnikov <kirill.ovchinn@gmail.com>
Modified code to separate logging level from the debug-ability. Added new command line option -x or --traceable to control the pr_dumpable state (default is pr_dumpable false). Added config parameter for controlling the log-level; the option is "log-level" and it can also be specified on the command line with -d or --debug.
Signed-off-by: Russell Young <ruyoung@microsoft.com>
By default, AnyConnect clients will drop all traffic of a given IP
version if there is no IP address in that version assigned to the
client. The client-bypass-protocol option, if enabled, will send an
extra header to the clients telling the AnyConnect client to bypass the VPN
tunnel if there is no IP assigned. No impact for OpenConnect clients;
this header will simply be ignored.
Signed-off-by: Florian Domain <f.domain@criteo.com>
This option was almost impossible to use in general and worked with
very few clients only (not including openconnect). That also meant that
it could not be tested. Removed to reduce maintenance to parameters
that are used in practice.
Resolves: #376
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Add support for gracefully stopping the server.
Add primer on using ocserv with L3 load balancer.
Resolves: #345
Signed-off-by: Alan Jowett <alanjo@microsoft.com>
It is possible to specify multiple domains in X-CSTP-Default-Domain for
openconnect clients; make sure that this is documented.
Resolves: #328
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
The previously used HOSTNAME variable is being overridden by bash and
thus was not a reliable one. We switch to setting REMOTE_HOSTNAME,
but keep HOSTNAME for compatibility.
This also changes 'test-pass-script' to check for the new variable.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
- this patch adds the `listen-netns` parameter
- when set, the listening socket will be created in the given namespace
this allows you to properly segregate your traffic:
- do the backend traffic in the root namespace
- receive the VIP traffic in a given namespace
This whole patch is widely inspired by the haproxy implementation, which allows
binding each IP in a given namespace.
Resolves: #316
Signed-off-by: William Dauchy <w.dauchy@criteo.com>