This option was almost impossible to use in general and worked with
very few clients only (not including openconnect). That also meant that
it could not be tested. Removed to reduce maintenance to parameters
that are used in practice.
Resolves: #376
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Add support for gracefully stopping the server.
Add primer on using ocserv with L3 load balancer.
Resolves: #345
Signed-off-by: Alan Jowett <alanjo@microsoft.com>
It is possible to specify multiple domains in X-CSTP-Default-Domain for
openconnect clients; make sure that this is documented.
Resolves: #328
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
The previously used HOSTNAME variable is being overriden by bash and
thus was not a reliable one. We switch to setting REMOTE_HOSTNAME,
but keep the HOSTNAME for compatibility.
This also changes 'test-pass-script' to check for the new variable.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
- this patch adds `listen-netns` parameter
- when set the listening socket will be created in the given namespace
it allows to properly segregate your traffic:
- do the backend traffic in the root namespace
- receive the VIP traffic in a given namespace
All this patch is widely inspired by haproxy implementation which allows
to bind each IP in a given namespace.
Resolves: #316
Signed-off-by: William Dauchy <w.dauchy@criteo.com>
Capture all the required worker process state in a protobuf and
pass to worker via env. Snapshot all config files to ensure ocserv-sm
and ocserv-worker remain in sync. Split ocserv-worker functionality
into it's own executable with minimal dependencies.
Resolves: #285
Signed-off-by: Alan Jowett alanjo@microsoft.com
This permits the validation of OpenID Connect auth tokens OpenID
Connect is an OAuth 2.0 protocol used to identify a resource owner
(VPN client end-user) to a resource server (VPN server) intermediated
by an Authorization server.
Resolves: #240
Signed-off-by: Alan TG Jowett <alan.jowett@microsoft.com>
This option supports different listen addresses for tcp and
udp such as haproxy for tcp, but support dtls at the same time (haproxy
does not support UDP at the moment)
When a user explicitly disconnects after the session is open,
cleanup its entry immediatelly. That ensures that a radius
server will be notified sooner, while anyconnect clients which
disconnect early (before session is open), remain unaffected.
Resolves: #210
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This clarifies how cookies are expired, and how they affect
session accounting in radius.
Relates #166
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This provides virtualized server configurations which take
effect after client connection when client hello is received.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
That eliminates the need for autogen and also combines
doc/sample.config and manpage contents. Now the doc/sample.config
is the primary config documentation location.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This still prevents abuse, while allowing few more attempts than 5, which
are typically easily reached through software which remembers passwords.
At the same time increase the default ban time to 20 minutes.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This is needed to be able to retreive email from the Subject
Alternative Name from the certificate.
Signed-off-by: Johannes Sjøkvist <johannes@konsept-it.no>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
