I'm trying to set up OpenVPN to listen on port 443, and then pass all HTTPS traffic to Apache, by using the port-share
option. Relevant config snippets are:
OpenVPN:
local ${PUBLIC_IP}
port 443
port-share localhost 443
Apache with SSL:
Listen localhost:443
My OpenVPN client connects just fine, but when opening the HTTPS enabled page, I get errors. Firefox says:
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
Curl says:
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
The request ends up on Apache, since I see in the error logs the following messages:
[Wed Oct 06 01:10:20 2010] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01
[Wed Oct 06 01:11:04 2010] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01
[Wed Oct 06 01:11:51 2010] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01
The messages entries for an HTTPS connection are:
Oct 6 01:13:21 ns1 openvpn[20154]: Re-using SSL/TLS context
Oct 6 01:13:21 ns1 openvpn[20154]: LZO compression initialized
Oct 6 01:13:21 ns1 openvpn[20154]: Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Oct 6 01:13:21 ns1 openvpn[20154]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Oct 6 01:13:21 ns1 openvpn[20154]: Local Options hash (VER=V4): 'c0103fa8'
Oct 6 01:13:21 ns1 openvpn[20154]: Expected Remote Options hash (VER=V4): '69109d17'
Oct 6 01:13:21 ns1 openvpn[20154]: TCP connection established with ${CLIENT_IP}:56203
Oct 6 01:13:21 ns1 openvpn[20154]: TCPv4_SERVER link local: [undef]
Oct 6 01:13:21 ns1 openvpn[20154]: TCPv4_SERVER link remote: ${CLIENT_IP}:56203
Oct 6 01:13:21 ns1 openvpn[20154]: ${CLIENT_IP}:56203 Non-OpenVPN client protocol detected
Oct 6 01:13:21 ns1 openvpn[20154]: TCP/UDP: Closing socket
Using httpd-2.2.3-43.el5.centos and openvpn-2.1.1-2.el5.
What should I do to make port sharing work?
Update: Using
port 443
port-share localhost 10443
and
Listen localhost:10443
makes no difference.
Update 2: some command output
[root@ns1 ~]# openvpn --help | grep port-share
--port-share host port : When run in TCP mode, proxy incoming HTTPS sessions
[root@ns1 ~]# netstat -nltp | grep 443
tcp 0 0 127.0.0.1:10443 0.0.0.0:* LISTEN 20088/httpd
tcp 0 0 ${PUBLIC_IP}:443 0.0.0.0:* LISTEN 20066/openvpn
The port-share option sets the port the other application is listening on. What you want to do is to configure
port-share <your-public-ip> 10443
and set Apache to listen on port 10443:
Listen <your-public-ip>:10443
That's because two applications can't open the same port at once.
Robert Munteanu: Thanks for your reply. OpenVPN binds on the public address, while Apache binds on localhost. I'll change the Apache port when I have the chance, but two applications _can_ bind on the same port, given that they use different addresses.
Hubert Kario: yes, true, but it's likely that openVPN will redirect to the same IP, not localhost (that would be the sane thing to do)
Robert Munteanu: I actually meant to say `port-share localhost 443`. I tried `port-share localhost 10443`, but it still did not work, same error.
Hubert Kario: ah, sorry, I was saying one thing and showing config for the other. I'd guess that apache has to listen on the same IP openvpn is listening on, that is, public, not localhost. Updated my answer.
Hubert Kario: One more thing, are you sure your version of openvpn does support this option? (try with `openvpn --help | grep port-share`). And are you sure that apache listens on the configured port and has SSL working?
Robert Munteanu: Please see my update. And SSL is working, yes.
Robert Munteanu: Well ... SSL was working fine but the virtualhost was declared as ${SERVER_NAME}:443. Once I changed it to ${SERVER_NAME}:10443 all was fine. Thanks for your help.
From Hubert Kario
OpenVPN's port-share option allows you to redirect traffic to another HTTPS site, not to a regular web server; the error you're seeing
[error] [client 127.0.0.1] Invalid method in request \x16\x03\x01
occurs when an SSL request is sent to a non-SSL site. I can reproduce the error by using
port-share localhost 80
(instead of 443). If you set up your HTTPS site correctly then port-sharing will work.
HTH,
JJK
From janjust
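Both answers turn on the same mechanism: on a shared port, OpenVPN looks at the first bytes of each TCP connection, handles its own handshake itself and proxies everything else unchanged to the port-share backend, so the backend must itself speak TLS. The script below is an added example written for this page, not code from the thread or from the OpenVPN or Apache projects. It classifies constructed stream openings the way a port-share listener has to (OpenVPN hard-reset, TLS ClientHello, plain HTTP), and decodes the `\x16\x03\x01` that Apache printed in the question's error_log back into a TLS record header so the log line explains itself. The OpenVPN detection rule (first byte 0, length byte at least 14, third byte 0x38 or 0x50 for a hard-reset opcode) is my reading of how OpenVPN recognises its own protocol and is an assumption here, not a quotation of its source; the sample byte strings are constructed for the example.

```python
import re

# TLS record header: content type 0x16 (handshake) followed by a 2-byte version.
TLS_VERSIONS = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}

# OpenVPN over TCP: 2-byte big-endian packet length, then (opcode << 3) | key_id.
# Assumption: a fresh session opens with P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7,
# byte 0x38 with key id 0) or the tls-crypt-v2 variant V3 (opcode 10, byte 0x50).
OPENVPN_HARD_RESET_BYTES = {0x38, 0x50}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_stream_prefix(data: bytes) -> str:
    """Decide which protocol the opening bytes of a TCP stream belong to.

    This is the decision a port-share listener makes: "openvpn" is handled
    locally, anything else is proxied verbatim to the port-share backend.
    """
    if len(data) >= 3 and data[0] == 0 and data[1] >= 14 and data[2] in OPENVPN_HARD_RESET_BYTES:
        return "openvpn"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 3:
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def port_share_action(data: bytes) -> str:
    """What the shared listener does with a connection that starts with `data`."""
    return "handle locally" if classify_stream_prefix(data) == "openvpn" else "proxy to port-share backend"


_APACHE_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_apache_escape(text: str) -> bytes:
    """Turn the \\xNN escapes Apache writes into error_log back into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(text):
        m = _APACHE_ESCAPE.match(text, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out.append(ord(text[i]) & 0xFF)
            i += 1
    return bytes(out)


_INVALID_METHOD = re.compile(r"Invalid method in request (\S+)")


def explain_invalid_method(log_line: str) -> str:
    """Explain an Apache 'Invalid method in request' line by decoding the request start."""
    m = _INVALID_METHOD.search(log_line)
    if not m:
        return "not an 'Invalid method' error"
    raw = decode_apache_escape(m.group(1))
    kind = classify_stream_prefix(raw)
    if kind == "tls":
        version = TLS_VERSIONS.get((raw[1], raw[2]), "unknown version")
        return (f"TLS handshake record ({version}) reached a plain-HTTP listener: "
                "the port-share backend is not serving TLS on that port")
    if kind == "openvpn":
        return "OpenVPN handshake reached the HTTP listener: port-share detection did not intercept it"
    return f"unrecognised request start {raw!r}"


# Constructed sample stream openings for the three kinds of client a shared port sees.
SAMPLES = {
    "tls_client_hello": b"\x16\x03\x01\x00\xa5\x01",       # handshake record, TLS 1.0, ClientHello
    "openvpn_hard_reset": b"\x00\x2a\x38" + bytes(8),       # length 42, HARD_RESET_CLIENT_V2, key id 0
    "plain_http": b"GET / HTTP/1.1\r\nHost: ns1\r\n\r\n",
}

# The error_log line quoted in the question above.
SAMPLE_LOG = r"[Wed Oct 06 01:10:20 2010] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01"

if __name__ == "__main__":
    for name, prefix in SAMPLES.items():
        print(f"{name:20s} -> {classify_stream_prefix(prefix):8s} ({port_share_action(prefix)})")
    print(explain_invalid_method(SAMPLE_LOG))
```

Run against the question's log line, the script reports that a TLS 1.0 handshake record reached a listener that only understands HTTP, which is exactly the situation port-share produces when the backend port is served without SSL (janjust's `port-share localhost 80` reproduction) or, as in the question, when the virtual host on the backend port is not the SSL one.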