Tested with mikrotik ok

8 months ago · a4a7bf0187
parent 7a2079e3ef
commit a4a7bf0187
3 changed files with 72 additions and 15 deletions
--- a/accel-ppp.conf
+++ b/accel-ppp.conf
@ -40,9 +40,8 @@ lcp-echo-timeout=5

 [sstp]
 port=443
-verbose=5
-accept=proxy,ssl
-accept=ssl
+verbose=1
+accept=ssl,proxy
 ssl-pemfile=/etc/cert.pem
 ssl-keyfile=/etc/privkey.pem
 ssl-ca-file=/etc/ca.pem
@ -74,8 +73,7 @@ fc00:b10c:0002::/48,64,name=v6pool-delegate
 verbose=1

 [log]
-#level=4
-level=5
+level=4
 log-file=/dev/stdout
 log-debug=/dev/stdout
 log-emerg=/dev/stderr
--- a/nginx-stream/Dockerfile
+++ b/nginx-stream/Dockerfile
@ -2,6 +2,7 @@ FROM nginx:alpine

 ENV HTTPS_UPSTREAM="proxy"
 ENV SSTP_UPSTREAM="sstp"
+ENV SNI_NAME="api.bearns.me"
 ENV CA_CERT="ca.pem"

 COPY nginx.conf /etc/nginx/
--- a/nginx-stream/stream.conf.template
+++ b/nginx-stream/stream.conf.template
@ -1,22 +1,43 @@
 error_log /dev/stderr;

 stream {
-    map $ssl_client_verify $name {
-        SUCCESS sstp;
-        default https;
-    }
+    map $ssl_preread_server_name $sni_name {
+            ${SNI_NAME} cert-check;
+            default https;
+        }

    upstream https {
        server ${HTTPS_UPSTREAM}:443;
    }

+    upstream cert-check {
+        server unix:/tmp/virtual-stream.socket;
+    }
+
+    server {
+        listen 443;
+        listen [::]:443;
+
+        proxy_pass $sni_name;
+        ssl_preread on;
+        #proxy_protocol on;
+    }
+
+    map $ssl_client_verify $name {
+        SUCCESS sstp;
+        default fallback;
+    }
+
    upstream sstp {
        server ${SSTP_UPSTREAM}:443;
    }

+    upstream fallback {
+        server unix:/tmp/fallback-stream.socket;
+    }
+
    server {
-        listen 443 ssl;
-        listen [::]:443 ssl;
+        listen unix:/tmp/virtual-stream.socket ssl;

        ssl_certificate /etc/nginx/certs/cert.pem;
        ssl_certificate_key /etc/nginx/certs/privkey.pem;
@ -24,14 +45,51 @@ stream {
        ssl_trusted_certificate /etc/nginx/certs/${CA_CERT};
        ssl_verify_client optional;

-        proxy_half_close on;
-
        # Doesn't work without it
        proxy_ssl on;
-        proxy_ssl_session_reuse off;

        proxy_pass $name;
-        ssl_preread on;
        proxy_protocol on;
    }
+}
+
+http {
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    server {
+        listen unix:/tmp/fallback-stream.socket ssl proxy_protocol;
+        server_name _;
+
+        ssl_certificate /etc/nginx/certs/cert.pem;
+        ssl_certificate_key /etc/nginx/certs/privkey.pem;
+
+        ssl_trusted_certificate /etc/nginx/certs/${CA_CERT};
+
+        #access_log  /var/log/nginx/host.access.log  main;
+        access_log  /dev/stdout  main;
+
+        location / {
+            root   /usr/share/nginx/html;
+            index  index.html index.htm;
+        }
+
+        #error_page  404              /404.html;
+
+        # redirect server error pages to the static page /50x.html
+        #
+        error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   /usr/share/nginx/html;
+        }
+
+        # deny access to .htaccess files, if Apache's document root
+        # concurs with nginx's one
+        #
+        #location ~ /\.ht {
+        #    deny  all;
+        #}
+    }
 }