From a4a7bf0187d736b63701e83c2aaa1b17efa71081 Mon Sep 17 00:00:00 2001 From: Terekhin Alexandr Date: Sun, 15 Dec 2024 03:26:02 +0300 Subject: [PATCH] Tested with mikrotik ok --- accel-ppp.conf | 8 ++-- nginx-stream/Dockerfile | 1 + nginx-stream/stream.conf.template | 78 +++++++++++++++++++++++++++---- 3 files changed, 72 insertions(+), 15 deletions(-) diff --git a/accel-ppp.conf b/accel-ppp.conf index c267073..564c087 100644 --- a/accel-ppp.conf +++ b/accel-ppp.conf @@ -40,9 +40,8 @@ lcp-echo-timeout=5 [sstp] port=443 -verbose=5 -accept=proxy,ssl -accept=ssl +verbose=1 +accept=ssl,proxy ssl-pemfile=/etc/cert.pem ssl-keyfile=/etc/privkey.pem ssl-ca-file=/etc/ca.pem @@ -74,8 +73,7 @@ fc00:b10c:0002::/48,64,name=v6pool-delegate verbose=1 [log] -#level=4 -level=5 +level=4 log-file=/dev/stdout log-debug=/dev/stdout log-emerg=/dev/stderr diff --git a/nginx-stream/Dockerfile b/nginx-stream/Dockerfile index 3bed434..c03a5c4 100644 --- a/nginx-stream/Dockerfile +++ b/nginx-stream/Dockerfile @@ -2,6 +2,7 @@ FROM nginx:alpine ENV HTTPS_UPSTREAM="proxy" ENV SSTP_UPSTREAM="sstp" +ENV SNI_NAME="api.bearns.me" ENV CA_CERT="ca.pem" COPY nginx.conf /etc/nginx/ diff --git a/nginx-stream/stream.conf.template b/nginx-stream/stream.conf.template index 74f1ff6..60397e9 100644 --- a/nginx-stream/stream.conf.template +++ b/nginx-stream/stream.conf.template 
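Review bot: `accept=ssl,proxy` makes accel-ppp honour a PROXY-protocol header from whatever peer reaches its port 443, so the client address it logs and passes on (e.g. as RADIUS Calling-Station-Id) becomes spoofable by anyone who can connect to the sstp container without going through nginx-stream. That is only safe while the sstp container's 443 is reachable solely from nginx-stream — not published on the host and not on a network shared with other workloads — and the diff cannot show whether that holds. A comment next to the option would make the dependency explicit: `# 'proxy' trusts PROXY v1/v2 headers from the peer: port 443 must be reachable only from nginx-stream`. The lowered `verbose=1` is fine for production but means PROXY-header parsing problems will not show up in the log, so test the header path once with verbosity raised.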
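Review bot: `ENV SNI_NAME="api.bearns.me"` bakes one deployment's hostname into the image as the TLS routing key, and stream.conf.template substitutes it unquoted as a `map` key, so an image run without overriding it quietly sends every other server name to the plain `https` upstream, while a value containing a space, `;` or `{` corrupts the generated config. Prefer a neutral placeholder such as `ENV SNI_NAME="sstp.example.com"` with a comment that the value must match the name SSTP clients put in SNI and the certificate in `/etc/nginx/certs/cert.pem`, and document the override next to `HTTPS_UPSTREAM`/`SSTP_UPSTREAM` in the README.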
@@ -1,22 +1,43 @@ error_log /dev/stderr; stream { - map $ssl_client_verify $name { - SUCCESS sstp; - default https; - } + map $ssl_preread_server_name $sni_name { + ${SNI_NAME} cert-check; + default https; + } upstream https { server ${HTTPS_UPSTREAM}:443; } + upstream cert-check { + server unix:/tmp/virtual-stream.socket; + } + + server { + listen 443; + listen [::]:443; + + proxy_pass $sni_name; + ssl_preread on; + #proxy_protocol on; + } + + map $ssl_client_verify $name { + SUCCESS sstp; + default fallback; + } + upstream sstp { server ${SSTP_UPSTREAM}:443; } + upstream fallback { + server unix:/tmp/fallback-stream.socket; + } + server { - listen 443 ssl; - listen [::]:443 ssl; + listen unix:/tmp/virtual-stream.socket ssl; ssl_certificate /etc/nginx/certs/cert.pem; ssl_certificate_key /etc/nginx/certs/privkey.pem; 
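Review bot: The new preread `server` leaves `proxy_protocol on;` commented out and hands off to `listen unix:/tmp/virtual-stream.socket ssl;`, which does not accept PROXY protocol either, so the client address is lost at the first hop; the `proxy_protocol on` that the second server still sends to `sstp` (and `fallback`) then carries the unix-socket peer rather than the real client, which is exactly what accel-ppp's new `accept=ssl,proxy` and the fallback access log are set up to consume. The commented line suggests it was tried and dropped, presumably because the same server also feeds `${HTTPS_UPSTREAM}:443`, which would then receive a PROXY header it may not understand. Unless a realip configuration exists outside this hunk, forward the address on the first hop, trust it on the second with `set_real_ip_from unix:;` (ngx_stream_realip_module rewrites `$remote_addr` so the re-sent header is correct), and route the plain `https` default through a small stripping server so the upstream is unaffected. The `$name` map and second server continue in the next hunk.

```nginx
    map $ssl_preread_server_name $sni_name {
        ${SNI_NAME} cert-check;
        default https-plain;
    }

    # … unchanged: upstream https / cert-check …

    # accepts the PROXY header from the preread server and strips it again,
    # so ${HTTPS_UPSTREAM} needs no PROXY-protocol support
    upstream https-plain {
        server unix:/tmp/https-stream.socket;
    }

    server {
        listen unix:/tmp/https-stream.socket proxy_protocol;
        proxy_pass https;
    }

    server {
        listen 443;
        listen [::]:443;

        proxy_pass $sni_name;
        ssl_preread on;
        # carry the client address to the unix-socket hops
        proxy_protocol on;
    }

    # … unchanged: $name map, upstream sstp / fallback …

    server {
        listen unix:/tmp/virtual-stream.socket ssl proxy_protocol;
        # trust the PROXY header from the local preread server so $remote_addr
        # (and the header re-sent to sstp/fallback) is the real client
        set_real_ip_from unix:;
        # … unchanged: certificates, ssl_verify_client, proxy_ssl, proxy_pass $name, proxy_protocol on …
    }
```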
@@ -24,14 +45,51 @@ stream { ssl_trusted_certificate /etc/nginx/certs/${CA_CERT}; ssl_verify_client optional; - proxy_half_close on; - # Doesn't work without it proxy_ssl on; - proxy_ssl_session_reuse off; proxy_pass $name; - ssl_preread on; proxy_protocol on; } +} + +http { + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + server { + listen unix:/tmp/fallback-stream.socket ssl proxy_protocol; + server_name _; + + ssl_certificate /etc/nginx/certs/cert.pem; + ssl_certificate_key /etc/nginx/certs/privkey.pem; + + ssl_trusted_certificate /etc/nginx/certs/${CA_CERT}; + + #access_log /var/log/nginx/host.access.log main; + access_log /dev/stdout main; + + location / { + root /usr/share/nginx/html; + index index.html index.htm; + } + + #error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} + } } \ No newline at end of file
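Review bot: The fallback `http` server listens with `proxy_protocol` but its `log_format main` logs `$remote_addr`, which on a unix-socket listener is the socket peer rather than the client; the address from the PROXY header is exposed as `$proxy_protocol_addr`. Either log that variable — `log_format main '$proxy_protocol_addr - $remote_user [$time_local] "$request" ' …` — or add `set_real_ip_from unix:; real_ip_header proxy_protocol;` to the server so `$remote_addr` is rewritten, keeping in mind that the address is only the real client if the stream side forwards it, which the preread server in this commit does not yet do. Separately, `ssl_trusted_certificate` in this server is inert without `ssl_verify_client` or `ssl_stapling`; drop it or add a comment saying why it is kept. The fallback serves the stock nginx html root and 50x page to anyone presenting the SNI name without a valid client certificate, which reads as an intentional decoy; a one-line comment on the `server` block stating that intent would save the next reader from wondering whether it is a leftover.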