accel-ppp.conf

@@ -22,16 +22,13 @@ single-session=replace
 chap-secrets=/etc/ppp/chap-secrets
 
 [ppp]
-verbose=0
+verbose=5
 mtu=1550
 mru=1550
 accomp=allow
 pcomp=allow
 ipv4=prefer
-ipv6=prefer
+ipv6=allow
-ipv6-intf-id=random
-ipv6-peer-intf-id=calling-sid
-ipv6-accept-peer-intf-id=1
 lcp-echo-interval=30
 lcp-echo-failure=3
 lcp-echo-timeout=5
@@ -43,8 +40,9 @@ lcp-echo-timeout=5
 
 [sstp]
 port=443
-verbose=0
+verbose=5
-accept=ssl,proxy
+#accept=proxy,ssl
+accept=ssl
 ssl-pemfile=/etc/cert.pem
 ssl-keyfile=/etc/privkey.pem
 ssl-ca-file=/etc/ca.pem
@@ -68,22 +66,16 @@ tunnel=192.168.95.2-254,v4pool
 dns=2001:4860:4860::8888
 
 [ipv6-pool]
-#gw-ip6-address=fc00:b10c:3::ffff
+gw-ip6-address=fc00:b10c:0::
 fc00:b10c:0001::/48,64,name=v6pool
-
 fc00:b10c:0002::/48,64,name=v6pool-delegate
-delegate=fc00:b10c:0002::/48,64
 
 [ipv6-nd]
 verbose=1
-AdvManagedFlag=1
-
-[ipv6-dhcp]
-verbose=1
-route-via-gw=1
 
 [log]
-level=4
+#level=4
+level=5
 log-file=/dev/stdout
 log-debug=/dev/stdout
 log-emerg=/dev/stderr

compose.yaml

@@ -11,51 +11,10 @@ services:
       - ./ca.pem:/etc/ca.pem:ro
     expose:
       - "443/tcp"
-    devices:
-      - "/dev/ppp:/dev/ppp:rwm"
-    environment:
-      VIRTUAL_HOST: "api.bearns.me"
-      VIRTUAL_PROTO: "https"
-      VIRTUAL_PORT: 443
-    cap_add:
-      - NET_ADMIN
-    networks:
-      proxy-tier:
-        ipv6_address: "fc00:b10c:3::ffff"
-
-  stream:
-    build: ./nginx-stream
-    volumes:
-      - ./ca.pem:/etc/nginx/certs/chain.pem:ro
-      - ./cert.pem:/etc/nginx/certs/api.bearns.me/fullchain.pem:ro
-      - ./privkey.pem:/etc/nginx/certs/api.bearns.me/key.pem:ro
-    expose:
-      - "443/tcp"
     ports:
       - "443:443/tcp"
-    environment:
+    devices:
-      SNI_NAME: "api.bearns.me"
+      - "/dev/ppp:/dev/ppp:rwm"
-    networks:
-      - proxy-tier
-
-  proxy:
-    build: ./proxy
-    volumes:
-      - ./cert.pem:/etc/nginx/certs/cert.pem:ro
-      - ./privkey.pem:/etc/nginx/certs/privkey.pem:ro
-    expose:
-      - "443/tcp"
-    networks:
-      - proxy-tier
-
-networks:
-  proxy-tier:
-    enable_ipv6: true
-    ipam:
-      config:
-        - subnet: fc00:b10c:3::/64
 
-volumes:
+    cap_add:
-  certs:
+      - NET_ADMIN
-  vhost.d:
-  html:

nginx-stream/Dockerfile

@@ -1,17 +0,0 @@
-FROM nginx:alpine
-
-ENV HTTPS_UPSTREAM="proxy"
-ENV SSTP_UPSTREAM="sstp"
-ENV SNI_NAME="cloud.bearns.me"
-# self signed for client certification
-# put in /etc/nginx/certs/
-ENV CA_CERT="chain.pem"
-# put in /etc/nginx/certs/$SNI_NAME
-ENV CERT="fullchain.pem"
-ENV KEY="key.pem"
-
-RUN rm -f /etc/nginx/conf.d/default.conf
-
-COPY nginx.conf /etc/nginx/
-COPY *.conf.template /etc/nginx/templates/
-

nginx-stream/http.conf.template

@@ -1,37 +0,0 @@
-http {
-
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
-
-    server {
-        listen unix:/tmp/fallback-stream.socket ssl proxy_protocol;
-        server_name _;
-
-        ssl_certificate /etc/nginx/certs/${SNI_NAME}/${CERT};
-        ssl_certificate_key /etc/nginx/certs/${SNI_NAME}/${KEY};
-
-        access_log  /dev/stdout  main;
-
-        location / {
-            root   /usr/share/nginx/html;
-            index  index.html index.htm;
-        }
-
-        #error_page  404              /404.html;
-
-        # redirect server error pages to the static page /50x.html
-        #
-        error_page   500 502 503 504  /50x.html;
-        location = /50x.html {
-            root   /usr/share/nginx/html;
-        }
-
-        # deny access to .htaccess files, if Apache's document root
-        # concurs with nginx's one
-        #
-        #location ~ /\.ht {
-        #    deny  all;
-        #}
-    }
-}

nginx-stream/nginx.conf

@@ -1,12 +0,0 @@
-user  nginx;
-worker_processes  auto;
-
-error_log  /var/log/nginx/error.log notice;
-pid        /var/run/nginx.pid;
-
-
-events {
-    worker_connections  1024;
-}
-
-include /etc/nginx/conf.d/*.conf;

nginx-stream/stream.conf.template

@@ -1,61 +0,0 @@
-error_log /dev/stderr;
-
-stream {
-    log_format stream '"$ssl_preread_server_name" $remote_addr [$time_local] '
-                      '$protocol $status $bytes_sent $bytes_received "$upstream_addr" '
-                      '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
-
-    map $ssl_preread_server_name $sni_name {
-            ${SNI_NAME} cert-check;
-            default https;
-        }
-
-    upstream https {
-        server ${HTTPS_UPSTREAM}:443;
-    }
-
-    upstream cert-check {
-        server unix:/tmp/virtual-stream.socket;
-    }
-
-    server {
-        listen 443;
-        listen [::]:443;
-
-        access_log /dev/stdout stream;
-
-        proxy_pass $sni_name;
-        ssl_preread on;
-        # todo nginx-proxy by default don't listen proxy_protocol, enable it in both sides
-        #proxy_protocol on;
-    }
-
-    map $ssl_client_verify $name {
-        SUCCESS sstp;
-        default fallback;
-    }
-
-    upstream sstp {
-        server ${SSTP_UPSTREAM}:443;
-    }
-
-    upstream fallback {
-        server unix:/tmp/fallback-stream.socket;
-    }
-
-    server {
-        listen unix:/tmp/virtual-stream.socket ssl;
-
-        ssl_certificate /etc/nginx/certs/${SNI_NAME}/${CERT};
-        ssl_certificate_key /etc/nginx/certs/${SNI_NAME}/${KEY};
-
-        ssl_trusted_certificate /etc/nginx/certs/${CA_CERT};
-        ssl_verify_client optional;
-
-        # Doesn't work without it
-        proxy_ssl on;
-
-        proxy_pass $name;
-        proxy_protocol on;
-    }
-}

proxy/00-default.conf

@@ -1,7 +0,0 @@
-server {
-    listen 443 ssl;
-    server_name _;
-    ssl_certificate /etc/nginx/certs/cert.pem;
-    ssl_certificate_key /etc/nginx/certs/privkey.pem;
-    return       404;
-}

proxy/Dockerfile

@@ -1,3 +0,0 @@
-FROM nginx:alpine
-
-COPY 00-default.conf /etc/nginx/conf.d/