利用Haproxy使Ocserv和HTTPS工作在同一端口

#/etc/haproxy/haproxy.cfg
frontend https-in
    bind *:443
    tcp-request inspect-delay 3s
    tcp-request content accept if { req.ssl_hello_type 1 }

    acl tls req.ssl_hello_type 1
    acl has_sni req.ssl_sni -m found

    use_backend ocserv if tls { req.ssl_sni -i [ocserv domain] }
    use_backend https-out if tls { req.ssl_sni -i [domian] }

backend ocserv
    mode tcp
    option ssl-hello-chk
    server server-vpn 127.0.0.1:999 send-proxy-v2 # ocserv工作在本地999端口

backend https-out
    server server-web 127.0.0.1:4443 check #https工作在本地4443端口
#/etc/ocserv/ocserv.conf
listen-proxy-proto = true

参考

HAProxy forwarding to HTTPS sites

How to share the same port for VPN and HTTP