trafficserver-users mailing list archives

From Esmq <e...@163.com>
Subject Re:RE: ssl reverse proxy and ssl sni ?
Date Tue, 12 Mar 2013 09:52:11 GMT
ohh, i got it now~


I misunderstood the way that ATS implements SNI;


now I have successfully tested the SSL SNI.


with these config lines in ssl_multicert.config:
dest_ip=zyq.test.com    ssl_cert_name=zyq.crt ssl_key_name=zyq.key
dest_ip=zy2.test.com    ssl_cert_name=zy2.crt ssl_key_name=zy2.key
dest_ip=zy3.test.com    ssl_cert_name=zy3.crt ssl_key_name=zy3.key


ATS is able to select the correct certificate to present to the client~


thanks all ^_^


At 2013-03-12 16:07:01,"Uri Shachar" <ushachar@hotmail.com> wrote:

>Hi,
>
>    I'm not sure I understand what you are trying to achieve.
>If the ATS is acting as a terminating reverse proxy (which is what I guess you are trying to achieve):
>Receiving an HTTPS request on port 443 (Straight TLS -- Not an HTTP CONNECT request), terminating the SSL connection and creating a new SSL connection upstream.
>
>It needs to present some certificate to the client. The certificate it selects can be configured via the ssl_multicert config file -- the one that you have attached tells the ATS to use a single cert for all origin servers. If you want it to be able to display the cert for site X then you need to copy the certificate to the proxy and configure it in the ssl_multicert.config....
>(You also need to ensure that your browser sends SNI information -- All modern ones do except for IE over Windows XP)
>
>If this isn't clear, could you send a cURL request/response?
>
>            Cheers,
>                     Uri
>
>________________________________
>> Date: Tue, 12 Mar 2013 11:22:15 +0800 
>> From: esmq@163.com 
>> To: users@trafficserver.apache.org 
>> Subject: Re:Re: ssl reverse proxy and ssl sni ? 
>>  
>> hi, Leif 
>>  
>> it seems it doesn't work... following is my test config:
>>  
>> ssl_multicert.config: 
>> dest_ip=*       ssl_cert_name=cert.pem ssl_key_name=key.pem 
>>  
>> records.config: 
>> CONFIG proxy.config.http.server_ports STRING 80 443:ssl 
>>  
>> remap.config: 
>> map https://.*.test.com/ https://$1.test.com/ 
>>  
>> with SNI and SSL Termination, I want the browser, when it accesses
>> https://a.test.com, to show the certificate of a.test.com;
>>
>> but the above configuration shows all the https sites the same
>> certificate...
>>
>> I don't know whether I misunderstand SNI and SSL termination, or
>> the config is not correct~
>>  
>>  
>>  
>> At 2013-03-11 22:19:24, "Leif Hedstrom" <zwoop@apache.org> wrote: 
>> If you run a version of ATS that supports SNI, yes. Pretty sure v3.2.4  
>> does, for example. 
>>  
>> -- Leif 
>>  
>> On Mar 11, 2013, at 4:00 AM, Esmq <esmq@163.com> wrote:
>>  
>> hi, all 
>>  
>> we know that an extension to TLS called Server Name Indication (SNI)
>> enables a web server to select the correct virtual domain
>> and show the browser the certificate containing the correct name...
>>  
>> apache/nginx just do the right thing... 
>>  
>> and I know that when ATS is configured as an SSL reverse proxy, the certificate
>> shown to the browser is the certificate that is on ATS, not the certificate
>> on the original server...
>>
>> so, when ATS acts as a reverse proxy, does SNI work?
>>  
>>  
>>  
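One way to check the behaviour discussed in this thread, as an added example that is not part of the original messages or of ATS: connect to the proxy once per hostname, send that hostname as the SNI value, and confirm the certificate presented actually covers it. It assumes the test certificates chain to a CA file you supply; the proxy address `192.0.2.10`, the file `ca.pem`, the sample certificates and all function names are hypothetical.

```python
import socket
import ssl

def cert_names(cert):
    """DNS names a certificate dict (ssl.getpeercert() format) is valid for."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN DNS entries exist, the CN is not consulted
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(cert, host):
    return any(name_matches(n, host) for n in cert_names(cert))

def fetch_cert(proxy_addr, sni_name, cafile, port=443, timeout=5):
    """Connect to proxy_addr, send sni_name in the ClientHello, return the cert dict."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified; names are compared by audit()
    with socket.create_connection((proxy_addr, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            return tls.getpeercert()

def audit(proxy_addr, hosts, cafile, fetch=fetch_cert):
    """Map each host to True if the cert presented for its SNI name covers it."""
    return {h: cert_covers(fetch(proxy_addr, h, cafile), h) for h in hosts}

# Constructed sample certificates in ssl.getpeercert() shape, not captured from a server.
SAMPLE_DEFAULT = {"subject": ((("commonName", "proxy.test.com"),),)}
SAMPLE_ZYQ = {"subject": ((("commonName", "zyq.test.com"),),),
              "subjectAltName": (("DNS", "zyq.test.com"),)}

if __name__ == "__main__":
    # Placeholder proxy address and CA file; hostnames are the ones used in the thread.
    hosts = ["zyq.test.com", "zy2.test.com", "zy3.test.com"]
    for host, ok in audit("192.0.2.10", hosts, "ca.pem").items():
        print(host, "OK" if ok else "WRONG CERTIFICATE")
```

A result of `WRONG CERTIFICATE` for every name but one is the symptom described in the thread: a single default certificate being served regardless of the SNI value.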