trafficserver-users mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: SSL-termination redirect loop
Date Wed, 07 May 2014 08:08:07 GMT
Hi

On 06.05.2014 17:59, Ethan Lai wrote:
> You can set "CONFIG proxy.config.url_remap.pristine_host_hdr INT 1" to keep request's Host header.

yes, but it still would need to invent DNS names for some hundred domains
and reconfigure the nameservers - in that case a cert on the origin is
cheaper for sites with forced ssl:-)

> And, yes, I also think it's a bug, lower precedence type, `redirect` here, should not be matched again if higher
> precedence type, `map` here, were matched.
> I've provided a patch here <https://issues.apache.org/jira/secure/attachment/12637293/no_redirect_after_map.patch>,
> one patch of TS-2344 <https://issues.apache.org/jira/browse/TS-2344>. You can try it if building trafficserver
> yourself.

thank you!

i will give feedback ASAP, building ATS as my own RPMs
need some time for other tasks currently :-(

> 2014-05-06 19:31 GMT+08:00 Reindl Harald <h.reindl@thelounge.net>:
>
>     On 06.05.2014 13:06, Ethan Lai wrote:
>     > I'd suggest use different names
> 
>     that don't work because it would break the *automatic*
>     configuration of ATS / dnsmasq based on webservices
>     working with the real origin-configs
> 
>     as well it would break php applications seeing
>     http://real-webspace.local/ as URL and so no longer
>     correctly fix href="http://domain/folder/file.ext"
>     to href="/folder/file.ext" by save content with
>     WYSIWYG editors
> 
>     the current solution works perfectly for some
>     hundred domains without touch ATS manually
>     and care about the origin, it only breaks
>     if ATS is supposed to do SSL-offloading
>     and force the client to https
> 
>     IMHO that is a bug - the redirect statement
>     should not affect the right side of a map
>     in reverse proxy mode
> 
>     > Add DNS: real-webspace.local   192.168.196.3
>     >
>     > redirect http://webspace.local https://webspace.local
>     > map https://webspace.local http://real-webspace.local
>     >
>     > 2014-05-06 18:37 GMT+08:00 Reindl Harald:
>     >
>     >     Hi
>     >
>     >     the settings below (which only make no sense without
>     >     the underlying DNS views) are resulting in a redirect
>     >     loop  but why?
>     >
>     >     redirect http://webspace.local https://webspace.local
>     >     map https://webspace.local http://webspace.local
>     >
>     >     * DNS-View external:    webspace.local -> 192.168.196.2 (192.168.196.2 = ATS)
>     >     * DNS-View ATS machine: webspace.local -> 192.168.196.3 (192.168.196.3 = Origin)
>     >
>     >     the reason for that views is that this way automatic configuration of
>     >     ATS and dnsmasq based on webservices can be done and the decision using
>     >     the proxy or directly point to the origin is done with the public DNS
>     >     _____________________________________________________
>     >
>     >     these two mappings are working fine with http and https
>     >     so i assume the problem is that the non-http-origin URL
>     >     triggers also the redirect above
>     >
>     >     map http://webspace.local http://webspace.local
>     >     map https://webspace.local http://webspace.local
>     >     _____________________________________________________
>     >
>     >     these mappings also working because the origin itself
>     >     is also accessed with https, but the idea of the config
>     >     above is that ATS doing SSL termination, forcing the
>     >     client to use https but the origin has no SSL
>     >
>     >     redirect http://webspace.local https://webspace.local
>     >     map https://webspace.local https://webspace.local
> 
> 

-- 

Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / CISO / Software-Development
m: +43 (676) 40 221 40, p: +43 (1) 595 3999 33
icq: 154546673, http://www.thelounge.net/

http://www.thelounge.net/signature.asc.what.htm
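
A static check for the rule combination reported in this thread, as an added example that is not part of the original message or of ATS: it flags a `map` whose target matches the source of a `redirect` that points back at the map's source. The function names and the prefix-matching rule are assumptions of this example; the rule sets are the ones quoted in the thread.

```python
from urllib.parse import urlsplit

# Constructed samples: the rule sets quoted in the thread.
LOOPING = """redirect http://webspace.local https://webspace.local
map https://webspace.local http://webspace.local"""
HTTPS_ORIGIN = """redirect http://webspace.local https://webspace.local
map https://webspace.local https://webspace.local"""
RENAMED_ORIGIN = """redirect http://webspace.local https://webspace.local
map https://webspace.local http://real-webspace.local"""

def norm(url):
    """Reduce a URL to (scheme, host, port, path) with default ports filled in."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return (u.scheme, u.hostname or "", port, u.path or "/")

def covers(prefix, url):
    """True if url falls under prefix: same scheme/host/port, path prefix match."""
    return prefix[:3] == url[:3] and url[3].startswith(prefix[3])

def parse_remap(text):
    """Yield (lineno, kind, source, target) for map and redirect rules only."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) >= 3 and fields[0] in ("map", "redirect"):
            yield lineno, fields[0], norm(fields[1]), norm(fields[2])

def find_loops(text):
    """Return (map_line, redirect_line) pairs where the map target matches a
    redirect source and that redirect points back at the map source."""
    rules = list(parse_remap(text))
    redirects = [r for r in rules if r[1] == "redirect"]
    hits = []
    for m_line, kind, m_src, m_dst in rules:
        if kind != "map":
            continue
        for r_line, _, r_src, r_dst in redirects:
            if covers(r_src, m_dst) and covers(m_src, r_dst):
                hits.append((m_line, r_line))
    return hits

if __name__ == "__main__":
    for name, cfg in [("looping", LOOPING), ("https origin", HTTPS_ORIGIN),
                      ("renamed origin", RENAMED_ORIGIN)]:
        print(name, find_loops(cfg))
```

Run over a generated remap.config before deployment, a non-empty result marks the pairs that need a distinct origin name, an https origin, or a build with the patch mentioned in the thread.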

