trafficserver-users mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: SSL-termination redirect loop
Date Thu, 08 May 2014 10:41:41 GMT
Hi

confirmed, with https://issues.apache.org/jira/secure/attachment/12637293/no_redirect_after_map.patch
SSL termination works like a charm as expected, with and without forcing client->ATS
encryption, and with the connection to the origin unencrypted

in other words: patch included in production build

thank you!

On 06.05.2014 17:59, Ethan Lai wrote:
> You can set "CONFIG proxy.config.url_remap.pristine_host_hdr INT 1" to keep the request's Host header.
> 
> And, yes, I also think it's a bug: a lower precedence type, `redirect` here, should not
> be matched again if a higher precedence type, `map` here, was matched.
> I've provided a patch here <https://issues.apache.org/jira/secure/attachment/12637293/no_redirect_after_map.patch>,
> one patch of TS-2344 <https://issues.apache.org/jira/browse/TS-2344>. You can try it if building trafficserver
> yourself.
> 
> 2014-05-06 19:31 GMT+08:00 Reindl Harald <h.reindl@thelounge.net>:
> 
>     On 06.05.2014 13:06, Ethan Lai wrote:
>     > I'd suggest use different names
> 
>     that doesn't work because it would break the *automatic*
>     configuration of ATS / dnsmasq based on webservices
>     working with the real origin-configs
> 
>     as well it would break php applications seeing
>     http://real-webspace.local/ as URL and so no longer
>     correctly fix href="http://domain/folder/file.ext"
>     to href="/folder/file.ext" when saving content with
>     WYSIWYG editors
> 
>     the current solution works perfectly for some
>     hundred domains without touching ATS manually
>     and caring about the origin, it only breaks
>     if ATS is supposed to do SSL-offloading
>     and force the client to https
> 
>     IMHO that is a bug - the redirect statement
>     should not affect the right side of a map
>     in reverse proxy mode
> 
>     > Add DNS: real-webspace.local   192.168.196.3
>     >
>     > redirect http://webspace.local https://webspace.local
>     > map https://webspace.local http://real-webspace.local
>     >
>     > 2014-05-06 18:37 GMT+08:00 Reindl Harald:
>     >
>     >     Hi
>     >
>     >     the settings below (which only make no sense without
>     >     the underlying DNS views) are resulting in a redirect
>     >     loop but why?
>     >
>     >     redirect http://webspace.local https://webspace.local
>     >     map https://webspace.local http://webspace.local
>     >
>     >     * DNS-View external:    webspace.local -> 192.168.196.2 (192.168.196.2 = ATS)
>     >     * DNS-View ATS machine: webspace.local -> 192.168.196.3 (192.168.196.3 = Origin)
>     >
>     >     the reason for these views is that this way automatic configuration of
>     >     ATS and dnsmasq based on webservices can be done and the decision using
>     >     the proxy or directly point to the origin is done with the public DNS
>     >     _____________________________________________________
>     >
>     >     these two mappings are working fine with http and https
>     >     so i assume the problem is that the non-http-origin URL
>     >     also triggers the redirect above
>     >
>     >     map http://webspace.local http://webspace.local
>     >     map https://webspace.local http://webspace.local
>     >     _____________________________________________________
>     >
>     >     these mappings are also working because the origin itself
>     >     is also accessed with https, but the idea of the config
>     >     above is that ATS is doing SSL termination, forcing the
>     >     client to use https but the origin has no SSL
>     >
>     >     redirect http://webspace.local https://webspace.local
>     >     map https://webspace.local https://webspace.local
> 
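
The redirect loop reported in this thread, and the effect of not matching `redirect` after `map`, as a simplified model added here (not part of the original messages and not ATS code). The function names, the `redirect_after_map` flag and the reduction of rule matching to scheme plus host are assumptions made for illustration.

```python
# Simplified model of the remap behaviour discussed in this thread; not ATS source code.
from urllib.parse import urlsplit

# Constructed rule sets mirroring the remap.config lines quoted in the thread.
RULES = [
    ("redirect", "http://webspace.local", "https://webspace.local"),
    ("map", "https://webspace.local", "http://webspace.local"),
]
ALT_RULES = [  # the "different names" workaround suggested in the thread
    ("redirect", "http://webspace.local", "https://webspace.local"),
    ("map", "https://webspace.local", "http://real-webspace.local"),
]

def _match(url, prefix):
    u, p = urlsplit(url), urlsplit(prefix)
    return (u.scheme, u.netloc) == (p.scheme, p.netloc)

def _rewrite(url, target):
    u, t = urlsplit(url), urlsplit(target)
    return f"{t.scheme}://{t.netloc}{u.path or '/'}"

def handle(url, rules, redirect_after_map):
    """Return ('redirect', location), ('origin', url) or ('no_match', url)."""
    mapped = None
    for kind, src, dst in rules:
        if kind == "map" and _match(url, src):
            mapped = _rewrite(url, dst)
            break
    # Reported behaviour (flag True): redirect rules are also tried against
    # the URL produced by the map rule. Patched behaviour (flag False):
    # a matched map rule ends rule evaluation.
    candidate = mapped if mapped else url
    if mapped is None or redirect_after_map:
        for kind, src, dst in rules:
            if kind == "redirect" and _match(candidate, src):
                return ("redirect", _rewrite(candidate, dst))
    return ("origin", mapped) if mapped else ("no_match", url)

def follow(url, rules, redirect_after_map, max_hops=10):
    """Follow redirects like a client; return (outcome, final_url, hops)."""
    for hop in range(max_hops):
        action, target = handle(url, rules, redirect_after_map)
        if action != "redirect":
            return (action, target, hop)
        url = target
    return ("loop", url, max_hops)
```
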

