trafficserver-users mailing list archives

From James Peach <jpe...@apache.org>
Subject Re: SSL and Reverse Proxy
Date Mon, 18 Jul 2016 11:18:55 GMT

> On Jul 18, 2016, at 5:37 PM, Chee, Anthony [COMP] <anthony.chee@polyu.edu.hk> wrote:
> 
> I am using CentOS 7 as the OS. The version of trafficserver is v5.3.0, which comes
> from EPEL 7. CentOS 7 is updated with all patches.
> 
> I would like to set up a reverse proxy which listens on 80 and 443. It accepts SSL connections
> from the client host and maps the connection to an internal host, also with SSL.
> 
> The below is the portion of records.conf I modified.
> 
> CONFIG proxy.config.ssl.client.cert.filename STRING mycert.crt
> CONFIG proxy.config.ssl.client.private_key.filename STRING mykey.key

This is specifying the certificate Traffic Server will present to “internalhost”. Did
you add an ssl_multicert.config entry with the certificate and key for “publichost”?

> #CONFIG proxy.config.ssl.allow_client_renegotiation INT 1
> CONFIG proxy.config.ssl.SSLv2 INT 0
> CONFIG proxy.config.ssl.SSLv3 INT 0
> CONFIG proxy.config.ssl.TLSv1 INT 1
> CONFIG proxy.config.ssl.TLSv1_1 INT 1
> CONFIG proxy.config.ssl.TLSv1_2 INT 1
> CONFIG proxy.config.ssl.client.verify.server INT 0
> CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
> CONFIG proxy.config.ssl.server.cipher_suite STRING EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
> CONFIG proxy.config.diags.debug.enabled INT 1
> CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*|ssl.*
> 
> 
> Below is the remap.conf I modified.
> 
> map https://publichost https://internalhost/path
> 
> I used Chrome to connect to https://publichost and give me the following
> 
> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> The client and server don't support a common SSL protocol version or cipher suite. This
> is likely to be caused when the server needs RC4, which is no longer considered secure.
> 
> From my understanding, RC4 should already be disabled in the above cipher_suite setting. I would
> like to ask if there is anything I missed. I tested with a non-SSL reverse proxy and it seems OK.
> 
> Regards,
> Anthony
> 
> 
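An added example, not from this thread or from Traffic Server itself: a small Python audit that separates the two TLS sides James's reply distinguishes (the origin-side client certificate set in records.config and the browser-facing certificate that has to come from ssl_multicert.config) and resolves the cipher_suite string through the local OpenSSL to confirm that RC4 really drops out. The config excerpts and the publichost.crt/publichost.key file names are constructed; the ssl_multicert.config key names (dest_ip, ssl_cert_name, ssl_key_name) are the documented ones.

```python
import re
import ssl
# Constructed records.config excerpt (not the poster's full file); cert file names are placeholders.
RECORDS = """
CONFIG proxy.config.ssl.client.cert.filename STRING mycert.crt
CONFIG proxy.config.ssl.client.private_key.filename STRING mykey.key
CONFIG proxy.config.ssl.server.cipher_suite STRING EECDH+AESGCM:EDH+AESGCM:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
"""
# Constructed ssl_multicert.config entry (hypothetical publichost.crt/.key): the public-facing cert.
MULTICERT = "dest_ip=* ssl_cert_name=publichost.crt ssl_key_name=publichost.key\n"
CONFIG_RE = re.compile(r"CONFIG\s+(\S+)\s+(INT|STRING|FLOAT)\s+(.*)$")

def parse_records(text):
    """Return ({name: value}, [malformed lines]); blanks and comments are skipped."""
    values, malformed = {}, []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = CONFIG_RE.match(line)
        if m:
            values[m.group(1)] = m.group(3).strip()
        elif not line.startswith("#"):  # e.g. a CONFIG line missing its type token
            malformed.append(line)
    return values, malformed

def parse_multicert(text):
    """One dict of key=value tokens per active ssl_multicert.config line."""
    return [dict(t.split("=", 1) for t in l.split()) for l in text.splitlines()
            if l.strip() and not l.startswith("#")]

def resolve_ciphers(spec):
    """Cipher names OpenSSL actually selects for spec; raises ssl.SSLError if none match."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]

def audit(records_text, multicert_text):
    """Return findings; an empty list means both TLS sides are configured."""
    records, malformed = parse_records(records_text)
    findings = ["malformed records.config line: " + l for l in malformed]
    if "proxy.config.ssl.client.cert.filename" not in records:
        findings.append("no client certificate for the origin (internalhost) side")
    if not any("ssl_cert_name" in e for e in parse_multicert(multicert_text)):
        findings.append("no ssl_multicert.config entry: nothing to present to browsers")
    spec = records.get("proxy.config.ssl.server.cipher_suite")
    if not spec:
        findings.append("proxy.config.ssl.server.cipher_suite not set")
    else:
        try:
            if any("RC4" in n for n in resolve_ciphers(spec)):
                findings.append("RC4 still enabled")
        except ssl.SSLError:
            findings.append("cipher_suite selects no ciphers")
    return findings
```

The cipher resolution uses whichever OpenSSL the local Python links against, so run it on the proxy host itself to see the list Traffic Server's OpenSSL will actually build.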

