trafficserver-users mailing list archives

From James Peach
Subject Re: SSL termination for forward proxy?
Date Thu, 07 Jul 2016 15:34:34 GMT

> On Jul 7, 2016, at 4:57 AM, Rob Maidment wrote:
> Hello
> I notice TS supports SSL termination in reverse proxy mode only.
> I would like to write a plug-in to achieve SSL termination (for HTTPS)
> in forward proxy mode.  The plug-in would need to generate
> certificates on-the-fly for sites being requested, and the clients
> would need to trust these certificates (or the signing CA).
> My questions are:
> 1.  Does the plug-in have access to the CONNECT request and the TLS
> exchange that follows it?

Yes. CONNECT flows through to remap, so at remap time (or earlier if you want) you can intercept
the virtual circuit with TSHttpTxnServerIntercept. Take a look at the example/intercept/
You can also use network transparency and the SSL connection hook to terminate directly.

> 2.  Does the plug-in have access to the encrypted data from the client?


> 3.  How should the plug-in create its own SSL connection with the server?

There are a few approaches. You can use an API like TSHttpConnect() to route an HTTP(S) request
through the Traffic Server cache. You can use something like TSNetConnect() or TSVConnFdCreate()
to set up a virtual circuit and handle the TLS yourself.

> 4.  Is anyone else working on this already?

I'm sure it has been done in Traffic Server before, but I'm not aware of any open projects.
