trafficserver-users mailing list archives

From "Chee, Anthony [COMP]" <anthony.c...@polyu.edu.hk>
Subject SSL and Reverse Proxy
Date Mon, 18 Jul 2016 07:37:39 GMT
I am using CentOS 7 as the OS. The version of trafficserver is v5.3.0, which comes from EPEL
7. CentOS 7 is updated with all patches.

I would like to set up a reverse proxy which listens on 80 and 443. It accepts SSL connections
and maps the connection to an internal host, also with SSL.

Below is the portion of records.conf I modified.

CONFIG proxy.config.ssl.client.cert.filename STRING mycert.crt
CONFIG proxy.config.ssl.client.private_key.filename STRING mykey.key
#CONFIG proxy.config.ssl.allow_client_renegotiation INT 1
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 0
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.client.verify.server INT 0
CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
CONFIG proxy.config.ssl.server.cipher_suite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
CONFIG proxy.config.diags.debug.enabled INT 1
CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*|ssl.*


Below is the remap.conf I modified.

map https://publichost https://internalhost/path

I used Chrome to connect to https://publichost and it gave me the following:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH
The client and server don't support a common SSL protocol version or cipher suite. This is
likely to be caused when the server needs RC4, which is no longer considered secure.

From my understanding, RC4 should already be disabled in the above cipher_suite setting. I would
like to ask if there is anything I missed. I tested with a non-SSL reverse proxy and it seems OK.

Regards,
Anthony
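The cipher_suite string from the records.conf above, checked with Python's ssl module (an added example, not code from the original mail or from Traffic Server): it expands the string the way OpenSSL does, confirms that no RC4 suite survives, and lists the misspelled suite names that OpenSSL drops silently instead of reporting. The exact expansion depends on the local OpenSSL build, which is assumed to be whatever Python is linked against.

```python
import ssl

# Cipher string copied verbatim from the records.conf posted in the question.
ATS_CIPHER_SUITE = (
    "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:"
    "ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:"
    "ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:"
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:"
    "DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:"
    "AES128-SHA:AES128-SHA:DES-CBC3-SHA:"
    "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
)


def enabled_suites(cipher_string):
    """Expand a cipher string with the local OpenSSL (the library Traffic Server
    links against) and return the suite names it enables, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError only if nothing at all matches
    return [c["name"] for c in ctx.get_ciphers()]


def dropped_tokens(cipher_string):
    """Positive tokens that name no suite and no alias on this OpenSSL build.
    OpenSSL skips such tokens silently as long as the rest of the string still
    selects something, so a typo like AES128-GCM-SHA128 never surfaces as an error."""
    dropped = []
    for token in cipher_string.split(":"):
        if token.startswith(("!", "-", "+")):  # negations and reorders cannot be tested alone
            continue
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).set_ciphers(token)
        except ssl.SSLError:
            dropped.append(token)
    return dropped


def uses_rc4(cipher_string):
    """True if any enabled suite is RC4-based (what Chrome's error text hints at)."""
    return any("RC4" in name for name in enabled_suites(cipher_string))


if __name__ == "__main__":
    print("RC4 enabled:", uses_rc4(ATS_CIPHER_SUITE))
    print("tokens OpenSSL silently ignores:", dropped_tokens(ATS_CIPHER_SUITE))
    for name in enabled_suites(ATS_CIPHER_SUITE):
        print(" ", name)
```

Since the string itself already excludes RC4, Chrome's RC4 hint is a red herring here. In Traffic Server the certificate presented on the 443 listener is configured in ssl_multicert.config, while the proxy.config.ssl.client.* records only govern the proxy's own outbound connections to the origin.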


