Brian,
Yes, Kishore is part of our dev team. He should be reaching out to you here
soon.
Thanks for offering your expert guidance.
On Fri, Jan 20, 2017 at 12:20 AM, Brian Geffon <briangeffon@gmail.com>
wrote:
> Hey Jeremy, is the guy who requested the bug on your team? I'm happy to
> advise on how to fix it if you guys need.
>
> Brian
>
> On Thu, Jan 19, 2017, 05:30 Jeremy Payne <jp557198@gmail.com> wrote:
>
>> "bug" filed.
>>
>> https://github.com/apache/trafficserver/issues/1344
>>
>> On Thu, Jan 19, 2017 at 6:37 AM, Jeremy Payne <jp557198@gmail.com> wrote:
>>
>> Thus far it appears right before the origin request is built the SNI
>> value is derived from the original client (end user) defined HOST header.
>> Since we have pristine enabled, we don't want the original client HOST
>> header to be used as the origin SNI. So right after the cache lookup we
>> change the client HOST header to the desired SNI value. This seems to work
>> without impacts to the cache key, etc.
>>
>> ++++++++
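>> -- Runs after the cache lookup: replace the client Host header with the
>> -- value wanted as the origin SNI.
>> function cache_lookup()
>>     ts.client_request.header['Host'] = 'origin.tld'
>>     return 0
>> end
>>
>> function do_remap()
>>     -- Register the handler for the cache-lookup-complete hook.
>>     ts.hook(TS_LUA_HOOK_CACHE_LOOKUP_COMPLETE, cache_lookup)
>>     return 0
>> end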
>> ++++++++
>>
>> On Wed, Jan 18, 2017 at 8:09 PM, Leif Hedstrom <zwoop@apache.org> wrote:
>>
>> I think we ran into just this same problem. Gancho, what was the solution?
>>
>> -- Leif
>>
>> On Jan 17, 2017, at 3:06 PM, Brian Geffon <briangeffon@gmail.com> wrote:
>>
>> That sounds like a bug and after looking through the code it does appear
>> to be:
>>
>> https://github.com/apache/trafficserver/blob/master/proxy/http/HttpSM.cc#L5046
>>
>> That's the wrong value to use since it never gets overwritten here:
>>
>> https://github.com/apache/trafficserver/blob/master/proxy/http/remap/RemapProcessor.cc#L242
>>
>> Can you please file a bug?
>>
>> Brian
>>
>> On Tue, Jan 17, 2017 at 1:56 PM Jeremy Payne <jp557198@gmail.com> wrote:
>>
>> Hello,
>>
>>
>>
>> I currently have ATS configured to support a pristine host header.
>>
>> proxy.config.url_remap.pristine_host_hdr 1
>>
>> I also have ATS configured to verify the origin server certificate.
>>
>> proxy.config.ssl.client.verify.server 1
>>
>> My remap looks like this.
>>
>> map https://edge.abc.com/ https://origin.xyz.com/
>>
>>
>> Because pristine is enabled, when ATS sends a request back to the origin,
>> it uses a SNI value of:
>>
>> edge.abc.com
>>
>> However, the origin returns a certificate that does not match the SNI.
>>
>> Because the requested SNI and the returned CN/SAN do not match, coupled
>> with verify.server enabled, ATS terminates the origin session and sends a
>> 502 back to the client.
>>
>> Is there another control or configuration that allows me to define which
>> SNI value to send back to the origin?
>> I need to keep pristine enabled and I need verify.server enabled.
>>
>> Thanks in advance.
>>
>>
>>
>>
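The mismatch described in the original question, as an added example that is not part of the thread and not Apache Traffic Server code: a simplified Python model in which the origin SNI follows the request's Host header and is checked against a constructed certificate SAN list. The function names, the `host_override` parameter and the SAN values are assumptions made for illustration.

```python
# Added illustration: a simplified model of the behaviour described in the
# thread. It is not Apache Traffic Server code; all names are hypothetical.

# Constructed sample: names the origin certificate is assumed to carry.
ORIGIN_CERT_SANS = ["origin.xyz.com", "*.xyz.com"]


def origin_sni(client_host, remap_to_host, pristine_host_hdr, host_override=None):
    """Pick the name sent as SNI, assuming it follows the request's Host header."""
    if host_override is not None:
        # Models the Lua workaround in the thread: Host rewritten after cache lookup.
        return host_override
    # With pristine_host_hdr on, remap leaves the client's Host header untouched.
    return client_host if pristine_host_hdr else remap_to_host


def hostname_matches(pattern, hostname):
    """Match a certificate name against a hostname.

    Case-insensitive; a wildcard is honoured only as the whole left-most
    label, covers exactly one label, and needs at least two fixed labels.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def origin_handshake(client_host, remap_to_host, pristine_host_hdr,
                     cert_sans, host_override=None):
    """Return (sni, verified); verified=False is the case reported as a 502."""
    sni = origin_sni(client_host, remap_to_host, pristine_host_hdr, host_override)
    return sni, any(hostname_matches(name, sni) for name in cert_sans)


if __name__ == "__main__":
    cases = [("pristine on", True, None),
             ("pristine off", False, None),
             ("pristine on + Host override", True, "origin.xyz.com")]
    for label, pristine, override in cases:
        print(label, origin_handshake("edge.abc.com", "origin.xyz.com",
                                      pristine, ORIGIN_CERT_SANS, override))
```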