trafficserver-users mailing list archives

From: Jeremy Payne <jp557...@gmail.com>
Subject: Re: Origin SNI Value
Date: Thu, 19 Jan 2017 12:37:33 GMT
Thus far it appears that right before the origin request is built, the SNI value
is derived from the original client (end user) defined HOST header. Since we
have pristine enabled, we don't want the original client HOST header to be
used as the origin SNI. So right after the cache lookup we change the
client HOST header to the desired SNI value. This seems to work without
impacts to the cache key, etc.

++++++++
-- ts_lua remap plugin: rewrite the client Host header after the cache lookup
-- has completed, so the origin SNI is derived from the desired name.
function cache_lookup()
    ts.client_request.header['Host'] = 'origin.tld'
    return 0
end

function do_remap()
    ts.hook(TS_LUA_HOOK_CACHE_LOOKUP_COMPLETE, cache_lookup)
    return 0
end
++++++++

On Wed, Jan 18, 2017 at 8:09 PM, Leif Hedstrom <zwoop@apache.org> wrote:

> I think we ran into just this same problem. Gancho, what was the solution?
>
> -- Leif
>
> On Jan 17, 2017, at 3:06 PM, Brian Geffon <briangeffon@gmail.com> wrote:
>
> That sounds like a bug and after looking through the code it does appear
> to be:
>
> https://github.com/apache/trafficserver/blob/master/proxy/http/HttpSM.cc#L5046
>
> That's the wrong value to use since it never gets overwritten here:
>
> https://github.com/apache/trafficserver/blob/master/proxy/http/remap/RemapProcessor.cc#L242
>
> Can you please file a bug?
>
> Brian
>
> On Tue, Jan 17, 2017 at 1:56 PM Jeremy Payne <jp557198@gmail.com> wrote:
>
> Hello,
>
>
>
> I currently have ATS configured to support a pristine host header.
>
>    proxy.config.url_remap.pristine_host_hdr 1
>
> I also have ATS configured to verify the origin server certificate.
>
>    proxy.config.ssl.client.verify.server 1
>
> My remap looks like this.
>
>    map https://edge.abc.com/ https://origin.xyz.com/
>
>
> Because pristine is enabled, when ATS sends a request back to the origin,
> it uses a SNI value of:
>
>      edge.abc.com
>
> However, the origin returns a certificate that does not match the SNI.
>
> Because the requested SNI and the returned CN/SAN do not match, coupled
> with verify.server enabled, ATS terminates the origin session and sends a
> 502 back to the client.
>
> Is there another control or configuration that allows me to define which
> SNI value to send back to the origin?
> I need to keep pristine enabled and I need verify.server enabled.
>
> Thanks in advance.
>
>

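The following is an added example, not code from the thread or from Apache Traffic Server: a small Python model of the ordering the thread relies on (remap, cache lookup, CACHE_LOOKUP_COMPLETE hook, then the origin request whose SNI is copied from the client Host header), plus the CN/SAN check that produces the 502 when verify.server is on. The hook names, the `Txn` structure and the rule that the cache key is built from the Host header in effect at lookup time are assumptions made to make the ordering visible; the hostnames are the ones from the thread and the origin certificate's SAN list is constructed.

```python
"""Constructed model of the hook ordering discussed in this thread; not
Apache Traffic Server code.  Stages run in the order the thread describes:
remap, cache lookup, CACHE_LOOKUP_COMPLETE, then the origin request whose
SNI is copied from the client Host header.  Hook and function names are
illustrative, not the ts_lua API."""

from dataclasses import dataclass, field

HOOK_REMAP = "remap"                                  # fires before cache lookup
HOOK_CACHE_LOOKUP_COMPLETE = "cache_lookup_complete"  # fires after cache lookup


@dataclass
class Txn:
    client_host: str            # Host header as sent by the end user
    remap_target: str           # origin host from the map rule
    pristine_host_hdr: bool     # proxy.config.url_remap.pristine_host_hdr
    path: str = "/index.html"
    headers: dict = field(default_factory=dict)
    cache_key: str = ""
    origin_sni: str = ""


def run_transaction(txn, hooks):
    """Drive one transaction through the stages in order and record the
    cache key and the SNI the origin connection would carry."""
    txn.headers["Host"] = txn.client_host
    for fn in hooks.get(HOOK_REMAP, []):
        fn(txn)
    # Model assumption: with pristine on, the key is built at lookup time from
    # whatever Host header is in effect (remap target otherwise).  A rewrite
    # before this line therefore changes the key; a rewrite after it does not.
    key_host = txn.headers["Host"] if txn.pristine_host_hdr else txn.remap_target
    txn.cache_key = f"https://{key_host}{txn.path}"
    for fn in hooks.get(HOOK_CACHE_LOOKUP_COMPLETE, []):
        fn(txn)
    # Origin request is built last; the SNI is derived from the client Host
    # header, which is the behaviour the thread reports with pristine enabled.
    txn.origin_sni = txn.headers["Host"]
    return txn


def hostname_matches(sni, san):
    """Exact match, or a single '*' in the leftmost label covering exactly one
    label (RFC 6125 style); no partial-label wildcards."""
    sni, san = sni.lower(), san.lower()
    if san == sni:
        return True
    if not san.startswith("*."):
        return False
    s_labels, n_labels = san.split("."), sni.split(".")
    return len(s_labels) == len(n_labels) and s_labels[1:] == n_labels[1:]


def origin_handshake(sni, cert_sans, verify_server):
    """Client-facing status produced by the origin TLS handshake: 502 when
    verify.server is on and no SAN in the origin certificate covers the SNI."""
    if verify_server and not any(hostname_matches(sni, san) for san in cert_sans):
        return 502
    return 200


def set_origin_host(txn):
    """The thread's workaround: overwrite Host with the desired origin SNI."""
    txn.headers["Host"] = txn.remap_target


def scenario(hook_point):
    """Run the thread's configuration with the Host rewrite installed at the
    given hook (no rewrite when hook_point is None).
    Returns (cache_key, origin_sni, client_status)."""
    txn = Txn(client_host="edge.abc.com", remap_target="origin.xyz.com",
              pristine_host_hdr=True)
    hooks = {hook_point: [set_origin_host]} if hook_point else {}
    run_transaction(txn, hooks)
    # Constructed origin certificate: its SAN covers only the origin name.
    status = origin_handshake(txn.origin_sni, ["origin.xyz.com"], verify_server=True)
    return txn.cache_key, txn.origin_sni, status


if __name__ == "__main__":
    for hp in (None, HOOK_CACHE_LOOKUP_COMPLETE, HOOK_REMAP):
        print(hp, scenario(hp))
```

Running it shows the three outcomes the thread discusses: with no rewrite the origin SNI stays `edge.abc.com`, the certificate check fails and the client gets a 502; with the rewrite at CACHE_LOOKUP_COMPLETE the cache key is unchanged and the SNI becomes `origin.xyz.com`; with the same rewrite at the remap stage the key would have changed as well.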