trafficserver-users mailing list archives

From Jeremy Payne <jp557...@gmail.com>
Subject Re: Origin SNI Value
Date Thu, 19 Jan 2017 13:30:21 GMT
"bug" filed.

https://github.com/apache/trafficserver/issues/1344

On Thu, Jan 19, 2017 at 6:37 AM, Jeremy Payne <jp557198@gmail.com> wrote:

> Thus far it appears that right before the origin request is built, the SNI value
> is derived from the original client (end user) defined HOST header. Since we
> have pristine enabled, we don't want the original client HOST header to be
> used as the origin SNI. So right after the cache lookup we change the
> client HOST header to the desired SNI value. This seems to work without
> impacts to the cache key, etc.
>
> ++++++++
> -- Runs at cache-lookup-complete: the cache key is already computed,
> -- but the origin request (and its SNI) has not been built yet.
> function cache_lookup()
>     ts.client_request.header['Host'] = 'origin.tld'
>     return 0
> end
>
> function do_remap()
>     ts.hook(TS_LUA_HOOK_CACHE_LOOKUP_COMPLETE, cache_lookup)
>     return 0
> end
> ++++++++
>
> On Wed, Jan 18, 2017 at 8:09 PM, Leif Hedstrom <zwoop@apache.org> wrote:
>
>> I think we ran into just this same problem. Gancho, what was the solution?
>>
>> -- Leif
>>
>> On Jan 17, 2017, at 3:06 PM, Brian Geffon <briangeffon@gmail.com> wrote:
>>
>> That sounds like a bug and after looking through the code it does appear
>> to be:
>>
>> https://github.com/apache/trafficserver/blob/master/proxy/http/HttpSM.cc#L5046
>>
>> That's the wrong value to use since it never gets overwritten here:
>>
>> https://github.com/apache/trafficserver/blob/master/proxy/http/remap/RemapProcessor.cc#L242
>>
>> Can you please file a bug?
>>
>> Brian
>>
>> On Tue, Jan 17, 2017 at 1:56 PM Jeremy Payne <jp557198@gmail.com> wrote:
>>
>> Hello,
>>
>>
>>
>> I currently have ATS configured to support a pristine host header.
>>
>>    proxy.config.url_remap.pristine_host_hdr 1
>>
>> I also have ATS configured to verify the origin server certificate.
>>
>>    proxy.config.ssl.client.verify.server 1
>>
>> My remap looks like this.
>>
>>    map https://edge.abc.com/ https://origin.xyz.com/
>>
>>
>> Because pristine is enabled, when ATS sends a request back to the origin,
>> it uses a SNI value of:
>>
>>      edge.abc.com
>>
>> However, the origin returns a certificate that does not match the SNI.
>>
>> Because the requested SNI and the returned CN/SAN do not match, coupled
>> with verify.server enabled, ATS terminates the origin session and sends a
>> 502 back to the client.
>>
>> Is there another control or configuration that allows me to define which
>> SNI value to send back to the origin?
>> I need to keep pristine enabled and I need verify.server enabled.
>>
>> Thanks in advance.
>>
>>
>

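The workaround quoted above hard-codes the origin name ('origin.tld'). The following is an added example, not code from the thread or from the Traffic Server project, that generalises it so the Host header (and therefore the SNI ATS derives from it) is taken from the remap rule's target instead. It assumes the ts_lua plugin is attached to the rule in remap.config, that do_remap sees the already-remapped request URL (so ts.client_request.get_url_host() returns the origin host while the Host header still carries the pristine edge name), and the script path and header name used in the comments are ours.

```lua
-- Added example (not from the thread). Attach to the remap rule, e.g.:
--   map https://edge.abc.com/ https://origin.xyz.com/ \
--       @plugin=tslua.so @pparam=/etc/trafficserver/origin_sni.lua
-- Assumes: proxy.config.url_remap.pristine_host_hdr = 1 and
--          proxy.config.ssl.client.verify.server = 1, as in the original post.

-- Runs at TS_LUA_HOOK_CACHE_LOOKUP_COMPLETE. By then the cache key has already
-- been computed, so rewriting Host here does not change it; but the origin
-- request has not been built yet, so the SNI (derived from the Host header)
-- picks up the new value.
function set_origin_host()
    local origin_host = ts.ctx['origin_host']
    if origin_host == nil or origin_host == '' then
        -- Nothing recorded in do_remap: leave the pristine Host untouched.
        return 0
    end

    -- Optional (name is our assumption): preserve the edge name for the
    -- origin, since it will no longer see it in Host.
    ts.client_request.header['X-Pristine-Host'] = ts.client_request.header['Host']

    -- Host now matches the certificate the origin presents (origin.xyz.com),
    -- so verify.server succeeds instead of producing a 502.
    ts.client_request.header['Host'] = origin_host
    return 0
end

function do_remap()
    -- With pristine enabled the Host header still says edge.abc.com here, but
    -- the URL has been rewritten by the map rule, so its host is the origin's.
    local origin_host = ts.client_request.get_url_host()
    if origin_host == nil or origin_host == '' then
        return 0
    end

    -- Stash it per transaction for the later hook.
    ts.ctx['origin_host'] = origin_host
    ts.hook(TS_LUA_HOOK_CACHE_LOOKUP_COMPLETE, set_origin_host)
    return 0
end
```

Caveat worth checking before deploying: the origin now receives Host: origin.xyz.com rather than the pristine edge name, so anything on the origin that keys on the edge hostname must read it from the extra header instead; and if a remap rule maps several edge names to one origin, confirm with a cache hit/miss test that the key is still computed from the pristine Host before this hook runs.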