trafficserver-users mailing list archives

From: Brian Geffon <briangef...@gmail.com>
Subject: Re: Origin SNI Value
Date: Fri, 20 Jan 2017 06:20:45 GMT
Hey Jeremy, is the guy who requested the bug on your team? I'm happy to
advise on how to fix it if you guys need.

Brian

On Thu, Jan 19, 2017, 05:30 Jeremy Payne <jp557198@gmail.com> wrote:

> "bug" filed.
>
> https://github.com/apache/trafficserver/issues/1344
>
> On Thu, Jan 19, 2017 at 6:37 AM, Jeremy Payne <jp557198@gmail.com> wrote:
>
> Thus far it appears that right before the origin request is built, the SNI value
> is derived from the original client (end user) defined HOST header. Since we
> have pristine enabled, we don't want the original client HOST header to be
> used as the origin SNI. So right after the cache lookup we change the
> client HOST header to the desired SNI value. This seems to work without
> impacts to the cache key, etc.
>
> ++++++++
> -- Runs once the cache lookup is complete, so the cache key is already set.
> function cache_lookup()
>     ts.client_request.header['Host'] = 'origin.tld'
>     return 0
> end
>
> function do_remap()
>     -- Rewrite the Host header (and thus the origin SNI) after the cache lookup.
>     ts.hook(TS_LUA_HOOK_CACHE_LOOKUP_COMPLETE, cache_lookup)
>     return 0
> end
> ++++++++
>
> On Wed, Jan 18, 2017 at 8:09 PM, Leif Hedstrom <zwoop@apache.org> wrote:
>
> I think we ran into just this same problem. Gancho, what was the solution?
>
> -- Leif
>
> On Jan 17, 2017, at 3:06 PM, Brian Geffon <briangeffon@gmail.com> wrote:
>
> That sounds like a bug and after looking through the code it does appear
> to be:
>
> https://github.com/apache/trafficserver/blob/master/proxy/http/HttpSM.cc#L5046
>
> That's the wrong value to use since it never gets overwritten here:
>
> https://github.com/apache/trafficserver/blob/master/proxy/http/remap/RemapProcessor.cc#L242
>
> Can you please file a bug?
>
> Brian
>
> On Tue, Jan 17, 2017 at 1:56 PM Jeremy Payne <jp557198@gmail.com> wrote:
>
> Hello,
>
> I currently have ATS configured to support a pristine host header.
>
>    proxy.config.url_remap.pristine_host_hdr 1
>
> I also have ATS configured to verify the origin server certificate.
>
>    proxy.config.ssl.client.verify.server 1
>
> My remap looks like this.
>
>    map https://edge.abc.com/ https://origin.xyz.com/
>
>
> Because pristine is enabled, when ATS sends a request back to the origin,
> it uses a SNI value of:
>
>      edge.abc.com
>
> However, the origin returns a certificate that does not match the SNI.
>
> Because the requested SNI and the returned CN/SAN do not match, coupled
> with verify.server enabled, ATS terminates the origin session and sends a
> 502 back to the client.
>
> Is there another control or configuration that allows me to define which
> SNI value to send back to the origin?
> I need to keep pristine enabled and I need verify.server enabled.
>
> Thanks in advance.
>
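The failure mode discussed in this thread (pristine Host header feeding the origin SNI, then verify.server rejecting the origin certificate because its CN/SAN names the origin rather than the edge) is easy to reason about with a small model. The following Python is an added illustration, not Apache Traffic Server code and not anything posted by the participants above: it models only the decision described in the thread (which name becomes the origin SNI, and whether the origin certificate's names match it), using a minimal RFC 6125-style hostname matcher. The hostnames come from Jeremy's remap line; the certificate SAN list and the `Request` type are constructed for the example.

```python
"""
Constructed model (not ATS code) of origin-SNI selection and the
verify.server name check as described in the trafficserver-users thread.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values from the remap line in the thread; the SAN list is constructed.
EDGE_HOST = "edge.abc.com"
ORIGIN_HOST = "origin.xyz.com"
ORIGIN_CERT_SANS = ["origin.xyz.com", "*.xyz.com"]  # constructed sample


def hostname_matches(hostname: str, pattern: str) -> bool:
    """Match a hostname against one CN/SAN entry, RFC 6125 style.

    Only a wildcard that is the entire leftmost label ('*.xyz.com') is
    honoured; it matches exactly one label and never a bare TLD.
    """
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return hostname == pattern
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_sni(sni: str, cert_names: List[str]) -> bool:
    """True if any CN/SAN on the origin certificate covers the SNI we sent."""
    return any(hostname_matches(sni, name) for name in cert_names)


@dataclass
class Request:
    host_header: str   # Host header as received from the client
    remap_target: str  # host part of the remap target URL


def origin_sni(req: Request, pristine_host_hdr: bool,
               host_override: Optional[str] = None) -> str:
    """Name placed in the origin ClientHello, per the thread's description.

    pristine_host_hdr=1 -> the client's Host header (or whatever a plugin
    hook rewrote it to); otherwise the remapped target host.
    """
    if host_override is not None:
        return host_override
    return req.host_header if pristine_host_hdr else req.remap_target


def origin_connect(req: Request, pristine_host_hdr: bool, verify_server: bool,
                   cert_names: List[str],
                   host_override: Optional[str] = None) -> Tuple[int, str]:
    """Return (status_to_client, sni_used).

    With verify.server enabled, a certificate whose names do not cover the
    SNI is rejected and the client gets a 502, as reported in the thread.
    """
    sni = origin_sni(req, pristine_host_hdr, host_override)
    if verify_server and not cert_matches_sni(sni, cert_names):
        return 502, sni
    return 200, sni


def demo() -> List[Tuple[str, int, str]]:
    """Walk through the configurations from the thread."""
    req = Request(host_header=EDGE_HOST, remap_target=ORIGIN_HOST)
    cases = [
        ("pristine=1 verify=1 (as reported)", True, True, None),
        ("pristine=0 verify=1", False, True, None),
        ("pristine=1 verify=0", True, False, None),
        ("pristine=1 verify=1 + Host rewrite hook", True, True, ORIGIN_HOST),
    ]
    rows = []
    for label, pristine, verify, override in cases:
        status, sni = origin_connect(req, pristine, verify, ORIGIN_CERT_SANS, override)
        rows.append((label, status, sni))
    return rows


if __name__ == "__main__":
    for label, status, sni in demo():
        print(f"{label:45s} SNI={sni:16s} -> {status}")
```

Running the demo reproduces the thread's observation: with pristine and verify.server both on, the SNI is `edge.abc.com`, no SAN covers it, and the result is a 502; rewriting the Host header to the origin name (the cache_lookup hook approach) makes the SNI match. The model also makes the trade-off of that workaround visible: since the origin request is built from the (rewritten) client request, the origin then receives `origin.xyz.com` as its Host header rather than the pristine edge name.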
