trafficserver-users mailing list archives

From Shu Kit Chan <chanshu...@gmail.com>
Subject Re: [E] https issue
Date Sun, 06 Dec 2020 05:21:26 GMT
I am still not quite sure if I understand what you are trying to do.
But let me take a guess.

The error "error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong
version number" probably means that you are talking to an invalid https
endpoint through ATS. "https://httpbin.org/" is a pretty normal
destination. So are you already using lua plugin/script to change the
destination? That destination is probably not a valid https endpoint.
So the CONNECT may still work and return status 200 and follow the lua
script program to route request to new destination. That destination
is not valid https and so curl does not like it.

If I am right so far, then I think disabling the lua plugin will make
ATS work just like squid. If you really want to use lua to change
the destination, I think you need to make sure to set the scheme to
https as well in your lua script.

Thanks.

Kit





On Sat, Dec 5, 2020 at 6:25 PM Lei Sun <lei.sun@gmail.com> wrote:
>
> Hi Kit,
>
> I set up the ATS to be a forward proxy, so I turned remap off.
>>
>> CONFIG proxy.config.url_remap.remap_required INT 0
>> CONFIG proxy.config.reverse_proxy.enabled INT 0
>
>
> I was trying to use lua scripts to intercept the incoming request, and passing the request to upstream/parent cache proxy dynamically based on some custom logic.
> I was able to make the http work by intercepting and modifying request, url, server_request.server_addr, etc. in do_global_post_remap and do_global_send_request hooks. However, it threw the following error when I tried https
>>
>> $ curl --proxy http://127.0.0.1:8080 https://httpbin.org/get?answer=42 -v
>> *   Trying 127.0.0.1...
>> * TCP_NODELAY set
>> * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
>> * Establish HTTP proxy tunnel to httpbin.org:443
>> > CONNECT httpbin.org:443 HTTP/1.1
>> > Host: httpbin.org:443
>> > User-Agent: curl/7.54.0
>> > Proxy-Connection: Keep-Alive
>> >
>> < HTTP/1.1 200 OK
>> < Date: Sun, 06 Dec 2020 02:22:49 GMT
>> < Proxy-Connection: keep-alive
>> < Server: ATS/10.0.0
>> <
>> * Proxy replied OK to CONNECT request
>> * ALPN, offering h2
>> * ALPN, offering http/1.1
>> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>> * successfully set certificate verify locations:
>> *   CAfile: /etc/ssl/cert.pem
>>   CApath: none
>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>> * error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number
>> * stopped the pause stream!
>> * Closing connection 0
>> curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number
>
>
> I was able to get the desired request forwarding functionality working using squid's cache_peer feature, see below
> curl --proxy http://127.0.0.1:3128 http://httpbin.org/get?answer=42 -v
> curl --proxy http://127.0.0.1:3128 https://httpbin.org/get?answer=42 -v
>
> However, squid only supports hard coded configuration of cache_peer directive.
>>
>> cache_peer 23.105.0.211 parent 29842 0 no-query no-digest login=USERNAME:PASSWORD
>
>
> Could you please give me some advice on what to modify in lua so that we can get the same functionality as squid, except that we can do it dynamically with custom rules, which is a lot more powerful.
>
> Cheers,
> Lei
>
> On Sat, Dec 5, 2020 at 4:42 PM Shu Kit Chan <chanshukit@gmail.com> wrote:
>>
>> do_global_send_request in lua is the function called for the
>> TS_HTTP_SEND_REQUEST_HDR_HOOK -
>> https://docs.trafficserver.apache.org/en/latest/developer-guide/plugins/hooks-and-transactions/adding-hooks.en.html
>>
>> You are getting a 502 from ATS for this -
>> "curl -k -H "Host: httbin.org:443" https://127.0.0.1:8443 -vv".
>>
>> So what does your remap.config look like?
>> For the above to work, you will need a remap rule to map httbin.org
>> (not httpbin.org?) to somewhere. It looks like ATS is not able to
>> connect to that "somewhere" and thus if you have a
>> "do_global_send_request" function in your lua script, it won't get
>> executed.
>>
>> Kit
>>
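
An added example (not from this thread or the ATS project): a Python classifier for the first bytes a client reads back through the tunnel after sending its ClientHello, the point at which the "wrong version number" error in the curl trace is raised. The sample byte strings are constructed, and the assumption, in line with Kit's guess, is that the rerouted destination answers with something other than a TLS record.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
PLAINTEXT_PREFIXES = (b"HTTP/", b"<html", b"<!DOCTYPE")
MAX_RECORD_LEN = 2**14 + 2048  # upper bound for a TLSCiphertext fragment


def classify_first_bytes(data: bytes) -> dict:
    """Classify what the peer sent in reply to a ClientHello."""
    if not data:
        return {"kind": "empty", "detail": "peer sent nothing"}
    if len(data) < 5:
        return {"kind": "short", "detail": f"only {len(data)} bytes"}
    # A TLS client reads 5 bytes as: content type, version major/minor, length.
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    seen = f"type=0x{ctype:02x} version={major}.{minor}"
    if data.startswith(PLAINTEXT_PREFIXES):
        # Plaintext reply: the "version" a TLS parser sees is just ASCII text.
        first_line = data.split(b"\r\n", 1)[0].decode("latin-1")
        return {"kind": "plaintext-http", "detail": first_line, "parsed_as": seen}
    if ctype in CONTENT_TYPES and major == 3 and minor <= 4 and length <= MAX_RECORD_LEN:
        return {"kind": "tls-record",
                "detail": f"{CONTENT_TYPES[ctype]} len={length}", "parsed_as": seen}
    return {"kind": "not-tls", "detail": "unrecognised framing", "parsed_as": seen}


# Constructed samples (not captured from the thread's setup).
SAMPLE_SERVER_HELLO = bytes.fromhex("160303005a020000560303")
SAMPLE_FATAL_ALERT = bytes.fromhex("15030300020246")
SAMPLE_PLAIN_HTTP = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for name, blob in [("server hello", SAMPLE_SERVER_HELLO),
                       ("fatal alert", SAMPLE_FATAL_ALERT),
                       ("plain http", SAMPLE_PLAIN_HTTP)]:
        print(name, classify_first_bytes(blob))
```

Feeding it the first server-to-client bytes from a packet capture of the proxied connection shows whether the destination chosen by the script speaks TLS at all.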
