trafficserver-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alan Carroll <solidwallofc...@verizonmedia.com>
Subject Re: [E] https issue
Date Thu, 03 Dec 2020 18:13:32 GMT
The first thing to note is "curl --proxy" behaves very differently if the
target URL is "http" vs. "https". In the former case, curl will do a TCP
network connection to the proxy and then sends a GET request. In the latter
case, as you can see from the output, it does a TCP network connection to
the proxy and then sends a CONNECT (not a GET) to the proxy. After this,
curl will do TLS negotiation with the upstream, NOT with ATS. It is unclear
from your description if this is what you want.

So, first question - should ATS do TLS negotiation with the user agent and
decrypt the request? Or should it just do a blind tunnel pass the raw bytes
to the upstream so the upstream does the TLS with the user agent?

On Wed, Dec 2, 2020 at 5:41 PM Lei Sun <lei.sun@gmail.com> wrote:

> Hi Kit,
>
> I'm trying to set up the trafficserver as an intermediary forward proxy.
>
> For example,
> 1) http client send request to trafficserver.
> 2) trafficserver then pass this request to the downstream proxy
> 3) downstream proxy then route this request to the origin site
> 4) origin site send data back to the downstream proxy
> 5) downstream proxy send data back to trafficserver
> 6) trafficserver send data back to the http client.
>
> I was able to make the entire request chain work if the origin site serves
> content directly through HTTP.
>
>> curl --proxy *http*://127.0.0.1:8080
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__127.0.0.1-3A8080&d=DwMFaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=5nE_8e-Jc1t5vF6GVeub9BCN4FzSc_6kU7_mjSiUrDs&m=j_aUSUG3Sl8woHSXT1UiCQWjpkvw7qS5UAl79s5x2TQ&s=so4reBHk8fjNcUgFl5Rl6jW1O795FlyMKH-HBzls_yE&e=>
>> *http*://httpbin.org/get?answer=4a
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__httpbin.org_get-3Fanswer-3D4a&d=DwMFaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=5nE_8e-Jc1t5vF6GVeub9BCN4FzSc_6kU7_mjSiUrDs&m=j_aUSUG3Sl8woHSXT1UiCQWjpkvw7qS5UAl79s5x2TQ&s=Ytt8BUmEjADeQ8BgYA33Srb-fKblsmhS0lnnYYA-7H4&e=>
>> -v
>
>
> However, I ran into issues when I was trying to request for content served
> from HTTPS.
>
> $ curl --proxy *http*://127.0.0.1:8080
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__127.0.0.1-3A8080&d=DwMFaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=5nE_8e-Jc1t5vF6GVeub9BCN4FzSc_6kU7_mjSiUrDs&m=j_aUSUG3Sl8woHSXT1UiCQWjpkvw7qS5UAl79s5x2TQ&s=so4reBHk8fjNcUgFl5Rl6jW1O795FlyMKH-HBzls_yE&e=>
>> *https*://httpbin.org/get?answer=4a
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__httpbin.org_get-3Fanswer-3D4a&d=DwMFaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=5nE_8e-Jc1t5vF6GVeub9BCN4FzSc_6kU7_mjSiUrDs&m=j_aUSUG3Sl8woHSXT1UiCQWjpkvw7qS5UAl79s5x2TQ&s=Ytt8BUmEjADeQ8BgYA33Srb-fKblsmhS0lnnYYA-7H4&e=>
>> -v
>> *   Trying 127.0.0.1...
>> * TCP_NODELAY set
>> * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
>> * Establish HTTP proxy tunnel to httpbin.org:443
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__httpbin.org-3A443&d=DwMFaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=5nE_8e-Jc1t5vF6GVeub9BCN4FzSc_6kU7_mjSiUrDs&m=j_aUSUG3Sl8woHSXT1UiCQWjpkvw7qS5UAl79s5x2TQ&s=QVzyvEwxJgKDXVbGsQTcSau-LJcP5X22mrrpyKfksAY&e=>
>> > CONNECT httpbin.org:443
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__httpbin.org-3A443&d=DwMFaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=5nE_8e-Jc1t5vF6GVeub9BCN4FzSc_6kU7_mjSiUrDs&m=j_aUSUG3Sl8woHSXT1UiCQWjpkvw7qS5UAl79s5x2TQ&s=QVzyvEwxJgKDXVbGsQTcSau-LJcP5X22mrrpyKfksAY&e=>
>> HTTP/1.1
>> > Host: httpbin.org:443
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__httpbin.org-3A443&d=DwMFaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=5nE_8e-Jc1t5vF6GVeub9BCN4FzSc_6kU7_mjSiUrDs&m=j_aUSUG3Sl8woHSXT1UiCQWjpkvw7qS5UAl79s5x2TQ&s=QVzyvEwxJgKDXVbGsQTcSau-LJcP5X22mrrpyKfksAY&e=>
>> > User-Agent: curl/7.54.0
>> > Proxy-Connection: Keep-Alive
>> >
>> < HTTP/1.1 200 OK
>> < Date: Wed, 02 Dec 2020 20:53:31 GMT
>> < Proxy-Connection: keep-alive
>> < Server: ATS/10.0.0
>> <
>> * Proxy replied OK to CONNECT request
>> * ALPN, offering h2
>> * ALPN, offering http/1.1
>> * Cipher selection:
>> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>> * successfully set certificate verify locations:
>> *   CAfile: /etc/ssl/cert.pem
>>   CApath: none
>> * *TLSv1.2 (OUT), TLS handshake, Client hello (1):*
>> * error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number
>> * stopped the pause stream!
>> * Closing connection 0
>> curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong
>> version number
>>
>
> From the error message, it seems that curl was able to connect to the
> origin server, and even attempted to send the initial TLS handshake, but
> somehow the handshake wasn't completed.
>
> Here are my questions.
> 1) What's likely the cause?
> 2) How can I fix it.
>
> Thank you!
> Lei
>
>

Mime
View raw message