trafficserver-users mailing list archives

From Lei Sun <lei....@gmail.com>
Subject Re: [E] https issue
Date Sat, 05 Dec 2020 20:31:28 GMT
It seems that whenever https is the end URL, do_global_send_request is never called.

Is it possible to force the above execution path for https?

Essentially, I'm looking for a way for the ATS (dynamically through lua) to
hand over the request to a parent proxy.

Thanks,
Lei

On Sat, Dec 5, 2020 at 2:20 PM Lei Sun <lei.sun@gmail.com> wrote:

> Hi Alan,
>
> Yes, great point!
>
> Here is the output for the latest recommendations:
>
>> $ curl -H "Host: httbin.org:443" https://127.0.0.1:8443 -vv
>> * Rebuilt URL to: https://127.0.0.1:8443/
>> *   Trying 127.0.0.1...
>> * TCP_NODELAY set
>> * Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0)
>> * ALPN, offering h2
>> * ALPN, offering http/1.1
>> * Cipher selection:
>> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>> * successfully set certificate verify locations:
>> *   CAfile: /etc/ssl/cert.pem
>>   CApath: none
>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.2 (IN), TLS handshake, Server hello (2):
>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>> * TLSv1.2 (OUT), TLS alert, Server hello (2):
>> * SSL certificate problem: self signed certificate
>> * stopped the pause stream!
>> * Closing connection 0
>> curl: (60) SSL certificate problem: self signed certificate
>> More details here: https://curl.haxx.se/docs/sslcerts.html
>> curl performs SSL certificate verification by default, using a "bundle"
>>  of Certificate Authority (CA) public keys (CA certs). If the default
>>  bundle file isn't adequate, you can specify an alternate file
>>  using the --cacert option.
>> If this HTTPS server uses a certificate signed by a CA represented in
>>  the bundle, the certificate verification probably failed due to a
>>  problem with the certificate (it might be expired, or the name might
>>  not match the domain name in the URL).
>> If you'd like to turn off curl's verification of the certificate, use
>>  the -k (or --insecure) option.
>> HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
>
>
> Then I tried
>
>> $ curl -k -H "Host: httbin.org:443" https://127.0.0.1:8443 -vv
>> * Rebuilt URL to: https://127.0.0.1:8443/
>> *   Trying 127.0.0.1...
>> * TCP_NODELAY set
>> * Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0)
>> * ALPN, offering h2
>> * ALPN, offering http/1.1
>> * Cipher selection:
>> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>> * successfully set certificate verify locations:
>> *   CAfile: /etc/ssl/cert.pem
>>   CApath: none
>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.2 (IN), TLS handshake, Server hello (2):
>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>> * TLSv1.2 (IN), TLS change cipher, Client hello (1):
>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
>> * ALPN, server accepted to use h2
>> * Server certificate:
>> *  subject: C=US
>> *  start date: Dec  5 04:41:08 2020 GMT
>> *  expire date: Dec  3 04:41:08 2030 GMT
>> *  issuer: C=US
>> *  SSL certificate verify result: self signed certificate (18),
>> continuing anyway.
>> * Using HTTP2, server supports multi-use
>> * Connection state changed (HTTP/2 confirmed)
>> * Copying HTTP/2 data in stream buffer to connection buffer after
>> upgrade: len=0
>> * Using Stream ID: 1 (easy handle 0x7f9cf9006600)
>> > GET / HTTP/2
>> > Host: httbin.org:443
>> > User-Agent: curl/7.54.0
>> > Accept: */*
>> >
>> * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
>> < HTTP/2 502
>> < date: Sat, 05 Dec 2020 20:16:39 GMT
>> < server: ATS/10.0.0
>> < cache-control: no-store
>> < content-type: text/html
>> < content-language: en
>> < content-length: 247
>> <
>> <HTML>
>> <HEAD>
>> <TITLE>Could Not Connect</TITLE>
>> </HEAD>
>> <BODY BGCOLOR="white" FGCOLOR="black">
>> <H1>Could Not Connect</H1>
>> <HR>
>> <FONT FACE="Helvetica,Arial"><B>
>> Description: Could not connect to the requested server host.
>> </B></FONT>
>> <HR>
>> </BODY>
>> * Connection #0 to host 127.0.0.1 left intact
>
>
>> $ curl -k --proxy-insecure --proxy https://127.0.0.1:8443 https://httpbin.org:8443/get?answer=42 -v
>> *   Trying 127.0.0.1...
>> * TCP_NODELAY set
>> * Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0)
>> * ALPN, offering h2
>> * ALPN, offering http/1.1
>> * Cipher selection:
>> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>> * successfully set certificate verify locations:
>> *   CAfile: /etc/ssl/cert.pem
>>   CApath: none
>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.2 (IN), TLS handshake, Server hello (2):
>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>> * TLSv1.2 (IN), TLS change cipher, Client hello (1):
>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
>> * ALPN, server accepted to use h2
>> * Proxy certificate:
>> *  subject: C=US
>> *  start date: Dec  5 04:41:08 2020 GMT
>> *  expire date: Dec  3 04:41:08 2030 GMT
>> *  issuer: C=US
>> *  SSL certificate verify result: self signed certificate (18),
>> continuing anyway.
>> * Establish HTTP proxy tunnel to httpbin.org:8443
>> > CONNECT httpbin.org:8443 HTTP/1.1
>> > Host: httpbin.org:8443
>> > User-Agent: curl/7.54.0
>> > Proxy-Connection: Keep-Alive
>> >
>> * TLSv1.2 (IN), TLS alert, Client hello (1):
>> * Proxy CONNECT aborted
>> * Connection #0 to host 127.0.0.1 left intact
>> curl: (56) Proxy CONNECT aborted
>
>
> Hi guys, if anyone has a few minutes, I'm happy to hop on a Zoom and share my
> screen, so we can quickly try out different options.
>
> Thanks,
> Lei
>
>
>

-- 
Stay Hungry, Stay Foolish.
Lei Sun
Cell: 408-306-9199
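
The curl attempts quoted above reach the proxy in two different shapes: a TLS-terminated connection carrying an origin-form request with a Host header (the second attempt), and a CONNECT tunnel (the third). A forward proxy sees very different things in the two cases, and that decides what a hook running on the forwarded HTTP request can act on. The Python below is an added example for this thread, not code from the thread or from Apache Traffic Server, and ProxyView, classify and to_parent are its own names, not an ATS or ts_lua API. It parses the first request a proxy reads from a client, classifies it, and builds the request line the proxy would send on to a parent proxy. The sample requests are constructed to mirror the page's curl commands (the HTTP/2 request is written as HTTP/1.1).

```python
"""Classify what a forward proxy sees on a client connection and build the
request line it would send on to a parent proxy.

Added example for illustration; not code from the thread or from Apache
Traffic Server. Names (ProxyView, classify, to_parent) are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class ProxyView:
    form: str                    # "origin", "absolute" or "connect"
    method: str
    scheme: str                  # scheme towards the next hop
    host: str
    port: int
    path: Optional[str]          # None for CONNECT: the path is inside the tunnel
    inner_request_visible: bool  # can a hook on the forwarded request see headers?


def _parse_headers(lines: List[str]) -> Dict[str, str]:
    headers: Dict[str, str] = {}
    for line in lines:
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def _split_host_port(authority: str, default_port: int) -> Tuple[str, int]:
    host, sep, port = authority.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return authority, default_port


def classify(raw: bytes, tls_terminated: bool) -> ProxyView:
    """raw is the first request the proxy reads from the client connection;
    tls_terminated says whether the proxy itself terminated TLS on it."""
    head = raw.decode("iso-8859-1").split("\r\n")
    method, target, _version = head[0].split(" ", 2)
    headers = _parse_headers(head[1:])

    if method == "CONNECT":
        # The proxy only learns host:port. The client's TLS session runs
        # end-to-end through the tunnel, so the HTTP request inside it is
        # opaque unless the proxy intercepts TLS.
        host, port = _split_host_port(target, 443)
        return ProxyView("connect", method, "https", host, port, None, False)

    if target.startswith("/"):
        # Origin-form request: the proxy was addressed as if it were the
        # origin, so the target comes from the Host header and the scheme
        # from whether TLS was terminated here.
        scheme = "https" if tls_terminated else "http"
        host, port = _split_host_port(headers["host"], 443 if tls_terminated else 80)
        return ProxyView("origin", method, scheme, host, port, target, True)

    # Absolute-form request, the classic plain-HTTP forward-proxy shape.
    u = urlsplit(target)
    port = u.port or (443 if u.scheme == "https" else 80)
    path = u.path or "/"
    if u.query:
        path += "?" + u.query
    return ProxyView("absolute", method, u.scheme, u.hostname or "", port, path, True)


def to_parent(view: ProxyView) -> str:
    """Request line to send to a parent proxy for this view.
    Origin- and absolute-form requests are handed over in absolute form (what a
    parent proxy expects); a CONNECT is forwarded unchanged, since this proxy
    cannot see or rewrite anything inside the tunnel."""
    if view.form == "connect":
        return f"CONNECT {view.host}:{view.port} HTTP/1.1"
    return f"{view.method} {view.scheme}://{view.host}:{view.port}{view.path} HTTP/1.1"


# Constructed samples modelled on the page's curl attempts (not captured
# traffic); the HTTP/2 request is written as HTTP/1.1 and the Host value is
# copied from the page's command as typed.
SAMPLES = {
    "origin_over_tls": (b"GET / HTTP/1.1\r\nHost: httbin.org:443\r\nUser-Agent: curl/7.54.0\r\n\r\n", True),
    "connect": (b"CONNECT httpbin.org:8443 HTTP/1.1\r\nHost: httpbin.org:8443\r\n\r\n", True),
    "absolute": (b"GET http://httpbin.org/get?answer=42 HTTP/1.1\r\nHost: httpbin.org\r\n\r\n", False),
}


if __name__ == "__main__":
    for name, (raw, tls) in SAMPLES.items():
        view = classify(raw, tls)
        print(f"{name:16} form={view.form:8} next hop={view.host}:{view.port} "
              f"inner request visible={view.inner_request_visible} -> {to_parent(view)}")
```

The point of the split is the last field of ProxyView: for the TLS-terminated origin-form request the proxy holds the decrypted request and can rewrite it into absolute form for a parent, whereas for a CONNECT it only ever holds the host:port from the request line, and the client's TLS session to the origin passes through untouched. Any logic that keys off the forwarded request's headers therefore has nothing to run on for tunnelled traffic unless the proxy terminates TLS itself, which is the first thing to check when a request-side hook appears not to fire for https targets.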
