trafficserver-users mailing list archives

From Lei Sun <lei....@gmail.com>
Subject Re: [E] https issue
Date Sun, 06 Dec 2020 02:25:33 GMT
Hi Kit,

I set up the ATS to be a forward proxy, so I turned remap off.

> CONFIG proxy.config.url_remap.remap_required INT 0
> CONFIG proxy.config.reverse_proxy.enabled INT 0


I was trying to use lua scripts to intercept the incoming request and
pass the request to an upstream/parent cache proxy dynamically based on
some custom logic.
I was able to make http work by intercepting and modifying the request,
url, server_request.server_addr, etc. in the *do_global_post_remap* and
*do_global_send_request* hooks. However, it threw the following error
when I tried https:

> $ curl --proxy http://127.0.0.1:8080 https://httpbin.org/get?answer=42 -v
> *   Trying 127.0.0.1...
> * TCP_NODELAY set
> * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> * Establish HTTP proxy tunnel to httpbin.org:443
> > CONNECT httpbin.org:443 HTTP/1.1
> > Host: httpbin.org:443
> > User-Agent: curl/7.54.0
> > Proxy-Connection: Keep-Alive
> >
> < HTTP/1.1 200 OK
> < Date: Sun, 06 Dec 2020 02:22:49 GMT
> < Proxy-Connection: keep-alive
> < Server: ATS/10.0.0
> <
> * Proxy replied OK to CONNECT request
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * Cipher selection:
> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> *   CAfile: /etc/ssl/cert.pem
>   CApath: none
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number
> * stopped the pause stream!
> * Closing connection 0
> curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version
> number


I was able to get the desired request forwarding functionality working
using squid's cache_peer feature, see below
curl --proxy http://127.0.0.1:3128 http://httpbin.org/get?answer=42 -v
curl --proxy http://127.0.0.1:3128 https://httpbin.org/get?answer=42 -v

However, squid only supports hard coded configuration of cache_peer
directive.

> cache_peer 23.105.0.211 parent 29842 0 no-query no-digest
> login=USERNAME:PASSWORD


Could you please give me some advice on what to modify in lua so that we
can get the same functionality as squid, except that we can do it
dynamically with custom rules, which is a lot more powerful.

Cheers,
Lei

On Sat, Dec 5, 2020 at 4:42 PM Shu Kit Chan <chanshukit@gmail.com> wrote:

> do_global_send_request in lua is the function called for the
> TS_HTTP_SEND_REQUEST_HDR_HOOK -
>
> https://docs.trafficserver.apache.org/en/latest/developer-guide/plugins/hooks-and-transactions/adding-hooks.en.html
>
> You are getting a 502 from ATS for this -
> curl -k -H "Host: httbin.org:443" https://127.0.0.1:8443 -vv
>
> So what does your remap.config look like?
> For the above to work, you will need a remap rule to map httbin.org
> (not httpbin.org?) to somewhere. It looks like ATS is not able to
> connect to that "somewhere" and thus if you have a
> "do_global_send_request" function in your lua script, it won't get
> executed.
>
> Kit
>
>

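An added example, not part of the original messages or of ATS: in the curl trace above the proxy answers the CONNECT with 200 and the failure comes when the client reads the first record through the tunnel, so a useful check is what those first bytes actually are. The function names and sample byte strings are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246 / RFC 8446).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def parse_connect_status(response_head: bytes) -> int:
    """Return the status code from a proxy's reply to a CONNECT request."""
    status_line = response_head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def record_version(data: bytes) -> tuple:
    """Bytes 1-2 of the stream: where a TLS client expects the record version."""
    return (data[1], data[2])


def classify_tunnel_bytes(data: bytes) -> str:
    """Classify the first bytes received through the tunnel after ClientHello."""
    if len(data) < 5:
        return "too-short"
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    # A valid record header: known type, version 3.x, bounded length.
    if ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4 \
            and length <= 2**14 + 2048:
        return "tls-" + TLS_CONTENT_TYPES[ctype]
    # Plaintext HTTP in the tunnel: the far end is not speaking TLS, and
    # the client finds ASCII letters where the record version should be.
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


# Constructed samples (not captured traffic).
SAMPLE_CONNECT_REPLY = b"HTTP/1.1 200 OK\r\nProxy-Connection: keep-alive\r\n\r\n"
SAMPLE_TLS_REPLY = bytes.fromhex("160303005a02000056")  # header + ServerHello start
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    print(parse_connect_status(SAMPLE_CONNECT_REPLY))
    for sample in (SAMPLE_TLS_REPLY, SAMPLE_HTTP_REPLY):
        print(classify_tunnel_bytes(sample), record_version(sample))
```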