trafficserver-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Anshu Prateek <anshp...@gmail.com>
Subject Re: Trafficserver and HTTPS (SSL Termination)
Date Thu, 21 Mar 2013 17:38:18 GMT
Had seen this issue a while back, the file permissions of the SSL cert
files/keys were the main culprit. The file permisssion for the certs/keys
should be the same as how they are under http server. (the read permission
to all for key was one of the problems).

regards
Anshu Prateek


On Thu, Mar 21, 2013 at 8:46 PM, Ketan Mehta <
Ketan.Mehta@rankinteractive.com> wrote:

>  Hi All,****
>
> ** **
>
> I'm trying to build the cache solution using Apache Traffic Server (ATS).
> I'm trying to build a test environment with 2 servers. I have installed
> ATS-3.2 on one of the server (Cacheserver) and Apache web on the other
> (Webserver).   ****
>
> ** **
>
> On *Webserver*, I have configure two website www.web1.com and www.web2.com.
> It is configured to listen on port 4000, 40001 for HTTP requests and 5000,
> 5001 for HTTPS requests. I'm using self-signed certificate for those
> website.****
>
> ** **
>
> On *Cacheserver*, I have configured Traffic Server to listen on port 80
> and 443 for HTTP and HTTPS requests.  ****
>
> ** **
>
> Both the websites are working fine when I point web browser to
>  webserver(HTTP & HTPPS requests), but when I point it to Cacheserver HTTP
> request works, but HTTPS requests end up with error.****
>
> ** **
>
> *[root@cacheserver ~]# **curl -k -v https://www.web1.com*
>
> ** About to connect() to www.web1.com port 443*
>
> **   Trying 172.16.89.32... connected*
>
> ** Connected to www.web1.com (172.16.89.32) port 443*
>
> ** successfully set certificate verify locations:*
>
> **   CAfile: /etc/pki/tls/certs/ca-bundle.crt*
>
> *  CApath: none             *
>
> ** SSLv2, Client hello (1):*
>
> *error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol*
>
> ** Closing connection #0*
>
> *curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol***
>
> ** **
>
> All the certificates and keys are located under etc/trafficserver/ssl  on
> Cacheserver. I’ve copied webserver-cert.crt and webserver-key.key from the
> Webserver. ****
>
> ** **
>
> [root@cacheserver ls -l /opt/ats/etc/trafficserver/ssl****
>
> -rw-r--r-- 1 root root 6334 Mar 21 14:48 cachesvr-bundle.crt****
>
> -rw-r--r-- 1 root root 6146 Mar 21 14:43 originsvr-bundle.crt****
>
> -rw-r--r-- 1 root root  887 Mar 21 14:46 www.web1.com.key****
>
> -rw-r--r-- 1 root root  887 Mar 21 14:46 www.web2.com.key****
>
> ** **
>
> Below are the configuration of remap.config and records.config files.****
>
> ** **
>
> #### Record.config ##########****
>
> CONFIG proxy.config.ssl.number.threads INT 0****
>
> CONFIG proxy.config.ssl.SSLv2 INT 0****
>
> CONFIG proxy.config.ssl.SSLv3 INT 1****
>
> CONFIG proxy.config.ssl.TLSv1 INT 1****
>
> CONFIG proxy.config.ssl.server.cipher_suite STRING
> RC4+RSA:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:!eNULL:!aNULL:!EXP:!LOW:!ADH:!EDH
> ****
>
> CONFIG proxy.config.ssl.server.honor_cipher_order INT 0****
>
> CONFIG proxy.config.ssl.compression INT 0****
>
> CONFIG proxy.config.ssl.client.certification_level INT 1****
>
> CONFIG proxy.config.ssl.server.cert_chain.filename STRING  *cachesvr-bundle.crt
> *****
>
> CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver/ssl****
>
> CONFIG proxy.config.ssl.server.private_key.path STRING
> etc/trafficserver/ssl****
>
> CONFIG proxy.config.ssl.CA.cert.filename STRING NULL****
>
> CONFIG proxy.config.ssl.CA.cert.path STRING etc/trafficserver****
>
>    ################################****
>
>    # client related configuration #****
>
>    ################################****
>
> CONFIG proxy.config.ssl.client.verify.server INT 0****
>
> CONFIG proxy.config.ssl.client.cert.filename STRING *originsvr-bundle.crt*
> ****
>
> CONFIG proxy.config.ssl.client.cert.path STRING etc/trafficserver/ssl****
>
> CONFIG proxy.config.ssl.client.private_key.filename STRING NULL****
>
> CONFIG proxy.config.ssl.client.private_key.path STRING etc/trafficserver**
> **
>
> CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL****
>
> CONFIG proxy.config.ssl.client.CA.cert.path STRING etc/trafficserver****
>
> ** **
>
> #### remap.config #####****
>
> map http://www.web1.com                      http://webserver:4000****
>
> reverse_map http://webserver:4000     http://www.web1.com****
>
> map http://www.web2.com                      http://webserver:4001****
>
> reverse_map http://webserver:4001     http://www.web2.com****
>
> map https://www.web1.com                    https://webserver:5000****
>
> reverse_map http://webserver:5000     https://www.web1.com****
>
> map https://www.web2.com                    https://webserver:5001****
>
> reverse_map https://webserver:5001   https://www.web2.com****
>
> ** **
>
> What I'm trying to achieve is****
>
> ** **
>
> Client --Http--> Cache server --Http-->Origin server (http://www.web1.comand
> http://www.web2.com)****
>
> Client --Https--> Cache server --Https-->Origin server (
> http://www.web1.com and http://www.web2.com)****
>
> ** **
>
> But it doesn't work with https. What I’m doing wrong here.****
>
> ** **
>
> Let me know if anything is not clear.****
>
> ** **
>
> Thanks,****
>
> Ketan****
>
>
>  Save Paper - do you really need to print this email?
>
> Confidentiality
> The contents of this e-mail is intended for the named addressee only.
> It contains information which may be confidential and which may also be
> legally privileged.
> Unless you are the named addressee (or authorised to receive for the
> addressee) you may not copy or use it, or disclose it to anyone else. If
> you received it in error please notify us immediately and then destroy it.
>
> Viruses
> Although we have taken steps to ensure that this email and attachments are
> free from any virus, we advise that in keeping with good computing practice
> the recipient should ensure they are actually virus free.
>
> Opinions
> Unless expressly stated, opinions in this message are those of the
> individual sender and not of The Rank Group Plc. The Rank Group Plc accepts
> no liability or responsibility for any onward transmission or use of
> e-mails and attachment having left The Rank Group Plc domain.
>
> The Rank Group Plc - Company Registration No. 03140769; Rank Leisure
> Holdings Limited - Company Registration No. 01841255; Rank Group Gaming
> Division Limited - Company Registration No. 03213743; Grosvenor Casinos
> Limited - Company Registration No. 00877080; Mecca Bingo Limited - Company
> Registration No. 01854120; Rank Leisure Limited - Company Registration No.
> 03417930; Rank Limited - Company Registration No. 03211794, all of which
> are registered in England and Wales and have their registered office at:
> Statesman House, Stafferton Way, Maidenhead, SL6 1AY, England.
> ------------------------------
> This email message has been delivered safely by Mimecast.
> For more information please visit http://www.mimecast.com
> ------------------------------
>

Mime
View raw message