trafficserver-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Uri Shachar <>
Subject RE: ssl reverse proxy and ssl sni ?
Date Tue, 12 Mar 2013 08:07:01 GMT

    I'm not sure I understand what you are trying to achieve.
If the ATS is acting as a terminating reverse proxy (which is what I guess you are trying
to achieve):
Receiving an HTTPS request on port 443 (Straight TLS -- Not an HTTP CONNECT request), terminating
the SSL connection and creating a new SSL connection upstream.

It needs to present some certificate to the client. The certificate it selects can be configured
via the ssl_multicert config file -- the one that you have attached tells the ATS to use a
single cert for all origin servers. If you want it to be able to display the cert for site
X then you need to copy the certificate to the proxy and configure it in the ssl_multicert.config....
(You also need to ensure that your browser sends SNI information -- All modern ones do except
for IE over Windows XP)

If this isn't clear, could you send a cURL request/response?


> Date: Tue, 12 Mar 2013 11:22:15 +0800 
> From: 
> To: 
> Subject: Re:Re: ssl reverse proxy and ssl sni ? 
> hi, Leif 
> it seems does'nt work... following is my test config: 
> ssl_multicert.config: 
> dest_ip=*       ssl_cert_name=cert.pem ssl_key_name=key.pem 
> records.config: 
> CONFIG proxy.config.http.server_ports STRING 80 443:ssl 
> remap.config: 
> map https://.* https://$ 
> with SNI and SSL Termination, i want when browser access  
>, shows the certificate of; 
> but the above configuration , show all the https sites the same  
> certificate... 
> i don't know wheather i misunderstand the sni and ssl termination, or  
> the config is not correct~ 
> At 2013-03-11 22:19:24, "Leif Hedstrom" <> wrote: 
> If you run a version of ATS that supports SNI, yes. Pretty sure v3.2.4  
> does, for example. 
> -- Leif 
> On Mar 11, 2013, at 4:00 AM, Esmq <<>> wrote:

> hi, all 
> we know that an extension to TLS called Server Name Indication (SNI)  
> ,enable web server to select a correct virtual domain 
> and shows the borwser the cerficate containing the correct name... 
> apache/nginx just do the right thing... 
> and i know when configure ats as ssl reverse proxy, the cerficated  
> shows to the browser is the cerficate that on ats, not the cerficated  
> on the original server... 
> so. when ats act as reverse proxy, does sni work? 
View raw message