trafficserver-users mailing list archives

From Uri Shachar <ushac...@hotmail.com>
Subject RE: ssl reverse proxy and ssl sni ?
Date Tue, 12 Mar 2013 08:07:01 GMT
Hi,

    I'm not sure I understand what you are trying to achieve.
If the ATS is acting as a terminating reverse proxy (which is what I guess you are trying
to achieve):
Receiving an HTTPS request on port 443 (Straight TLS -- Not an HTTP CONNECT request), terminating
the SSL connection and creating a new SSL connection upstream.

It needs to present some certificate to the client. The certificate it selects can be configured
via the ssl_multicert config file -- the one that you have attached tells the ATS to use a
single cert for all origin servers. If you want it to be able to display the cert for site
X then you need to copy the certificate to the proxy and configure it in the ssl_multicert.config....
(You also need to ensure that your browser sends SNI information -- All modern ones do except
for IE over Windows XP)

If this isn't clear, could you send a cURL request/response?

            Cheers,
                     Uri

________________________________
> Date: Tue, 12 Mar 2013 11:22:15 +0800 
> From: esmq@163.com 
> To: users@trafficserver.apache.org 
> Subject: Re:Re: ssl reverse proxy and ssl sni ? 
>  
> hi, Leif 
>  
> it seems it doesn't work... following is my test config: 
>  
> ssl_multicert.config: 
> dest_ip=*       ssl_cert_name=cert.pem ssl_key_name=key.pem 
>  
> records.config: 
> CONFIG proxy.config.http.server_ports STRING 80 443:ssl 
>  
> remap.config: 
> map https://.*.test.com/ https://$1.test.com/ 
>  
> with SNI and SSL Termination, i want when browser access  
> https://a.test.com, shows the certificate of a.test.com; 
>  
> but the above configuration shows all the https sites the same 
> certificate... 
>  
> i don't know whether i misunderstand the sni and ssl termination, or 
> the config is not correct~ 
>  
>  
>  
> At 2013-03-11 22:19:24, "Leif Hedstrom" <zwoop@apache.org> wrote: 
> If you run a version of ATS that supports SNI, yes. Pretty sure v3.2.4  
> does, for example. 
>  
> -- Leif 
>  
> On Mar 11, 2013, at 4:00 AM, Esmq <esmq@163.com> wrote:
>  
> hi, all 
>  
> we know that an extension to TLS called Server Name Indication (SNI) 
> enables a web server to select the correct virtual domain 
> and show the browser the certificate containing the correct name... 
>  
> apache/nginx just do the right thing... 
>  
> and i know when configuring ats as an ssl reverse proxy, the certificate 
> shown to the browser is the certificate that is on ats, not the certificate 
> on the original server... 
>  
> so, when ats acts as a reverse proxy, does sni work? 
>  
>  
>  
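One way to gather the evidence Uri asks for, as an added example that is not part of the original thread: a Python check that connects to the proxy once per hostname, sends that hostname as SNI, and reports whether the certificate presented covers it. The function names, `proxy.test.com` and the sample certificate dict are constructed for illustration.

```python
import socket
import ssl

def presented_names(cert):
    """DNS names in an ssl.getpeercert()-style dict: SAN entries, else subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, host):
    """Exact match, or a left-most '*' label standing in for exactly one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def cert_covers(cert, sni):
    return any(name_matches(n, sni) for n in presented_names(cert))

def fetch_cert(proxy_addr, sni, port=443, cafile=None):
    """Handshake with the proxy while sending `sni`; return the cert it presents."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified; names are compared below
    with socket.create_connection((proxy_addr, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()

def audit(proxy_addr, hostnames, fetch=fetch_cert):
    """Map each hostname to (covered?, names presented) for the SNI that was sent."""
    report = {}
    for host in hostnames:
        cert = fetch(proxy_addr, host)
        report[host] = (cert_covers(cert, host), presented_names(cert))
    return report

# Constructed sample: what a proxy serving one certificate for every site returns.
SINGLE_CERT = {"subject": ((("commonName", "proxy.test.com"),),),
               "subjectAltName": (("DNS", "proxy.test.com"),)}
```

A `False` for a hostname in the `audit` result means the proxy answered that SNI name with a certificate issued for other names, which is the symptom described in the thread.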