trafficserver-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From supraja sridhar <suprajasridha...@gmail.com>
Subject Re: Query regarding proxy.config.ssl.client.certification_level
Date Tue, 03 Dec 2019 14:23:19 GMT
Also, does sni.yaml exist in ATS 7.1.1?

Thanks
Supraja

On Tue, Dec 3, 2019 at 9:32 AM supraja sridhar <suprajasridhar95@gmail.com>
wrote:

> Thanks. Will ip_allow take IPs as input. Is the following a valid example
> ?
> sni
>     ip_allow: x.y.z.a
>     verify_client: MODERATE
>
>
> On Mon, Nov 25, 2019 at 11:59 PM Susan Hinrichs <shinrich@verizonmedia.com>
> wrote:
>
>> You can specialize the client certificate requirements using sni.yaml.
>> So only request it for specific domain names.  There is also an ip_allow
>> action in sni.yaml (which I see is not documented) which would allow to
>> control requiring client certificate based on the peer's IP.
>>
>>
>> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/sni.yaml.en.html?highlight=sni%20yaml#std:configfile-sni.yaml
>>
>> I'll work on putting up a PR with some documentation on the ip_allow
>> action.
>>
>> Susan
>>
>> On Sun, Nov 24, 2019 at 11:09 PM supraja sridhar <
>> suprajasridhar95@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I understand that -
>>> proxy.config.ssl.client.certification_level provides the option to
>>> enable/disable client certificate verification across all connections. Is
>>> it possible to skip client certificate verification based on source IP?
>>>
>>>
>>> Thanks,
>>> Supraja
>>>
>>
>
> --
> Regards,
> S.SUPRAJA
> MIT
>


-- 
Regards,
S.SUPRAJA
MIT

Mime
View raw message