trafficserver-users mailing list archives

From Alan Carroll <solidwallofc...@verizonmedia.com>
Subject [CONFIG] proxy.config.ssl.client.sni_policy
Date Sun, 13 Sep 2020 15:24:50 GMT
I have put up a PR, 7188, which changes proxy.config.ssl.client.sni_policy
to allow setting the outbound SNI literally.  This is of marginal at best
utility in "records.config" but is very useful for plugins such as
Transaction Box or conf_remap - these would now be able to explicitly set
the outbound SNI, rather than only indirectly influencing it via the
request URL or Host field.

Internally this comes up because of a layer of upstream ATS instances that
are used for routing.  To route correctly the Host field must be set, but
currently doing so causes the SNI to also be set to that value which breaks
certificate verification. The host can't be set in the request URL because
ATS *aggressively* strips the host, which is something else I would like to
fix in the future. Setting the SNI to the pre-remap host via this mechanism
makes it easy to fix.
