Posted to users@trafficserver.apache.org by Esmq <es...@163.com> on 2013/03/11 12:00:15 UTC

ssl reverse proxy and ssl sni ?

hi, all


we know that an extension to TLS called Server Name Indication (SNI) enables a web server to select the correct virtual domain
and show the browser the certificate containing the correct name...


apache/nginx just do the right thing...


and I know that when ats is configured as an ssl reverse proxy, the certificate shown to the browser is the certificate on ats, not the certificate on the original server...


so, when ats acts as a reverse proxy, does sni work?

Re:RE: ssl reverse proxy and ssl sni ?

Posted by Esmq <es...@163.com>.
ohh, i got it now~


I misunderstood the way that ats implements sni;


now I have successfully tested the ssl sni.


with these config lines in ssl_multicert.config:
dest_ip=zyq.test.com    ssl_cert_name=zyq.crt ssl_key_name=zyq.key
dest_ip=zy2.test.com    ssl_cert_name=zy2.crt ssl_key_name=zy2.key
dest_ip=zy3.test.com    ssl_cert_name=zy3.crt ssl_key_name=zy3.key


ats is able to select the correct certificate to present to the client~


thanks all ^_^


At 2013-03-12 16:07:01, "Uri Shachar" <us...@hotmail.com> wrote:

>Hi,
>
>    I'm not sure I understand what you are trying to achieve.
>If the ATS is acting as a terminating reverse proxy (which is what I guess you are trying to achieve):
>Receiving an HTTPS request on port 443 (Straight TLS -- Not an HTTP CONNECT request), terminating the SSL connection and creating a new SSL connection upstream.
>
>It needs to present some certificate to the client. The certificate it selects can be configured via the ssl_multicert config file -- the one that you have attached tells the ATS to use a single cert for all origin servers. If you want it to be able to display the cert for site X then you need to copy the certificate to the proxy and configure it in the ssl_multicert.config....
>(You also need to ensure that your browser sends SNI information -- All modern ones do except for IE over Windows XP)
>
>If this isn't clear, could you send a cURL request/response?
>
>            Cheers,
>                     Uri
>
>________________________________
>> Date: Tue, 12 Mar 2013 11:22:15 +0800 
>> From: esmq@163.com 
>> To: users@trafficserver.apache.org 
>> Subject: Re:Re: ssl reverse proxy and ssl sni ? 
>>  
>> hi, Leif 
>>  
>> it seems it doesn't work... following is my test config:
>>  
>> ssl_multicert.config: 
>> dest_ip=*       ssl_cert_name=cert.pem ssl_key_name=key.pem 
>>  
>> records.config: 
>> CONFIG proxy.config.http.server_ports STRING 80 443:ssl 
>>  
>> remap.config: 
>> map https://.*.test.com/ https://$1.test.com/ 
>>  
>> with SNI and SSL termination, I want that when the browser accesses
>> https://a.test.com, it shows the certificate of a.test.com;
>>
>> but with the above configuration, all the https sites show the same
>> certificate...
>>  
>> I don't know whether I misunderstand the sni and ssl termination, or
>> the config is not correct~ 
>>  
>>  
>>  
>> At 2013-03-11 22:19:24, "Leif Hedstrom" <zw...@apache.org> wrote: 
>> If you run a version of ATS that supports SNI, yes. Pretty sure v3.2.4  
>> does, for example. 
>>  
>> -- Leif 
>>  
>> On Mar 11, 2013, at 4:00 AM, Esmq <es...@163.com> wrote:
>>  
>> hi, all 
>>  
>> we know that an extension to TLS called Server Name Indication (SNI)
>> enables a web server to select the correct virtual domain
>> and show the browser the certificate containing the correct name...
>>  
>> apache/nginx just do the right thing... 
>>  
>> and I know that when ats is configured as an ssl reverse proxy, the certificate
>> shown to the browser is the certificate on ats, not the certificate
>> on the original server...
>>  
>> so, when ats acts as a reverse proxy, does sni work?
>>  
>>  
>>  

RE: ssl reverse proxy and ssl sni ?

Posted by Uri Shachar <us...@hotmail.com>.
Hi,

    I'm not sure I understand what you are trying to achieve.
If the ATS is acting as a terminating reverse proxy (which is what I guess you are trying to achieve):
Receiving an HTTPS request on port 443 (Straight TLS -- Not an HTTP CONNECT request), terminating the SSL connection and creating a new SSL connection upstream.

It needs to present some certificate to the client. The certificate it selects can be configured via the ssl_multicert config file -- the one that you have attached tells the ATS to use a single cert for all origin servers. If you want it to be able to display the cert for site X then you need to copy the certificate to the proxy and configure it in the ssl_multicert.config....
(You also need to ensure that your browser sends SNI information -- All modern ones do except for IE over Windows XP)

If this isn't clear, could you send a cURL request/response?

            Cheers,
                     Uri

________________________________
> Date: Tue, 12 Mar 2013 11:22:15 +0800 
> From: esmq@163.com 
> To: users@trafficserver.apache.org 
> Subject: Re:Re: ssl reverse proxy and ssl sni ? 
>  
> hi, Leif 
>  
> it seems it doesn't work... following is my test config:
>  
> ssl_multicert.config: 
> dest_ip=*       ssl_cert_name=cert.pem ssl_key_name=key.pem 
>  
> records.config: 
> CONFIG proxy.config.http.server_ports STRING 80 443:ssl 
>  
> remap.config: 
> map https://.*.test.com/ https://$1.test.com/ 
>  
> with SNI and SSL termination, I want that when the browser accesses
> https://a.test.com, it shows the certificate of a.test.com;
>
> but with the above configuration, all the https sites show the same
> certificate...
>  
> I don't know whether I misunderstand the sni and ssl termination, or
> the config is not correct~ 
>  
>  
>  
> At 2013-03-11 22:19:24, "Leif Hedstrom" <zw...@apache.org> wrote: 
> If you run a version of ATS that supports SNI, yes. Pretty sure v3.2.4  
> does, for example. 
>  
> -- Leif 
>  
> On Mar 11, 2013, at 4:00 AM, Esmq <es...@163.com> wrote:
>  
> hi, all 
>  
> we know that an extension to TLS called Server Name Indication (SNI)
> enables a web server to select the correct virtual domain
> and show the browser the certificate containing the correct name...
>  
> apache/nginx just do the right thing... 
>  
> and I know that when ats is configured as an ssl reverse proxy, the certificate
> shown to the browser is the certificate on ats, not the certificate
> on the original server...
>  
> so, when ats acts as a reverse proxy, does sni work?
>  
>  
>  
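A way to verify the behaviour Uri describes above (a terminating proxy must present a certificate matching the name the client sent in SNI) and the result Esmq reports with the three-line ssl_multicert.config: the probe below is an added example, not code from Apache Traffic Server or from anyone in this thread. It sends a chosen SNI name in the ClientHello, reads the certificate the proxy presents, and checks that the name is actually covered by the certificate's SAN entries (or, when there are none, its CN). The proxy address, port and the names zyq.test.com / zy2.test.com are assumptions taken from the thread; the probe also assumes the proxy's chain validates against the CA file you pass (or the system trust store), because Python's getpeercert() only returns the parsed certificate for a verified peer.

```python
"""SNI certificate probe for a terminating reverse proxy such as ATS.

Added example for this thread, not code from Apache Traffic Server or
from any poster. For each SNI name it reports which DNS names the
presented certificate carries and whether they cover that SNI name.
"""
import socket
import ssl


def cert_names(cert):
    """DNS names a certificate covers, read from the dict layout that
    ssl.SSLSocket.getpeercert() returns: SAN dNSName entries first, and
    the subject CN only when the cert has no SAN (RFC 6125 behaviour)."""
    sans = [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive, and a single '*' is only
    allowed as the whole leftmost label, so '*.test.com' covers a.test.com
    but not a.b.test.com and not test.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert, hostname):
    """True if any name the certificate carries matches the SNI hostname."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def probe(sni_name, host=None, port=443, cafile=None, timeout=5.0):
    """Handshake with host:port sending sni_name in the ClientHello and
    return (presented_names, covers). The chain is verified against cafile
    (or the system store) so that getpeercert() yields the parsed cert;
    hostname checking is switched off here only because a name mismatch is
    exactly what this probe is meant to report, not hide behind an error."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False          # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host or sni_name, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            cert = tls.getpeercert()
    return cert_names(cert), cert_covers(cert, sni_name)


if __name__ == "__main__":
    import sys
    # usage: sni_probe.py <proxy-ip-or-host> <sni-name> [<sni-name> ...]
    # e.g.:  sni_probe.py 192.0.2.10 zyq.test.com zy2.test.com   (assumed lab values)
    proxy = sys.argv[1]
    for name in sys.argv[2:]:
        presented, ok = probe(name, host=proxy)
        print(f"{name}: presented {presented} -> {'OK' if ok else 'MISMATCH'}")
```

Each output line should name a certificate whose SAN or CN covers the SNI name that was sent; with the single `dest_ip=*` entry from the earlier config, every name comes back with the same certificate and any name it does not cover reads MISMATCH. The same check by hand is `openssl s_client -connect <proxy-ip>:443 -servername zyq.test.com`, reading the subject and subjectAltName of the certificate it prints.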

Re:Re: ssl reverse proxy and ssl sni ?

Posted by Esmq <es...@163.com>.
hi, Leif


it seems it doesn't work... following is my test config:


ssl_multicert.config:
dest_ip=*       ssl_cert_name=cert.pem ssl_key_name=key.pem


records.config:
CONFIG proxy.config.http.server_ports STRING 80 443:ssl


remap.config:
map https://.*.test.com/ https://$1.test.com/


with SNI and SSL termination, I want that when the browser accesses https://a.test.com, it shows the certificate of a.test.com;


but with the above configuration, all the https sites show the same certificate...


I don't know whether I misunderstand the sni and ssl termination, or the config is not correct~





At 2013-03-11 22:19:24, "Leif Hedstrom" <zw...@apache.org> wrote:

If you run a version of ATS that supports SNI, yes. Pretty sure v3.2.4 does, for example.


-- Leif 

On Mar 11, 2013, at 4:00 AM, Esmq <es...@163.com> wrote:


hi, all


we know that an extension to TLS called Server Name Indication (SNI) enables a web server to select the correct virtual domain
and show the browser the certificate containing the correct name...


apache/nginx just do the right thing...


and I know that when ats is configured as an ssl reverse proxy, the certificate shown to the browser is the certificate on ats, not the certificate on the original server...


so, when ats acts as a reverse proxy, does sni work?



Re: ssl reverse proxy and ssl sni ?

Posted by Leif Hedstrom <zw...@apache.org>.
If you run a version of ATS that supports SNI, yes. Pretty sure v3.2.4 does, for example.

-- Leif 

On Mar 11, 2013, at 4:00 AM, Esmq <es...@163.com> wrote:

> hi, all
> 
> we know that an extension to TLS called Server Name Indication (SNI) enables a web server to select the correct virtual domain
> and show the browser the certificate containing the correct name...
> 
> apache/nginx just do the right thing...
> 
> and I know that when ats is configured as an ssl reverse proxy, the certificate shown to the browser is the certificate on ats, not the certificate on the original server...
> 
> so, when ats acts as a reverse proxy, does sni work?
> 
>