Posted to users@trafficserver.apache.org by Dm...@tieto.com on 2018/12/14 09:02:23 UTC

Questions on forwarding proxy in hierarchical mode

Hello,

I have this design I'm trying to implement with Apache Traffic Server.

Two separate parent forwarding proxies in different network segments for accessing internet and internal services.
One child forwarding proxy, which receives all the requests and forwards those to the corresponding parent proxy based on URL or some other parameter.

Feels straightforward, and worked with the 5.x version coming from EPEL, but I cannot get it working with the 8.0.1.
HTTP requests work fine when curling from a random server using the child proxy, but any HTTP>HTTPS redirect or HTTPS page doesn't.

If I enable remapping on child and parents, I get "HTTP/1.1 403 Tunnel Forbidden traffic server"
If I disable it, I get "Received HTTP code 502 from proxy after CONNECT"

Am I missing something crucial in the ATS logic? Is such a use case possible with ATS?

Best regards,
Dmitri


RE: Questions on forwarding proxy in hierarchical mode

Posted by Dm...@tieto.com.
Hello,

I feel like I'm missing some important details related to troubleshooting. I am compiling the 8.0.1 from sources, and logging is set to 3 (default value).
There are three log files (manager, error, diags) with very little helpful information.

With the setup I have and connect_ports set to wildcard on all the proxies, this is what happens when I try accessing an HTTPS page from the client.

[root@tecfi1pr1tool1-master0 ~]# curl -vLI https://youtube.com
* About to connect() to proxy 11.4.0.68 port 3128 (#0)
*   Trying 11.4.0.68...
* Connected to 11.4.0.68 (11.4.0.68) port 3128 (#0)
* Establish HTTP proxy tunnel to youtube.com:443
> CONNECT youtube.com:443 HTTP/1.1
> Host: youtube.com:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 502 Tunnel Connection Failed
HTTP/1.1 502 Tunnel Connection Failed
< Date: Thu, 27 Dec 2018 13:03:08 GMT
Date: Thu, 27 Dec 2018 13:03:08 GMT
< Proxy-Connection: keep-alive
Proxy-Connection: keep-alive
< Server: ATS/8.0.1
Server: ATS/8.0.1
< Cache-Control: no-store
Cache-Control: no-store
< Content-Type: text/html
Content-Type: text/html
< Content-Language: en
Content-Language: en
< Content-Length: 247
Content-Length: 247

Trying to access the same page from the child proxy through the parent proxy works as expected.

Any hints?

Best regards,
Dmitri

From: Alan Carroll <so...@oath.com>
Sent: Monday, December 17, 2018 10:47 PM
To: users@trafficserver.apache.org
Subject: Re: Questions on forwarding proxy in hierarchical mode


Re: Questions on forwarding proxy in hierarchical mode

Posted by Alan Carroll <so...@oath.com>.
Sorry, was out at a conference last week.

If you're getting "Tunnel Forbidden" it means a `CONNECT` request is going through ATS and getting blocked because `proxy.config.http.connect_ports` [1] doesn't allow the remote port. This may have changed between 5 and 8. I suspect that the HTTPS change is related, because that may be causing the `CONNECT` request. I suspect the 502 is due to confusion about whether the connection is HTTP or HTTPS, where an HTTP request is treated as a TLS Client Hello or vice versa. The first step I would take is finding where the `CONNECT` is happening.

[1] https://docs.trafficserver.apache.org/en/8.0.x/admin-guide/files/records.config.en.html#proxy-config-http-connect-port
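An added example (not code from this thread or from ATS itself) for the first step Alan describes, finding where the `CONNECT` is handled: it models the `connect_ports` check behind "403 Tunnel Forbidden" and classifies the reply a `CONNECT` gets from a given hop, so a 403 from the child, a 502 where the child could not complete the tunnel to the parent, and a non-HTTP reply (the HTTP/TLS confusion) can be told apart. The value syntax assumed (space-separated ports, `a-b` ranges, `*`), the `probe` helper and the sample replies are the example's own assumptions and constructed data.

```python
"""Added example (not from the thread or from ATS): model the
proxy.config.http.connect_ports check behind "403 Tunnel Forbidden" and
classify a proxy's reply to CONNECT. Assumes the documented value syntax:
space-separated ports, a-b ranges, or "*" for any port."""
import re
import socket


def connect_port_allowed(connect_ports: str, port: int) -> bool:
    """True if `port` is permitted by a connect_ports value such as "443 563"."""
    for token in connect_ports.split():
        if token == "*":
            return True
        rng = re.fullmatch(r"(\d+)-(\d+)", token)
        if rng and int(rng.group(1)) <= port <= int(rng.group(2)):
            return True
        if token.isdigit() and int(token) == port:
            return True
    return False


def build_connect(host: str, port: int) -> bytes:
    """The request curl sends when it tunnels HTTPS through a forward proxy."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()


def classify_connect_reply(reply: bytes) -> str:
    """Map the first reply line to the condition it indicates."""
    status = re.match(rb"HTTP/\d\.\d (\d{3})", reply.split(b"\r\n", 1)[0])
    if not status:
        return "not-http"  # e.g. TLS bytes where a status line was expected
    code = int(status.group(1))
    if code == 200:
        return "tunnel-established"
    if code == 403:
        return "blocked-by-connect_ports"  # this hop refused the port
    if code == 502:
        return "upstream-tunnel-failed"  # this hop could not reach the next one
    return f"other-{code}"


def probe(proxy_host, proxy_port, target_host, target_port=443, timeout=5.0):
    """Send one CONNECT to a proxy (child or parent) and classify its reply."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect(target_host, target_port))
        return classify_connect_reply(s.recv(4096))


# Constructed replies mirroring the two statuses reported in the thread.
FORBIDDEN = b"HTTP/1.1 403 Tunnel Forbidden\r\nServer: ATS/8.0.1\r\n\r\n"
FAILED = b"HTTP/1.1 502 Tunnel Connection Failed\r\nServer: ATS/8.0.1\r\n\r\n"
```

Run `probe()` once against the child and once against each parent from the same host; the hop that returns the 403 is the one whose `connect_ports` needs the port, while a 502 points at the next hop upstream.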

Re: Questions on forwarding proxy in hierarchical mode

Posted by Miles Libbey <ml...@apache.org>.
We effectively do that... we have our child remaps like:
map https://alias.example.com https://alias.example.com

with a parent.config line of
dest_domain=alias.example.com scheme=http parent="parent1.example.com:80,..." round_robin=consistent_hash go_direct=false
dest_domain=alias.example.com scheme=https parent="parent1.example.com:443,..." round_robin=consistent_hash go_direct=false

then the parent remap as
map https://alias.example.com https://origin.example.com

and of course ssl_multicert listing the alias.example.com cert for both.

To troubleshoot, I'd hop onto the child machine, and run cURLs to your parent --
curl -IXGET --resolve alias.example.com:443:12.3.4 https://alias.example.com ...
to make sure that's working (then the same swapping out the parent IP for the child). Then watch logs on the parent to make sure the child requests are making it there.

miles
