Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/07/30 03:19:07 UTC

[GitHub] [apisix] TkClark opened a new pull request #4718: Add apsix.ssl.loose_sni configuration in config-default.yaml

TkClark opened a new pull request #4718:
URL: https://github.com/apache/apisix/pull/4718


   Alicloud WAF does not support SNI.
   When APISIX is the backend of Aliyun WAF and the WAF is set to HTTPS, each HTTPS request returns status 502.
   If loose_sni is set to true, then when the HTTPS request doesn't have a servername, it will fall back to the fake certificate. It can solve the problem that the AliCloud WAF HTTPS back source cannot be accessed correctly.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [apisix] TkClark commented on pull request #4718: Add apsix.ssl.loose_sni configuration in config-default.yaml

Posted by GitBox <gi...@apache.org>.
TkClark commented on pull request #4718:
URL: https://github.com/apache/apisix/pull/4718#issuecomment-889755363


   > Before merging the PR, there are some issues that need to be discussed.
   > 
   > 1. If `loose_sni` is set to true, does it mean that all SNI-related features of APISIX are not available? How do we solve this problem?
   > 
   > I think the core problem here is: to use the SNI features in APISIX but without the SNI (by using Alicloud WAF).
   > 
   > 2. I am concerned that it will cause some security issues, for example, the client can bypass the TLS handshake, etc. I'm not sure this will ever happen. Just worried.
   > 
   > Please correct me if I am wrong.
   
   1. 





[GitHub] [apisix] TkClark closed pull request #4718: Add apsix.ssl.loose_sni configuration in config-default.yaml

Posted by GitBox <gi...@apache.org>.
TkClark closed pull request #4718:
URL: https://github.com/apache/apisix/pull/4718


   





[GitHub] [apisix] tzssangglass commented on pull request #4718: Add apsix.ssl.loose_sni configuration in config-default.yaml

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on pull request #4718:
URL: https://github.com/apache/apisix/pull/4718#issuecomment-889638963


   We can use `fallback_certificate` and `fallback_certificate_key` for this case: if the `certificate` and `certificate_key` are not found because there is no SNI, we can use `fallback_certificate` and `fallback_certificate_key`.


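An added sketch (not APISIX code and not from the PR) of the fallback idea in the comment above: read the SNI from a ClientHello and use a fallback certificate only when the client sent none, so requests that do carry SNI are still matched by name. The function names, certificate labels and sample ClientHello bytes are constructed for illustration; `fallback` stands in for the commenter's proposed `fallback_certificate`, and refusing the fallback for an unknown SNI is an assumption of this sketch.

```python
import struct

def client_hello_sni(body: bytes):
    """Return host_name from a ClientHello body, or None if no SNI extension."""
    pos = 2 + 32                                   # legacy_version + random
    pos += 1 + body[pos]                           # session_id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2 + cs_len                              # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos >= len(body):                           # no extensions block at all
        return None
    (ext_total,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if ext_type == 0:                          # server_name extension
            # layout: list_len(2) name_type(1) name_len(2) name
            name_type = body[pos + 2]
            (name_len,) = struct.unpack_from("!H", body, pos + 3)
            if name_type == 0:                     # host_name
                return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

def select_certificate(sni, certs, fallback=None):
    """Pick a certificate by SNI; the fallback applies only when SNI is absent."""
    if sni is None:
        return fallback                # None here means: fail the handshake
    return certs.get(sni.lower())      # unknown SNI does not get the fallback

def build_client_hello(hostname=None):
    """Constructed sample ClientHello body: one cipher suite, null compression."""
    ext = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sni)) + sni
    return (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01"
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
```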



[GitHub] [apisix] tzssangglass commented on pull request #4718: Add apsix.ssl.loose_sni configuration in config-default.yaml

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on pull request #4718:
URL: https://github.com/apache/apisix/pull/4718#issuecomment-889622497


   Before merging the PR, there are some issues that need to be discussed.
   
   1. If `loose_sni` is set to true, does it mean that all SNI-related features of APISIX are not available? How do we solve this problem?
   
   I think the core problem here is: to use the SNI features in APISIX but without the SNI (by using Alicloud WAF).
   
   2. I am concerned that it will cause some security issues, for example, the client can bypass the TLS handshake, etc. I'm not sure this will ever happen. Just worried.
   
   Please correct me if I am wrong.
   

