Posted to dev@trafficserver.apache.org by Vikram <mv...@yahoo.com> on 2013/12/11 01:00:45 UTC

Re: SSL Termination in Forward proxy mode.

Hi Alan,

Thanks for the info. Yeah, configuring ATS to remap URLs from HTTP to HTTPS could work. Is it possible to do this only on a particular port? So I would then have a port which does not remap, and a port which does, in essence simulating my use case.

So is it possible to write a remap rule from http://* to https://* for requests received at a port XXXX?

Thanks,
Vikram



On Tuesday, December 10, 2013 3:46 PM, Alan M. Carroll <am...@network-geographics.com> wrote:
 
I don't think you can do this in ATS currently. Do you need SSL between the curl host and ATS? If not, you could configure ATS to remap URLs from HTTP to HTTPS to get an SSL connection from ATS to the origin server.

Also, if you are using curl, you could set ATS up to use forward proxy on an SSL port and then use --proxy on the curl command. That would give you SSL on both connections.


Tuesday, December 10, 2013, 3:05:52 PM, you wrote:

> Hi,

> I want to set up the apache traffic server in forward proxy mode where it caches all data fetched through it. In the default set up, caching SSL is pointless as ATS does not see the data flowing through it.

> I am trying to figure out if it is possible to configure SSL termination for the forward proxy mode so that ATS can see the data flowing through it for https requests too so that caching is possible. Note that urls are fetched through curl with the "-k/--insecure" option turned on so certificate validation is not an issue, and any self signed certificate will do. No spoofing of the end server is necessary.

> Has anyone got ATS running in this setup? Or would it need code modification/special  plugins to do this?

Re: SSL Termination in Forward proxy mode.

Posted by "Alan M. Carroll" <am...@network-geographics.com>.
Wednesday, December 11, 2013, 10:43:21 PM, you wrote:

> Certificate selection (mostly) happens in ssl_servername_callback(), see <https://github.com/apache/trafficserver/blob/master/iocore/net/SSLUtils.cc#L162>. Ideally, this would be plumbed through to the plugin API, but the synchronous API model is not a great fit for that.

There is also selection based on IP address which happens earlier. I looked at that callback and did not make it available through my prospective API precisely for that reason. I personally think it's a fault in the openSSL API, as it should be very possible to make that asynchronous by having the callback return an "I'm not done yet" value and openSSL calling it again on the next SSL_read call. But fixing would involve tweaking openSSL.


Re: SSL Termination in Forward proxy mode.

Posted by James Peach <jp...@apache.org>.
On Dec 11, 2013, at 9:49 AM, Vikram <mv...@yahoo.com> wrote:

> Thanks Alan. It does look like I have to jump through a few hoops to get this working.
> 
> I might actually go have a look at the code to see why this is not possible out of the box with ATS. Seems like a useful feature to have. Squid does this through SslBump I believe. I am new to the ATS code, so any pointers as to where I can start looking will be appreciated.

Certificate selection (mostly) happens in ssl_servername_callback(), see <https://github.com/apache/trafficserver/blob/master/iocore/net/SSLUtils.cc#L162>. Ideally, this would be plumbed through to the plugin API, but the synchronous API model is not a great fit for that.

> 
> If anyone else has any insights as to whether there is an easier way, that's appreciated too :)
> 
> Thanks,
> Vikram


Re: SSL Termination in Forward proxy mode.

Posted by Vikram <mv...@yahoo.com>.

> On Wednesday, December 11, 2013 10:32 AM, Alan M. Carroll <am...@network-geographics.com> wrote:
>
> Because that requires dynamically generating certificates which is a non-trivial task. I have done some work to extend the SSL support to make this easier in ATS but I haven't had time recently to write it up for the dev list.

I agree.

Although if we take the constraint that the client knows beforehand about this behavior, the client can choose not to validate the certificate against a CA, therefore simplifying the problem greatly. This would be especially applicable when the client is on the local network. I'm not very sure about this, but I would assume that we could either use a self-signed wildcard ssl certificate or one specific to the trafficserver host as long as the certificate validation does not happen.

Not spoofing certificates should also protect the local client against malicious usage of the forward proxy mode to inspect HTTPS traffic.

This behavior should be ok as ATS would do the required certificate validation for the upstream server. 

Thanks,
Vikram

Re: SSL Termination in Forward proxy mode.

Posted by "Alan M. Carroll" <am...@network-geographics.com>.
Wednesday, December 11, 2013, 11:49:19 AM, you wrote:

> I might actually go have a look at the code to see why this is not possible out of the box with ATS. Seems like a useful feature to have. Squid does this through SslBump I believe. I am new to the ATS code, so any pointers as to where I can start looking will be appreciated.

Because that requires dynamically generating certificates which is a non-trivial task. I have done some work to extend the SSL support to make this easier in ATS but I haven't had time recently to write it up for the dev list.


Re: SSL Termination in Forward proxy mode.

Posted by Vikram <mv...@yahoo.com>.
Thanks Alan. It does look like I have to jump through a few hoops to get this working.

I might actually go have a look at the code to see why this is not possible out of the box with ATS. Seems like a useful feature to have. Squid does this through SslBump I believe. I am new to the ATS code, so any pointers as to where I can start looking will be appreciated.

If anyone else has any insights as to whether there is an easier way, that's appreciated too :)

Thanks,
Vikram

Re: SSL Termination in Forward proxy mode.

Posted by "Alan M. Carroll" <am...@network-geographics.com>.
Unfortunately I'm not very familiar with remapping, hopefully someone else can provide pointers to that. I think the ATS documentation has good information on that. If you can't set a rule per port, there are a couple of other options -

1) Add something to the URL you can match with a regex_map rule or use an explicit port which can be matched and then remove it via the rule as you change it to HTTPS.

2) Use a remap plugin which can easily remap (or not) based on the local UA port.

Tuesday, December 10, 2013, 6:00:45 PM, you wrote:

> Hi Alan,

> Thanks for the info. Yeah, configuring ATS to remap URLs from HTTP to HTTPS could work. Is it possible to do this only on a particular port? So I would then have a port which does not remap, and a port which does, in essence simulating my use case.
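The following remap.config fragment is an added illustration of Alan's option 1 (an explicit, matchable port that the rule strips while changing the scheme to HTTPS); it is not from this thread or from the ATS project, and the host names and the marker port 8443 are placeholders chosen for the example. It uses only the plain `map` directive; a `regex_map` rule could generalize the same idea over many hostnames, but its capture syntax is not shown here.

```conf
# Constructed example remap.config fragment (not from the thread).
# Assumes forward-proxy mode with proxy.config.url_remap.remap_required = 0
# in records.config, so requests that match no rule are still forwarded as-is.

# Requests the client sends as http://example.com/... are left alone:
# ATS fetches and caches them over plain HTTP.
map http://example.com/ http://example.com/

# Requests the client sends with the marker port, http://example.com:8443/...,
# are rewritten to https://example.com/... before the origin connection.
# The client-to-ATS leg stays HTTP (so ATS sees and can cache the body),
# while the ATS-to-origin leg is TLS, and ATS validates the origin certificate.
map http://example.com:8443/ https://example.com/

# One rule pair per origin you want to treat this way.
map http://www.example.org:8443/ https://www.example.org/
```

With curl pointed at the proxy (`curl -x http://proxy-host:8080 http://example.com:8443/`), the marker port on the request URL selects the HTTPS rule; the same request without the port selects the plain rule. This reproduces the "one port remaps, one does not" behavior Vikram asked for without needing a per-listening-port rule, and without ATS presenting any certificate to the client.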