Posted to users@trafficserver.apache.org by Zack Bartel <zb...@proofpoint.com> on 2021/11/04 19:12:15 UTC

Parent TLS

Hello everyone,
I am trying to configure ATS 9.0.0 to upstream to another secure proxy over https. I can't get it to work and all connections return 502 Connection Refused. Is it possible to use https for the parent proxy?


url_regex=.+ scheme=https parent="my-upstream.proxy.com:443" round_robin=true ignore_self_detect=true


Thank you,

Zack Bartel

Re: Parent TLS

Posted by Zack Bartel <zb...@proofpoint.com>.
Thank you Jeremy and Miles for the help with this. I've confirmed the requests are getting sent to the upstream proxy in plaintext rather than TLS. So the plaintext CONNECT is going to the upstream rather than doing the TLS handshake first.


I've gone through all the config and can't identify anything that stands out that would do this. Do you guys or anyone else know how the connection to the upstream could not be encrypted?


Relevant config:

records.config


CONFIG proxy.config.http.no_dns_just_forward_to_parent INT 1
CONFIG proxy.config.http.forward.proxy_auth_to_parent INT 1
CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1
CONFIG proxy.config.http.forward_connect_method INT 1

CONFIG proxy.config.http.parent_proxies STRING my-upstream.proxy.com:443

CONFIG proxy.config.diags.debug.enabled INT 1
CONFIG proxy.config.diags.debug.tags STRING 'dns|http|ssl|http.*|parent.*|ssl.*'


parent.config:

dest_domain=. parent="my-upstream.proxy.com:443" round_robin=true ignore_self_detect=true go_direct=false


I also tried adding an entry in sni.yaml for the upstream.

Thanks again for your help with this.

Zack Bartel



> On Nov 10, 2021, at 11:48 AM, Jeremy Payne <jp...@gmail.com> wrote:
>
> as miles suggested you can play with the verify server settings to see
> if you're sending an SNI that doesn't match on the upstream server.
>
> you can also place ATS in debug mode while running your tests.
> something like the below.
>
> CONFIG proxy.config.diags.debug.enabled INT 1
> CONFIG proxy.config.diags.debug.tags STRING 'http.*|parent.*|ssl.*'
>
> for more data points, I'm a packet trace guy, so I always like to see
> what's being sent on the wire.
>
>
> On Wed, Nov 10, 2021 at 12:12 PM Zack Bartel <zb...@proofpoint.com> wrote:
> >
> > Thanks for the help with this. We don't have a remap in this situation as we want all traffic to go to this single upstream, which is another intermediary proxy. So ATS sits in the middle, but should forward all requests to a single upstream proxy that is itself https.
> >
> > In squid it's like this:
> >
> > cache_peer my-upstream.proxy.com parent 443 0 no-query tls
> >
> > But I don't want to use squid.
> >
> > Thanks again,
> > Zack
> >
> >
> > > On Nov 9, 2021, at 11:55 AM, Jeremy Payne <jp...@gmail.com> wrote:
> > >
> > > also.. please provide the remap entry in question.
> > > you can sanitize the hostnames.. but keep the scheme references.
> > > I do believe the parent selection must match the origin scheme defined
> > > in the remap.
> > >
> > > '502 connection refused' sounds like the parent selection is not
> > > matching and the request is going directly to origin.
> > > unless things have changed, ATS to upstream certificate verify failure
> > > usually results in a
> > > '502 service unavailable'
> > >
> > >
> > > On Thu, Nov 4, 2021 at 2:12 PM Zack Bartel <zb...@proofpoint.com> wrote:
> > > >
> > > > Hello everyone,
> > > > I am trying to configure ATS 9.0.0 to upstream to another secure proxy over https. I can't get it to work and all connections return 502 Connection Refused. Is it possible to use https for the parent proxy?
> > > >
> > > >
> > > > url_regex=.+ scheme=https parent="my-upstream.proxy.com:443" round_robin=true ignore_self_detect=true
> > > >
> > > >
> > > > Thank you,
> > > >
> > > > Zack Bartel


Re: Parent TLS

Posted by Jeremy Payne <jp...@gmail.com>.
as miles suggested you can play with the verify server settings to see
if you're sending an SNI that doesn't match on the upstream server.

you can also place ATS in debug mode while running your tests.
something like the below.

CONFIG proxy.config.diags.debug.enabled INT 1
CONFIG proxy.config.diags.debug.tags STRING 'http.*|parent.*|ssl.*'

for more data points, I'm a packet trace guy, so I always like to see
what's being sent on the wire.


On Wed, Nov 10, 2021 at 12:12 PM Zack Bartel <zb...@proofpoint.com> wrote:
>
> Thanks for the help with this. We don't have a remap in this situation as we want all traffic to go to this single upstream, which is another intermediary proxy. So ATS sits in the middle, but should forward all requests to a single upstream proxy that is itself https.
>
> In squid it's like this:
>
> cache_peer my-upstream.proxy.com parent 443 0 no-query tls
>
> But I don't want to use squid.
>
> Thanks again,
> Zack
>
>
> > On Nov 9, 2021, at 11:55 AM, Jeremy Payne <jp...@gmail.com> wrote:
> >
> > also.. please provide the remap entry in question.
> > you can sanitize the hostnames.. but keep the scheme references.
> > I do believe the parent selection must match the origin scheme defined
> > in the remap.
> >
> > '502 connection refused' sounds like the parent selection is not
> > matching and the request is going directly to origin.
> > unless things have changed, ATS to upstream certificate verify failure
> > usually results in a
> > '502 service unavailable'
> >
> >
> >
> >
> > On Thu, Nov 4, 2021 at 2:12 PM Zack Bartel <zb...@proofpoint.com> wrote:
> >>
> >> Hello everyone,
> >> I am trying to configure ATS 9.0.0 to upstream to another secure proxy over https. I can't get it to work and all connections return 502 Connection Refused. Is it possible to use https for the parent proxy?
> >>
> >>
> >> url_regex=.+ scheme=https parent="my-upstream.proxy.com:443" round_robin=true ignore_self_detect=true
> >>
> >>
> >> Thank you,
> >>
> >> Zack Bartel
>

Re: Parent TLS

Posted by Zack Bartel <zb...@proofpoint.com>.
Thanks for the help with this. We don't have a remap in this situation as we want all traffic to go to this single upstream, which is another intermediary proxy. So ATS sits in the middle, but should forward all requests to a single upstream proxy that is itself https.

In squid it's like this:

cache_peer my-upstream.proxy.com parent 443 0 no-query tls

But I don't want to use squid.

Thanks again,
Zack


> On Nov 9, 2021, at 11:55 AM, Jeremy Payne <jp...@gmail.com> wrote:
> 
> also.. please provide the remap entry in question.
> you can sanitize the hostnames.. but keep the scheme references.
> I do believe the parent selection must match the origin scheme defined
> in the remap.
> 
> '502 connection refused' sounds like the parent selection is not
> matching and the request is going directly to origin.
> unless things have changed, ATS to upstream certificate verify failure
> usually results in a
> '502 service unavailable'
> 
> 
> 
> 
> On Thu, Nov 4, 2021 at 2:12 PM Zack Bartel <zb...@proofpoint.com> wrote:
>> 
>> Hello everyone,
>> I am trying to configure ATS 9.0.0 to upstream to another secure proxy over https. I can't get it to work and all connections return 502 Connection Refused. Is it possible to use https for the parent proxy?
>> 
>> 
>> url_regex=.+ scheme=https parent="my-upstream.proxy.com:443" round_robin=true ignore_self_detect=true
>> 
>> 
>> Thank you,
>> 
>> Zack Bartel


Re: Parent TLS

Posted by Jeremy Payne <jp...@gmail.com>.
also.. please provide the remap entry in question.
you can sanitize the hostnames.. but keep the scheme references.
I do believe the parent selection must match the origin scheme defined
in the remap.

'502 connection refused' sounds like the parent selection is not
matching and the request is going directly to origin.
unless things have changed, ATS to upstream certificate verify failure
usually results in a
'502 service unavailable'




On Thu, Nov 4, 2021 at 2:12 PM Zack Bartel <zb...@proofpoint.com> wrote:
>
> Hello everyone,
> I am trying to configure ATS 9.0.0 to upstream to another secure proxy over https. I can't get it to work and all connections return 502 Connection Refused. Is it possible to use https for the parent proxy?
>
>
> url_regex=.+ scheme=https parent="my-upstream.proxy.com:443" round_robin=true ignore_self_detect=true
>
>
> Thank you,
>
> Zack Bartel

Re: Parent TLS

Posted by Miles Libbey <ml...@apache.org>.
here's how we do it:
For the child:
remap.config:
map https://inbound.example.com https://inbound.example.com
parent.config
dest_domain=inbound.example.com scheme=https parent="my-upstream1.proxy.com:443,my-upstream2.proxy.com:443" round_robin=consistent_hash go_direct=false

For the parent/upstream:
remap.config
map https://inbound.example.com https://origin.example.com

By mapping the inbound to the inbound on the child the parent uses the same
certificate as the child -- which we know we can get (whereas we don't know
we can get a certificate for the origin domain). Alternatively, it's likely
the 502 is because of certificate issues on the parent -- might just try
playing with the
https://docs.trafficserver.apache.org/admin-guide/files/records.config.en.html#proxy-config-ssl-client-verify-server-policy
as a quick debugging step.


On Thu, Nov 4, 2021 at 12:12 PM Zack Bartel <zb...@proofpoint.com> wrote:

> Hello everyone,
> I am trying to configure ATS 9.0.0 to upstream to another secure proxy
> over https. I can't get it to work and all connections return 502 Connection
> Refused. Is it possible to use https for the parent proxy?
>
>
> url_regex=.+ scheme=https parent="my-upstream.proxy.com:443"
> round_robin=true ignore_self_detect=true
>
>
> Thank you,
>
> Zack Bartel
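
Jeremy's advice above to look at what is on the wire, and Miles's hint that a certificate or SNI problem at the parent can also surface as a 502, both come down to inspecting the first segment the child sends to the parent. The Python below is an added example and is not code from this thread or from Apache Traffic Server: it classifies that segment as a TLS ClientHello (pulling out the SNI so it can be compared with the parent's name) or as a plaintext HTTP request such as the CONNECT that Zack later confirmed was being sent. The ClientHello builder exists only to produce constructed input, the sample segments are constructed rather than captured, and the parent name my-upstream.proxy.com is taken from the thread on the assumption that it is also the subject name on the parent's certificate.

```python
"""Added example, not ATS code: classify the first segment a child proxy sends
to its TLS parent. A ClientHello means TLS was started (its SNI is the name the
parent is asked to verify); a request line such as CONNECT means plaintext."""
import struct

# Parent host from the thread; assumed here to also be the name on its certificate.
PARENT_NAME = "my-upstream.proxy.com"

def build_client_hello(sni: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record with one server_name extension (constructed input)."""
    host = sni.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host    # name_type 0 = host_name
    sni_body = struct.pack("!H", len(name_entry)) + name_entry    # ServerNameList
    extensions = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    body = (b"\x03\x03"                  # client_version TLS 1.2
            + bytes(32)                  # random (zeros; irrelevant to parsing)
            + b"\x00"                    # empty session_id
            + b"\x00\x02\xc0\x2f"        # one cipher suite, ECDHE-RSA-AES128-GCM-SHA256
            + b"\x01\x00"                # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def _u16(buf: bytes, pos: int) -> int:
    if pos + 2 > len(buf):
        raise ValueError("truncated")
    return struct.unpack("!H", buf[pos:pos + 2])[0]

def is_client_hello(data: bytes) -> bool:
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01

def parse_sni(data: bytes):
    """host_name from the ClientHello's server_name extension, or None. Every
    length is bounds-checked so a truncated capture yields None, not a crash."""
    if not is_client_hello(data):
        return None
    try:
        hs_len = int.from_bytes(data[6:9], "big")
        body = data[9:9 + hs_len]
        if len(body) != hs_len:
            return None                             # truncated record
        pos = 2 + 32                                # skip version + random
        pos += 1 + body[pos]                        # session_id
        pos += 2 + _u16(body, pos)                  # cipher_suites
        pos += 1 + body[pos]                        # compression_methods
        if pos >= len(body):
            return None                             # no extensions block
        end = pos + 2 + _u16(body, pos)
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = _u16(body, pos), _u16(body, pos + 2)
            ext = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0x0000:
                continue
            lp, list_end = 2, 2 + _u16(ext, 0)
            while lp + 3 <= list_end:
                name_type, name_len = ext[lp], _u16(ext, lp + 1)
                name = ext[lp + 3:lp + 3 + name_len]
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii", errors="replace")
                lp += 3 + name_len
    except (ValueError, IndexError):
        pass
    return None

def classify_upstream_bytes(data: bytes) -> dict:
    """Label the first client-to-parent segment of a connection."""
    if is_client_hello(data):
        return {"kind": "tls_client_hello", "sni": parse_sni(data)}
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0].isalpha() and parts[2].startswith(b"HTTP/"):
        return {"kind": "plaintext_http", "method": parts[0].decode(), "target": parts[1].decode()}
    return {"kind": "unknown"}

def check_parent_connection(data: bytes, parent_name: str = PARENT_NAME) -> list:
    """Findings worth acting on: plaintext to a TLS parent, or an SNI the parent
    cannot verify against its own certificate name."""
    info = classify_upstream_bytes(data)
    if info["kind"] == "plaintext_http":
        return [f"plaintext {info['method']} {info['target']} sent to {parent_name}:443; "
                "the parent expects a TLS handshake first"]
    if info["kind"] == "unknown":
        return ["first bytes are neither a TLS ClientHello nor an HTTP request line"]
    if info["sni"] is None:
        return ["ClientHello carries no SNI; a name-verifying parent may reject it"]
    if info["sni"] != parent_name:
        return [f"SNI {info['sni']!r} does not match parent name {parent_name!r}"]
    return []

# Constructed sample segments, not captured traffic
PLAINTEXT_CONNECT = b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"
GOOD_HELLO = build_client_hello(PARENT_NAME)
WRONG_SNI_HELLO = build_client_hello("www.example.com")   # origin name sent as SNI, not the parent's

if __name__ == "__main__":
    for label, seg in (("plaintext", PLAINTEXT_CONNECT), ("tls", GOOD_HELLO), ("wrong-sni", WRONG_SNI_HELLO)):
        print(label, classify_upstream_bytes(seg), check_parent_connection(seg))
```

Feed check_parent_connection the first client-to-parent payload from a capture taken on the child (tcpdump filtered to the parent's address and port 443). A correctly configured child always produces a ClientHello whose SNI the parent can match to its certificate; a request line at that point means the child never started TLS, whatever parent.config says.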