Posted to users@trafficserver.apache.org by Reindl Harald <h....@thelounge.net> on 2015/05/26 20:33:29 UTC

5.3.0: TLS completely broken (reverse-proxy)

i recently did a dist-upgrade to Fedora 21 and at that time decided to 
upgrade ATS to 5.3.0 since load-tests without encryption were fine

well, https://www.ssllabs.com/ssltest/ says no connection; after that, 
Firefox, which previously displayed the page, said "no shared ciphers" on 
reload, and a local "sslscan" is more than strange - in other words: as soon 
as you start to scan the server for SSL ciphers something goes terribly 
wrong

it happens that another SNI host still works, until you try to scan it too

downgrade to 5.2.1 and all is fine again
P.S.: the download page should not only list a .0 release
______________________________________________

without changing the environment these different results for "sslscan 
host:443" should be impossible

   Preferred Server Cipher(s):
     SSLv2  0 bits    (NONE)
     SSLv3  0 bits    (NONE)
     TLSv1  0 bits    (NONE)
     TLS11  0 bits    (NONE)
     TLS12  0 bits    (NONE)

   Preferred Server Cipher(s):
     SSLv2  0 bits    (NONE)
     SSLv3  0 bits    (NONE)
     TLSv1  0 bits    (NONE)
     TLS11  0 bits    (NONE)
     TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
______________________________________________

5.2.1:

   Preferred Server Cipher(s):
     SSLv2  0 bits    (NONE)
     SSLv3  0 bits    (NONE)
     TLSv1  128 bits  ECDHE-RSA-AES128-SHA
     TLS11  128 bits  ECDHE-RSA-AES128-SHA
     TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
______________________________________________

records.config

##############################################################################
# System Variables 
      #
##############################################################################
CONFIG proxy.config.proxy_name STRING proxy.thelounge.net
CONFIG proxy.config.config_dir STRING /etc/trafficserver
CONFIG proxy.config.proxy_binary_opts STRING -M
CONFIG proxy.config.temp_dir STRING /tmp
CONFIG proxy.config.alarm_email STRING ats
CONFIG proxy.config.syslog_facility STRING LOG_DAEMON
CONFIG proxy.config.output.logfile STRING traffic.out
CONFIG proxy.config.snapshot_dir STRING snapshots
CONFIG proxy.config.system.mmap_max INT 2097152

##############################################################################
# Main threads configuration (worker threads). Also see configurations 
for   #
# SSL threads, disk I/O threads and task threads in their respective 
areas   #
##############################################################################
CONFIG proxy.config.exec_thread.autoconfig INT 0
CONFIG proxy.config.exec_thread.limit INT 4
CONFIG proxy.config.exec_thread.affinity INT 1
CONFIG proxy.config.accept_threads INT 0

##############################################################################
# Local Manager 
      #
##############################################################################
CONFIG proxy.config.admin.admin_user STRING admin
CONFIG proxy.config.admin.number_config_bak INT 0
CONFIG proxy.config.admin.user_id STRING ats

##############################################################################
# Process Manager 
      #
##############################################################################
CONFIG proxy.config.admin.autoconf_port INT 8083
CONFIG proxy.config.process_manager.mgmt_port INT 8084

##############################################################################
# HTTP Engine 
      #
##############################################################################
CONFIG proxy.config.http.server_ports STRING 80 443:ssl
CONFIG proxy.config.http.connect_ports STRING 80
CONFIG proxy.config.http.insert_request_via_str INT 0
CONFIG proxy.config.http.insert_response_via_str INT 0
CONFIG proxy.config.http.response_server_enabled INT 0
CONFIG proxy.config.http.insert_age_in_response INT 1
CONFIG proxy.config.http.enable_url_expandomatic INT 0
CONFIG proxy.config.http.no_dns_just_forward_to_parent INT 0
CONFIG proxy.config.http.uncacheable_requests_bypass_parent INT 0
CONFIG proxy.config.http.keep_alive_enabled_in INT 1
CONFIG proxy.config.http.keep_alive_enabled_out INT 1
CONFIG proxy.config.http.chunking_enabled INT 1
# NOTE(review): unlike every other CONFIG line in this file, this one carries
# no type token between the name and the value (compare "INT 512K" further
# down); the records.config parser presumably expects "INT 64K" -- confirm
# whether this line is currently being honoured at all.
CONFIG proxy.config.http.chunking.size 64k
CONFIG proxy.config.http.send_http11_requests INT 1
CONFIG proxy.config.http.share_server_sessions INT 1
CONFIG proxy.config.http.origin_server_pipeline INT 1
CONFIG proxy.config.http.user_agent_pipeline INT 8
CONFIG proxy.config.http.referer_filter INT 0
CONFIG proxy.config.http.accept_unknown_methods INT 0

##############################################################################
# parent proxy configuration 
      #
##############################################################################
CONFIG proxy.config.http.parent_proxy_routing_enable INT 0

##############################################################################
# HTTP connection timeouts (secs) 
      #
# out: proxy -> origin server connection 
      #
# in : ua -> proxy connection 
      #
##############################################################################
CONFIG proxy.config.http.keep_alive_no_activity_timeout_in INT 1
CONFIG proxy.config.http.keep_alive_no_activity_timeout_out INT 1
CONFIG proxy.config.http.transaction_no_activity_timeout_in INT 60
CONFIG proxy.config.http.transaction_no_activity_timeout_out INT 60
CONFIG proxy.config.http.transaction_active_timeout_in INT 3600
CONFIG proxy.config.http.transaction_active_timeout_out INT 0
CONFIG proxy.config.http.accept_no_activity_timeout INT 1
CONFIG proxy.config.http.background_fill_active_timeout INT 0
CONFIG proxy.config.http.background_fill_completed_threshold FLOAT 0.0

##############################################################################
# origin server connect attempts 
      #
##############################################################################
CONFIG proxy.config.http.connect_attempts_max_retries INT 10
CONFIG proxy.config.http.connect_attempts_max_retries_dead_server INT 10
CONFIG proxy.config.http.connect_attempts_rr_retries INT 10
CONFIG proxy.config.http.connect_attempts_timeout INT 30
CONFIG proxy.config.http.post_connect_attempts_timeout INT 1800
CONFIG proxy.config.http.down_server.cache_time INT 5
CONFIG proxy.config.http.down_server.abort_threshold INT 30

##############################################################################
# congestion control 
      #
##############################################################################
CONFIG proxy.config.http.congestion_control.enabled INT 0

##############################################################################
# negative response caching 
      #
##############################################################################
CONFIG proxy.config.http.negative_caching_enabled INT 1
CONFIG proxy.config.http.negative_caching_lifetime INT 1

##############################################################################
# proxy users variables 
      #
##############################################################################
CONFIG proxy.config.http.anonymize_remove_from INT 0
CONFIG proxy.config.http.anonymize_remove_referer INT 0
CONFIG proxy.config.http.anonymize_remove_user_agent INT 0
CONFIG proxy.config.http.anonymize_remove_cookie INT 0
CONFIG proxy.config.http.anonymize_remove_client_ip INT 0
CONFIG proxy.config.http.anonymize_insert_client_ip INT 0
CONFIG proxy.config.http.anonymize_other_header_list STRING NULL
CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1

##############################################################################
# security 
      #
##############################################################################
CONFIG proxy.config.http.push_method_enabled INT 0

##############################################################################
# cache control 
      #
##############################################################################
CONFIG proxy.config.http.normalize_ae_gzip INT 1
CONFIG proxy.config.http.cache.http INT 1
CONFIG proxy.config.http.cache.cache_responses_to_cookies INT 3
CONFIG proxy.config.http.cache.cache_urls_that_look_dynamic INT 1
CONFIG proxy.config.http.cache.ims_on_client_no_cache INT 1
CONFIG proxy.config.http.cache.ignore_client_cc_max_age INT 0
CONFIG proxy.config.http.cache.ignore_client_no_cache INT 0
CONFIG proxy.config.http.cache.ignore_accept_mismatch INT 2
CONFIG proxy.config.http.cache.ignore_accept_language_mismatch INT 2
CONFIG proxy.config.http.cache.ignore_accept_encoding_mismatch INT 2
CONFIG proxy.config.http.cache.ignore_accept_charset_mismatch INT 2
CONFIG proxy.config.http.cache.ignore_server_no_cache INT 0
CONFIG proxy.config.http.cache.ignore_authentication INT 0
CONFIG proxy.config.http.cache.enable_default_vary_headers INT 0
CONFIG proxy.config.http.cache.when_to_revalidate INT 0
CONFIG proxy.config.http.cache.when_to_add_no_cache_to_msie_requests INT 0
CONFIG proxy.config.http.cache.required_headers INT 0
CONFIG proxy.config.http.cache.max_stale_age INT 1800
CONFIG proxy.config.http.cache.range.lookup INT 0
CONFIG proxy.config.cache.vary_on_user_agent INT 0

##############################################################################
# heuristic expiration 
      #
##############################################################################
CONFIG proxy.config.http.cache.heuristic_min_lifetime INT 60
CONFIG proxy.config.http.cache.heuristic_max_lifetime INT 60
CONFIG proxy.config.http.cache.heuristic_lm_factor FLOAT 0.100000
CONFIG proxy.config.http.cache.fuzz.time INT 60
CONFIG proxy.config.http.cache.fuzz.probability FLOAT 0.005000

##############################################################################
# dynamic content & content negotiation 
      #
##############################################################################
CONFIG proxy.config.http.cache.vary_default_text STRING Accept-Encoding
CONFIG proxy.config.http.cache.vary_default_images STRING NULL
CONFIG proxy.config.http.cache.vary_default_other STRING NULL

##############################################################################
# The HTTP stats are expensive, turn off you dont need them 
      #
##############################################################################
CONFIG proxy.config.http.enable_http_stats INT 0

##############################################################################
# Customizable User Response Pages 
      #
##############################################################################
CONFIG proxy.config.body_factory.enable_customizations INT 1
CONFIG proxy.config.body_factory.enable_logging INT 0
CONFIG proxy.config.body_factory.response_suppression_mode INT 0

##############################################################################
# Net Subsystem 
      #
##############################################################################
CONFIG proxy.config.net.connections_throttle INT 30000
CONFIG proxy.config.net.defer_accept INT 1

##############################################################################
# Cluster Subsystem 
      #
##############################################################################
LOCAL proxy.local.cluster.type INT 3

##############################################################################
# Cache 
      #
##############################################################################
CONFIG proxy.config.cache.permit.pinning INT 0
CONFIG proxy.config.cache.ram_cache.size INT 2560M
CONFIG proxy.config.cache.ram_cache_cutoff INT 512K
CONFIG proxy.config.cache.ram_cache.algorithm INT 1
CONFIG proxy.config.cache.ram_cache.use_seen_filter INT 0
CONFIG proxy.config.cache.ram_cache.compress INT 0
CONFIG proxy.config.cache.limits.http.max_alts INT 10
CONFIG proxy.config.cache.target_fragment_size INT 262144
CONFIG proxy.config.cache.max_doc_size INT 0
CONFIG proxy.config.cache.enable_read_while_writer INT 1
CONFIG proxy.config.connection_collapsing.hashtable_enabled INT 1
CONFIG proxy.config.cache.min_average_object_size INT 32K
CONFIG proxy.config.cache.threads_per_disk INT 8
CONFIG proxy.config.cache.mutex_retry_delay INT 10

##############################################################################
# DNS 
      #
##############################################################################
CONFIG proxy.config.dns.search_default_domains INT 1
CONFIG proxy.config.dns.splitDNS.enabled INT 0
CONFIG proxy.config.dns.max_dns_in_flight INT 2048
CONFIG proxy.config.dns.url_expansions STRING NULL
CONFIG proxy.config.dns.round_robin_nameservers INT 0
CONFIG proxy.config.dns.nameservers STRING 127.0.0.1
CONFIG proxy.config.dns.resolv_conf STRING NULL
CONFIG proxy.config.dns.validate_query_name INT 0

##############################################################################
# HostDB 
      #
##############################################################################
CONFIG proxy.config.hostdb.size INT 50000
CONFIG proxy.config.hostdb.storage_size INT 14680064
CONFIG proxy.config.hostdb.ttl_mode INT 1
CONFIG proxy.config.hostdb.timeout INT 60
CONFIG proxy.config.hostdb.strict_round_robin INT 0
CONFIG proxy.config.hostdb.host_file.path STRING /etc/hosts.dnsmasq
CONFIG proxy.config.hostdb.host_file.interval INT 3600
CONFIG proxy.config.hostdb.ip_resolve STRING ipv4;none

##############################################################################
# Logging Config 
      #
# 
      #
# 0: no logging at all 
      #
# 1: log errors only 
      #
# 2: log transactions only 
      #
# 3: full logging (errors + transactions) 
      #
##############################################################################
LOCAL proxy.local.log.collation_mode INT 0
CONFIG proxy.config.log.logging_enabled INT 1
CONFIG proxy.config.log.max_secs_per_buffer INT 5
CONFIG proxy.config.log.max_space_mb_for_logs INT 25000
CONFIG proxy.config.log.max_space_mb_for_orphan_logs INT 25
CONFIG proxy.config.log.max_space_mb_headroom INT 1000
CONFIG proxy.config.log.hostname STRING localhost
CONFIG proxy.config.log.logfile_dir STRING /var/log/trafficserver
CONFIG proxy.config.log.logfile_perm STRING rw-rw----
CONFIG proxy.config.log.custom_logs_enabled INT 0
CONFIG proxy.config.log.squid_log_enabled INT 0
CONFIG proxy.config.log.squid_log_is_ascii INT 0
CONFIG proxy.config.log.squid_log_name STRING squid
CONFIG proxy.config.log.squid_log_header STRING NULL
CONFIG proxy.config.log.common_log_enabled INT 0
CONFIG proxy.config.log.common_log_is_ascii INT 1
CONFIG proxy.config.log.common_log_name STRING common
CONFIG proxy.config.log.common_log_header STRING NULL
CONFIG proxy.config.log.extended_log_enabled INT 0
CONFIG proxy.config.log.extended_log_is_ascii INT 0
CONFIG proxy.config.log.extended_log_name STRING extended
CONFIG proxy.config.log.extended_log_header STRING NULL
CONFIG proxy.config.log.extended2_log_enabled INT 0
CONFIG proxy.config.log.extended2_log_is_ascii INT 1
CONFIG proxy.config.log.extended2_log_name STRING extended2
CONFIG proxy.config.log.extended2_log_header STRING NULL
CONFIG proxy.config.log.separate_icp_logs INT 0
CONFIG proxy.config.log.separate_host_logs INT 0
CONFIG proxy.config.log.collation_host STRING NULL
CONFIG proxy.config.log.collation_port INT 8085
# NOTE(review): "foobar" is a placeholder secret. It is presumably inert while
# collation_host is NULL (and proxy.local.log.collation_mode is 0 above), but
# it must be replaced before log collation is ever switched on.
CONFIG proxy.config.log.collation_secret STRING foobar
CONFIG proxy.config.log.collation_host_tagged INT 0
CONFIG proxy.config.log.collation_retry_sec INT 5
CONFIG proxy.config.log.rolling_enabled INT 1
CONFIG proxy.config.log.rolling_interval_sec INT 86400
CONFIG proxy.config.log.rolling_offset_hr INT 0
CONFIG proxy.config.log.rolling_size_mb INT 10
CONFIG proxy.config.log.auto_delete_rolled_files INT 1
CONFIG proxy.config.log.sampling_frequency INT 1

##############################################################################
# Reverse Proxy 
      #
##############################################################################
CONFIG proxy.config.reverse_proxy.enabled INT 1
CONFIG proxy.config.header.parse.no_host_url_redirect STRING NULL

##############################################################################
# URL Remap Rules 
      #
##############################################################################
CONFIG proxy.config.url_remap.default_to_server_pac INT 0
CONFIG proxy.config.url_remap.default_to_server_pac_port INT -1
CONFIG proxy.config.url_remap.remap_required INT 1
CONFIG proxy.config.url_remap.pristine_host_hdr INT 1

##############################################################################
# ICP Configuration 
      #
##############################################################################
CONFIG proxy.config.icp.enabled INT 0

##############################################################################
# Scheduled Update Configuration 
      #
##############################################################################
CONFIG proxy.config.update.enabled INT 0
CONFIG proxy.config.update.force INT 0
CONFIG proxy.config.update.retry_count INT 10
CONFIG proxy.config.update.retry_interval INT 2
CONFIG proxy.config.update.concurrent_updates INT 100

##############################################################################
# Socket send/recv buffer sizes 0 == dont call setsockopt() 
      #
# out: proxy -> os connection 
      #
# in : ua -> proxy connection 
      #
##############################################################################
CONFIG proxy.config.net.sock_send_buffer_size_in INT 65536
CONFIG proxy.config.net.sock_recv_buffer_size_in INT 65536
CONFIG proxy.config.net.sock_option_flag_in INT 1
CONFIG proxy.config.net.sock_send_buffer_size_out INT 65536
CONFIG proxy.config.net.sock_recv_buffer_size_out INT 65536
CONFIG proxy.config.net.sock_option_flag_out INT 1

##############################################################################
# User Overridden Configurations Below 
      #
##############################################################################
CONFIG proxy.config.core_limit INT -1

##############################################################################
# Debugging 
      #
##############################################################################
CONFIG proxy.config.diags.debug.enabled INT 0
CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*
CONFIG proxy.config.dump_mem_info_frequency INT 0
# NOTE(review): no type token here either (the other CONFIG lines use
# "INT 0"); presumably this should read "INT 0" -- confirm the line is parsed.
CONFIG proxy.config.stack_dump_enabled 0

##############################################################################
# Log any request that takes more then x number of milliseconds, needs 
      #
# to be > 0 to be enabled 
      #
##############################################################################
CONFIG proxy.config.http.slow.log.threshold INT 0

##############################################################################
# Thread pool for "misc" tasks, plugins etc. 2 is a good minimum 
      #
##############################################################################
CONFIG proxy.config.task_threads INT 2
CONFIG proxy.config.cluster.cluster_configuration STRING cluster.config
CONFIG proxy.config.body_factory.template_sets_dir STRING 
/etc/trafficserver/body_factory

##############################################################################
# SSL/TLS                                                                    #
##############################################################################
# Inbound (client-facing) protocol versions: SSLv2 and SSLv3 are switched
# off, TLS 1.0, 1.1 and 1.2 are enabled.
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 0
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
# NOTE(review): the ssl.client.* keys presumably govern the proxy's own
# outbound TLS connections to origin servers (the thread mentions hosts that
# use TLS to the origin). SSLv2 and SSLv3 are left enabled here although they
# are disabled on the inbound side above -- confirm the intent and consider
# aligning the two, since a downgrade-tolerant origin-side setting weakens the
# offloading setup as a whole.
CONFIG proxy.config.ssl.client.SSLv2 INT 1
CONFIG proxy.config.ssl.client.SSLv3 INT 1
CONFIG proxy.config.ssl.client.TLSv1 INT 1
CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
# certification_level 0: presumably no client certificate is requested --
# verify against the records.config documentation for the ATS version in use.
CONFIG proxy.config.ssl.client.certification_level INT 0
# Certificate / key locations. The STRING values below appear split across
# two lines by the mail archive's wrapping; in the real file each CONFIG
# entry is presumably a single line.
CONFIG proxy.config.ssl.server.multicert.filename STRING 
ssl_multicert.config
CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl/
CONFIG proxy.config.ssl.server.private_key.path STRING 
/etc/trafficserver/ssl/
CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
# Server cipher list, most preferred first (honor_cipher_order INT 1 below
# presumably makes the server, not the client, pick from this order). The
# trailing ECDHE-RSA-DES-CBC3-SHA / DES-CBC3-SHA entries keep 3DES reachable
# for clients that offer nothing stronger; the sslscan output earlier in the
# mail shows the ECDHE-RSA-AES128 suites being negotiated, so these tail
# entries are the first candidates to drop. This value is also wrapped by the
# archive and is one line in the real file.
CONFIG proxy.config.ssl.server.cipher_suite STRING 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
# Presumably the DH parameters used by the DHE-* suites listed above.
CONFIG proxy.config.ssl.server.dhparams_file STRING 
/etc/trafficserver/ssl/dhparams.pem



Re: 5.3.0: TLS completely broken (reverse-proxy)

Posted by Susan Hinrichs <sh...@network-geographics.com>.
No, I have not yet been able to reproduce.  I tried running with 
Reindl's records.config and sslscan from a CentOS client.  When I get 
some more time, I'll try setting up a network-accessible server with ATS 
so I can try using the ssllabs web site directly.

It just looks like the scan tool attempts a lot of SSL connections with 
various parameters set.  Most of them fail (because the weak ciphers are 
not present).  Nothing obvious that should be wedging ATS.

On 5/28/2015 10:18 AM, Phil Sorber wrote:
> On Tue, May 26, 2015 at 1:53 PM Susan Hinrichs <
> shinrich@network-geographics.com> wrote:
>
>> Hmm.  I just ran ssllabs against
>> https://docs.trafficserver.apache.org/en/latest/ which is running 5.3.x
>> (which I think is the same as 5.3.0).  All was happy.  Will need to look
>> more closely at your records.config.   Good to know that running sslscan
>> locally also produces the problem.  Should get this figured out before
>> you need to move up to 5.3.x.
>>
> Susan, were you able to reproduce this?
>
>
>> On 5/26/2015 2:40 PM, Reindl Harald wrote:
>>>
>>> Am 26.05.2015 um 21:32 schrieb Susan Hinrichs:
>>>> Hi Riendl,
>>>>
>>>> I'll have to try to reproduce from outside the office.
>>>>
>>>> If I understand you correctly, you can access the server behind ATS ok.
>>>> Then you do the ssllabs scan (which fails badly).  Then your browser can
>>>> no longer access the server.
>>>>
>>>> Definitely sounds like badness.
>>> forget the server behind ATS, there are multiple and they are innocent
>>>
>>> * ATS 5.3.0 seems to work fine in the browser
>>> * ssllabs says no connection
>>> * the same host no longer responds in the browser
>>> * other reverse proxy hosts appears to work still fine
>>> * ssllabs them, they are also gone
>>> * it's not only ssllabs, local sslscan to ATS kills it also
>>> * the problem is "no shared ciphers"
>>>
>>> something seems to go terrible wrong with multiple TLS hosts, some of
>>> them configured for just TLS-offloading, some of them also use TLS to
>>> the origin (caused by a backend CMS not handle external offloading
>>> properly) and a mix of our wildcard certificate and host-specific ones
>>>
>>> happily i recognized that very soon and built 5.2.1 for Fedora 21
>>> (x86_64) wich was also running with F20 on that machine
>>>
>>> no time to dig that deeper because i am at dist-upgrades for around 30
>>> servers and ATS was the only problem until now, happily 5.2.1 still
>>> works fine
>>>
>>>> On 5/26/2015 2:22 PM, Reindl Harald wrote:
>>>>>
>>>>> Am 26.05.2015 um 21:04 schrieb Dave Thompson:
>>>>>> Hi Riendl,
>>>>>>
>>>>>> More details regarding host might help, though if the issue is related
>>>>>> to having an external scanner contact an internal ATS, you can test
>>>>>> TCP
>>>>>> connectivity with just a 'telnet hostname port'.
>>>>> TLS is fucked up, nobody talks about a internal host
>>>>>
>>>>>> To test SSL handshake, you might alternatively try:
>>>>>> openssl s_client -connect login.yahoo.com:443 < /dev/null
>>>>>>
>>>>>> If you're trying an internal scan to something that ssllabs.com can't
>>>>>> access, you might be interested in checking out:
>>>>>> yo/checkmyssl
>>>>> uhm that is and was a production server runnigng as reverse proxy and
>>>>> reachable from ssllabs - the point is that *after* ssllabs try to scan
>>>>> the host the page is dead and firefox complaints in no shared ciphers
>>>>>
>>>>> please read again my post!
>>>>>
>>>>> for me that's now done by downgrade to 5.2.1 and all is fine as before
>>>>> with nothing else changed
>>>>>
>>>>>> On Tuesday, May 26, 2015 1:34 PM, Reindl Harald
>>>>>> <h....@thelounge.net>
>>>>>> wrote:
>>>>>>
>>>>>>
>>>>>> i recently did a dist-upgrade to Fedora 21 and at that time decided to
>>>>>> upgrade ATS to 5.3.0 since load-tests without encryption where fine
>>>>>>
>>>>>> well, https://www.ssllabs.com/ssltest/
>>>>>> <https://www.ssllabs.com/ssltest/>says no connection, after that
>>>>>> Firefox previously displayed the page said "no shared ciphers" at
>>>>>> reload, local "sslcsan" is more than strange - in other words: as soon
>>>>>> as you start to scan the server for ssl ciphers something goes
>>>>>> terrible
>>>>>> wrong
>>>>>>
>>>>>> it happens that another SNI host still works, until you try to scan
>>>>>> it too
>>>>>>
>>>>>> downgrade to 5.2.1 and all is fine again
>>>>>> P.S.: the download page should not only list a .0 release
>>>>>> ______________________________________________
>>>>>>
>>>>>> without changing the environment these different results for "sslscan
>>>>>> host:443" should be impossible
>>>>>>
>>>>>>     Preferred Server Cipher(s):
>>>>>>       SSLv2  0 bits    (NONE)
>>>>>>       SSLv3  0 bits    (NONE)
>>>>>>       TLSv1  0 bits    (NONE)
>>>>>>       TLS11  0 bits    (NONE)
>>>>>>       TLS12  0 bits    (NONE)
>>>>>>
>>>>>>     Preferred Server Cipher(s):
>>>>>>       SSLv2  0 bits    (NONE)
>>>>>>       SSLv3  0 bits    (NONE)
>>>>>>       TLSv1  0 bits    (NONE)
>>>>>>       TLS11  0 bits    (NONE)
>>>>>>       TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
>>>>>> ______________________________________________
>>>>>>
>>>>>> 5.2.1:
>>>>>>
>>>>>>     Preferred Server Cipher(s):
>>>>>>       SSLv2  0 bits    (NONE)
>>>>>>       SSLv3  0 bits    (NONE)
>>>>>>       TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>>>>>>       TLS11  128 bits  ECDHE-RSA-AES128-SHA
>>>>>>       TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
>>>>>> ______________________________________________
>>>>>>
>>>>>> records.config
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # System Variables
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.proxy_name STRING proxy.thelounge.net
>>>>>> CONFIG proxy.config.config_dir STRING /etc/trafficserver
>>>>>> CONFIG proxy.config.proxy_binary_opts STRING -M
>>>>>> CONFIG proxy.config.temp_dir STRING /tmp
>>>>>> CONFIG proxy.config.alarm_email STRING ats
>>>>>> CONFIG proxy.config.syslog_facility STRING LOG_DAEMON
>>>>>> CONFIG proxy.config.output.logfile STRING traffic.out
>>>>>> CONFIG proxy.config.snapshot_dir STRING snapshots
>>>>>> CONFIG proxy.config.system.mmap_max INT 2097152
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # Main threads configuration (worker threads). Also see configurations
>>>>>> for  #
>>>>>> # SSL threads, disk I/O threads and task threads in their respective
>>>>>> areas  #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.exec_thread.autoconfig INT 0
>>>>>> CONFIG proxy.config.exec_thread.limit INT 4
>>>>>> CONFIG proxy.config.exec_thread.affinity INT 1
>>>>>> CONFIG proxy.config.accept_threads INT 0
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # Local Manager
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.admin.admin_user STRING admin
>>>>>> CONFIG proxy.config.admin.number_config_bak INT 0
>>>>>> CONFIG proxy.config.admin.user_id STRING ats
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # Process Manager
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.admin.autoconf_port INT 8083
>>>>>> CONFIG proxy.config.process_manager.mgmt_port INT 8084
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # HTTP Engine
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.http.server_ports STRING 80 443:ssl
>>>>>> CONFIG proxy.config.http.connect_ports STRING 80
>>>>>> CONFIG proxy.config.http.insert_request_via_str INT 0
>>>>>> CONFIG proxy.config.http.insert_response_via_str INT 0
>>>>>> CONFIG proxy.config.http.response_server_enabled INT 0
>>>>>> CONFIG proxy.config.http.insert_age_in_response INT 1
>>>>>> CONFIG proxy.config.http.enable_url_expandomatic INT 0
>>>>>> CONFIG proxy.config.http.no_dns_just_forward_to_parent INT 0
>>>>>> CONFIG proxy.config.http.uncacheable_requests_bypass_parent INT 0
>>>>>> CONFIG proxy.config.http.keep_alive_enabled_in INT 1
>>>>>> CONFIG proxy.config.http.keep_alive_enabled_out INT 1
>>>>>> CONFIG proxy.config.http.chunking_enabled INT 1
>>>>>> CONFIG proxy.config.http.chunking.size 64k
>>>>>> CONFIG proxy.config.http.send_http11_requests INT 1
>>>>>> CONFIG proxy.config.http.share_server_sessions INT 1
>>>>>> CONFIG proxy.config.http.origin_server_pipeline INT 1
>>>>>> CONFIG proxy.config.http.user_agent_pipeline INT 8
>>>>>> CONFIG proxy.config.http.referer_filter INT 0
>>>>>> CONFIG proxy.config.http.accept_unknown_methods INT 0
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # parent proxy configuration
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.http.parent_proxy_routing_enable INT 0
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # HTTP connection timeouts (secs)
>>>>>>         #
>>>>>> # out: proxy -> origin server connection
>>>>>>         #
>>>>>> # in : ua -> proxy connection
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.http.keep_alive_no_activity_timeout_in INT 1
>>>>>> CONFIG proxy.config.http.keep_alive_no_activity_timeout_out INT 1
>>>>>> CONFIG proxy.config.http.transaction_no_activity_timeout_in INT 60
>>>>>> CONFIG proxy.config.http.transaction_no_activity_timeout_out INT 60
>>>>>> CONFIG proxy.config.http.transaction_active_timeout_in INT 3600
>>>>>> CONFIG proxy.config.http.transaction_active_timeout_out INT 0
>>>>>> CONFIG proxy.config.http.accept_no_activity_timeout INT 1
>>>>>> CONFIG proxy.config.http.background_fill_active_timeout INT 0
>>>>>> CONFIG proxy.config.http.background_fill_completed_threshold FLOAT 0.0
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # origin server connect attempts
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.http.connect_attempts_max_retries INT 10
>>>>>> CONFIG proxy.config.http.connect_attempts_max_retries_dead_server
>>>>>> INT 10
>>>>>> CONFIG proxy.config.http.connect_attempts_rr_retries INT 10
>>>>>> CONFIG proxy.config.http.connect_attempts_timeout INT 30
>>>>>> CONFIG proxy.config.http.post_connect_attempts_timeout INT 1800
>>>>>> CONFIG proxy.config.http.down_server.cache_time INT 5
>>>>>> CONFIG proxy.config.http.down_server.abort_threshold INT 30
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # congestion control
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.http.congestion_control.enabled INT 0
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # negative response caching
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.http.negative_caching_enabled INT 1
>>>>>> CONFIG proxy.config.http.negative_caching_lifetime INT 1
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # proxy users variables
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.http.anonymize_remove_from INT 0
>>>>>> CONFIG proxy.config.http.anonymize_remove_referer INT 0
>>>>>> CONFIG proxy.config.http.anonymize_remove_user_agent INT 0
>>>>>> CONFIG proxy.config.http.anonymize_remove_cookie INT 0
>>>>>> CONFIG proxy.config.http.anonymize_remove_client_ip INT 0
>>>>>> CONFIG proxy.config.http.anonymize_insert_client_ip INT 0
>>>>>> CONFIG proxy.config.http.anonymize_other_header_list STRING NULL
>>>>>> CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # security
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.http.push_method_enabled INT 0
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # cache control
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.http.normalize_ae_gzip INT 1
>>>>>> CONFIG proxy.config.http.cache.http INT 1
>>>>>> CONFIG proxy.config.http.cache.cache_responses_to_cookies INT 3
>>>>>> CONFIG proxy.config.http.cache.cache_urls_that_look_dynamic INT 1
>>>>>> CONFIG proxy.config.http.cache.ims_on_client_no_cache INT 1
>>>>>> CONFIG proxy.config.http.cache.ignore_client_cc_max_age INT 0
>>>>>> CONFIG proxy.config.http.cache.ignore_client_no_cache INT 0
>>>>>> CONFIG proxy.config.http.cache.ignore_accept_mismatch INT 2
>>>>>> CONFIG proxy.config.http.cache.ignore_accept_language_mismatch INT 2
>>>>>> CONFIG proxy.config.http.cache.ignore_accept_encoding_mismatch INT 2
>>>>>> CONFIG proxy.config.http.cache.ignore_accept_charset_mismatch INT 2
>>>>>> CONFIG proxy.config.http.cache.ignore_server_no_cache INT 0
>>>>>> CONFIG proxy.config.http.cache.ignore_authentication INT 0
>>>>>> CONFIG proxy.config.http.cache.enable_default_vary_headers INT 0
>>>>>> CONFIG proxy.config.http.cache.when_to_revalidate INT 0
>>>>>> CONFIG proxy.config.http.cache.when_to_add_no_cache_to_msie_requests
>>>>>> INT 0
>>>>>> CONFIG proxy.config.http.cache.required_headers INT 0
>>>>>> CONFIG proxy.config.http.cache.max_stale_age INT 1800
>>>>>> CONFIG proxy.config.http.cache.range.lookup INT 0
>>>>>> CONFIG proxy.config.cache.vary_on_user_agent INT 0
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # heuristic expiration
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.http.cache.heuristic_min_lifetime INT 60
>>>>>> CONFIG proxy.config.http.cache.heuristic_max_lifetime INT 60
>>>>>> CONFIG proxy.config.http.cache.heuristic_lm_factor FLOAT 0.100000
>>>>>> CONFIG proxy.config.http.cache.fuzz.time INT 60
>>>>>> CONFIG proxy.config.http.cache.fuzz.probability FLOAT 0.005000
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # dynamic content & content negotiation
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.http.cache.vary_default_text STRING
>>>>>> Accept-Encoding
>>>>>> CONFIG proxy.config.http.cache.vary_default_images STRING NULL
>>>>>> CONFIG proxy.config.http.cache.vary_default_other STRING NULL
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # The HTTP stats are expensive; turn them off if you don't need them
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.http.enable_http_stats INT 0
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # Customizable User Response Pages
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.body_factory.enable_customizations INT 1
>>>>>> CONFIG proxy.config.body_factory.enable_logging INT 0
>>>>>> CONFIG proxy.config.body_factory.response_suppression_mode INT 0
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # Net Subsystem
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.net.connections_throttle INT 30000
>>>>>> CONFIG proxy.config.net.defer_accept INT 1
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # Cluster Subsystem
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> LOCAL proxy.local.cluster.type INT 3
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # Cache
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.cache.permit.pinning INT 0
>>>>>> CONFIG proxy.config.cache.ram_cache.size INT 2560M
>>>>>> CONFIG proxy.config.cache.ram_cache_cutoff INT 512K
>>>>>> CONFIG proxy.config.cache.ram_cache.algorithm INT 1
>>>>>> CONFIG proxy.config.cache.ram_cache.use_seen_filter INT 0
>>>>>> CONFIG proxy.config.cache.ram_cache.compress INT 0
>>>>>> CONFIG proxy.config.cache.limits.http.max_alts INT 10
>>>>>> CONFIG proxy.config.cache.target_fragment_size INT 262144
>>>>>> CONFIG proxy.config.cache.max_doc_size INT 0
>>>>>> CONFIG proxy.config.cache.enable_read_while_writer INT 1
>>>>>> CONFIG proxy.config.connection_collapsing.hashtable_enabled INT 1
>>>>>> CONFIG proxy.config.cache.min_average_object_size INT 32K
>>>>>> CONFIG proxy.config.cache.threads_per_disk INT 8
>>>>>> CONFIG proxy.config.cache.mutex_retry_delay INT 10
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # DNS
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.dns.search_default_domains INT 1
>>>>>> CONFIG proxy.config.dns.splitDNS.enabled INT 0
>>>>>> CONFIG proxy.config.dns.max_dns_in_flight INT 2048
>>>>>> CONFIG proxy.config.dns.url_expansions STRING NULL
>>>>>> CONFIG proxy.config.dns.round_robin_nameservers INT 0
>>>>>> CONFIG proxy.config.dns.nameservers STRING 127.0.0.1
>>>>>> CONFIG proxy.config.dns.resolv_conf STRING NULL
>>>>>> CONFIG proxy.config.dns.validate_query_name INT 0
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # HostDB
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.hostdb.size INT 50000
>>>>>> CONFIG proxy.config.hostdb.storage_size INT 14680064
>>>>>> CONFIG proxy.config.hostdb.ttl_mode INT 1
>>>>>> CONFIG proxy.config.hostdb.timeout INT 60
>>>>>> CONFIG proxy.config.hostdb.strict_round_robin INT 0
>>>>>> CONFIG proxy.config.hostdb.host_file.path STRING /etc/hosts.dnsmasq
>>>>>> CONFIG proxy.config.hostdb.host_file.interval INT 3600
>>>>>> CONFIG proxy.config.hostdb.ip_resolve STRING ipv4;none
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # Logging Config
>>>>>>         #
>>>>>> #
>>>>>>         #
>>>>>> # 0: no logging at all
>>>>>>         #
>>>>>> # 1: log errors only
>>>>>>         #
>>>>>> # 2: log transactions only
>>>>>>         #
>>>>>> # 3: full logging (errors + transactions)
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> LOCAL proxy.local.log.collation_mode INT 0
>>>>>> CONFIG proxy.config.log.logging_enabled INT 1
>>>>>> CONFIG proxy.config.log.max_secs_per_buffer INT 5
>>>>>> CONFIG proxy.config.log.max_space_mb_for_logs INT 25000
>>>>>> CONFIG proxy.config.log.max_space_mb_for_orphan_logs INT 25
>>>>>> CONFIG proxy.config.log.max_space_mb_headroom INT 1000
>>>>>> CONFIG proxy.config.log.hostname STRING localhost
>>>>>> CONFIG proxy.config.log.logfile_dir STRING /var/log/trafficserver
>>>>>> CONFIG proxy.config.log.logfile_perm STRING rw-rw----
>>>>>> CONFIG proxy.config.log.custom_logs_enabled INT 0
>>>>>> CONFIG proxy.config.log.squid_log_enabled INT 0
>>>>>> CONFIG proxy.config.log.squid_log_is_ascii INT 0
>>>>>> CONFIG proxy.config.log.squid_log_name STRING squid
>>>>>> CONFIG proxy.config.log.squid_log_header STRING NULL
>>>>>> CONFIG proxy.config.log.common_log_enabled INT 0
>>>>>> CONFIG proxy.config.log.common_log_is_ascii INT 1
>>>>>> CONFIG proxy.config.log.common_log_name STRING common
>>>>>> CONFIG proxy.config.log.common_log_header STRING NULL
>>>>>> CONFIG proxy.config.log.extended_log_enabled INT 0
>>>>>> CONFIG proxy.config.log.extended_log_is_ascii INT 0
>>>>>> CONFIG proxy.config.log.extended_log_name STRING extended
>>>>>> CONFIG proxy.config.log.extended_log_header STRING NULL
>>>>>> CONFIG proxy.config.log.extended2_log_enabled INT 0
>>>>>> CONFIG proxy.config.log.extended2_log_is_ascii INT 1
>>>>>> CONFIG proxy.config.log.extended2_log_name STRING extended2
>>>>>> CONFIG proxy.config.log.extended2_log_header STRING NULL
>>>>>> CONFIG proxy.config.log.separate_icp_logs INT 0
>>>>>> CONFIG proxy.config.log.separate_host_logs INT 0
>>>>>> CONFIG proxy.config.log.collation_host STRING NULL
>>>>>> CONFIG proxy.config.log.collation_port INT 8085
>>>>>> CONFIG proxy.config.log.collation_secret STRING foobar
>>>>>> CONFIG proxy.config.log.collation_host_tagged INT 0
>>>>>> CONFIG proxy.config.log.collation_retry_sec INT 5
>>>>>> CONFIG proxy.config.log.rolling_enabled INT 1
>>>>>> CONFIG proxy.config.log.rolling_interval_sec INT 86400
>>>>>> CONFIG proxy.config.log.rolling_offset_hr INT 0
>>>>>> CONFIG proxy.config.log.rolling_size_mb INT 10
>>>>>> CONFIG proxy.config.log.auto_delete_rolled_files INT 1
>>>>>> CONFIG proxy.config.log.sampling_frequency INT 1
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # Reverse Proxy
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.reverse_proxy.enabled INT 1
>>>>>> CONFIG proxy.config.header.parse.no_host_url_redirect STRING NULL
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # URL Remap Rules
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.url_remap.default_to_server_pac INT 0
>>>>>> CONFIG proxy.config.url_remap.default_to_server_pac_port INT -1
>>>>>> CONFIG proxy.config.url_remap.remap_required INT 1
>>>>>> CONFIG proxy.config.url_remap.pristine_host_hdr INT 1
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # ICP Configuration
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.icp.enabled INT 0
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # Scheduled Update Configuration
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.update.enabled INT 0
>>>>>> CONFIG proxy.config.update.force INT 0
>>>>>> CONFIG proxy.config.update.retry_count INT 10
>>>>>> CONFIG proxy.config.update.retry_interval INT 2
>>>>>> CONFIG proxy.config.update.concurrent_updates INT 100
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # Socket send/recv buffer sizes; 0 == don't call setsockopt()
>>>>>>         #
>>>>>> # out: proxy -> os connection
>>>>>>         #
>>>>>> # in : ua -> proxy connection
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.net.sock_send_buffer_size_in INT 65536
>>>>>> CONFIG proxy.config.net.sock_recv_buffer_size_in INT 65536
>>>>>> CONFIG proxy.config.net.sock_option_flag_in INT 1
>>>>>> CONFIG proxy.config.net.sock_send_buffer_size_out INT 65536
>>>>>> CONFIG proxy.config.net.sock_recv_buffer_size_out INT 65536
>>>>>> CONFIG proxy.config.net.sock_option_flag_out INT 1
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # User Overridden Configurations Below
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.core_limit INT -1
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # Debugging
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.diags.debug.enabled INT 0
>>>>>> CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*
>>>>>> CONFIG proxy.config.dump_mem_info_frequency INT 0
>>>>>> CONFIG proxy.config.stack_dump_enabled 0
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # Log any request that takes more than x milliseconds; needs
>>>>>>         #
>>>>>> # to be > 0 to be enabled
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.http.slow.log.threshold INT 0
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # Thread pool for "misc" tasks, plugins etc. 2 is a good minimum
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.task_threads INT 2
>>>>>> CONFIG proxy.config.cluster.cluster_configuration STRING
>>>>>> cluster.config
>>>>>> CONFIG proxy.config.body_factory.template_sets_dir STRING
>>>>>> /etc/trafficserver/body_factory
>>>>>>
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> # SSL/TLS
>>>>>>         #
>>>>>>
>> ##############################################################################
>>>>>>
>>>>>> CONFIG proxy.config.ssl.SSLv2 INT 0
>>>>>> CONFIG proxy.config.ssl.SSLv3 INT 0
>>>>>> CONFIG proxy.config.ssl.TLSv1 INT 1
>>>>>> CONFIG proxy.config.ssl.TLSv1_1 INT 1
>>>>>> CONFIG proxy.config.ssl.TLSv1_2 INT 1
>>>>>> CONFIG proxy.config.ssl.client.SSLv2 INT 1
>>>>>> CONFIG proxy.config.ssl.client.SSLv3 INT 1
>>>>>> CONFIG proxy.config.ssl.client.TLSv1 INT 1
>>>>>> CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
>>>>>> CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
>>>>>> CONFIG proxy.config.ssl.client.certification_level INT 0
>>>>>> CONFIG proxy.config.ssl.server.multicert.filename STRING
>>>>>> ssl_multicert.config
>>>>>> CONFIG proxy.config.ssl.server.cert.path STRING
>>>>>> /etc/trafficserver/ssl/
>>>>>> CONFIG proxy.config.ssl.server.private_key.path STRING
>>>>>> /etc/trafficserver/ssl/
>>>>>> CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
>>>>>> CONFIG proxy.config.ssl.server.cipher_suite STRING
>>>>>>
>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
>>>>>>
>>>>>> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
>>>>>> CONFIG proxy.config.ssl.server.dhparams_file STRING
>>>>>> /etc/trafficserver/ssl/dhparams.pem
>>


Re: 5.3.0: TLS completly broken (reverse-proxy)

Posted by Phil Sorber <ph...@sorber.net>.
On Tue, May 26, 2015 at 1:53 PM Susan Hinrichs <
shinrich@network-geographics.com> wrote:

> Hmm.  I just ran ssllabs against
> https://docs.trafficserver.apache.org/en/latest/ which is running 5.3.x
> (which I think is the same as 5.3.0).  All was happy.  Will need to look
> more closely at your records.config.   Good to know that running sslscan
> locally also produces the problem.  Should get this figured out before
> you need to move up to 5.3.x.
>

Susan, were you able to reproduce this?


>
> On 5/26/2015 2:40 PM, Reindl Harald wrote:
> >
> >
> > Am 26.05.2015 um 21:32 schrieb Susan Hinrichs:
> >> Hi Riendl,
> >>
> >> I'll have to try to reproduce from outside the office.
> >>
> >> If I understand you correctly, you can access the server behind ATS ok.
> >> Then you do the ssllabs scan (which fails badly).  Then your browser can
> >> no longer access the server.
> >>
> >> Definitely sounds like badness.
> >
> > forget the server behind ATS, there are multiple and they are innocent
> >
> > * ATS 5.3.0 seems to work fine in the browser
> > * ssllabs says no connection
> > * the same host no longer responds in the browser
> > * other reverse proxy hosts appears to work still fine
> > * ssllabs them, they are also gone
> > * it's not only ssllabs, local sslscan to ATS kills it also
> > * the error Firefox reports is "no shared ciphers", i.e. the TLS handshake
> >   fails because the server offers no cipher suite the client accepts
> >
> > something seems to go terribly wrong with multiple TLS hosts: some of
> > them are configured for TLS offloading only, some of them also use TLS to
> > the origin (because a backend CMS does not handle external offloading
> > properly), and there is a mix of our wildcard certificate and host-specific ones
> >
> > luckily I noticed that very soon and built 5.2.1 for Fedora 21
> > (x86_64), which was also running under F20 on that machine
> >
> > no time to dig deeper into that because I am in the middle of dist-upgrades
> > for around 30 servers and ATS was the only problem so far; luckily 5.2.1
> > still works fine
> >
> >> On 5/26/2015 2:22 PM, Reindl Harald wrote:
> >>>
> >>>
> >>> Am 26.05.2015 um 21:04 schrieb Dave Thompson:
> >>>> Hi Riendl,
> >>>>
> >>>> More details regarding host might help, though if the issue is related
> >>>> to having an external scanner contact an internal ATS, you can test
> >>>> TCP
> >>>> connectivity with just a 'telnet hostname port'.
> >>>
> >>> TLS is fucked up, nobody talks about an internal host
> >>>
> >>>> To test the SSL handshake, you might alternatively try:
> >>>> openssl s_client -connect login.yahoo.com:443 < /dev/null
> >>>> (add -servername <host> so the handshake exercises the SNI host you are
> >>>> actually testing, since the problem appears to be per SNI host)
> >>>>
> >>>> If you're trying an internal scan to something that ssllabs.com can't
> >>>> access, you might be interested in checking out:
> >>>> yo/checkmyssl
> >>>
> >>> uhm, that is and was a production server running as a reverse proxy and
> >>> reachable from ssllabs - the point is that *after* ssllabs tries to scan
> >>> the host, the page is dead and Firefox complains about "no shared ciphers"
> >>>
> >>> please read again my post!
> >>>
> >>> for me that's now resolved by downgrading to 5.2.1, and all is fine as
> >>> before with nothing else changed
> >>>
> >>>> On Tuesday, May 26, 2015 1:34 PM, Reindl Harald
> >>>> <h....@thelounge.net>
> >>>> wrote:
> >>>>
> >>>>
> >>>> i recently did a dist-upgrade to Fedora 21 and at that time decided to
> >>>> upgrade ATS to 5.3.0 since load-tests without encryption where fine
> >>>>
> >>>> well, https://www.ssllabs.com/ssltest/
> >>>> <https://www.ssllabs.com/ssltest/>says no connection, after that
> >>>> Firefox previously displayed the page said "no shared ciphers" at
> >>>> reload, local "sslcsan" is more than strange - in other words: as soon
> >>>> as you start to scan the server for ssl ciphers something goes
> >>>> terrible
> >>>> wrong
> >>>>
> >>>> it happens that another SNI host still works, until you try to scan
> >>>> it too
> >>>>
> >>>> downgrade to 5.2.1 and all is fine again
> >>>> P.S.: the download page should not only list a .0 release
> >>>> ______________________________________________
> >>>>
> >>>> without changing the environment these different results for "sslscan
> >>>> host:443" should be impossible
> >>>>
> >>>>    Preferred Server Cipher(s):
> >>>>      SSLv2  0 bits    (NONE)
> >>>>      SSLv3  0 bits    (NONE)
> >>>>      TLSv1  0 bits    (NONE)
> >>>>      TLS11  0 bits    (NONE)
> >>>>      TLS12  0 bits    (NONE)
> >>>>
> >>>>    Preferred Server Cipher(s):
> >>>>      SSLv2  0 bits    (NONE)
> >>>>      SSLv3  0 bits    (NONE)
> >>>>      TLSv1  0 bits    (NONE)
> >>>>      TLS11  0 bits    (NONE)
> >>>>      TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
> >>>> ______________________________________________
> >>>>
> >>>> 5.2.1:
> >>>>
> >>>>    Preferred Server Cipher(s):
> >>>>      SSLv2  0 bits    (NONE)
> >>>>      SSLv3  0 bits    (NONE)
> >>>>      TLSv1  128 bits  ECDHE-RSA-AES128-SHA
> >>>>      TLS11  128 bits  ECDHE-RSA-AES128-SHA
> >>>>      TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
> >>>> ______________________________________________
> >>>>
> >>>> records.config
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # System Variables
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.proxy_name STRING proxy.thelounge.net
> >>>> CONFIG proxy.config.config_dir STRING /etc/trafficserver
> >>>> CONFIG proxy.config.proxy_binary_opts STRING -M
> >>>> CONFIG proxy.config.temp_dir STRING /tmp
> >>>> CONFIG proxy.config.alarm_email STRING ats
> >>>> CONFIG proxy.config.syslog_facility STRING LOG_DAEMON
> >>>> CONFIG proxy.config.output.logfile STRING traffic.out
> >>>> CONFIG proxy.config.snapshot_dir STRING snapshots
> >>>> CONFIG proxy.config.system.mmap_max INT 2097152
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # Main threads configuration (worker threads). Also see configurations
> >>>> for  #
> >>>> # SSL threads, disk I/O threads and task threads in their respective
> >>>> areas  #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.exec_thread.autoconfig INT 0
> >>>> CONFIG proxy.config.exec_thread.limit INT 4
> >>>> CONFIG proxy.config.exec_thread.affinity INT 1
> >>>> CONFIG proxy.config.accept_threads INT 0
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # Local Manager
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.admin.admin_user STRING admin
> >>>> CONFIG proxy.config.admin.number_config_bak INT 0
> >>>> CONFIG proxy.config.admin.user_id STRING ats
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # Process Manager
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.admin.autoconf_port INT 8083
> >>>> CONFIG proxy.config.process_manager.mgmt_port INT 8084
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # HTTP Engine
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.http.server_ports STRING 80 443:ssl
> >>>> CONFIG proxy.config.http.connect_ports STRING 80
> >>>> CONFIG proxy.config.http.insert_request_via_str INT 0
> >>>> CONFIG proxy.config.http.insert_response_via_str INT 0
> >>>> CONFIG proxy.config.http.response_server_enabled INT 0
> >>>> CONFIG proxy.config.http.insert_age_in_response INT 1
> >>>> CONFIG proxy.config.http.enable_url_expandomatic INT 0
> >>>> CONFIG proxy.config.http.no_dns_just_forward_to_parent INT 0
> >>>> CONFIG proxy.config.http.uncacheable_requests_bypass_parent INT 0
> >>>> CONFIG proxy.config.http.keep_alive_enabled_in INT 1
> >>>> CONFIG proxy.config.http.keep_alive_enabled_out INT 1
> >>>> CONFIG proxy.config.http.chunking_enabled INT 1
> >>>> CONFIG proxy.config.http.chunking.size 64k
> >>>> CONFIG proxy.config.http.send_http11_requests INT 1
> >>>> CONFIG proxy.config.http.share_server_sessions INT 1
> >>>> CONFIG proxy.config.http.origin_server_pipeline INT 1
> >>>> CONFIG proxy.config.http.user_agent_pipeline INT 8
> >>>> CONFIG proxy.config.http.referer_filter INT 0
> >>>> CONFIG proxy.config.http.accept_unknown_methods INT 0
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # parent proxy configuration
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.http.parent_proxy_routing_enable INT 0
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # HTTP connection timeouts (secs)
> >>>>        #
> >>>> # out: proxy -> origin server connection
> >>>>        #
> >>>> # in : ua -> proxy connection
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.http.keep_alive_no_activity_timeout_in INT 1
> >>>> CONFIG proxy.config.http.keep_alive_no_activity_timeout_out INT 1
> >>>> CONFIG proxy.config.http.transaction_no_activity_timeout_in INT 60
> >>>> CONFIG proxy.config.http.transaction_no_activity_timeout_out INT 60
> >>>> CONFIG proxy.config.http.transaction_active_timeout_in INT 3600
> >>>> CONFIG proxy.config.http.transaction_active_timeout_out INT 0
> >>>> CONFIG proxy.config.http.accept_no_activity_timeout INT 1
> >>>> CONFIG proxy.config.http.background_fill_active_timeout INT 0
> >>>> CONFIG proxy.config.http.background_fill_completed_threshold FLOAT 0.0
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # origin server connect attempts
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.http.connect_attempts_max_retries INT 10
> >>>> CONFIG proxy.config.http.connect_attempts_max_retries_dead_server
> >>>> INT 10
> >>>> CONFIG proxy.config.http.connect_attempts_rr_retries INT 10
> >>>> CONFIG proxy.config.http.connect_attempts_timeout INT 30
> >>>> CONFIG proxy.config.http.post_connect_attempts_timeout INT 1800
> >>>> CONFIG proxy.config.http.down_server.cache_time INT 5
> >>>> CONFIG proxy.config.http.down_server.abort_threshold INT 30
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # congestion control
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.http.congestion_control.enabled INT 0
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # negative response caching
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.http.negative_caching_enabled INT 1
> >>>> CONFIG proxy.config.http.negative_caching_lifetime INT 1
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # proxy users variables
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.http.anonymize_remove_from INT 0
> >>>> CONFIG proxy.config.http.anonymize_remove_referer INT 0
> >>>> CONFIG proxy.config.http.anonymize_remove_user_agent INT 0
> >>>> CONFIG proxy.config.http.anonymize_remove_cookie INT 0
> >>>> CONFIG proxy.config.http.anonymize_remove_client_ip INT 0
> >>>> CONFIG proxy.config.http.anonymize_insert_client_ip INT 0
> >>>> CONFIG proxy.config.http.anonymize_other_header_list STRING NULL
> >>>> CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # security
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.http.push_method_enabled INT 0
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # cache control
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.http.normalize_ae_gzip INT 1
> >>>> CONFIG proxy.config.http.cache.http INT 1
> >>>> CONFIG proxy.config.http.cache.cache_responses_to_cookies INT 3
> >>>> CONFIG proxy.config.http.cache.cache_urls_that_look_dynamic INT 1
> >>>> CONFIG proxy.config.http.cache.ims_on_client_no_cache INT 1
> >>>> CONFIG proxy.config.http.cache.ignore_client_cc_max_age INT 0
> >>>> CONFIG proxy.config.http.cache.ignore_client_no_cache INT 0
> >>>> CONFIG proxy.config.http.cache.ignore_accept_mismatch INT 2
> >>>> CONFIG proxy.config.http.cache.ignore_accept_language_mismatch INT 2
> >>>> CONFIG proxy.config.http.cache.ignore_accept_encoding_mismatch INT 2
> >>>> CONFIG proxy.config.http.cache.ignore_accept_charset_mismatch INT 2
> >>>> CONFIG proxy.config.http.cache.ignore_server_no_cache INT 0
> >>>> CONFIG proxy.config.http.cache.ignore_authentication INT 0
> >>>> CONFIG proxy.config.http.cache.enable_default_vary_headers INT 0
> >>>> CONFIG proxy.config.http.cache.when_to_revalidate INT 0
> >>>> CONFIG proxy.config.http.cache.when_to_add_no_cache_to_msie_requests
> >>>> INT 0
> >>>> CONFIG proxy.config.http.cache.required_headers INT 0
> >>>> CONFIG proxy.config.http.cache.max_stale_age INT 1800
> >>>> CONFIG proxy.config.http.cache.range.lookup INT 0
> >>>> CONFIG proxy.config.cache.vary_on_user_agent INT 0
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # heuristic expiration
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.http.cache.heuristic_min_lifetime INT 60
> >>>> CONFIG proxy.config.http.cache.heuristic_max_lifetime INT 60
> >>>> CONFIG proxy.config.http.cache.heuristic_lm_factor FLOAT 0.100000
> >>>> CONFIG proxy.config.http.cache.fuzz.time INT 60
> >>>> CONFIG proxy.config.http.cache.fuzz.probability FLOAT 0.005000
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # dynamic content & content negotiation
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.http.cache.vary_default_text STRING
> >>>> Accept-Encoding
> >>>> CONFIG proxy.config.http.cache.vary_default_images STRING NULL
> >>>> CONFIG proxy.config.http.cache.vary_default_other STRING NULL
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # The HTTP stats are expensive, turn off you dont need them
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.http.enable_http_stats INT 0
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # Customizable User Response Pages
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.body_factory.enable_customizations INT 1
> >>>> CONFIG proxy.config.body_factory.enable_logging INT 0
> >>>> CONFIG proxy.config.body_factory.response_suppression_mode INT 0
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # Net Subsystem
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.net.connections_throttle INT 30000
> >>>> CONFIG proxy.config.net.defer_accept INT 1
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # Cluster Subsystem
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> LOCAL proxy.local.cluster.type INT 3
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # Cache
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.cache.permit.pinning INT 0
> >>>> CONFIG proxy.config.cache.ram_cache.size INT 2560M
> >>>> CONFIG proxy.config.cache.ram_cache_cutoff INT 512K
> >>>> CONFIG proxy.config.cache.ram_cache.algorithm INT 1
> >>>> CONFIG proxy.config.cache.ram_cache.use_seen_filter INT 0
> >>>> CONFIG proxy.config.cache.ram_cache.compress INT 0
> >>>> CONFIG proxy.config.cache.limits.http.max_alts INT 10
> >>>> CONFIG proxy.config.cache.target_fragment_size INT 262144
> >>>> CONFIG proxy.config.cache.max_doc_size INT 0
> >>>> CONFIG proxy.config.cache.enable_read_while_writer INT 1
> >>>> CONFIG proxy.config.connection_collapsing.hashtable_enabled INT 1
> >>>> CONFIG proxy.config.cache.min_average_object_size INT 32K
> >>>> CONFIG proxy.config.cache.threads_per_disk INT 8
> >>>> CONFIG proxy.config.cache.mutex_retry_delay INT 10
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # DNS
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.dns.search_default_domains INT 1
> >>>> CONFIG proxy.config.dns.splitDNS.enabled INT 0
> >>>> CONFIG proxy.config.dns.max_dns_in_flight INT 2048
> >>>> CONFIG proxy.config.dns.url_expansions STRING NULL
> >>>> CONFIG proxy.config.dns.round_robin_nameservers INT 0
> >>>> CONFIG proxy.config.dns.nameservers STRING 127.0.0.1
> >>>> CONFIG proxy.config.dns.resolv_conf STRING NULL
> >>>> CONFIG proxy.config.dns.validate_query_name INT 0
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # HostDB
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.hostdb.size INT 50000
> >>>> CONFIG proxy.config.hostdb.storage_size INT 14680064
> >>>> CONFIG proxy.config.hostdb.ttl_mode INT 1
> >>>> CONFIG proxy.config.hostdb.timeout INT 60
> >>>> CONFIG proxy.config.hostdb.strict_round_robin INT 0
> >>>> CONFIG proxy.config.hostdb.host_file.path STRING /etc/hosts.dnsmasq
> >>>> CONFIG proxy.config.hostdb.host_file.interval INT 3600
> >>>> CONFIG proxy.config.hostdb.ip_resolve STRING ipv4;none
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # Logging Config
> >>>>        #
> >>>> #
> >>>>        #
> >>>> # 0: no logging at all
> >>>>        #
> >>>> # 1: log errors only
> >>>>        #
> >>>> # 2: log transactions only
> >>>>        #
> >>>> # 3: full logging (errors + transactions)
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> LOCAL proxy.local.log.collation_mode INT 0
> >>>> CONFIG proxy.config.log.logging_enabled INT 1
> >>>> CONFIG proxy.config.log.max_secs_per_buffer INT 5
> >>>> CONFIG proxy.config.log.max_space_mb_for_logs INT 25000
> >>>> CONFIG proxy.config.log.max_space_mb_for_orphan_logs INT 25
> >>>> CONFIG proxy.config.log.max_space_mb_headroom INT 1000
> >>>> CONFIG proxy.config.log.hostname STRING localhost
> >>>> CONFIG proxy.config.log.logfile_dir STRING /var/log/trafficserver
> >>>> CONFIG proxy.config.log.logfile_perm STRING rw-rw----
> >>>> CONFIG proxy.config.log.custom_logs_enabled INT 0
> >>>> CONFIG proxy.config.log.squid_log_enabled INT 0
> >>>> CONFIG proxy.config.log.squid_log_is_ascii INT 0
> >>>> CONFIG proxy.config.log.squid_log_name STRING squid
> >>>> CONFIG proxy.config.log.squid_log_header STRING NULL
> >>>> CONFIG proxy.config.log.common_log_enabled INT 0
> >>>> CONFIG proxy.config.log.common_log_is_ascii INT 1
> >>>> CONFIG proxy.config.log.common_log_name STRING common
> >>>> CONFIG proxy.config.log.common_log_header STRING NULL
> >>>> CONFIG proxy.config.log.extended_log_enabled INT 0
> >>>> CONFIG proxy.config.log.extended_log_is_ascii INT 0
> >>>> CONFIG proxy.config.log.extended_log_name STRING extended
> >>>> CONFIG proxy.config.log.extended_log_header STRING NULL
> >>>> CONFIG proxy.config.log.extended2_log_enabled INT 0
> >>>> CONFIG proxy.config.log.extended2_log_is_ascii INT 1
> >>>> CONFIG proxy.config.log.extended2_log_name STRING extended2
> >>>> CONFIG proxy.config.log.extended2_log_header STRING NULL
> >>>> CONFIG proxy.config.log.separate_icp_logs INT 0
> >>>> CONFIG proxy.config.log.separate_host_logs INT 0
> >>>> CONFIG proxy.config.log.collation_host STRING NULL
> >>>> CONFIG proxy.config.log.collation_port INT 8085
> >>>> CONFIG proxy.config.log.collation_secret STRING foobar
> >>>> CONFIG proxy.config.log.collation_host_tagged INT 0
> >>>> CONFIG proxy.config.log.collation_retry_sec INT 5
> >>>> CONFIG proxy.config.log.rolling_enabled INT 1
> >>>> CONFIG proxy.config.log.rolling_interval_sec INT 86400
> >>>> CONFIG proxy.config.log.rolling_offset_hr INT 0
> >>>> CONFIG proxy.config.log.rolling_size_mb INT 10
> >>>> CONFIG proxy.config.log.auto_delete_rolled_files INT 1
> >>>> CONFIG proxy.config.log.sampling_frequency INT 1
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # Reverse Proxy
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.reverse_proxy.enabled INT 1
> >>>> CONFIG proxy.config.header.parse.no_host_url_redirect STRING NULL
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # URL Remap Rules
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.url_remap.default_to_server_pac INT 0
> >>>> CONFIG proxy.config.url_remap.default_to_server_pac_port INT -1
> >>>> CONFIG proxy.config.url_remap.remap_required INT 1
> >>>> CONFIG proxy.config.url_remap.pristine_host_hdr INT 1
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # ICP Configuration
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.icp.enabled INT 0
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # Scheduled Update Configuration
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.update.enabled INT 0
> >>>> CONFIG proxy.config.update.force INT 0
> >>>> CONFIG proxy.config.update.retry_count INT 10
> >>>> CONFIG proxy.config.update.retry_interval INT 2
> >>>> CONFIG proxy.config.update.concurrent_updates INT 100
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # Socket send/recv buffer sizes 0 == dont call setsockopt()
> >>>>        #
> >>>> # out: proxy -> os connection
> >>>>        #
> >>>> # in : ua -> proxy connection
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.net.sock_send_buffer_size_in INT 65536
> >>>> CONFIG proxy.config.net.sock_recv_buffer_size_in INT 65536
> >>>> CONFIG proxy.config.net.sock_option_flag_in INT 1
> >>>> CONFIG proxy.config.net.sock_send_buffer_size_out INT 65536
> >>>> CONFIG proxy.config.net.sock_recv_buffer_size_out INT 65536
> >>>> CONFIG proxy.config.net.sock_option_flag_out INT 1
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # User Overridden Configurations Below
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.core_limit INT -1
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # Debugging
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.diags.debug.enabled INT 0
> >>>> CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*
> >>>> CONFIG proxy.config.dump_mem_info_frequency INT 0
> >>>> CONFIG proxy.config.stack_dump_enabled 0
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # Log any request that takes more then x number of milliseconds, needs
> >>>>        #
> >>>> # to be > 0 to be enabled
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.http.slow.log.threshold INT 0
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # Thread pool for "misc" tasks, plugins etc. 2 is a good minimum
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.task_threads INT 2
> >>>> CONFIG proxy.config.cluster.cluster_configuration STRING
> >>>> cluster.config
> >>>> CONFIG proxy.config.body_factory.template_sets_dir STRING
> >>>> /etc/trafficserver/body_factory
> >>>>
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> # SSL/TLS
> >>>>        #
> >>>>
> ##############################################################################
> >>>>
> >>>>
> >>>> CONFIG proxy.config.ssl.SSLv2 INT 0
> >>>> CONFIG proxy.config.ssl.SSLv3 INT 0
> >>>> CONFIG proxy.config.ssl.TLSv1 INT 1
> >>>> CONFIG proxy.config.ssl.TLSv1_1 INT 1
> >>>> CONFIG proxy.config.ssl.TLSv1_2 INT 1
> >>>> CONFIG proxy.config.ssl.client.SSLv2 INT 1
> >>>> CONFIG proxy.config.ssl.client.SSLv3 INT 1
> >>>> CONFIG proxy.config.ssl.client.TLSv1 INT 1
> >>>> CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
> >>>> CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
> >>>> CONFIG proxy.config.ssl.client.certification_level INT 0
> >>>> CONFIG proxy.config.ssl.server.multicert.filename STRING
> >>>> ssl_multicert.config
> >>>> CONFIG proxy.config.ssl.server.cert.path STRING
> >>>> /etc/trafficserver/ssl/
> >>>> CONFIG proxy.config.ssl.server.private_key.path STRING
> >>>> /etc/trafficserver/ssl/
> >>>> CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
> >>>> CONFIG proxy.config.ssl.server.cipher_suite STRING
> >>>>
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
> >>>>
> >>>>
> >>>> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> >>>> CONFIG proxy.config.ssl.server.dhparams_file STRING
> >>>> /etc/trafficserver/ssl/dhparams.pem
> >
>
>

Re: 5.3.0: TLS completly broken (reverse-proxy)

Posted by Susan Hinrichs <sh...@network-geographics.com>.
Hmm.  I just ran ssllabs against 
https://docs.trafficserver.apache.org/en/latest/ which is running 5.3.x 
(which I think is the same as 5.3.0).  All was happy.  Will need to look 
more closely at your records.config.   Good to know that running sslscan 
locally also produces the problem.  Should get this figured out before 
you need to move up to 5.3.x.

On 5/26/2015 2:40 PM, Reindl Harald wrote:
>
>
> Am 26.05.2015 um 21:32 schrieb Susan Hinrichs:
>> Hi Riendl,
>>
>> I'll have to try to reproduce from outside the office.
>>
>> If I understand you correctly, you can access the server behind ATS ok.
>> Then you do the ssllabs scan (which fails badly).  Then your browser can
>> no longer access the server.
>>
>> Definitely sounds like badness.
>
> forget the server behind ATS, there are multiple and they are innocent
>
> * ATS 5.3.0 seems to work fine in the browser
> * ssllabs says no connection
> * the same host no longer responds in the browser
> * other reverse proxy hosts appears to work still fine
> * ssllabs them, they are also gone
> * it's not only ssllabs, local sslscan to ATS kills it also
> * the problem is "no shared ciphers"
>
> something seems to go terribly wrong with multiple TLS hosts: some of 
> them are configured for just TLS offloading, some of them also use TLS to 
> the origin (because a backend CMS does not handle external offloading 
> properly), and there is a mix of our wildcard certificate and host-specific ones
>
> happily i recognized that very soon and built 5.2.1 for Fedora 21 
> (x86_64), which was also running with F20 on that machine
>
> no time to dig deeper into that because i am in the middle of dist-upgrades 
> for around 30 servers and ATS was the only problem until now; happily 5.2.1 
> still works fine
>
>> On 5/26/2015 2:22 PM, Reindl Harald wrote:
>>>
>>>
>>> Am 26.05.2015 um 21:04 schrieb Dave Thompson:
>>>> Hi Riendl,
>>>>
>>>> More details regarding the host might help, though if the issue is related
>>>> to having an external scanner contact an internal ATS, you can test 
>>>> TCP
>>>> connectivity with just 'telnet hostname port'.
>>>
>>> TLS is fucked up, nobody talks about an internal host
>>>
>>>> To test SSL handshake, you might alternatively try:
>>>> openssl s_client -connect login.yahoo.com:443 < /dev/null
>>>>
>>>> If you're trying an internal scan to something that ssllabs.com can't
>>>> access, you might be interested in checking out:
>>>> yo/checkmyssl
>>>
>>> uhm that is and was a production server running as a reverse proxy and
>>> reachable from ssllabs - the point is that *after* ssllabs tries to scan
>>> the host the page is dead and firefox complains about no shared ciphers
>>>
>>> please read again my post!
>>>
>>> for me that's now done by downgrade to 5.2.1 and all is fine as before
>>> with nothing else changed
>>>
>>>> On Tuesday, May 26, 2015 1:34 PM, Reindl Harald 
>>>> <h....@thelounge.net>
>>>> wrote:
>>>>
>>>>
>>>> i recently did a dist-upgrade to Fedora 21 and at that time decided to
>>>> upgrade ATS to 5.3.0 since load-tests without encryption were fine
>>>>
>>>> well, https://www.ssllabs.com/ssltest/
>>>> <https://www.ssllabs.com/ssltest/> says no connection, after that
>>>> Firefox, which previously displayed the page, said "no shared ciphers" at
>>>> reload, local "sslscan" is more than strange - in other words: as soon
>>>> as you start to scan the server for ssl ciphers something goes 
>>>> terribly
>>>> wrong
>>>>
>>>> it happens that another SNI host still works, until you try to scan
>>>> it too
>>>>
>>>> downgrade to 5.2.1 and all is fine again
>>>> P.S.: the download page should not only list a .0 release
>>>> ______________________________________________
>>>>
>>>> without changing the environment, these different results for "sslscan
>>>> host:443" should be impossible
>>>>
>>>>    Preferred Server Cipher(s):
>>>>      SSLv2  0 bits    (NONE)
>>>>      SSLv3  0 bits    (NONE)
>>>>      TLSv1  0 bits    (NONE)
>>>>      TLS11  0 bits    (NONE)
>>>>      TLS12  0 bits    (NONE)
>>>>
>>>>    Preferred Server Cipher(s):
>>>>      SSLv2  0 bits    (NONE)
>>>>      SSLv3  0 bits    (NONE)
>>>>      TLSv1  0 bits    (NONE)
>>>>      TLS11  0 bits    (NONE)
>>>>      TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
>>>> ______________________________________________
>>>>
>>>> 5.2.1:
>>>>
>>>>    Preferred Server Cipher(s):
>>>>      SSLv2  0 bits    (NONE)
>>>>      SSLv3  0 bits    (NONE)
>>>>      TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>>>>      TLS11  128 bits  ECDHE-RSA-AES128-SHA
>>>>      TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
>>>> ______________________________________________
>>>>
>>>> records.config
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # System Variables
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.proxy_name STRING proxy.thelounge.net
>>>> CONFIG proxy.config.config_dir STRING /etc/trafficserver
>>>> CONFIG proxy.config.proxy_binary_opts STRING -M
>>>> CONFIG proxy.config.temp_dir STRING /tmp
>>>> CONFIG proxy.config.alarm_email STRING ats
>>>> CONFIG proxy.config.syslog_facility STRING LOG_DAEMON
>>>> CONFIG proxy.config.output.logfile STRING traffic.out
>>>> CONFIG proxy.config.snapshot_dir STRING snapshots
>>>> CONFIG proxy.config.system.mmap_max INT 2097152
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # Main threads configuration (worker threads). Also see configurations
>>>> for  #
>>>> # SSL threads, disk I/O threads and task threads in their respective
>>>> areas  #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.exec_thread.autoconfig INT 0
>>>> CONFIG proxy.config.exec_thread.limit INT 4
>>>> CONFIG proxy.config.exec_thread.affinity INT 1
>>>> CONFIG proxy.config.accept_threads INT 0
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # Local Manager
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.admin.admin_user STRING admin
>>>> CONFIG proxy.config.admin.number_config_bak INT 0
>>>> CONFIG proxy.config.admin.user_id STRING ats
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # Process Manager
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.admin.autoconf_port INT 8083
>>>> CONFIG proxy.config.process_manager.mgmt_port INT 8084
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # HTTP Engine
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.http.server_ports STRING 80 443:ssl
>>>> CONFIG proxy.config.http.connect_ports STRING 80
>>>> CONFIG proxy.config.http.insert_request_via_str INT 0
>>>> CONFIG proxy.config.http.insert_response_via_str INT 0
>>>> CONFIG proxy.config.http.response_server_enabled INT 0
>>>> CONFIG proxy.config.http.insert_age_in_response INT 1
>>>> CONFIG proxy.config.http.enable_url_expandomatic INT 0
>>>> CONFIG proxy.config.http.no_dns_just_forward_to_parent INT 0
>>>> CONFIG proxy.config.http.uncacheable_requests_bypass_parent INT 0
>>>> CONFIG proxy.config.http.keep_alive_enabled_in INT 1
>>>> CONFIG proxy.config.http.keep_alive_enabled_out INT 1
>>>> CONFIG proxy.config.http.chunking_enabled INT 1
>>>> CONFIG proxy.config.http.chunking.size 64k
>>>> CONFIG proxy.config.http.send_http11_requests INT 1
>>>> CONFIG proxy.config.http.share_server_sessions INT 1
>>>> CONFIG proxy.config.http.origin_server_pipeline INT 1
>>>> CONFIG proxy.config.http.user_agent_pipeline INT 8
>>>> CONFIG proxy.config.http.referer_filter INT 0
>>>> CONFIG proxy.config.http.accept_unknown_methods INT 0
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # parent proxy configuration
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.http.parent_proxy_routing_enable INT 0
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # HTTP connection timeouts (secs)
>>>>        #
>>>> # out: proxy -> origin server connection
>>>>        #
>>>> # in : ua -> proxy connection
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.http.keep_alive_no_activity_timeout_in INT 1
>>>> CONFIG proxy.config.http.keep_alive_no_activity_timeout_out INT 1
>>>> CONFIG proxy.config.http.transaction_no_activity_timeout_in INT 60
>>>> CONFIG proxy.config.http.transaction_no_activity_timeout_out INT 60
>>>> CONFIG proxy.config.http.transaction_active_timeout_in INT 3600
>>>> CONFIG proxy.config.http.transaction_active_timeout_out INT 0
>>>> CONFIG proxy.config.http.accept_no_activity_timeout INT 1
>>>> CONFIG proxy.config.http.background_fill_active_timeout INT 0
>>>> CONFIG proxy.config.http.background_fill_completed_threshold FLOAT 0.0
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # origin server connect attempts
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.http.connect_attempts_max_retries INT 10
>>>> CONFIG proxy.config.http.connect_attempts_max_retries_dead_server 
>>>> INT 10
>>>> CONFIG proxy.config.http.connect_attempts_rr_retries INT 10
>>>> CONFIG proxy.config.http.connect_attempts_timeout INT 30
>>>> CONFIG proxy.config.http.post_connect_attempts_timeout INT 1800
>>>> CONFIG proxy.config.http.down_server.cache_time INT 5
>>>> CONFIG proxy.config.http.down_server.abort_threshold INT 30
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # congestion control
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.http.congestion_control.enabled INT 0
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # negative response caching
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.http.negative_caching_enabled INT 1
>>>> CONFIG proxy.config.http.negative_caching_lifetime INT 1
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # proxy users variables
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.http.anonymize_remove_from INT 0
>>>> CONFIG proxy.config.http.anonymize_remove_referer INT 0
>>>> CONFIG proxy.config.http.anonymize_remove_user_agent INT 0
>>>> CONFIG proxy.config.http.anonymize_remove_cookie INT 0
>>>> CONFIG proxy.config.http.anonymize_remove_client_ip INT 0
>>>> CONFIG proxy.config.http.anonymize_insert_client_ip INT 0
>>>> CONFIG proxy.config.http.anonymize_other_header_list STRING NULL
>>>> CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # security
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.http.push_method_enabled INT 0
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # cache control
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.http.normalize_ae_gzip INT 1
>>>> CONFIG proxy.config.http.cache.http INT 1
>>>> CONFIG proxy.config.http.cache.cache_responses_to_cookies INT 3
>>>> CONFIG proxy.config.http.cache.cache_urls_that_look_dynamic INT 1
>>>> CONFIG proxy.config.http.cache.ims_on_client_no_cache INT 1
>>>> CONFIG proxy.config.http.cache.ignore_client_cc_max_age INT 0
>>>> CONFIG proxy.config.http.cache.ignore_client_no_cache INT 0
>>>> CONFIG proxy.config.http.cache.ignore_accept_mismatch INT 2
>>>> CONFIG proxy.config.http.cache.ignore_accept_language_mismatch INT 2
>>>> CONFIG proxy.config.http.cache.ignore_accept_encoding_mismatch INT 2
>>>> CONFIG proxy.config.http.cache.ignore_accept_charset_mismatch INT 2
>>>> CONFIG proxy.config.http.cache.ignore_server_no_cache INT 0
>>>> CONFIG proxy.config.http.cache.ignore_authentication INT 0
>>>> CONFIG proxy.config.http.cache.enable_default_vary_headers INT 0
>>>> CONFIG proxy.config.http.cache.when_to_revalidate INT 0
>>>> CONFIG proxy.config.http.cache.when_to_add_no_cache_to_msie_requests
>>>> INT 0
>>>> CONFIG proxy.config.http.cache.required_headers INT 0
>>>> CONFIG proxy.config.http.cache.max_stale_age INT 1800
>>>> CONFIG proxy.config.http.cache.range.lookup INT 0
>>>> CONFIG proxy.config.cache.vary_on_user_agent INT 0
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # heuristic expiration
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.http.cache.heuristic_min_lifetime INT 60
>>>> CONFIG proxy.config.http.cache.heuristic_max_lifetime INT 60
>>>> CONFIG proxy.config.http.cache.heuristic_lm_factor FLOAT 0.100000
>>>> CONFIG proxy.config.http.cache.fuzz.time INT 60
>>>> CONFIG proxy.config.http.cache.fuzz.probability FLOAT 0.005000
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # dynamic content & content negotiation
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.http.cache.vary_default_text STRING 
>>>> Accept-Encoding
>>>> CONFIG proxy.config.http.cache.vary_default_images STRING NULL
>>>> CONFIG proxy.config.http.cache.vary_default_other STRING NULL
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # The HTTP stats are expensive, turn off you dont need them
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.http.enable_http_stats INT 0
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # Customizable User Response Pages
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.body_factory.enable_customizations INT 1
>>>> CONFIG proxy.config.body_factory.enable_logging INT 0
>>>> CONFIG proxy.config.body_factory.response_suppression_mode INT 0
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # Net Subsystem
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.net.connections_throttle INT 30000
>>>> CONFIG proxy.config.net.defer_accept INT 1
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # Cluster Subsystem
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> LOCAL proxy.local.cluster.type INT 3
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # Cache
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.cache.permit.pinning INT 0
>>>> CONFIG proxy.config.cache.ram_cache.size INT 2560M
>>>> CONFIG proxy.config.cache.ram_cache_cutoff INT 512K
>>>> CONFIG proxy.config.cache.ram_cache.algorithm INT 1
>>>> CONFIG proxy.config.cache.ram_cache.use_seen_filter INT 0
>>>> CONFIG proxy.config.cache.ram_cache.compress INT 0
>>>> CONFIG proxy.config.cache.limits.http.max_alts INT 10
>>>> CONFIG proxy.config.cache.target_fragment_size INT 262144
>>>> CONFIG proxy.config.cache.max_doc_size INT 0
>>>> CONFIG proxy.config.cache.enable_read_while_writer INT 1
>>>> CONFIG proxy.config.connection_collapsing.hashtable_enabled INT 1
>>>> CONFIG proxy.config.cache.min_average_object_size INT 32K
>>>> CONFIG proxy.config.cache.threads_per_disk INT 8
>>>> CONFIG proxy.config.cache.mutex_retry_delay INT 10
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # DNS
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.dns.search_default_domains INT 1
>>>> CONFIG proxy.config.dns.splitDNS.enabled INT 0
>>>> CONFIG proxy.config.dns.max_dns_in_flight INT 2048
>>>> CONFIG proxy.config.dns.url_expansions STRING NULL
>>>> CONFIG proxy.config.dns.round_robin_nameservers INT 0
>>>> CONFIG proxy.config.dns.nameservers STRING 127.0.0.1
>>>> CONFIG proxy.config.dns.resolv_conf STRING NULL
>>>> CONFIG proxy.config.dns.validate_query_name INT 0
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # HostDB
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.hostdb.size INT 50000
>>>> CONFIG proxy.config.hostdb.storage_size INT 14680064
>>>> CONFIG proxy.config.hostdb.ttl_mode INT 1
>>>> CONFIG proxy.config.hostdb.timeout INT 60
>>>> CONFIG proxy.config.hostdb.strict_round_robin INT 0
>>>> CONFIG proxy.config.hostdb.host_file.path STRING /etc/hosts.dnsmasq
>>>> CONFIG proxy.config.hostdb.host_file.interval INT 3600
>>>> CONFIG proxy.config.hostdb.ip_resolve STRING ipv4;none
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # Logging Config
>>>>        #
>>>> #
>>>>        #
>>>> # 0: no logging at all
>>>>        #
>>>> # 1: log errors only
>>>>        #
>>>> # 2: log transactions only
>>>>        #
>>>> # 3: full logging (errors + transactions)
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> LOCAL proxy.local.log.collation_mode INT 0
>>>> CONFIG proxy.config.log.logging_enabled INT 1
>>>> CONFIG proxy.config.log.max_secs_per_buffer INT 5
>>>> CONFIG proxy.config.log.max_space_mb_for_logs INT 25000
>>>> CONFIG proxy.config.log.max_space_mb_for_orphan_logs INT 25
>>>> CONFIG proxy.config.log.max_space_mb_headroom INT 1000
>>>> CONFIG proxy.config.log.hostname STRING localhost
>>>> CONFIG proxy.config.log.logfile_dir STRING /var/log/trafficserver
>>>> CONFIG proxy.config.log.logfile_perm STRING rw-rw----
>>>> CONFIG proxy.config.log.custom_logs_enabled INT 0
>>>> CONFIG proxy.config.log.squid_log_enabled INT 0
>>>> CONFIG proxy.config.log.squid_log_is_ascii INT 0
>>>> CONFIG proxy.config.log.squid_log_name STRING squid
>>>> CONFIG proxy.config.log.squid_log_header STRING NULL
>>>> CONFIG proxy.config.log.common_log_enabled INT 0
>>>> CONFIG proxy.config.log.common_log_is_ascii INT 1
>>>> CONFIG proxy.config.log.common_log_name STRING common
>>>> CONFIG proxy.config.log.common_log_header STRING NULL
>>>> CONFIG proxy.config.log.extended_log_enabled INT 0
>>>> CONFIG proxy.config.log.extended_log_is_ascii INT 0
>>>> CONFIG proxy.config.log.extended_log_name STRING extended
>>>> CONFIG proxy.config.log.extended_log_header STRING NULL
>>>> CONFIG proxy.config.log.extended2_log_enabled INT 0
>>>> CONFIG proxy.config.log.extended2_log_is_ascii INT 1
>>>> CONFIG proxy.config.log.extended2_log_name STRING extended2
>>>> CONFIG proxy.config.log.extended2_log_header STRING NULL
>>>> CONFIG proxy.config.log.separate_icp_logs INT 0
>>>> CONFIG proxy.config.log.separate_host_logs INT 0
>>>> CONFIG proxy.config.log.collation_host STRING NULL
>>>> CONFIG proxy.config.log.collation_port INT 8085
>>>> CONFIG proxy.config.log.collation_secret STRING foobar
>>>> CONFIG proxy.config.log.collation_host_tagged INT 0
>>>> CONFIG proxy.config.log.collation_retry_sec INT 5
>>>> CONFIG proxy.config.log.rolling_enabled INT 1
>>>> CONFIG proxy.config.log.rolling_interval_sec INT 86400
>>>> CONFIG proxy.config.log.rolling_offset_hr INT 0
>>>> CONFIG proxy.config.log.rolling_size_mb INT 10
>>>> CONFIG proxy.config.log.auto_delete_rolled_files INT 1
>>>> CONFIG proxy.config.log.sampling_frequency INT 1
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # Reverse Proxy
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.reverse_proxy.enabled INT 1
>>>> CONFIG proxy.config.header.parse.no_host_url_redirect STRING NULL
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # URL Remap Rules
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.url_remap.default_to_server_pac INT 0
>>>> CONFIG proxy.config.url_remap.default_to_server_pac_port INT -1
>>>> CONFIG proxy.config.url_remap.remap_required INT 1
>>>> CONFIG proxy.config.url_remap.pristine_host_hdr INT 1
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # ICP Configuration
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.icp.enabled INT 0
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # Scheduled Update Configuration
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.update.enabled INT 0
>>>> CONFIG proxy.config.update.force INT 0
>>>> CONFIG proxy.config.update.retry_count INT 10
>>>> CONFIG proxy.config.update.retry_interval INT 2
>>>> CONFIG proxy.config.update.concurrent_updates INT 100
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # Socket send/recv buffer sizes 0 == dont call setsockopt()
>>>>        #
>>>> # out: proxy -> os connection
>>>>        #
>>>> # in : ua -> proxy connection
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.net.sock_send_buffer_size_in INT 65536
>>>> CONFIG proxy.config.net.sock_recv_buffer_size_in INT 65536
>>>> CONFIG proxy.config.net.sock_option_flag_in INT 1
>>>> CONFIG proxy.config.net.sock_send_buffer_size_out INT 65536
>>>> CONFIG proxy.config.net.sock_recv_buffer_size_out INT 65536
>>>> CONFIG proxy.config.net.sock_option_flag_out INT 1
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # User Overridden Configurations Below
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.core_limit INT -1
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # Debugging
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.diags.debug.enabled INT 0
>>>> CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*
>>>> CONFIG proxy.config.dump_mem_info_frequency INT 0
>>>> CONFIG proxy.config.stack_dump_enabled 0
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # Log any request that takes more then x number of milliseconds, needs
>>>>        #
>>>> # to be > 0 to be enabled
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.http.slow.log.threshold INT 0
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # Thread pool for "misc" tasks, plugins etc. 2 is a good minimum
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.task_threads INT 2
>>>> CONFIG proxy.config.cluster.cluster_configuration STRING 
>>>> cluster.config
>>>> CONFIG proxy.config.body_factory.template_sets_dir STRING
>>>> /etc/trafficserver/body_factory
>>>>
>>>> ############################################################################## 
>>>>
>>>>
>>>> # SSL/TLS
>>>>        #
>>>> ############################################################################## 
>>>>
>>>>
>>>> CONFIG proxy.config.ssl.SSLv2 INT 0
>>>> CONFIG proxy.config.ssl.SSLv3 INT 0
>>>> CONFIG proxy.config.ssl.TLSv1 INT 1
>>>> CONFIG proxy.config.ssl.TLSv1_1 INT 1
>>>> CONFIG proxy.config.ssl.TLSv1_2 INT 1
>>>> CONFIG proxy.config.ssl.client.SSLv2 INT 1
>>>> CONFIG proxy.config.ssl.client.SSLv3 INT 1
>>>> CONFIG proxy.config.ssl.client.TLSv1 INT 1
>>>> CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
>>>> CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
>>>> CONFIG proxy.config.ssl.client.certification_level INT 0
>>>> CONFIG proxy.config.ssl.server.multicert.filename STRING
>>>> ssl_multicert.config
>>>> CONFIG proxy.config.ssl.server.cert.path STRING 
>>>> /etc/trafficserver/ssl/
>>>> CONFIG proxy.config.ssl.server.private_key.path STRING
>>>> /etc/trafficserver/ssl/
>>>> CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
>>>> CONFIG proxy.config.ssl.server.cipher_suite STRING
>>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM 
>>>>
>>>>
>>>> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
>>>> CONFIG proxy.config.ssl.server.dhparams_file STRING
>>>> /etc/trafficserver/ssl/dhparams.pem
>


Re: 5.3.0: TLS completly broken (reverse-proxy)

Posted by Reindl Harald <h....@thelounge.net>.

Am 26.05.2015 um 21:32 schrieb Susan Hinrichs:
> Hi Riendl,
>
> I'll have to try to reproduce from outside the office.
>
> If I understand you correctly, you can access the server behind ATS ok.
> Then you do the ssllabs scan (which fails badly).  Then your browser can
> no longer access the server.
>
> Definitely sounds like badness.

forget the server behind ATS, there are multiple and they are innocent

* ATS 5.3.0 seems to work fine in the browser
* ssllabs says no connection
* the same host no longer responds in the browser
* other reverse proxy hosts appear to still work fine
* scan them with ssllabs and they are gone as well
* it's not only ssllabs, local sslscan to ATS kills it also
* the problem is "no shared ciphers"

something seems to go terribly wrong with multiple TLS hosts: some of 
them are configured for TLS offloading only, some of them also use TLS to 
the origin (because a backend CMS does not handle external offloading 
properly), and there is a mix of our wildcard certificate and host-specific ones

happily i recognized that very soon and built 5.2.1 for Fedora 21 
(x86_64), which was also running with F20 on that machine

no time to dig deeper into that because i am in the middle of dist-upgrades 
for around 30 servers and ATS was the only problem until now; happily 5.2.1 
still works fine

> On 5/26/2015 2:22 PM, Reindl Harald wrote:
>>
>>
>> Am 26.05.2015 um 21:04 schrieb Dave Thompson:
>>> Hi Riendl,
>>>
>>> More details regarding host might help, though if the issue is related
>>> to having an external scanner contact an internal ATS, you can test TCP
>>> connectivity with just a 'telnet hostname port'.
>>
>> TLS is fucked up, nobody talks about a internal host
>>
>>> To test SSL handshake, you might alternatively try:
>>> openssl s_client -connect login.yahoo.com:443 < /dev/null
>>>
>>> If you're trying an internal scan to something that ssllabs.com can't
>>> access, you might be interested in checking out:
>>> yo/checkmyssl
>>
>> uhm that is and was a production server runnigng as reverse proxy and
>> reachable from ssllabs - the point is that *after* ssllabs try to scan
>> the host the page is dead and firefox complaints in no shared ciphers
>>
>> please read again my post!
>>
>> for me that's now done by downgrade to 5.2.1 and all is fine as before
>> with nothing else changed
>>
>>> On Tuesday, May 26, 2015 1:34 PM, Reindl Harald <h....@thelounge.net>
>>> wrote:
>>>
>>>
>>> i recently did a dist-upgrade to Fedora 21 and at that time decided to
>>> upgrade ATS to 5.3.0 since load-tests without encryption where fine
>>>
>>> well, https://www.ssllabs.com/ssltest/
>>> <https://www.ssllabs.com/ssltest/>says no connection, after that
>>> Firefox previously displayed the page said "no shared ciphers" at
>>> reload, local "sslcsan" is more than strange - in other words: as soon
>>> as you start to scan the server for ssl ciphers something goes terrible
>>> wrong
>>>
>>> it happens that another SNI host still works, until you try to scan
>>> it too
>>>
>>> downgrade to 5.2.1 and all is fine again
>>> P.S.: the download page should not only list a .0 release
>>> ______________________________________________
>>>
>>> without changing the environment these different results for "sslscan
>>> host:443" should be impossible
>>>
>>>    Preferred Server Cipher(s):
>>>      SSLv2  0 bits    (NONE)
>>>      SSLv3  0 bits    (NONE)
>>>      TLSv1  0 bits    (NONE)
>>>      TLS11  0 bits    (NONE)
>>>      TLS12  0 bits    (NONE)
>>>
>>>    Preferred Server Cipher(s):
>>>      SSLv2  0 bits    (NONE)
>>>      SSLv3  0 bits    (NONE)
>>>      TLSv1  0 bits    (NONE)
>>>      TLS11  0 bits    (NONE)
>>>      TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
>>> ______________________________________________
>>>
>>> 5.2.1:
>>>
>>>    Preferred Server Cipher(s):
>>>      SSLv2  0 bits    (NONE)
>>>      SSLv3  0 bits    (NONE)
>>>      TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>>>      TLS11  128 bits  ECDHE-RSA-AES128-SHA
>>>      TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
>>> ______________________________________________
>>>
>>> records.config
>>>
>>> ##############################################################################
>>>
>>> # System Variables
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.proxy_name STRING proxy.thelounge.net
>>> CONFIG proxy.config.config_dir STRING /etc/trafficserver
>>> CONFIG proxy.config.proxy_binary_opts STRING -M
>>> CONFIG proxy.config.temp_dir STRING /tmp
>>> CONFIG proxy.config.alarm_email STRING ats
>>> CONFIG proxy.config.syslog_facility STRING LOG_DAEMON
>>> CONFIG proxy.config.output.logfile STRING traffic.out
>>> CONFIG proxy.config.snapshot_dir STRING snapshots
>>> CONFIG proxy.config.system.mmap_max INT 2097152
>>>
>>> ##############################################################################
>>>
>>> # Main threads configuration (worker threads). Also see configurations
>>> for  #
>>> # SSL threads, disk I/O threads and task threads in their respective
>>> areas  #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.exec_thread.autoconfig INT 0
>>> CONFIG proxy.config.exec_thread.limit INT 4
>>> CONFIG proxy.config.exec_thread.affinity INT 1
>>> CONFIG proxy.config.accept_threads INT 0
>>>
>>> ##############################################################################
>>>
>>> # Local Manager
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.admin.admin_user STRING admin
>>> CONFIG proxy.config.admin.number_config_bak INT 0
>>> CONFIG proxy.config.admin.user_id STRING ats
>>>
>>> ##############################################################################
>>>
>>> # Process Manager
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.admin.autoconf_port INT 8083
>>> CONFIG proxy.config.process_manager.mgmt_port INT 8084
>>>
>>> ##############################################################################
>>>
>>> # HTTP Engine
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.http.server_ports STRING 80 443:ssl
>>> CONFIG proxy.config.http.connect_ports STRING 80
>>> CONFIG proxy.config.http.insert_request_via_str INT 0
>>> CONFIG proxy.config.http.insert_response_via_str INT 0
>>> CONFIG proxy.config.http.response_server_enabled INT 0
>>> CONFIG proxy.config.http.insert_age_in_response INT 1
>>> CONFIG proxy.config.http.enable_url_expandomatic INT 0
>>> CONFIG proxy.config.http.no_dns_just_forward_to_parent INT 0
>>> CONFIG proxy.config.http.uncacheable_requests_bypass_parent INT 0
>>> CONFIG proxy.config.http.keep_alive_enabled_in INT 1
>>> CONFIG proxy.config.http.keep_alive_enabled_out INT 1
>>> CONFIG proxy.config.http.chunking_enabled INT 1
>>> CONFIG proxy.config.http.chunking.size 64k
>>> CONFIG proxy.config.http.send_http11_requests INT 1
>>> CONFIG proxy.config.http.share_server_sessions INT 1
>>> CONFIG proxy.config.http.origin_server_pipeline INT 1
>>> CONFIG proxy.config.http.user_agent_pipeline INT 8
>>> CONFIG proxy.config.http.referer_filter INT 0
>>> CONFIG proxy.config.http.accept_unknown_methods INT 0
>>>
>>> ##############################################################################
>>>
>>> # parent proxy configuration
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.http.parent_proxy_routing_enable INT 0
>>>
>>> ##############################################################################
>>>
>>> # HTTP connection timeouts (secs)
>>>        #
>>> # out: proxy -> origin server connection
>>>        #
>>> # in : ua -> proxy connection
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.http.keep_alive_no_activity_timeout_in INT 1
>>> CONFIG proxy.config.http.keep_alive_no_activity_timeout_out INT 1
>>> CONFIG proxy.config.http.transaction_no_activity_timeout_in INT 60
>>> CONFIG proxy.config.http.transaction_no_activity_timeout_out INT 60
>>> CONFIG proxy.config.http.transaction_active_timeout_in INT 3600
>>> CONFIG proxy.config.http.transaction_active_timeout_out INT 0
>>> CONFIG proxy.config.http.accept_no_activity_timeout INT 1
>>> CONFIG proxy.config.http.background_fill_active_timeout INT 0
>>> CONFIG proxy.config.http.background_fill_completed_threshold FLOAT 0.0
>>>
>>> ##############################################################################
>>>
>>> # origin server connect attempts
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.http.connect_attempts_max_retries INT 10
>>> CONFIG proxy.config.http.connect_attempts_max_retries_dead_server INT 10
>>> CONFIG proxy.config.http.connect_attempts_rr_retries INT 10
>>> CONFIG proxy.config.http.connect_attempts_timeout INT 30
>>> CONFIG proxy.config.http.post_connect_attempts_timeout INT 1800
>>> CONFIG proxy.config.http.down_server.cache_time INT 5
>>> CONFIG proxy.config.http.down_server.abort_threshold INT 30
>>>
>>> ##############################################################################
>>>
>>> # congestion control
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.http.congestion_control.enabled INT 0
>>>
>>> ##############################################################################
>>>
>>> # negative response caching
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.http.negative_caching_enabled INT 1
>>> CONFIG proxy.config.http.negative_caching_lifetime INT 1
>>>
>>> ##############################################################################
>>>
>>> # proxy users variables
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.http.anonymize_remove_from INT 0
>>> CONFIG proxy.config.http.anonymize_remove_referer INT 0
>>> CONFIG proxy.config.http.anonymize_remove_user_agent INT 0
>>> CONFIG proxy.config.http.anonymize_remove_cookie INT 0
>>> CONFIG proxy.config.http.anonymize_remove_client_ip INT 0
>>> CONFIG proxy.config.http.anonymize_insert_client_ip INT 0
>>> CONFIG proxy.config.http.anonymize_other_header_list STRING NULL
>>> CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1
>>>
>>> ##############################################################################
>>>
>>> # security
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.http.push_method_enabled INT 0
>>>
>>> ##############################################################################
>>>
>>> # cache control
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.http.normalize_ae_gzip INT 1
>>> CONFIG proxy.config.http.cache.http INT 1
>>> CONFIG proxy.config.http.cache.cache_responses_to_cookies INT 3
>>> CONFIG proxy.config.http.cache.cache_urls_that_look_dynamic INT 1
>>> CONFIG proxy.config.http.cache.ims_on_client_no_cache INT 1
>>> CONFIG proxy.config.http.cache.ignore_client_cc_max_age INT 0
>>> CONFIG proxy.config.http.cache.ignore_client_no_cache INT 0
>>> CONFIG proxy.config.http.cache.ignore_accept_mismatch INT 2
>>> CONFIG proxy.config.http.cache.ignore_accept_language_mismatch INT 2
>>> CONFIG proxy.config.http.cache.ignore_accept_encoding_mismatch INT 2
>>> CONFIG proxy.config.http.cache.ignore_accept_charset_mismatch INT 2
>>> CONFIG proxy.config.http.cache.ignore_server_no_cache INT 0
>>> CONFIG proxy.config.http.cache.ignore_authentication INT 0
>>> CONFIG proxy.config.http.cache.enable_default_vary_headers INT 0
>>> CONFIG proxy.config.http.cache.when_to_revalidate INT 0
>>> CONFIG proxy.config.http.cache.when_to_add_no_cache_to_msie_requests
>>> INT 0
>>> CONFIG proxy.config.http.cache.required_headers INT 0
>>> CONFIG proxy.config.http.cache.max_stale_age INT 1800
>>> CONFIG proxy.config.http.cache.range.lookup INT 0
>>> CONFIG proxy.config.cache.vary_on_user_agent INT 0
>>>
>>> ##############################################################################
>>>
>>> # heuristic expiration
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.http.cache.heuristic_min_lifetime INT 60
>>> CONFIG proxy.config.http.cache.heuristic_max_lifetime INT 60
>>> CONFIG proxy.config.http.cache.heuristic_lm_factor FLOAT 0.100000
>>> CONFIG proxy.config.http.cache.fuzz.time INT 60
>>> CONFIG proxy.config.http.cache.fuzz.probability FLOAT 0.005000
>>>
>>> ##############################################################################
>>>
>>> # dynamic content & content negotiation
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.http.cache.vary_default_text STRING Accept-Encoding
>>> CONFIG proxy.config.http.cache.vary_default_images STRING NULL
>>> CONFIG proxy.config.http.cache.vary_default_other STRING NULL
>>>
>>> ##############################################################################
>>>
>>> # The HTTP stats are expensive, turn off you dont need them
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.http.enable_http_stats INT 0
>>>
>>> ##############################################################################
>>>
>>> # Customizable User Response Pages
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.body_factory.enable_customizations INT 1
>>> CONFIG proxy.config.body_factory.enable_logging INT 0
>>> CONFIG proxy.config.body_factory.response_suppression_mode INT 0
>>>
>>> ##############################################################################
>>>
>>> # Net Subsystem
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.net.connections_throttle INT 30000
>>> CONFIG proxy.config.net.defer_accept INT 1
>>>
>>> ##############################################################################
>>>
>>> # Cluster Subsystem
>>>        #
>>> ##############################################################################
>>>
>>> LOCAL proxy.local.cluster.type INT 3
>>>
>>> ##############################################################################
>>>
>>> # Cache
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.cache.permit.pinning INT 0
>>> CONFIG proxy.config.cache.ram_cache.size INT 2560M
>>> CONFIG proxy.config.cache.ram_cache_cutoff INT 512K
>>> CONFIG proxy.config.cache.ram_cache.algorithm INT 1
>>> CONFIG proxy.config.cache.ram_cache.use_seen_filter INT 0
>>> CONFIG proxy.config.cache.ram_cache.compress INT 0
>>> CONFIG proxy.config.cache.limits.http.max_alts INT 10
>>> CONFIG proxy.config.cache.target_fragment_size INT 262144
>>> CONFIG proxy.config.cache.max_doc_size INT 0
>>> CONFIG proxy.config.cache.enable_read_while_writer INT 1
>>> CONFIG proxy.config.connection_collapsing.hashtable_enabled INT 1
>>> CONFIG proxy.config.cache.min_average_object_size INT 32K
>>> CONFIG proxy.config.cache.threads_per_disk INT 8
>>> CONFIG proxy.config.cache.mutex_retry_delay INT 10
>>>
>>> ##############################################################################
>>>
>>> # DNS
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.dns.search_default_domains INT 1
>>> CONFIG proxy.config.dns.splitDNS.enabled INT 0
>>> CONFIG proxy.config.dns.max_dns_in_flight INT 2048
>>> CONFIG proxy.config.dns.url_expansions STRING NULL
>>> CONFIG proxy.config.dns.round_robin_nameservers INT 0
>>> CONFIG proxy.config.dns.nameservers STRING 127.0.0.1
>>> CONFIG proxy.config.dns.resolv_conf STRING NULL
>>> CONFIG proxy.config.dns.validate_query_name INT 0
>>>
>>> ##############################################################################
>>>
>>> # HostDB
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.hostdb.size INT 50000
>>> CONFIG proxy.config.hostdb.storage_size INT 14680064
>>> CONFIG proxy.config.hostdb.ttl_mode INT 1
>>> CONFIG proxy.config.hostdb.timeout INT 60
>>> CONFIG proxy.config.hostdb.strict_round_robin INT 0
>>> CONFIG proxy.config.hostdb.host_file.path STRING /etc/hosts.dnsmasq
>>> CONFIG proxy.config.hostdb.host_file.interval INT 3600
>>> CONFIG proxy.config.hostdb.ip_resolve STRING ipv4;none
>>>
>>> ##############################################################################
>>>
>>> # Logging Config
>>>        #
>>> #
>>>        #
>>> # 0: no logging at all
>>>        #
>>> # 1: log errors only
>>>        #
>>> # 2: log transactions only
>>>        #
>>> # 3: full logging (errors + transactions)
>>>        #
>>> ##############################################################################
>>>
>>> LOCAL proxy.local.log.collation_mode INT 0
>>> CONFIG proxy.config.log.logging_enabled INT 1
>>> CONFIG proxy.config.log.max_secs_per_buffer INT 5
>>> CONFIG proxy.config.log.max_space_mb_for_logs INT 25000
>>> CONFIG proxy.config.log.max_space_mb_for_orphan_logs INT 25
>>> CONFIG proxy.config.log.max_space_mb_headroom INT 1000
>>> CONFIG proxy.config.log.hostname STRING localhost
>>> CONFIG proxy.config.log.logfile_dir STRING /var/log/trafficserver
>>> CONFIG proxy.config.log.logfile_perm STRING rw-rw----
>>> CONFIG proxy.config.log.custom_logs_enabled INT 0
>>> CONFIG proxy.config.log.squid_log_enabled INT 0
>>> CONFIG proxy.config.log.squid_log_is_ascii INT 0
>>> CONFIG proxy.config.log.squid_log_name STRING squid
>>> CONFIG proxy.config.log.squid_log_header STRING NULL
>>> CONFIG proxy.config.log.common_log_enabled INT 0
>>> CONFIG proxy.config.log.common_log_is_ascii INT 1
>>> CONFIG proxy.config.log.common_log_name STRING common
>>> CONFIG proxy.config.log.common_log_header STRING NULL
>>> CONFIG proxy.config.log.extended_log_enabled INT 0
>>> CONFIG proxy.config.log.extended_log_is_ascii INT 0
>>> CONFIG proxy.config.log.extended_log_name STRING extended
>>> CONFIG proxy.config.log.extended_log_header STRING NULL
>>> CONFIG proxy.config.log.extended2_log_enabled INT 0
>>> CONFIG proxy.config.log.extended2_log_is_ascii INT 1
>>> CONFIG proxy.config.log.extended2_log_name STRING extended2
>>> CONFIG proxy.config.log.extended2_log_header STRING NULL
>>> CONFIG proxy.config.log.separate_icp_logs INT 0
>>> CONFIG proxy.config.log.separate_host_logs INT 0
>>> CONFIG proxy.config.log.collation_host STRING NULL
>>> CONFIG proxy.config.log.collation_port INT 8085
>>> CONFIG proxy.config.log.collation_secret STRING foobar
>>> CONFIG proxy.config.log.collation_host_tagged INT 0
>>> CONFIG proxy.config.log.collation_retry_sec INT 5
>>> CONFIG proxy.config.log.rolling_enabled INT 1
>>> CONFIG proxy.config.log.rolling_interval_sec INT 86400
>>> CONFIG proxy.config.log.rolling_offset_hr INT 0
>>> CONFIG proxy.config.log.rolling_size_mb INT 10
>>> CONFIG proxy.config.log.auto_delete_rolled_files INT 1
>>> CONFIG proxy.config.log.sampling_frequency INT 1
>>>
>>> ##############################################################################
>>>
>>> # Reverse Proxy
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.reverse_proxy.enabled INT 1
>>> CONFIG proxy.config.header.parse.no_host_url_redirect STRING NULL
>>>
>>> ##############################################################################
>>>
>>> # URL Remap Rules
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.url_remap.default_to_server_pac INT 0
>>> CONFIG proxy.config.url_remap.default_to_server_pac_port INT -1
>>> CONFIG proxy.config.url_remap.remap_required INT 1
>>> CONFIG proxy.config.url_remap.pristine_host_hdr INT 1
>>>
>>> ##############################################################################
>>>
>>> # ICP Configuration
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.icp.enabled INT 0
>>>
>>> ##############################################################################
>>>
>>> # Scheduled Update Configuration
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.update.enabled INT 0
>>> CONFIG proxy.config.update.force INT 0
>>> CONFIG proxy.config.update.retry_count INT 10
>>> CONFIG proxy.config.update.retry_interval INT 2
>>> CONFIG proxy.config.update.concurrent_updates INT 100
>>>
>>> ##############################################################################
>>>
>>> # Socket send/recv buffer sizes 0 == dont call setsockopt()
>>>        #
>>> # out: proxy -> os connection
>>>        #
>>> # in : ua -> proxy connection
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.net.sock_send_buffer_size_in INT 65536
>>> CONFIG proxy.config.net.sock_recv_buffer_size_in INT 65536
>>> CONFIG proxy.config.net.sock_option_flag_in INT 1
>>> CONFIG proxy.config.net.sock_send_buffer_size_out INT 65536
>>> CONFIG proxy.config.net.sock_recv_buffer_size_out INT 65536
>>> CONFIG proxy.config.net.sock_option_flag_out INT 1
>>>
>>> ##############################################################################
>>>
>>> # User Overridden Configurations Below
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.core_limit INT -1
>>>
>>> ##############################################################################
>>>
>>> # Debugging
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.diags.debug.enabled INT 0
>>> CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*
>>> CONFIG proxy.config.dump_mem_info_frequency INT 0
>>> CONFIG proxy.config.stack_dump_enabled 0
>>>
>>> ##############################################################################
>>>
>>> # Log any request that takes more then x number of milliseconds, needs
>>>        #
>>> # to be > 0 to be enabled
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.http.slow.log.threshold INT 0
>>>
>>> ##############################################################################
>>>
>>> # Thread pool for "misc" tasks, plugins etc. 2 is a good minimum
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.task_threads INT 2
>>> CONFIG proxy.config.cluster.cluster_configuration STRING cluster.config
>>> CONFIG proxy.config.body_factory.template_sets_dir STRING
>>> /etc/trafficserver/body_factory
>>>
>>> ##############################################################################
>>>
>>> # SSL/TLS
>>>        #
>>> ##############################################################################
>>>
>>> CONFIG proxy.config.ssl.SSLv2 INT 0
>>> CONFIG proxy.config.ssl.SSLv3 INT 0
>>> CONFIG proxy.config.ssl.TLSv1 INT 1
>>> CONFIG proxy.config.ssl.TLSv1_1 INT 1
>>> CONFIG proxy.config.ssl.TLSv1_2 INT 1
>>> CONFIG proxy.config.ssl.client.SSLv2 INT 1
>>> CONFIG proxy.config.ssl.client.SSLv3 INT 1
>>> CONFIG proxy.config.ssl.client.TLSv1 INT 1
>>> CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
>>> CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
>>> CONFIG proxy.config.ssl.client.certification_level INT 0
>>> CONFIG proxy.config.ssl.server.multicert.filename STRING
>>> ssl_multicert.config
>>> CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl/
>>> CONFIG proxy.config.ssl.server.private_key.path STRING
>>> /etc/trafficserver/ssl/
>>> CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
>>> CONFIG proxy.config.ssl.server.cipher_suite STRING
>>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
>>>
>>> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
>>> CONFIG proxy.config.ssl.server.dhparams_file STRING
>>> /etc/trafficserver/ssl/dhparams.pem


Re: 5.3.0: TLS completly broken (reverse-proxy)

Posted by Susan Hinrichs <sh...@network-geographics.com>.
Hi Reindl,

I'll have to try to reproduce from outside the office.

If I understand you correctly, you can access the server behind ATS ok.  
Then you do the ssllabs scan (which fails badly).  Then your browser can 
no longer access the server.

Definitely sounds like badness.

Susan

On 5/26/2015 2:22 PM, Reindl Harald wrote:
>
>
> Am 26.05.2015 um 21:04 schrieb Dave Thompson:
>> Hi Reindl,
>>
>> More details regarding host might help, though if the issue is related
>> to having an external scanner contact an internal ATS, you can test TCP
>> connectivity with just a 'telnet hostname port'.
>
> TLS is fucked up, nobody talks about an internal host
>
>> To test SSL handshake, you might alternatively try:
>> openssl s_client -connect login.yahoo.com:443 < /dev/null
>>
>> If you're trying an internal scan to something that ssllabs.com can't
>> access, you might be interested in checking out:
>> yo/checkmyssl
>
> uhm that is and was a production server running as a reverse proxy and 
> reachable from ssllabs - the point is that *after* ssllabs tries to scan 
> the host the page is dead and Firefox complains about "no shared ciphers"
>
> please read again my post!
>
> for me that's now solved by downgrading to 5.2.1, and all is fine as before 
> with nothing else changed
>
>> On Tuesday, May 26, 2015 1:34 PM, Reindl Harald <h....@thelounge.net>
>> wrote:
>>
>>
>> i recently did a dist-upgrade to Fedora 21 and at that time decided to
>> upgrade ATS to 5.3.0 since load-tests without encryption were fine
>>
>> well, https://www.ssllabs.com/ssltest/
>> <https://www.ssllabs.com/ssltest/> says no connection, after that
>> Firefox, which previously displayed the page, said "no shared ciphers" at
>> reload; local "sslscan" is more than strange - in other words: as soon
>> as you start to scan the server for ssl ciphers something goes terribly
>> wrong
>>
>> it happens that another SNI host still works, until you try to scan 
>> it too
>>
>> downgrade to 5.2.1 and all is fine again
>> P.S.: the download page should not only list a .0 release
>> ______________________________________________
>>
>> without changing the environment these different results for "sslscan
>> host:443" should be impossible
>>
>>    Preferred Server Cipher(s):
>>      SSLv2  0 bits    (NONE)
>>      SSLv3  0 bits    (NONE)
>>      TLSv1  0 bits    (NONE)
>>      TLS11  0 bits    (NONE)
>>      TLS12  0 bits    (NONE)
>>
>>    Preferred Server Cipher(s):
>>      SSLv2  0 bits    (NONE)
>>      SSLv3  0 bits    (NONE)
>>      TLSv1  0 bits    (NONE)
>>      TLS11  0 bits    (NONE)
>>      TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
>> ______________________________________________
>>
>> 5.2.1:
>>
>>    Preferred Server Cipher(s):
>>      SSLv2  0 bits    (NONE)
>>      SSLv3  0 bits    (NONE)
>>      TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>>      TLS11  128 bits  ECDHE-RSA-AES128-SHA
>>      TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
>> ______________________________________________
>>
>> records.config
>>
>> ############################################################################## 
>>
>> # System Variables
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.proxy_name STRING proxy.thelounge.net
>> CONFIG proxy.config.config_dir STRING /etc/trafficserver
>> CONFIG proxy.config.proxy_binary_opts STRING -M
>> CONFIG proxy.config.temp_dir STRING /tmp
>> CONFIG proxy.config.alarm_email STRING ats
>> CONFIG proxy.config.syslog_facility STRING LOG_DAEMON
>> CONFIG proxy.config.output.logfile STRING traffic.out
>> CONFIG proxy.config.snapshot_dir STRING snapshots
>> CONFIG proxy.config.system.mmap_max INT 2097152
>>
>> ############################################################################## 
>>
>> # Main threads configuration (worker threads). Also see configurations
>> for  #
>> # SSL threads, disk I/O threads and task threads in their respective
>> areas  #
>> ############################################################################## 
>>
>> CONFIG proxy.config.exec_thread.autoconfig INT 0
>> CONFIG proxy.config.exec_thread.limit INT 4
>> CONFIG proxy.config.exec_thread.affinity INT 1
>> CONFIG proxy.config.accept_threads INT 0
>>
>> ############################################################################## 
>>
>> # Local Manager
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.admin.admin_user STRING admin
>> CONFIG proxy.config.admin.number_config_bak INT 0
>> CONFIG proxy.config.admin.user_id STRING ats
>>
>> ############################################################################## 
>>
>> # Process Manager
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.admin.autoconf_port INT 8083
>> CONFIG proxy.config.process_manager.mgmt_port INT 8084
>>
>> ############################################################################## 
>>
>> # HTTP Engine
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.http.server_ports STRING 80 443:ssl
>> CONFIG proxy.config.http.connect_ports STRING 80
>> CONFIG proxy.config.http.insert_request_via_str INT 0
>> CONFIG proxy.config.http.insert_response_via_str INT 0
>> CONFIG proxy.config.http.response_server_enabled INT 0
>> CONFIG proxy.config.http.insert_age_in_response INT 1
>> CONFIG proxy.config.http.enable_url_expandomatic INT 0
>> CONFIG proxy.config.http.no_dns_just_forward_to_parent INT 0
>> CONFIG proxy.config.http.uncacheable_requests_bypass_parent INT 0
>> CONFIG proxy.config.http.keep_alive_enabled_in INT 1
>> CONFIG proxy.config.http.keep_alive_enabled_out INT 1
>> CONFIG proxy.config.http.chunking_enabled INT 1
>> CONFIG proxy.config.http.chunking.size 64k
>> CONFIG proxy.config.http.send_http11_requests INT 1
>> CONFIG proxy.config.http.share_server_sessions INT 1
>> CONFIG proxy.config.http.origin_server_pipeline INT 1
>> CONFIG proxy.config.http.user_agent_pipeline INT 8
>> CONFIG proxy.config.http.referer_filter INT 0
>> CONFIG proxy.config.http.accept_unknown_methods INT 0
>>
>> ############################################################################## 
>>
>> # parent proxy configuration
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.http.parent_proxy_routing_enable INT 0
>>
>> ############################################################################## 
>>
>> # HTTP connection timeouts (secs)
>>        #
>> # out: proxy -> origin server connection
>>        #
>> # in : ua -> proxy connection
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.http.keep_alive_no_activity_timeout_in INT 1
>> CONFIG proxy.config.http.keep_alive_no_activity_timeout_out INT 1
>> CONFIG proxy.config.http.transaction_no_activity_timeout_in INT 60
>> CONFIG proxy.config.http.transaction_no_activity_timeout_out INT 60
>> CONFIG proxy.config.http.transaction_active_timeout_in INT 3600
>> CONFIG proxy.config.http.transaction_active_timeout_out INT 0
>> CONFIG proxy.config.http.accept_no_activity_timeout INT 1
>> CONFIG proxy.config.http.background_fill_active_timeout INT 0
>> CONFIG proxy.config.http.background_fill_completed_threshold FLOAT 0.0
>>
>> ############################################################################## 
>>
>> # origin server connect attempts
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.http.connect_attempts_max_retries INT 10
>> CONFIG proxy.config.http.connect_attempts_max_retries_dead_server INT 10
>> CONFIG proxy.config.http.connect_attempts_rr_retries INT 10
>> CONFIG proxy.config.http.connect_attempts_timeout INT 30
>> CONFIG proxy.config.http.post_connect_attempts_timeout INT 1800
>> CONFIG proxy.config.http.down_server.cache_time INT 5
>> CONFIG proxy.config.http.down_server.abort_threshold INT 30
>>
>> ############################################################################## 
>>
>> # congestion control
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.http.congestion_control.enabled INT 0
>>
>> ############################################################################## 
>>
>> # negative response caching
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.http.negative_caching_enabled INT 1
>> CONFIG proxy.config.http.negative_caching_lifetime INT 1
>>
>> ############################################################################## 
>>
>> # proxy users variables
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.http.anonymize_remove_from INT 0
>> CONFIG proxy.config.http.anonymize_remove_referer INT 0
>> CONFIG proxy.config.http.anonymize_remove_user_agent INT 0
>> CONFIG proxy.config.http.anonymize_remove_cookie INT 0
>> CONFIG proxy.config.http.anonymize_remove_client_ip INT 0
>> CONFIG proxy.config.http.anonymize_insert_client_ip INT 0
>> CONFIG proxy.config.http.anonymize_other_header_list STRING NULL
>> CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1
>>
>> ############################################################################## 
>>
>> # security
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.http.push_method_enabled INT 0
>>
>> ############################################################################## 
>>
>> # cache control
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.http.normalize_ae_gzip INT 1
>> CONFIG proxy.config.http.cache.http INT 1
>> CONFIG proxy.config.http.cache.cache_responses_to_cookies INT 3
>> CONFIG proxy.config.http.cache.cache_urls_that_look_dynamic INT 1
>> CONFIG proxy.config.http.cache.ims_on_client_no_cache INT 1
>> CONFIG proxy.config.http.cache.ignore_client_cc_max_age INT 0
>> CONFIG proxy.config.http.cache.ignore_client_no_cache INT 0
>> CONFIG proxy.config.http.cache.ignore_accept_mismatch INT 2
>> CONFIG proxy.config.http.cache.ignore_accept_language_mismatch INT 2
>> CONFIG proxy.config.http.cache.ignore_accept_encoding_mismatch INT 2
>> CONFIG proxy.config.http.cache.ignore_accept_charset_mismatch INT 2
>> CONFIG proxy.config.http.cache.ignore_server_no_cache INT 0
>> CONFIG proxy.config.http.cache.ignore_authentication INT 0
>> CONFIG proxy.config.http.cache.enable_default_vary_headers INT 0
>> CONFIG proxy.config.http.cache.when_to_revalidate INT 0
>> CONFIG proxy.config.http.cache.when_to_add_no_cache_to_msie_requests 
>> INT 0
>> CONFIG proxy.config.http.cache.required_headers INT 0
>> CONFIG proxy.config.http.cache.max_stale_age INT 1800
>> CONFIG proxy.config.http.cache.range.lookup INT 0
>> CONFIG proxy.config.cache.vary_on_user_agent INT 0
>>
>> ############################################################################## 
>>
>> # heuristic expiration
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.http.cache.heuristic_min_lifetime INT 60
>> CONFIG proxy.config.http.cache.heuristic_max_lifetime INT 60
>> CONFIG proxy.config.http.cache.heuristic_lm_factor FLOAT 0.100000
>> CONFIG proxy.config.http.cache.fuzz.time INT 60
>> CONFIG proxy.config.http.cache.fuzz.probability FLOAT 0.005000
>>
>> ############################################################################## 
>>
>> # dynamic content & content negotiation
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.http.cache.vary_default_text STRING Accept-Encoding
>> CONFIG proxy.config.http.cache.vary_default_images STRING NULL
>> CONFIG proxy.config.http.cache.vary_default_other STRING NULL
>>
>> ############################################################################## 
>>
>> # The HTTP stats are expensive, turn off you dont need them
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.http.enable_http_stats INT 0
>>
>> ############################################################################## 
>>
>> # Customizable User Response Pages
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.body_factory.enable_customizations INT 1
>> CONFIG proxy.config.body_factory.enable_logging INT 0
>> CONFIG proxy.config.body_factory.response_suppression_mode INT 0
>>
>> ############################################################################## 
>>
>> # Net Subsystem
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.net.connections_throttle INT 30000
>> CONFIG proxy.config.net.defer_accept INT 1
>>
>> ############################################################################## 
>>
>> # Cluster Subsystem
>>        #
>> ############################################################################## 
>>
>> LOCAL proxy.local.cluster.type INT 3
>>
>> ############################################################################## 
>>
>> # Cache
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.cache.permit.pinning INT 0
>> CONFIG proxy.config.cache.ram_cache.size INT 2560M
>> CONFIG proxy.config.cache.ram_cache_cutoff INT 512K
>> CONFIG proxy.config.cache.ram_cache.algorithm INT 1
>> CONFIG proxy.config.cache.ram_cache.use_seen_filter INT 0
>> CONFIG proxy.config.cache.ram_cache.compress INT 0
>> CONFIG proxy.config.cache.limits.http.max_alts INT 10
>> CONFIG proxy.config.cache.target_fragment_size INT 262144
>> CONFIG proxy.config.cache.max_doc_size INT 0
>> CONFIG proxy.config.cache.enable_read_while_writer INT 1
>> CONFIG proxy.config.connection_collapsing.hashtable_enabled INT 1
>> CONFIG proxy.config.cache.min_average_object_size INT 32K
>> CONFIG proxy.config.cache.threads_per_disk INT 8
>> CONFIG proxy.config.cache.mutex_retry_delay INT 10
>>
>> ############################################################################## 
>>
>> # DNS
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.dns.search_default_domains INT 1
>> CONFIG proxy.config.dns.splitDNS.enabled INT 0
>> CONFIG proxy.config.dns.max_dns_in_flight INT 2048
>> CONFIG proxy.config.dns.url_expansions STRING NULL
>> CONFIG proxy.config.dns.round_robin_nameservers INT 0
>> CONFIG proxy.config.dns.nameservers STRING 127.0.0.1
>> CONFIG proxy.config.dns.resolv_conf STRING NULL
>> CONFIG proxy.config.dns.validate_query_name INT 0
>>
>> ############################################################################## 
>>
>> # HostDB
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.hostdb.size INT 50000
>> CONFIG proxy.config.hostdb.storage_size INT 14680064
>> CONFIG proxy.config.hostdb.ttl_mode INT 1
>> CONFIG proxy.config.hostdb.timeout INT 60
>> CONFIG proxy.config.hostdb.strict_round_robin INT 0
>> CONFIG proxy.config.hostdb.host_file.path STRING /etc/hosts.dnsmasq
>> CONFIG proxy.config.hostdb.host_file.interval INT 3600
>> CONFIG proxy.config.hostdb.ip_resolve STRING ipv4;none
>>
>> ############################################################################## 
>>
>> # Logging Config
>>        #
>> #
>>        #
>> # 0: no logging at all
>>        #
>> # 1: log errors only
>>        #
>> # 2: log transactions only
>>        #
>> # 3: full logging (errors + transactions)
>>        #
>> ############################################################################## 
>>
>> LOCAL proxy.local.log.collation_mode INT 0
>> CONFIG proxy.config.log.logging_enabled INT 1
>> CONFIG proxy.config.log.max_secs_per_buffer INT 5
>> CONFIG proxy.config.log.max_space_mb_for_logs INT 25000
>> CONFIG proxy.config.log.max_space_mb_for_orphan_logs INT 25
>> CONFIG proxy.config.log.max_space_mb_headroom INT 1000
>> CONFIG proxy.config.log.hostname STRING localhost
>> CONFIG proxy.config.log.logfile_dir STRING /var/log/trafficserver
>> CONFIG proxy.config.log.logfile_perm STRING rw-rw----
>> CONFIG proxy.config.log.custom_logs_enabled INT 0
>> CONFIG proxy.config.log.squid_log_enabled INT 0
>> CONFIG proxy.config.log.squid_log_is_ascii INT 0
>> CONFIG proxy.config.log.squid_log_name STRING squid
>> CONFIG proxy.config.log.squid_log_header STRING NULL
>> CONFIG proxy.config.log.common_log_enabled INT 0
>> CONFIG proxy.config.log.common_log_is_ascii INT 1
>> CONFIG proxy.config.log.common_log_name STRING common
>> CONFIG proxy.config.log.common_log_header STRING NULL
>> CONFIG proxy.config.log.extended_log_enabled INT 0
>> CONFIG proxy.config.log.extended_log_is_ascii INT 0
>> CONFIG proxy.config.log.extended_log_name STRING extended
>> CONFIG proxy.config.log.extended_log_header STRING NULL
>> CONFIG proxy.config.log.extended2_log_enabled INT 0
>> CONFIG proxy.config.log.extended2_log_is_ascii INT 1
>> CONFIG proxy.config.log.extended2_log_name STRING extended2
>> CONFIG proxy.config.log.extended2_log_header STRING NULL
>> CONFIG proxy.config.log.separate_icp_logs INT 0
>> CONFIG proxy.config.log.separate_host_logs INT 0
>> CONFIG proxy.config.log.collation_host STRING NULL
>> CONFIG proxy.config.log.collation_port INT 8085
>> CONFIG proxy.config.log.collation_secret STRING foobar
>> CONFIG proxy.config.log.collation_host_tagged INT 0
>> CONFIG proxy.config.log.collation_retry_sec INT 5
>> CONFIG proxy.config.log.rolling_enabled INT 1
>> CONFIG proxy.config.log.rolling_interval_sec INT 86400
>> CONFIG proxy.config.log.rolling_offset_hr INT 0
>> CONFIG proxy.config.log.rolling_size_mb INT 10
>> CONFIG proxy.config.log.auto_delete_rolled_files INT 1
>> CONFIG proxy.config.log.sampling_frequency INT 1
>>
>> ############################################################################## 
>>
>> # Reverse Proxy
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.reverse_proxy.enabled INT 1
>> CONFIG proxy.config.header.parse.no_host_url_redirect STRING NULL
>>
>> ############################################################################## 
>>
>> # URL Remap Rules
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.url_remap.default_to_server_pac INT 0
>> CONFIG proxy.config.url_remap.default_to_server_pac_port INT -1
>> CONFIG proxy.config.url_remap.remap_required INT 1
>> CONFIG proxy.config.url_remap.pristine_host_hdr INT 1
>>
>> ############################################################################## 
>>
>> # ICP Configuration
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.icp.enabled INT 0
>>
>> ############################################################################## 
>>
>> # Scheduled Update Configuration
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.update.enabled INT 0
>> CONFIG proxy.config.update.force INT 0
>> CONFIG proxy.config.update.retry_count INT 10
>> CONFIG proxy.config.update.retry_interval INT 2
>> CONFIG proxy.config.update.concurrent_updates INT 100
>>
>> ############################################################################## 
>>
>> # Socket send/recv buffer sizes 0 == dont call setsockopt()
>>        #
>> # out: proxy -> os connection
>>        #
>> # in : ua -> proxy connection
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.net.sock_send_buffer_size_in INT 65536
>> CONFIG proxy.config.net.sock_recv_buffer_size_in INT 65536
>> CONFIG proxy.config.net.sock_option_flag_in INT 1
>> CONFIG proxy.config.net.sock_send_buffer_size_out INT 65536
>> CONFIG proxy.config.net.sock_recv_buffer_size_out INT 65536
>> CONFIG proxy.config.net.sock_option_flag_out INT 1
>>
>> ############################################################################## 
>>
>> # User Overridden Configurations Below
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.core_limit INT -1
>>
>> ############################################################################## 
>>
>> # Debugging
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.diags.debug.enabled INT 0
>> CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*
>> CONFIG proxy.config.dump_mem_info_frequency INT 0
>> CONFIG proxy.config.stack_dump_enabled 0
>>
>> ############################################################################## 
>>
>> # Log any request that takes more then x number of milliseconds, needs
>>        #
>> # to be > 0 to be enabled
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.http.slow.log.threshold INT 0
>>
>> ############################################################################## 
>>
>> # Thread pool for "misc" tasks, plugins etc. 2 is a good minimum
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.task_threads INT 2
>> CONFIG proxy.config.cluster.cluster_configuration STRING cluster.config
>> CONFIG proxy.config.body_factory.template_sets_dir STRING
>> /etc/trafficserver/body_factory
>>
>> ############################################################################## 
>>
>> # SSL/TLS
>>        #
>> ############################################################################## 
>>
>> CONFIG proxy.config.ssl.SSLv2 INT 0
>> CONFIG proxy.config.ssl.SSLv3 INT 0
>> CONFIG proxy.config.ssl.TLSv1 INT 1
>> CONFIG proxy.config.ssl.TLSv1_1 INT 1
>> CONFIG proxy.config.ssl.TLSv1_2 INT 1
>> CONFIG proxy.config.ssl.client.SSLv2 INT 1
>> CONFIG proxy.config.ssl.client.SSLv3 INT 1
>> CONFIG proxy.config.ssl.client.TLSv1 INT 1
>> CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
>> CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
>> CONFIG proxy.config.ssl.client.certification_level INT 0
>> CONFIG proxy.config.ssl.server.multicert.filename STRING
>> ssl_multicert.config
>> CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl/
>> CONFIG proxy.config.ssl.server.private_key.path STRING
>> /etc/trafficserver/ssl/
>> CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
>> CONFIG proxy.config.ssl.server.cipher_suite STRING
>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM 
>>
>> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
>> CONFIG proxy.config.ssl.server.dhparams_file STRING
>> /etc/trafficserver/ssl/dhparams.pem
>


Re: 5.3.0: TLS completly broken (reverse-proxy)

Posted by Reindl Harald <h....@thelounge.net>.

Am 26.05.2015 um 21:04 schrieb Dave Thompson:
> Hi Reindl,
>
> More details regarding host might help, though if the issue is related
> to having an external scanner contact an internal ATS, you can test TCP
> connectivity with just a 'telnet hostname port'.

TLS is fucked up, nobody talks about an internal host

> To test SSL handshake, you might alternatively try:
> openssl s_client -connect login.yahoo.com:443 < /dev/null
>
> If you're trying an internal scan to something that ssllabs.com can't
> access, you might be interested in checking out:
> yo/checkmyssl

uhm that is and was a production server running as a reverse proxy and 
reachable from ssllabs - the point is that *after* ssllabs tries to scan 
the host the page is dead and Firefox complains about "no shared ciphers"

please read again my post!

for me that's now solved by downgrading to 5.2.1, and all is fine as before 
with nothing else changed

> On Tuesday, May 26, 2015 1:34 PM, Reindl Harald <h....@thelounge.net>
> wrote:
>
>
> i recently did a dist-upgrade to Fedora 21 and at that time decided to
> upgrade ATS to 5.3.0 since load-tests without encryption were fine
>
> well, https://www.ssllabs.com/ssltest/
> <https://www.ssllabs.com/ssltest/> says no connection, after that
> Firefox, which previously displayed the page, said "no shared ciphers" at
> reload; local "sslscan" is more than strange - in other words: as soon
> as you start to scan the server for ssl ciphers something goes terribly
> wrong
>
> it happens that another SNI host still works, until you try to scan it too
>
> downgrade to 5.2.1 and all is fine again
> P.S.: the download page should not only list a .0 release
> ______________________________________________
>
> without changing the environment these different results for "sslscan
> host:443" should be impossible
>
>    Preferred Server Cipher(s):
>      SSLv2  0 bits    (NONE)
>      SSLv3  0 bits    (NONE)
>      TLSv1  0 bits    (NONE)
>      TLS11  0 bits    (NONE)
>      TLS12  0 bits    (NONE)
>
>    Preferred Server Cipher(s):
>      SSLv2  0 bits    (NONE)
>      SSLv3  0 bits    (NONE)
>      TLSv1  0 bits    (NONE)
>      TLS11  0 bits    (NONE)
>      TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
> ______________________________________________
>
> 5.2.1:
>
>    Preferred Server Cipher(s):
>      SSLv2  0 bits    (NONE)
>      SSLv3  0 bits    (NONE)
>      TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>      TLS11  128 bits  ECDHE-RSA-AES128-SHA
>      TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
> ______________________________________________
>
> records.config
>
> ##############################################################################
> # System Variables
>        #
> ##############################################################################
> CONFIG proxy.config.proxy_name STRING proxy.thelounge.net
> CONFIG proxy.config.config_dir STRING /etc/trafficserver
> CONFIG proxy.config.proxy_binary_opts STRING -M
> CONFIG proxy.config.temp_dir STRING /tmp
> CONFIG proxy.config.alarm_email STRING ats
> CONFIG proxy.config.syslog_facility STRING LOG_DAEMON
> CONFIG proxy.config.output.logfile STRING traffic.out
> CONFIG proxy.config.snapshot_dir STRING snapshots
> CONFIG proxy.config.system.mmap_max INT 2097152
>
> ##############################################################################
> # Main threads configuration (worker threads). Also see configurations
> for  #
> # SSL threads, disk I/O threads and task threads in their respective
> areas  #
> ##############################################################################
> CONFIG proxy.config.exec_thread.autoconfig INT 0
> CONFIG proxy.config.exec_thread.limit INT 4
> CONFIG proxy.config.exec_thread.affinity INT 1
> CONFIG proxy.config.accept_threads INT 0
>
> ##############################################################################
> # Local Manager
>        #
> ##############################################################################
> CONFIG proxy.config.admin.admin_user STRING admin
> CONFIG proxy.config.admin.number_config_bak INT 0
> CONFIG proxy.config.admin.user_id STRING ats
>
> ##############################################################################
> # Process Manager
>        #
> ##############################################################################
> CONFIG proxy.config.admin.autoconf_port INT 8083
> CONFIG proxy.config.process_manager.mgmt_port INT 8084
>
> ##############################################################################
> # HTTP Engine
>        #
> ##############################################################################
> CONFIG proxy.config.http.server_ports STRING 80 443:ssl
> CONFIG proxy.config.http.connect_ports STRING 80
> CONFIG proxy.config.http.insert_request_via_str INT 0
> CONFIG proxy.config.http.insert_response_via_str INT 0
> CONFIG proxy.config.http.response_server_enabled INT 0
> CONFIG proxy.config.http.insert_age_in_response INT 1
> CONFIG proxy.config.http.enable_url_expandomatic INT 0
> CONFIG proxy.config.http.no_dns_just_forward_to_parent INT 0
> CONFIG proxy.config.http.uncacheable_requests_bypass_parent INT 0
> CONFIG proxy.config.http.keep_alive_enabled_in INT 1
> CONFIG proxy.config.http.keep_alive_enabled_out INT 1
> CONFIG proxy.config.http.chunking_enabled INT 1
> CONFIG proxy.config.http.chunking.size 64k
> CONFIG proxy.config.http.send_http11_requests INT 1
> CONFIG proxy.config.http.share_server_sessions INT 1
> CONFIG proxy.config.http.origin_server_pipeline INT 1
> CONFIG proxy.config.http.user_agent_pipeline INT 8
> CONFIG proxy.config.http.referer_filter INT 0
> CONFIG proxy.config.http.accept_unknown_methods INT 0
>
> ##############################################################################
> # parent proxy configuration
>        #
> ##############################################################################
> CONFIG proxy.config.http.parent_proxy_routing_enable INT 0
>
> ##############################################################################
> # HTTP connection timeouts (secs)
>        #
> # out: proxy -> origin server connection
>        #
> # in : ua -> proxy connection
>        #
> ##############################################################################
> CONFIG proxy.config.http.keep_alive_no_activity_timeout_in INT 1
> CONFIG proxy.config.http.keep_alive_no_activity_timeout_out INT 1
> CONFIG proxy.config.http.transaction_no_activity_timeout_in INT 60
> CONFIG proxy.config.http.transaction_no_activity_timeout_out INT 60
> CONFIG proxy.config.http.transaction_active_timeout_in INT 3600
> CONFIG proxy.config.http.transaction_active_timeout_out INT 0
> CONFIG proxy.config.http.accept_no_activity_timeout INT 1
> CONFIG proxy.config.http.background_fill_active_timeout INT 0
> CONFIG proxy.config.http.background_fill_completed_threshold FLOAT 0.0
>
> ##############################################################################
> # origin server connect attempts
>        #
> ##############################################################################
> CONFIG proxy.config.http.connect_attempts_max_retries INT 10
> CONFIG proxy.config.http.connect_attempts_max_retries_dead_server INT 10
> CONFIG proxy.config.http.connect_attempts_rr_retries INT 10
> CONFIG proxy.config.http.connect_attempts_timeout INT 30
> CONFIG proxy.config.http.post_connect_attempts_timeout INT 1800
> CONFIG proxy.config.http.down_server.cache_time INT 5
> CONFIG proxy.config.http.down_server.abort_threshold INT 30
>
> ##############################################################################
> # congestion control
>        #
> ##############################################################################
> CONFIG proxy.config.http.congestion_control.enabled INT 0
>
> ##############################################################################
> # negative response caching
>        #
> ##############################################################################
> CONFIG proxy.config.http.negative_caching_enabled INT 1
> CONFIG proxy.config.http.negative_caching_lifetime INT 1
>
> ##############################################################################
> # proxy users variables
>        #
> ##############################################################################
> CONFIG proxy.config.http.anonymize_remove_from INT 0
> CONFIG proxy.config.http.anonymize_remove_referer INT 0
> CONFIG proxy.config.http.anonymize_remove_user_agent INT 0
> CONFIG proxy.config.http.anonymize_remove_cookie INT 0
> CONFIG proxy.config.http.anonymize_remove_client_ip INT 0
> CONFIG proxy.config.http.anonymize_insert_client_ip INT 0
> CONFIG proxy.config.http.anonymize_other_header_list STRING NULL
> CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1
>
> ##############################################################################
> # security
>        #
> ##############################################################################
> CONFIG proxy.config.http.push_method_enabled INT 0
>
> ##############################################################################
> # cache control
>        #
> ##############################################################################
> CONFIG proxy.config.http.normalize_ae_gzip INT 1
> CONFIG proxy.config.http.cache.http INT 1
> CONFIG proxy.config.http.cache.cache_responses_to_cookies INT 3
> CONFIG proxy.config.http.cache.cache_urls_that_look_dynamic INT 1
> CONFIG proxy.config.http.cache.ims_on_client_no_cache INT 1
> CONFIG proxy.config.http.cache.ignore_client_cc_max_age INT 0
> CONFIG proxy.config.http.cache.ignore_client_no_cache INT 0
> CONFIG proxy.config.http.cache.ignore_accept_mismatch INT 2
> CONFIG proxy.config.http.cache.ignore_accept_language_mismatch INT 2
> CONFIG proxy.config.http.cache.ignore_accept_encoding_mismatch INT 2
> CONFIG proxy.config.http.cache.ignore_accept_charset_mismatch INT 2
> CONFIG proxy.config.http.cache.ignore_server_no_cache INT 0
> CONFIG proxy.config.http.cache.ignore_authentication INT 0
> CONFIG proxy.config.http.cache.enable_default_vary_headers INT 0
> CONFIG proxy.config.http.cache.when_to_revalidate INT 0
> CONFIG proxy.config.http.cache.when_to_add_no_cache_to_msie_requests INT 0
> CONFIG proxy.config.http.cache.required_headers INT 0
> CONFIG proxy.config.http.cache.max_stale_age INT 1800
> CONFIG proxy.config.http.cache.range.lookup INT 0
> CONFIG proxy.config.cache.vary_on_user_agent INT 0
>
> ##############################################################################
> # heuristic expiration
>        #
> ##############################################################################
> CONFIG proxy.config.http.cache.heuristic_min_lifetime INT 60
> CONFIG proxy.config.http.cache.heuristic_max_lifetime INT 60
> CONFIG proxy.config.http.cache.heuristic_lm_factor FLOAT 0.100000
> CONFIG proxy.config.http.cache.fuzz.time INT 60
> CONFIG proxy.config.http.cache.fuzz.probability FLOAT 0.005000
>
> ##############################################################################
> # dynamic content & content negotiation
>        #
> ##############################################################################
> CONFIG proxy.config.http.cache.vary_default_text STRING Accept-Encoding
> CONFIG proxy.config.http.cache.vary_default_images STRING NULL
> CONFIG proxy.config.http.cache.vary_default_other STRING NULL
>
> ##############################################################################
> # The HTTP stats are expensive; turn them off if you don't need them
>        #
> ##############################################################################
> CONFIG proxy.config.http.enable_http_stats INT 0
>
> ##############################################################################
> # Customizable User Response Pages
>        #
> ##############################################################################
> CONFIG proxy.config.body_factory.enable_customizations INT 1
> CONFIG proxy.config.body_factory.enable_logging INT 0
> CONFIG proxy.config.body_factory.response_suppression_mode INT 0
>
> ##############################################################################
> # Net Subsystem
>        #
> ##############################################################################
> CONFIG proxy.config.net.connections_throttle INT 30000
> CONFIG proxy.config.net.defer_accept INT 1
>
> ##############################################################################
> # Cluster Subsystem
>        #
> ##############################################################################
> LOCAL proxy.local.cluster.type INT 3
>
> ##############################################################################
> # Cache
>        #
> ##############################################################################
> CONFIG proxy.config.cache.permit.pinning INT 0
> CONFIG proxy.config.cache.ram_cache.size INT 2560M
> CONFIG proxy.config.cache.ram_cache_cutoff INT 512K
> CONFIG proxy.config.cache.ram_cache.algorithm INT 1
> CONFIG proxy.config.cache.ram_cache.use_seen_filter INT 0
> CONFIG proxy.config.cache.ram_cache.compress INT 0
> CONFIG proxy.config.cache.limits.http.max_alts INT 10
> CONFIG proxy.config.cache.target_fragment_size INT 262144
> CONFIG proxy.config.cache.max_doc_size INT 0
> CONFIG proxy.config.cache.enable_read_while_writer INT 1
> CONFIG proxy.config.connection_collapsing.hashtable_enabled INT 1
> CONFIG proxy.config.cache.min_average_object_size INT 32K
> CONFIG proxy.config.cache.threads_per_disk INT 8
> CONFIG proxy.config.cache.mutex_retry_delay INT 10
>
> ##############################################################################
> # DNS
>        #
> ##############################################################################
> CONFIG proxy.config.dns.search_default_domains INT 1
> CONFIG proxy.config.dns.splitDNS.enabled INT 0
> CONFIG proxy.config.dns.max_dns_in_flight INT 2048
> CONFIG proxy.config.dns.url_expansions STRING NULL
> CONFIG proxy.config.dns.round_robin_nameservers INT 0
> CONFIG proxy.config.dns.nameservers STRING 127.0.0.1
> CONFIG proxy.config.dns.resolv_conf STRING NULL
> CONFIG proxy.config.dns.validate_query_name INT 0
>
> ##############################################################################
> # HostDB
>        #
> ##############################################################################
> CONFIG proxy.config.hostdb.size INT 50000
> CONFIG proxy.config.hostdb.storage_size INT 14680064
> CONFIG proxy.config.hostdb.ttl_mode INT 1
> CONFIG proxy.config.hostdb.timeout INT 60
> CONFIG proxy.config.hostdb.strict_round_robin INT 0
> CONFIG proxy.config.hostdb.host_file.path STRING /etc/hosts.dnsmasq
> CONFIG proxy.config.hostdb.host_file.interval INT 3600
> CONFIG proxy.config.hostdb.ip_resolve STRING ipv4;none
>
> ##############################################################################
> # Logging Config
>        #
> #
>        #
> # 0: no logging at all
>        #
> # 1: log errors only
>        #
> # 2: log transactions only
>        #
> # 3: full logging (errors + transactions)
>        #
> ##############################################################################
> LOCAL proxy.local.log.collation_mode INT 0
> CONFIG proxy.config.log.logging_enabled INT 1
> CONFIG proxy.config.log.max_secs_per_buffer INT 5
> CONFIG proxy.config.log.max_space_mb_for_logs INT 25000
> CONFIG proxy.config.log.max_space_mb_for_orphan_logs INT 25
> CONFIG proxy.config.log.max_space_mb_headroom INT 1000
> CONFIG proxy.config.log.hostname STRING localhost
> CONFIG proxy.config.log.logfile_dir STRING /var/log/trafficserver
> CONFIG proxy.config.log.logfile_perm STRING rw-rw----
> CONFIG proxy.config.log.custom_logs_enabled INT 0
> CONFIG proxy.config.log.squid_log_enabled INT 0
> CONFIG proxy.config.log.squid_log_is_ascii INT 0
> CONFIG proxy.config.log.squid_log_name STRING squid
> CONFIG proxy.config.log.squid_log_header STRING NULL
> CONFIG proxy.config.log.common_log_enabled INT 0
> CONFIG proxy.config.log.common_log_is_ascii INT 1
> CONFIG proxy.config.log.common_log_name STRING common
> CONFIG proxy.config.log.common_log_header STRING NULL
> CONFIG proxy.config.log.extended_log_enabled INT 0
> CONFIG proxy.config.log.extended_log_is_ascii INT 0
> CONFIG proxy.config.log.extended_log_name STRING extended
> CONFIG proxy.config.log.extended_log_header STRING NULL
> CONFIG proxy.config.log.extended2_log_enabled INT 0
> CONFIG proxy.config.log.extended2_log_is_ascii INT 1
> CONFIG proxy.config.log.extended2_log_name STRING extended2
> CONFIG proxy.config.log.extended2_log_header STRING NULL
> CONFIG proxy.config.log.separate_icp_logs INT 0
> CONFIG proxy.config.log.separate_host_logs INT 0
> CONFIG proxy.config.log.collation_host STRING NULL
> CONFIG proxy.config.log.collation_port INT 8085
> CONFIG proxy.config.log.collation_secret STRING foobar
> CONFIG proxy.config.log.collation_host_tagged INT 0
> CONFIG proxy.config.log.collation_retry_sec INT 5
> CONFIG proxy.config.log.rolling_enabled INT 1
> CONFIG proxy.config.log.rolling_interval_sec INT 86400
> CONFIG proxy.config.log.rolling_offset_hr INT 0
> CONFIG proxy.config.log.rolling_size_mb INT 10
> CONFIG proxy.config.log.auto_delete_rolled_files INT 1
> CONFIG proxy.config.log.sampling_frequency INT 1
>
> ##############################################################################
> # Reverse Proxy
>        #
> ##############################################################################
> CONFIG proxy.config.reverse_proxy.enabled INT 1
> CONFIG proxy.config.header.parse.no_host_url_redirect STRING NULL
>
> ##############################################################################
> # URL Remap Rules
>        #
> ##############################################################################
> CONFIG proxy.config.url_remap.default_to_server_pac INT 0
> CONFIG proxy.config.url_remap.default_to_server_pac_port INT -1
> CONFIG proxy.config.url_remap.remap_required INT 1
> CONFIG proxy.config.url_remap.pristine_host_hdr INT 1
>
> ##############################################################################
> # ICP Configuration
>        #
> ##############################################################################
> CONFIG proxy.config.icp.enabled INT 0
>
> ##############################################################################
> # Scheduled Update Configuration
>        #
> ##############################################################################
> CONFIG proxy.config.update.enabled INT 0
> CONFIG proxy.config.update.force INT 0
> CONFIG proxy.config.update.retry_count INT 10
> CONFIG proxy.config.update.retry_interval INT 2
> CONFIG proxy.config.update.concurrent_updates INT 100
>
> ##############################################################################
> # Socket send/recv buffer sizes 0 == dont call setsockopt()
>        #
> # out: proxy -> os connection
>        #
> # in : ua -> proxy connection
>        #
> ##############################################################################
> CONFIG proxy.config.net.sock_send_buffer_size_in INT 65536
> CONFIG proxy.config.net.sock_recv_buffer_size_in INT 65536
> CONFIG proxy.config.net.sock_option_flag_in INT 1
> CONFIG proxy.config.net.sock_send_buffer_size_out INT 65536
> CONFIG proxy.config.net.sock_recv_buffer_size_out INT 65536
> CONFIG proxy.config.net.sock_option_flag_out INT 1
>
> ##############################################################################
> # User Overridden Configurations Below
>        #
> ##############################################################################
> CONFIG proxy.config.core_limit INT -1
>
> ##############################################################################
> # Debugging
>        #
> ##############################################################################
> CONFIG proxy.config.diags.debug.enabled INT 0
> CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*
> CONFIG proxy.config.dump_mem_info_frequency INT 0
> CONFIG proxy.config.stack_dump_enabled 0
>
> ##############################################################################
> # Log any request that takes more than x number of milliseconds, needs
>        #
> # to be > 0 to be enabled
>        #
> ##############################################################################
> CONFIG proxy.config.http.slow.log.threshold INT 0
>
> ##############################################################################
> # Thread pool for "misc" tasks, plugins etc. 2 is a good minimum
>        #
> ##############################################################################
> CONFIG proxy.config.task_threads INT 2
> CONFIG proxy.config.cluster.cluster_configuration STRING cluster.config
> CONFIG proxy.config.body_factory.template_sets_dir STRING
> /etc/trafficserver/body_factory
>
> ##############################################################################
> # SSL/TLS
>        #
> ##############################################################################
> CONFIG proxy.config.ssl.SSLv2 INT 0
> CONFIG proxy.config.ssl.SSLv3 INT 0
> CONFIG proxy.config.ssl.TLSv1 INT 1
> CONFIG proxy.config.ssl.TLSv1_1 INT 1
> CONFIG proxy.config.ssl.TLSv1_2 INT 1
> CONFIG proxy.config.ssl.client.SSLv2 INT 1
> CONFIG proxy.config.ssl.client.SSLv3 INT 1
> CONFIG proxy.config.ssl.client.TLSv1 INT 1
> CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
> CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
> CONFIG proxy.config.ssl.client.certification_level INT 0
> CONFIG proxy.config.ssl.server.multicert.filename STRING
> ssl_multicert.config
> CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl/
> CONFIG proxy.config.ssl.server.private_key.path STRING
> /etc/trafficserver/ssl/
> CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
> CONFIG proxy.config.ssl.server.cipher_suite STRING
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> CONFIG proxy.config.ssl.server.dhparams_file STRING
> /etc/trafficserver/ssl/dhparams.pem


Re: 5.3.0: TLS completly broken (reverse-proxy)

Posted by Dave Thompson <da...@yahoo-inc.com>.
Hi Reindl,
More details about the host might help. If the issue is related to an external scanner contacting an internal ATS, you can first test plain TCP connectivity with just `telnet hostname port`.
To test the SSL handshake itself, you might alternatively try: openssl s_client -connect login.yahoo.com:443 < /dev/null
If you're trying an internal scan of something that ssllabs.com can't reach, you might be interested in checking out: yo/checkmyssl
Dave






     On Tuesday, May 26, 2015 1:34 PM, Reindl Harald <h....@thelounge.net> wrote:
   

 i recently did a dist-upgrade to Fedora 21 and at that time decided to 
upgrade ATS to 5.3.0 since load-tests without encryption were fine

well, https://www.ssllabs.com/ssltest/ says no connection; after that, 
Firefox, which had previously displayed the page, said "no shared ciphers" on 
reload, and a local "sslscan" is more than strange - in other words: as soon 
as you start to scan the server for ssl ciphers something goes terribly 
wrong

it happens that another SNI host still works, until you try to scan it too

downgrade to 5.2.1 and all is fine again
P.S.: the download page should not only list a .0 release
______________________________________________

without changing the environment these different results for "sslscan 
host:443" should be impossible

  Preferred Server Cipher(s):
    SSLv2  0 bits    (NONE)
    SSLv3  0 bits    (NONE)
    TLSv1  0 bits    (NONE)
    TLS11  0 bits    (NONE)
    TLS12  0 bits    (NONE)

  Preferred Server Cipher(s):
    SSLv2  0 bits    (NONE)
    SSLv3  0 bits    (NONE)
    TLSv1  0 bits    (NONE)
    TLS11  0 bits    (NONE)
    TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
______________________________________________

5.2.1:

  Preferred Server Cipher(s):
    SSLv2  0 bits    (NONE)
    SSLv3  0 bits    (NONE)
    TLSv1  128 bits  ECDHE-RSA-AES128-SHA
    TLS11  128 bits  ECDHE-RSA-AES128-SHA
    TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
______________________________________________

records.config

##############################################################################
# System Variables 
      #
##############################################################################
CONFIG proxy.config.proxy_name STRING proxy.thelounge.net
CONFIG proxy.config.config_dir STRING /etc/trafficserver
CONFIG proxy.config.proxy_binary_opts STRING -M
CONFIG proxy.config.temp_dir STRING /tmp
CONFIG proxy.config.alarm_email STRING ats
CONFIG proxy.config.syslog_facility STRING LOG_DAEMON
CONFIG proxy.config.output.logfile STRING traffic.out
CONFIG proxy.config.snapshot_dir STRING snapshots
CONFIG proxy.config.system.mmap_max INT 2097152

##############################################################################
# Main threads configuration (worker threads). Also see configurations for  #
# SSL threads, disk I/O threads and task threads in their respective areas  #
##############################################################################
CONFIG proxy.config.exec_thread.autoconfig INT 0
CONFIG proxy.config.exec_thread.limit INT 4
CONFIG proxy.config.exec_thread.affinity INT 1
CONFIG proxy.config.accept_threads INT 0

##############################################################################
# Local Manager 
      #
##############################################################################
CONFIG proxy.config.admin.admin_user STRING admin
CONFIG proxy.config.admin.number_config_bak INT 0
CONFIG proxy.config.admin.user_id STRING ats

##############################################################################
# Process Manager 
      #
##############################################################################
CONFIG proxy.config.admin.autoconf_port INT 8083
CONFIG proxy.config.process_manager.mgmt_port INT 8084

##############################################################################
# HTTP Engine 
      #
##############################################################################
CONFIG proxy.config.http.server_ports STRING 80 443:ssl
CONFIG proxy.config.http.connect_ports STRING 80
CONFIG proxy.config.http.insert_request_via_str INT 0
CONFIG proxy.config.http.insert_response_via_str INT 0
CONFIG proxy.config.http.response_server_enabled INT 0
CONFIG proxy.config.http.insert_age_in_response INT 1
CONFIG proxy.config.http.enable_url_expandomatic INT 0
CONFIG proxy.config.http.no_dns_just_forward_to_parent INT 0
CONFIG proxy.config.http.uncacheable_requests_bypass_parent INT 0
CONFIG proxy.config.http.keep_alive_enabled_in INT 1
CONFIG proxy.config.http.keep_alive_enabled_out INT 1
CONFIG proxy.config.http.chunking_enabled INT 1
CONFIG proxy.config.http.chunking.size 64k
CONFIG proxy.config.http.send_http11_requests INT 1
CONFIG proxy.config.http.share_server_sessions INT 1
CONFIG proxy.config.http.origin_server_pipeline INT 1
CONFIG proxy.config.http.user_agent_pipeline INT 8
CONFIG proxy.config.http.referer_filter INT 0
CONFIG proxy.config.http.accept_unknown_methods INT 0

##############################################################################
# parent proxy configuration 
      #
##############################################################################
CONFIG proxy.config.http.parent_proxy_routing_enable INT 0

##############################################################################
# HTTP connection timeouts (secs) 
      #
# out: proxy -> origin server connection 
      #
# in : ua -> proxy connection 
      #
##############################################################################
CONFIG proxy.config.http.keep_alive_no_activity_timeout_in INT 1
CONFIG proxy.config.http.keep_alive_no_activity_timeout_out INT 1
CONFIG proxy.config.http.transaction_no_activity_timeout_in INT 60
CONFIG proxy.config.http.transaction_no_activity_timeout_out INT 60
CONFIG proxy.config.http.transaction_active_timeout_in INT 3600
CONFIG proxy.config.http.transaction_active_timeout_out INT 0
CONFIG proxy.config.http.accept_no_activity_timeout INT 1
CONFIG proxy.config.http.background_fill_active_timeout INT 0
CONFIG proxy.config.http.background_fill_completed_threshold FLOAT 0.0

##############################################################################
# origin server connect attempts 
      #
##############################################################################
CONFIG proxy.config.http.connect_attempts_max_retries INT 10
CONFIG proxy.config.http.connect_attempts_max_retries_dead_server INT 10
CONFIG proxy.config.http.connect_attempts_rr_retries INT 10
CONFIG proxy.config.http.connect_attempts_timeout INT 30
CONFIG proxy.config.http.post_connect_attempts_timeout INT 1800
CONFIG proxy.config.http.down_server.cache_time INT 5
CONFIG proxy.config.http.down_server.abort_threshold INT 30

##############################################################################
# congestion control 
      #
##############################################################################
CONFIG proxy.config.http.congestion_control.enabled INT 0

##############################################################################
# negative response caching 
      #
##############################################################################
CONFIG proxy.config.http.negative_caching_enabled INT 1
CONFIG proxy.config.http.negative_caching_lifetime INT 1

##############################################################################
# proxy users variables 
      #
##############################################################################
CONFIG proxy.config.http.anonymize_remove_from INT 0
CONFIG proxy.config.http.anonymize_remove_referer INT 0
CONFIG proxy.config.http.anonymize_remove_user_agent INT 0
CONFIG proxy.config.http.anonymize_remove_cookie INT 0
CONFIG proxy.config.http.anonymize_remove_client_ip INT 0
CONFIG proxy.config.http.anonymize_insert_client_ip INT 0
CONFIG proxy.config.http.anonymize_other_header_list STRING NULL
CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1

##############################################################################
# security 
      #
##############################################################################
CONFIG proxy.config.http.push_method_enabled INT 0

##############################################################################
# cache control 
      #
##############################################################################
CONFIG proxy.config.http.normalize_ae_gzip INT 1
CONFIG proxy.config.http.cache.http INT 1
CONFIG proxy.config.http.cache.cache_responses_to_cookies INT 3
CONFIG proxy.config.http.cache.cache_urls_that_look_dynamic INT 1
CONFIG proxy.config.http.cache.ims_on_client_no_cache INT 1
CONFIG proxy.config.http.cache.ignore_client_cc_max_age INT 0
CONFIG proxy.config.http.cache.ignore_client_no_cache INT 0
CONFIG proxy.config.http.cache.ignore_accept_mismatch INT 2
CONFIG proxy.config.http.cache.ignore_accept_language_mismatch INT 2
CONFIG proxy.config.http.cache.ignore_accept_encoding_mismatch INT 2
CONFIG proxy.config.http.cache.ignore_accept_charset_mismatch INT 2
CONFIG proxy.config.http.cache.ignore_server_no_cache INT 0
CONFIG proxy.config.http.cache.ignore_authentication INT 0
CONFIG proxy.config.http.cache.enable_default_vary_headers INT 0
CONFIG proxy.config.http.cache.when_to_revalidate INT 0
CONFIG proxy.config.http.cache.when_to_add_no_cache_to_msie_requests INT 0
CONFIG proxy.config.http.cache.required_headers INT 0
CONFIG proxy.config.http.cache.max_stale_age INT 1800
CONFIG proxy.config.http.cache.range.lookup INT 0
CONFIG proxy.config.cache.vary_on_user_agent INT 0

##############################################################################
# heuristic expiration 
      #
##############################################################################
CONFIG proxy.config.http.cache.heuristic_min_lifetime INT 60
CONFIG proxy.config.http.cache.heuristic_max_lifetime INT 60
CONFIG proxy.config.http.cache.heuristic_lm_factor FLOAT 0.100000
CONFIG proxy.config.http.cache.fuzz.time INT 60
CONFIG proxy.config.http.cache.fuzz.probability FLOAT 0.005000

##############################################################################
# dynamic content & content negotiation 
      #
##############################################################################
CONFIG proxy.config.http.cache.vary_default_text STRING Accept-Encoding
CONFIG proxy.config.http.cache.vary_default_images STRING NULL
CONFIG proxy.config.http.cache.vary_default_other STRING NULL

##############################################################################
# The HTTP stats are expensive; turn them off if you don't need them 
      #
##############################################################################
CONFIG proxy.config.http.enable_http_stats INT 0

##############################################################################
# Customizable User Response Pages 
      #
##############################################################################
CONFIG proxy.config.body_factory.enable_customizations INT 1
CONFIG proxy.config.body_factory.enable_logging INT 0
CONFIG proxy.config.body_factory.response_suppression_mode INT 0

##############################################################################
# Net Subsystem 
      #
##############################################################################
CONFIG proxy.config.net.connections_throttle INT 30000
CONFIG proxy.config.net.defer_accept INT 1

##############################################################################
# Cluster Subsystem 
      #
##############################################################################
LOCAL proxy.local.cluster.type INT 3

##############################################################################
# Cache 
      #
##############################################################################
CONFIG proxy.config.cache.permit.pinning INT 0
CONFIG proxy.config.cache.ram_cache.size INT 2560M
CONFIG proxy.config.cache.ram_cache_cutoff INT 512K
CONFIG proxy.config.cache.ram_cache.algorithm INT 1
CONFIG proxy.config.cache.ram_cache.use_seen_filter INT 0
CONFIG proxy.config.cache.ram_cache.compress INT 0
CONFIG proxy.config.cache.limits.http.max_alts INT 10
CONFIG proxy.config.cache.target_fragment_size INT 262144
CONFIG proxy.config.cache.max_doc_size INT 0
CONFIG proxy.config.cache.enable_read_while_writer INT 1
CONFIG proxy.config.connection_collapsing.hashtable_enabled INT 1
CONFIG proxy.config.cache.min_average_object_size INT 32K
CONFIG proxy.config.cache.threads_per_disk INT 8
CONFIG proxy.config.cache.mutex_retry_delay INT 10

##############################################################################
# DNS 
      #
##############################################################################
CONFIG proxy.config.dns.search_default_domains INT 1
CONFIG proxy.config.dns.splitDNS.enabled INT 0
CONFIG proxy.config.dns.max_dns_in_flight INT 2048
CONFIG proxy.config.dns.url_expansions STRING NULL
CONFIG proxy.config.dns.round_robin_nameservers INT 0
CONFIG proxy.config.dns.nameservers STRING 127.0.0.1
CONFIG proxy.config.dns.resolv_conf STRING NULL
CONFIG proxy.config.dns.validate_query_name INT 0

##############################################################################
# HostDB 
      #
##############################################################################
CONFIG proxy.config.hostdb.size INT 50000
CONFIG proxy.config.hostdb.storage_size INT 14680064
CONFIG proxy.config.hostdb.ttl_mode INT 1
CONFIG proxy.config.hostdb.timeout INT 60
CONFIG proxy.config.hostdb.strict_round_robin INT 0
CONFIG proxy.config.hostdb.host_file.path STRING /etc/hosts.dnsmasq
CONFIG proxy.config.hostdb.host_file.interval INT 3600
CONFIG proxy.config.hostdb.ip_resolve STRING ipv4;none

##############################################################################
# Logging Config 
      #
# 
      #
# 0: no logging at all 
      #
# 1: log errors only 
      #
# 2: log transactions only 
      #
# 3: full logging (errors + transactions) 
      #
##############################################################################
LOCAL proxy.local.log.collation_mode INT 0
CONFIG proxy.config.log.logging_enabled INT 1
CONFIG proxy.config.log.max_secs_per_buffer INT 5
CONFIG proxy.config.log.max_space_mb_for_logs INT 25000
CONFIG proxy.config.log.max_space_mb_for_orphan_logs INT 25
CONFIG proxy.config.log.max_space_mb_headroom INT 1000
CONFIG proxy.config.log.hostname STRING localhost
CONFIG proxy.config.log.logfile_dir STRING /var/log/trafficserver
CONFIG proxy.config.log.logfile_perm STRING rw-rw----
CONFIG proxy.config.log.custom_logs_enabled INT 0
CONFIG proxy.config.log.squid_log_enabled INT 0
CONFIG proxy.config.log.squid_log_is_ascii INT 0
CONFIG proxy.config.log.squid_log_name STRING squid
CONFIG proxy.config.log.squid_log_header STRING NULL
CONFIG proxy.config.log.common_log_enabled INT 0
CONFIG proxy.config.log.common_log_is_ascii INT 1
CONFIG proxy.config.log.common_log_name STRING common
CONFIG proxy.config.log.common_log_header STRING NULL
CONFIG proxy.config.log.extended_log_enabled INT 0
CONFIG proxy.config.log.extended_log_is_ascii INT 0
CONFIG proxy.config.log.extended_log_name STRING extended
CONFIG proxy.config.log.extended_log_header STRING NULL
CONFIG proxy.config.log.extended2_log_enabled INT 0
CONFIG proxy.config.log.extended2_log_is_ascii INT 1
CONFIG proxy.config.log.extended2_log_name STRING extended2
CONFIG proxy.config.log.extended2_log_header STRING NULL
CONFIG proxy.config.log.separate_icp_logs INT 0
CONFIG proxy.config.log.separate_host_logs INT 0
CONFIG proxy.config.log.collation_host STRING NULL
CONFIG proxy.config.log.collation_port INT 8085
CONFIG proxy.config.log.collation_secret STRING foobar
CONFIG proxy.config.log.collation_host_tagged INT 0
CONFIG proxy.config.log.collation_retry_sec INT 5
CONFIG proxy.config.log.rolling_enabled INT 1
CONFIG proxy.config.log.rolling_interval_sec INT 86400
CONFIG proxy.config.log.rolling_offset_hr INT 0
CONFIG proxy.config.log.rolling_size_mb INT 10
CONFIG proxy.config.log.auto_delete_rolled_files INT 1
CONFIG proxy.config.log.sampling_frequency INT 1

##############################################################################
# Reverse Proxy 
      #
##############################################################################
CONFIG proxy.config.reverse_proxy.enabled INT 1
CONFIG proxy.config.header.parse.no_host_url_redirect STRING NULL

##############################################################################
# URL Remap Rules 
      #
##############################################################################
CONFIG proxy.config.url_remap.default_to_server_pac INT 0
CONFIG proxy.config.url_remap.default_to_server_pac_port INT -1
CONFIG proxy.config.url_remap.remap_required INT 1
CONFIG proxy.config.url_remap.pristine_host_hdr INT 1

##############################################################################
# ICP Configuration 
      #
##############################################################################
CONFIG proxy.config.icp.enabled INT 0

##############################################################################
# Scheduled Update Configuration 
      #
##############################################################################
CONFIG proxy.config.update.enabled INT 0
CONFIG proxy.config.update.force INT 0
CONFIG proxy.config.update.retry_count INT 10
CONFIG proxy.config.update.retry_interval INT 2
CONFIG proxy.config.update.concurrent_updates INT 100

##############################################################################
# Socket send/recv buffer sizes 0 == don't call setsockopt()                 #
# out: proxy -> os connection                                                #
# in : ua -> proxy connection                                                #
##############################################################################
# 64 KiB send/receive buffers on both the user-agent-facing (in) and the
# origin-facing (out) sockets. sock_option_flag_* is a bitmask of socket
# options; 1 is the TCP_NODELAY bit per the ATS docs -- confirm against the
# docs for the installed version.
CONFIG proxy.config.net.sock_send_buffer_size_in INT 65536
CONFIG proxy.config.net.sock_recv_buffer_size_in INT 65536
CONFIG proxy.config.net.sock_option_flag_in INT 1
CONFIG proxy.config.net.sock_send_buffer_size_out INT 65536
CONFIG proxy.config.net.sock_recv_buffer_size_out INT 65536
CONFIG proxy.config.net.sock_option_flag_out INT 1

##############################################################################
# User Overridden Configurations Below                                       #
##############################################################################
# core_limit=-1: ATS leaves the core-file size limit at the process default
# rather than setting one -- confirm against the docs. If core dumps are ever
# enabled on this host, remember that a core of a TLS-terminating proxy
# contains private keys and session secrets, so restrict where they are
# written and who can read them.
CONFIG proxy.config.core_limit INT -1

##############################################################################
# Debugging                                                                  #
##############################################################################
# Debug diagnostics are off, so the http.*|dns.* tag filter is inert. Enable
# only briefly in production: debug output at these tags can include request
# headers and other client data.
CONFIG proxy.config.diags.debug.enabled INT 0
CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*
CONFIG proxy.config.dump_mem_info_frequency INT 0
# NOTE(review): the line below has no type field -- every other CONFIG line
# here is "CONFIG <name> <TYPE> <value>", so it would normally read
# "CONFIG proxy.config.stack_dump_enabled INT 0". Check whether records.config
# accepts it as written, or whether this is a paste artifact.
CONFIG proxy.config.stack_dump_enabled 0

##############################################################################
# Log any request that takes more than x number of milliseconds, needs       #
# to be > 0 to be enabled                                                    #
##############################################################################
# 0 = slow-request logging disabled. A modest threshold (a few hundred ms)
# is a cheap way to surface slow origins or abusive request patterns.
CONFIG proxy.config.http.slow.log.threshold INT 0

##############################################################################
# Thread pool for "misc" tasks, plugins etc. 2 is a good minimum            #
##############################################################################
CONFIG proxy.config.task_threads INT 2
CONFIG proxy.config.cluster.cluster_configuration STRING cluster.config
# The STRING value on the line after the next appears to have been wrapped
# onto its own line by the mail client; it belongs on the CONFIG line above
# it (directory for custom error/response body templates).
CONFIG proxy.config.body_factory.template_sets_dir STRING 
/etc/trafficserver/body_factory

##############################################################################
# SSL/TLS                                                                    #
##############################################################################
# Several STRING values in this section appear to have been wrapped onto the
# following line by the mail client; each belongs on the CONFIG line above it.
#
# Server side (client-facing listener): SSLv2 and SSLv3 off, TLS 1.0-1.2 on.
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 0
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
# Client side: the proxy.config.ssl.client.* keys govern the outbound TLS
# connections ATS makes to origin servers. SSLv2 and SSLv3 are still ENABLED
# here, so an origin that only offers SSLv3 would be accepted. Unless a legacy
# origin requires it, set client.SSLv2 and client.SSLv3 to 0 to match the
# server side. (Depending on how the linked OpenSSL was built, SSLv2 may
# already be compiled out and that flag a no-op.)
CONFIG proxy.config.ssl.client.SSLv2 INT 1
CONFIG proxy.config.ssl.client.SSLv3 INT 1
CONFIG proxy.config.ssl.client.TLSv1 INT 1
CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
# certification_level=0: origin certificates are not verified, so the
# proxy->origin hop is encrypted but not authenticated. That is a common
# choice on a trusted private network; if origins are reached over anything
# less trusted, raise this and point the client CA settings
# (proxy.config.ssl.client.CA.cert.*) at the origin CA.
CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.server.multicert.filename STRING 
ssl_multicert.config
# Certificates, private keys and CA certs all live in /etc/trafficserver/ssl/.
# File modes are not visible here -- verify the private-key files are readable
# only by the ATS user.
CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl/
CONFIG proxy.config.ssl.server.private_key.path STRING 
/etc/trafficserver/ssl/
CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
# Cipher list: forward-secret ECDHE/DHE suites first, then static-RSA AES and
# Camellia, with ECDHE-RSA-DES-CBC3-SHA and DES-CBC3-SHA (3DES) last. With
# honor_cipher_order=1 the server's preference wins, so 3DES is only reached
# by clients that offer nothing stronger -- drop the two DES-CBC3 entries
# unless such clients are required. Note that the trailing !MEDIUM removes
# whatever the linked OpenSSL classifies as MEDIUM; in newer OpenSSL releases
# that class includes the 3DES suites, so whether they are offered at all
# depends on the OpenSSL version.
CONFIG proxy.config.ssl.server.cipher_suite STRING 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
# DHE suites are only as strong as the parameters in dhparams.pem (size not
# visible here); 2048-bit or larger is the usual floor.
CONFIG proxy.config.ssl.server.dhparams_file STRING 
/etc/trafficserver/ssl/dhparams.pem