Posted to commits@trafficserver.apache.org by ma...@apache.org on 2022/02/02 04:12:44 UTC
[trafficserver] branch master updated: Update descriptions of sni.yaml.default (#8568)
This is an automated email from the ASF dual-hosted git repository.
masaori pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 016a82d Update descriptions of sni.yaml.default (#8568)
016a82d is described below
commit 016a82d8372af00611008528320479e53ab42917
Author: takkitano <35...@users.noreply.github.com>
AuthorDate: Wed Feb 2 13:12:33 2022 +0900
Update descriptions of sni.yaml.default (#8568)
---
configs/sni.yaml.default | 39 +++++++++++++++++++++++++++++----------
1 file changed, 29 insertions(+), 10 deletions(-)
diff --git a/configs/sni.yaml.default b/configs/sni.yaml.default
index e14fee0..3d95c10 100644
--- a/configs/sni.yaml.default
+++ b/configs/sni.yaml.default
@@ -1,26 +1,45 @@
# sni.yaml
#
+# Documentation:
+# https://docs.trafficserver.apache.org/en/latest/admin-guide/files/sni.yaml.en.html
+#
+#
# This configuration file
-# - sets the SSL actions to be performed based on the servername provided during SSL handhshake phase (SNI extension)
+# - sets the SSL actions to be performed based on the servername provided during SSL handshake phase (SNI extension)
# - sets the SSL properties required to make SSL connection with the next hop or origin server.
#
# YAML-based Configuration file
# Format :
# Actions available:
-# http2 - adds or removes HTTP/2 (H2) from the protocol list advertised by ATS; parameter required = None, parameters = on or off
-# verify_client - sets the verification flag for verifying the client certificate; parameters = one of 'NONE', 'MODERATE' or 'STRICT'
-# verify_origin_server - sets the verification flag for verifying the server certificate; parameters = one of 'NONE', 'MODERATE' or 'STRICT'
-# client_cert - sets the client certificate to present to the server specified in dest_host; parameters = certificate file .
-# The location of the certificate file is relative to proxy.config.ssl.server.cert.path directory.
-# tunnel_route - sets the e2e tunnel route
-# ip_allow - lists or range of client IP addresses, subnets that are allowed for this connection. This accepts CIDR format
-# for subnet specification.
+# ip_allow - lists or range of client IP addresses, subnets that are allowed for this connection. This accepts CIDR format
+# for subnet specification.
+# verify_server_policy - sets the verification flag for verifying the server certificate; parameters = one of 'DISABLED', 'PERMISSIVE', 'ENFORCED'
+# verify_server_properties - sets the flag to control what Traffic Server checks when evaluating the origin certificate;
+# parameters = one of 'NONE', 'SIGNATURE', 'NAME', and 'ALL'
+# verify_client - sets the verification flag for verifying the client certificate; parameters = one of 'NONE', 'MODERATE' or 'STRICT'
+# verify_client_ca_certs - specifies an alternate set of certificate authority certs to use to verify the client cert.
+# host_sni_policy - sets the flag to control how policy impacting mismatches between host header and SNI values are dealt with;
+# parameters = one of 'DISABLED', 'PERMISSIVE', or 'ENFORCED'
+# valid_tls_versions_in - sets the list of TLS protocols that will be offered to user agents during the TLS negotiation;
+# parameters = one of 'TLSv1', 'TLSv1_1', 'TLSv1_2', and 'TLSv1_3'.
+# client_cert - sets the client certificate to present to the server specified in dest_host; parameters = certificate file .
+# The location of the certificate file is relative to proxy.config.ssl.server.cert.path directory.
+# client_key - sets the file containing the client private key that corresponds to the certificate for the outbound connection.
+# client_sni_policy - policy of SNI on outbound connection.
+# http2 - adds or removes HTTP/2 (H2) from the protocol list advertised by ATS; parameter required = None, parameters = on or off
+# tunnel_route - sets the e2e tunnel route
+# forward_route - destination as an FQDN and port, separated by a colon :.
+# this is similar to tunnel_route, but it terminates the TLS connection and forwards the decrypted traffic.
+# partial_blind_route - destination as an FQDN and port, separated by a colon :.
+# this is similar to forward_route in that Traffic Server terminates the incoming TLS connection.
+# in addition partial_blind_route creates a new TLS connection to the specified origin.
+# tunnel_alpn - list of ALPN Protocol Ids for Partial Blind Tunnel.
#
# Example:
# sni:
# - fqdn: one.com
# http2: off
-# verify_origin_server: STRICT
+# verify_server_policy: ENFORCED
# client_cert: somepem.pem
# verify_client: MODERATE
# - fqdn: two.com
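Review bot: The new `valid_tls_versions_in` entry is inconsistent with itself: it says the action "sets the list of TLS protocols", but the next line gives `parameters = one of 'TLSv1', 'TLSv1_1', 'TLSv1_2', and 'TLSv1_3'.`, which reads as a single value and could lead an operator to think only one protocol version can be offered. A wording such as `parameters = a list containing any of 'TLSv1', 'TLSv1_1', 'TLSv1_2', and 'TLSv1_3'.` would match the first sentence. Similarly, `verify_client_ca_certs` and `client_key` describe the purpose but, unlike `client_cert`, do not say whether the path is relative to `proxy.config.ssl.server.cert.path` or absolute; if the resolution rule is the same as for `client_cert` it is worth stating, since a mis-resolved CA bundle silently changes which client certs are accepted.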