Posted to users@trafficserver.apache.org by supraja sridhar <su...@gmail.com> on 2019/11/25 05:08:45 UTC
Query regarding proxy.config.ssl.client.certification_level
Hello,
I understand that -
proxy.config.ssl.client.certification_level provides the option to
enable/disable client certificate verification across all connections. Is
it possible to skip client certificate verification based on source IP?
Thanks,
Supraja
Re: Query regarding proxy.config.ssl.client.certification_level
Posted by Susan Hinrichs <sh...@verizonmedia.com>.
Yes, ip_allow takes a list of IPs. I think it takes ranges as well. You
may also need a fqdn value.
No, sni.yaml does not make an appearance until 8.x as
ssl_server_name.yaml. The file becomes sni.yaml in 9.0.x.
Susan
On Tue, Dec 3, 2019 at 8:23 AM supraja sridhar <su...@gmail.com>
wrote:
> Also, does sni.yaml exist in ATS 7.1.1?
>
> Thanks
> Supraja
>
> On Tue, Dec 3, 2019 at 9:32 AM supraja sridhar <su...@gmail.com>
> wrote:
>
>> Thanks. Will ip_allow take IPs as input? Is the following a valid example?
>> sni
>> ip_allow: x.y.z.a
>> verify_client: MODERATE
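The sni.yaml settings named in the reply above, laid out as a 9.0.x-style fragment. This is an added example, not part of the thread or of the Traffic Server project's own files; the host names and addresses are constructed placeholders, and the comments describe ip_allow the way the sni.yaml documentation for later releases does.

```yaml
# sni.yaml, ATS 9.0.x layout (in 8.x the file is named ssl_server_name.yaml).
# The global default still comes from records.config, for example:
#   CONFIG proxy.config.ssl.client.certification_level INT 0
# Entries below override that default per server name.
sni:
  # Constructed host name. A client certificate is mandatory here, and only
  # the listed peer addresses may complete the TLS connection for this name.
  # ip_allow is a comma-separated list of single addresses and ranges.
  - fqdn: mtls.example.com
    verify_client: STRICT
    ip_allow: '192.0.2.10,198.51.100.1-198.51.100.255'

  # Constructed host name. A certificate is requested and verified only if
  # the client presents one; no address restriction on this entry.
  - fqdn: www.example.com
    verify_client: MODERATE

# Note: ip_allow filters which peers may connect under an fqdn. Peers outside
# the list are refused for that name; the verify_client level of the entry
# is not relaxed for them.
```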
Re: Query regarding proxy.config.ssl.client.certification_level
Posted by supraja sridhar <su...@gmail.com>.
Also, does sni.yaml exist in ATS 7.1.1?
Thanks
Supraja
On Tue, Dec 3, 2019 at 9:32 AM supraja sridhar <su...@gmail.com>
wrote:
> Thanks. Will ip_allow take IPs as input? Is the following a valid example?
> sni
> ip_allow: x.y.z.a
> verify_client: MODERATE
--
Regards,
S.SUPRAJA
MIT
Re: Query regarding proxy.config.ssl.client.certification_level
Posted by supraja sridhar <su...@gmail.com>.
Thanks. Will ip_allow take IPs as input? Is the following a valid example?
sni
ip_allow: x.y.z.a
verify_client: MODERATE
On Mon, Nov 25, 2019 at 11:59 PM Susan Hinrichs <sh...@verizonmedia.com>
wrote:
> You can specialize the client certificate requirements using sni.yaml. So
> only request it for specific domain names. There is also an ip_allow
> action in sni.yaml (which I see is not documented) which would allow you to
> control requiring a client certificate based on the peer's IP.
>
>
> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/sni.yaml.en.html?highlight=sni%20yaml#std:configfile-sni.yaml
>
> I'll work on putting up a PR with some documentation on the ip_allow
> action.
>
> Susan
--
Regards,
S.SUPRAJA
MIT
Re: Query regarding proxy.config.ssl.client.certification_level
Posted by Susan Hinrichs <sh...@verizonmedia.com>.
You can specialize the client certificate requirements using sni.yaml. So
only request it for specific domain names. There is also an ip_allow
action in sni.yaml (which I see is not documented) which would allow you to
control requiring a client certificate based on the peer's IP.
https://docs.trafficserver.apache.org/en/latest/admin-guide/files/sni.yaml.en.html?highlight=sni%20yaml#std:configfile-sni.yaml
I'll work on putting up a PR with some documentation on the ip_allow action.
Susan
On Sun, Nov 24, 2019 at 11:09 PM supraja sridhar <su...@gmail.com>
wrote:
> Hello,
>
> I understand that -
> proxy.config.ssl.client.certification_level provides the option to
> enable/disable client certificate verification across all connections. Is
> it possible to skip client certificate verification based on source IP?
>
>
> Thanks,
> Supraja
>