Posted to users@trafficserver.apache.org by Mauro Gasparini <mj...@cablenet.com.ar> on 2014/08/13 20:34:08 UTC

Trafficserver and HTTPS (SSL)

I would like to get help to configure Trafficserver and HTTPS.
My goal is to achieve Transparent Proxying to perform caching of http 
and https (mainly of videos for youtube/googlevideo and facebook/akamai 
images).
I've been reading this week 
mail-archives.apache.org/mod_mbox/trafficserver-users and 
docs.trafficserver.apache.org but could not achieve my objective.

Questions:
. Do I have to install an SSL server certificate?
. Do I have to make a remap rule?
. Did I make something good?

Thanks and Regards. Mauro.

##########################################################
  --------------
| General data |
  --------------

ATS Version
# traffic_server -V
[TrafficServer] using root directory '/opt/ats'
Apache Traffic Server - traffic_server - 5.0.1 - (build # 63016 on Jul 30 2014 at 16:46:34)

ATS OS: debian 7.6

ATS interfaces: eth0

  ---------------
| Configuration |
  ---------------

Routing
-------
                    /-----\
                    | ATS |
                    \-----/
                       /\
                        |
                        |
                        |
                       \/
/----------\      /--------\       /---------\
| Internet | <--> | router |  <--> | clients |
\----------/      \--------/       \---------/

The router redirects traffic from clients with dst-port 80 and 443 to ATS.

In ATS I've got the following rules and routes:
net/ipv4/ip_forward=1

iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j TPROXY --on-ip 0.0.0.0 --on-port 443 --tproxy-mark 2/2
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --sport 443 -j MARK --set-mark 2/2
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE (because it works as a transparent proxy)

ip rule add fwmark 1/1 table 1
ip rule add fwmark 2/2 table 1
ip route add local 0.0.0.0/0 dev eth0 table 1

ssl_multicert.config
--------------------
dest_ip=* ssl_cert_name=cert.pem ssl_key_name=key.pem

I created an X.509 Certificate Signing Request (CSR) and RSA key as 
follows in etc/trafficserver/ssl:
openssl req -x509 -newkey rsa:2048 -keyout keypriv.pem -out cert.pem -days 365
openssl rsa -in keypriv.pem -out key.pem

records.config
--------------
##############################################################################
# Thread configurations. Docs:
##############################################################################
CONFIG proxy.config.exec_thread.autoconfig INT 1
CONFIG proxy.config.exec_thread.autoconfig.scale FLOAT 1.500000
CONFIG proxy.config.exec_thread.limit INT 2
CONFIG proxy.config.ssl.number.threads INT 1
CONFIG proxy.config.accept_threads INT 1
CONFIG proxy.config.task_threads INT 2
CONFIG proxy.config.cache.threads_per_disk INT 8
CONFIG proxy.config.exec_thread.affinity INT 0
##############################################################################
# Specify server addresses and ports to bind for HTTP and HTTPS. Docs:
##############################################################################
CONFIG proxy.config.http.server_ports STRING 8080:tr-full, 443:ssl:tr-full
CONFIG proxy.config.http.server_port_attr STRING =
CONFIG proxy.config.reverse_proxy.enabled INT 1
##############################################################################
# Via: headers. Docs:
##############################################################################
CONFIG proxy.config.http.insert_request_via_str INT 0
CONFIG proxy.config.http.insert_response_via_str INT 0
##############################################################################
# Parent proxy configuration, in addition to these settings also see parent.config. Docs:
##############################################################################
CONFIG proxy.config.http.parent_proxy_routing_enable INT 0
CONFIG proxy.config.http.parent_proxy.retry_time INT 300
CONFIG proxy.config.http.parent_proxy.connect_attempts_timeout INT 30
CONFIG proxy.config.http.forward.proxy_auth_to_parent INT 0
##############################################################################
# HTTP connection timeouts (secs). Docs:
##############################################################################
CONFIG proxy.config.http.keep_alive_no_activity_timeout_in INT 600
CONFIG proxy.config.http.keep_alive_no_activity_timeout_out INT 600
CONFIG proxy.config.http.transaction_no_activity_timeout_in INT 30
CONFIG proxy.config.http.transaction_no_activity_timeout_out INT 30
CONFIG proxy.config.http.transaction_active_timeout_in INT 43200
CONFIG proxy.config.http.transaction_active_timeout_out INT 43200
CONFIG proxy.config.http.accept_no_activity_timeout INT 30
CONFIG proxy.config.net.default_inactivity_timeout INT 30
##############################################################################
# Origin server connect attempts. Docs:
##############################################################################
CONFIG proxy.config.http.connect_attempts_max_retries INT 6
CONFIG proxy.config.http.connect_attempts_max_retries_dead_server INT 3
CONFIG proxy.config.http.connect_attempts_rr_retries INT 3
CONFIG proxy.config.http.connect_attempts_timeout INT 30
CONFIG proxy.config.http.post_connect_attempts_timeout INT 1800
CONFIG proxy.config.http.down_server.cache_time INT 300
CONFIG proxy.config.http.down_server.abort_threshold INT 10
##############################################################################
# Negative response caching, for redirects and errors. Docs:
##############################################################################
CONFIG proxy.config.http.negative_caching_enabled INT 0
CONFIG proxy.config.http.negative_caching_lifetime INT 1800
##############################################################################
# Proxy users variables. Docs:
##############################################################################
CONFIG proxy.config.http.anonymize_insert_client_ip INT 0
CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 0
##############################################################################
# Security. Docs:
##############################################################################
CONFIG proxy.config.http.push_method_enabled INT 0
##############################################################################
# Cache control. Docs:
##############################################################################
CONFIG proxy.config.http.cache.ignore_client_cc_max_age INT 1
CONFIG proxy.config.http.normalize_ae_gzip INT 1
CONFIG proxy.config.http.cache.cache_responses_to_cookies INT 1
CONFIG proxy.config.http.cache.cache_urls_that_look_dynamic INT 1
CONFIG proxy.config.http.cache.when_to_revalidate INT 0
CONFIG proxy.config.http.cache.required_headers INT 2
#improvements from trafficserver wiki added by Emiliano
CONFIG proxy.config.http.chunking.size INT 131072
CONFIG proxy.config.http.server_session_sharing.match STRING host
CONFIG proxy.config.http.cache.ignore_server_no_cache INT 1
##############################################################################
# Heuristic cache expiration. Docs:
##############################################################################
CONFIG proxy.config.http.cache.heuristic_min_lifetime INT 3600
CONFIG proxy.config.http.cache.heuristic_max_lifetime INT 86400
CONFIG proxy.config.http.cache.heuristic_lm_factor FLOAT 0.100000
##############################################################################
# Network. Docs:
##############################################################################
CONFIG proxy.config.net.connections_throttle INT 30000
##############################################################################
# RAM and disk cache configurations. Docs:
##############################################################################
CONFIG proxy.config.cache.ram_cache.size INT 6
CONFIG proxy.config.cache.ram_cache_cutoff INT 4194304
CONFIG proxy.config.cache.limits.http.max_alts INT 5
CONFIG proxy.config.cache.max_doc_size INT 0
CONFIG proxy.config.cache.min_average_object_size INT 8000
##############################################################################
# Logging Config. Docs:
##############################################################################
CONFIG proxy.config.log.logging_enabled INT 3
CONFIG proxy.config.log.max_space_mb_for_logs INT 25000
CONFIG proxy.config.log.max_space_mb_headroom INT 1000
CONFIG proxy.config.log.squid_log_enabled INT 1
CONFIG proxy.config.log.squid_log_is_ascii INT 1
CONFIG proxy.config.log.rolling_enabled INT 1
CONFIG proxy.config.log.rolling_interval_sec INT 86400
CONFIG proxy.config.log.rolling_size_mb INT 10
CONFIG proxy.config.log.auto_delete_rolled_files INT 1
##############################################################################
# These settings control remapping, and if the proxy allows (open) forward proxy or not. Docs:
##############################################################################
CONFIG proxy.config.url_remap.remap_required INT 0
CONFIG proxy.config.url_remap.pristine_host_hdr INT 0
##############################################################################
# SSL Termination. Docs:
##############################################################################
CONFIG proxy.config.ssl.client.verify.server INT 0
CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2
CONFIG proxy.config.ssl.enabled INT 1
CONFIG proxy.config.ssl.server.honor_cipher_order INT 0
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.compression INT 1
CONFIG proxy.config.ssl.server.cert.filename STRING cert.pem
CONFIG proxy.config.ssl.server.private_key.filename STRING key.pem
CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver/ssl
CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver/ssl
CONFIG proxy.config.ssl.CA.cert.path STRING etc/trafficserver/ssl
CONFIG proxy.config.ssl.client.cert.path STRING etc/trafficserver/ssl
CONFIG proxy.config.ssl.client.private_key.path STRING etc/trafficserver/ssl
CONFIG proxy.config.ssl.client.CA.cert.path STRING etc/trafficserver/ssl
CONFIG proxy.config.ssl.server.multicert.filename STRING ssl/ssl_multicert.config
##############################################################################
# ICP Configuration. Docs:
##############################################################################
CONFIG proxy.config.icp.enabled INT 0
##############################################################################
# Debugging. Docs:
##############################################################################
CONFIG proxy.config.diags.debug.enabled INT 1
CONFIG proxy.config.diags.debug.tags STRING cache_control|middlecast|ssl
# ToDo: Undocumented
CONFIG proxy.config.dump_mem_info_frequency INT 0
CONFIG proxy.config.http.slow.log.threshold INT 0
##############################################################################
# These are necessary (for now) to keep traffic_manager/_cop happy.
##############################################################################
CONFIG proxy.config.proxy_name STRING host160-253
CONFIG proxy.config.admin.user_id STRING nobody
CONFIG proxy.config.log.logfile_dir STRING var/log/trafficserver
CONFIG proxy.config.output.logfile STRING traffic.out
##############################################################################
# Cluster Subsystem. Docs:
##############################################################################
LOCAL proxy.local.cluster.type INT 3
CONFIG proxy.config.cluster.ethernet_interface STRING lo
CONFIG proxy.config.cluster.cluster_port INT 8086
CONFIG proxy.config.cluster.rsport INT 8088
CONFIG proxy.config.cluster.mcport INT 8089
CONFIG proxy.config.cluster.mc_group_addr STRING 224.0.1.37
CONFIG proxy.config.http.response_server_enabled INT 0
CONFIG proxy.config.http.insert_age_in_response INT 0
CONFIG proxy.config.cluster.cluster_configuration STRING cluster.config
CONFIG proxy.config.body_factory.template_sets_dir STRING etc/trafficserver/body_factory
CONFIG proxy.config.cache.control.filename STRING cache.config
CONFIG proxy.config.cache.permit.pinning INT 1
CONFIG proxy.config.cache.enable_read_while_writer INT 0
CONFIG proxy.config.http.background_fill_active_timeout INT 1
CONFIG proxy.config.http.background_fill_completed_threshold FLOAT 0.500000

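As an added example (not part of the original post or of the ATS project), a small audit of the SSL section of a records.config like the one above: it parses the CONFIG lines and flags the settings that weaken an interposing proxy, namely origin certificate verification turned off, TLS compression on, no server cipher ordering, RC4/3DES suites, and a cipher token where the ':' before a '!' exclusion is missing. The excerpt is constructed from the posted values; the setting names are real ATS 5.x records.

```python
import re

# Constructed excerpt modeled on the SSL section of the posted records.config.
SAMPLE_RECORDS = """\
CONFIG proxy.config.ssl.client.verify.server INT 0
CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:RC4-SHA:RC4-MD5:AES128-SHA:DES-CBC3-SHA!SRP:!DSS:!aNULL:!eNULL:!SSLv2
CONFIG proxy.config.ssl.server.honor_cipher_order INT 0
CONFIG proxy.config.ssl.compression INT 1
"""

# records.config line shape: CONFIG|LOCAL <name> <INT|STRING|FLOAT> <value>
RECORD_RE = re.compile(r"^(CONFIG|LOCAL)\s+(\S+)\s+(INT|STRING|FLOAT)\s*(.*)$")

def parse_records(text):
    """Parse records.config lines into {name: value}; comments and blanks are skipped."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        _, name, typ, value = m.groups()
        if typ == "INT":
            value = int(value)
        elif typ == "FLOAT":
            value = float(value)
        records[name] = value
    return records

WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC3", "MD5", "NULL", "EXPORT")

def audit_ssl(records):
    """Return (setting, finding) tuples for SSL settings that weaken the proxy."""
    findings = []
    if records.get("proxy.config.ssl.client.verify.server") == 0:
        findings.append(("proxy.config.ssl.client.verify.server",
                         "origin server certificates are not verified on outbound TLS"))
    if records.get("proxy.config.ssl.compression") == 1:
        findings.append(("proxy.config.ssl.compression", "TLS compression enabled (CRIME)"))
    if records.get("proxy.config.ssl.server.honor_cipher_order") == 0:
        findings.append(("proxy.config.ssl.server.honor_cipher_order",
                         "client chooses the cipher, so any weak suite listed is reachable"))
    suite = records.get("proxy.config.ssl.server.cipher_suite", "")
    for token in suite.split(":"):
        if "!" in token[1:]:  # '!' anywhere but the first char means two rules ran together
            findings.append(("proxy.config.ssl.server.cipher_suite",
                             f"malformed token {token!r}: missing ':' before '!'"))
        elif not token.startswith("!") and any(w in token for w in WEAK_CIPHER_MARKERS):
            findings.append(("proxy.config.ssl.server.cipher_suite", f"weak cipher enabled: {token}"))
    return findings

if __name__ == "__main__":
    for setting, finding in audit_ssl(parse_records(SAMPLE_RECORDS)):
        print(f"{setting}: {finding}")
```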

Re: Trafficserver and HTTPS (SSL)

Posted by Mauro Gasparini <mj...@cablenet.com.ar>.
Certainly I am referring to Susan's work "SSL support extensions - 
design review request".
Thank you very much for the description of use cases.


On 21/08/14 16:05, Alan M. Carroll wrote:

> Mauro,
>
> I couldn't follow your links, but if you mean Susan's work on SSL, that's based on some work I did for a client who agreed that I could (when I had time) incorporate the ATS changes I did back into ATS. Susan made it work for 5.X and added some additional functionality (e.g., SNI support). Based on a number of discussions with ATS users this work seemed to be of general interest for a variety of reasons. For example, one use case was to intercept SSL for origin servers listed in ssl_multicert.cfg and blind tunnel the rest. I think one of the example plugins does it the other way, white (tunnel) listing clients who bypass interception, another request that came up in my discussions.
>
> The short answer is, it is being done both for improved architecture and because many users have a use for these extensions so the work is being done in as general a way as possible.


Re: Trafficserver and HTTPS (SSL)

Posted by "Alan M. Carroll" <am...@network-geographics.com>.
Mauro,

I couldn't follow your links, but if you mean Susan's work on SSL, that's based on some work I did for a client who agreed that I could (when I had time) incorporate the ATS changes I did back into ATS. Susan made it work for 5.X and added some additional functionality (e.g., SNI support). Based on a number of discussions with ATS users this work seemed to be of general interest for a variety of reasons. For example, one use case was to intercept SSL for origin servers listed in ssl_multicert.cfg and blind tunnel the rest. I think one of the example plugins does it the other way, white (tunnel) listing clients who bypass interception, another request that came up in my discussions.

The short answer is, it is being done both for improved architecture and because many users have a use for these extensions so the work is being done in as general a way as possible.


Re: Trafficserver and HTTPS (SSL)

Posted by Mauro Gasparini <mj...@cablenet.com.ar>.
Thanks Leif, I did not want to answer this mail before performing other tests.
On the other hand, I saw that developers are still working on extensions 
for SSL 
(https://www.mail-archive.com/dev@trafficserver.apache.org/msg06487.html).
Do you know if it is a modification for design improvement, or do they 
want to prepare for some future form of dynamic generation of certificates?

Regards. Mauro.

On 13/08/14 19:37, Leif Hedstrom wrote:
> On Aug 14, 2014, at 2:34 AM, Mauro Gasparini <mj...@cablenet.com.ar> wrote:
>
>> I would like to get help to configure Trafficserver and HTTPS.
>> My goal is to achieve Transparent Proxying to perform caching of http and https (mainly of videos for youtube/googlevideo and facebook/akamai images).
>> I've been reading this week mail-archives.apache.org/mod_mbox/trafficserver-users and docs.trafficserver.apache.org but could not achieve my objective.
>>
>> Questions:
>> . Do I have to install an SSL server certificate?
> Yes. For every domain that you want to cache / proxy HTTPS for. Or use some other MITM type attacks against TLS.
>
>> . Do I have to make a remap rule?
> No.
>
>
> Let's take HTTPS out of the picture, because without some major effort (such as creating a CA that your clients trust, and injecting certificates for all domains), it won’t work in tproxy. With the remaining configs, does it not work? I didn’t examine your setups, but we do support transparent proxy for HTTP.
>
> — Leif
>
>


Re: Trafficserver and HTTPS (SSL)

Posted by Leif Hedstrom <zw...@apache.org>.
On Aug 14, 2014, at 2:34 AM, Mauro Gasparini <mj...@cablenet.com.ar> wrote:

> I would like to get help to configure Trafficserver and HTTPS.
> My goal is to achieve Transparent Proxying to perform caching of http and https (mainly of videos for youtube/googlevideo and facebook/akamai images).
> I've been reading this week mail-archives.apache.org/mod_mbox/trafficserver-users and docs.trafficserver.apache.org but could not achieve my objective.
> 
> Questions:
> . Do I have to install an SSL server certificate?

Yes. For every domain that you want to cache / proxy HTTPS for. Or use some other MITM type attacks against TLS.

> . Do I have to make a remap rule?

No.


Let's take HTTPS out of the picture, because without some major effort (such as creating a CA that your clients trust, and injecting certificates for all domains), it won’t work in tproxy. With the remaining configs, does it not work? I didn’t examine your setups, but we do support transparent proxy for HTTP.

— Leif