Posted to users@trafficserver.apache.org by Jeremy Payne <jp...@gmail.com> on 2017/01/17 21:56:17 UTC
Origin SNI Value
Hello,
I currently have ATS configured to support a pristine host header.
proxy.config.url_remap.pristine_host_hdr 1
I also have ATS configured to verify the origin server certificate.
proxy.config.ssl.client.verify.server 1
My remap looks like this.
map https://edge.abc.com/ https://origin.xyz.com/
Because pristine is enabled, when ATS sends a request back to the origin,
it uses an SNI value of:
edge.abc.com
However, the origin returns a certificate that does not match the SNI.
Because the requested SNI and the returned CN/SAN do not match, coupled
with verify.server enabled, ATS terminates the origin session and sends a
502 back to the client.
Is there another control or configuration that allows me to define which
SNI value to send back to the origin?
I need to keep pristine enabled and I need verify.server enabled.
Thanks in advance.
Re: Origin SNI Value
Posted by Jeremy Payne <jp...@gmail.com>.
Brian,
Yes, Kishore is part of our dev team. He should be reaching out to you here
soon.
Thanks for offering your expert guidance.
On Fri, Jan 20, 2017 at 12:20 AM, Brian Geffon <br...@gmail.com>
wrote:
Re: Origin SNI Value
Posted by Brian Geffon <br...@gmail.com>.
Hey Jeremy, is the guy who requested the bug on your team? I'm happy to
advise on how to fix it if you guys need.
Brian
On Thu, Jan 19, 2017, 05:30 Jeremy Payne <jp...@gmail.com> wrote:
Re: Origin SNI Value
Posted by Jeremy Payne <jp...@gmail.com>.
"bug" filed.
https://github.com/apache/trafficserver/issues/1344
On Thu, Jan 19, 2017 at 6:37 AM, Jeremy Payne <jp...@gmail.com> wrote:
Re: Origin SNI Value
Posted by Jeremy Payne <jp...@gmail.com>.
Thus far it appears that right before the origin request is built, the SNI value
is derived from the original client (end user) defined HOST header. Since we
have pristine enabled, we don't want the original client HOST header to be
used as the origin SNI. So right after the cache lookup we change the
client HOST header to the desired SNI value. This seems to work without
impacts to the cache key, etc.
++++++++
-- Runs at CACHE_LOOKUP_COMPLETE, i.e. after the cache key has been
-- computed, so rewriting Host here only affects the origin request.
function cache_lookup()
    ts.client_request.header['Host'] = 'origin.tld'
    return 0
end

function do_remap()
    -- Register the hook for this remap rule only.
    ts.hook(TS_LUA_HOOK_CACHE_LOOKUP_COMPLETE, cache_lookup)
    return 0
end
++++++++
On Wed, Jan 18, 2017 at 8:09 PM, Leif Hedstrom <zw...@apache.org> wrote:
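The two behaviours discussed in this thread, the origin SNI being taken from the client's Host header when pristine_host_hdr is on (the original report) and the CACHE_LOOKUP_COMPLETE Host rewrite leaving the cache key untouched (the workaround above), modelled as a small Python script. This is an added example, not Traffic Server code and not something posted in the thread: the remap table, the certificate names, the request path, the function names and the way the cache key is derived are all assumptions made for the model.

```python
"""Constructed model of the origin-side behaviour this thread describes.

Not Apache Traffic Server code. It reproduces only the decision logic
under discussion: which name becomes the origin SNI, whether the origin
certificate passes verify.server, and what the cache key is, for
pristine_host_hdr on/off and for the CACHE_LOOKUP_COMPLETE Host rewrite.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed remap table, mirroring the remap.config line in the thread.
REMAP = {"edge.abc.com": "origin.xyz.com"}


def hostname_matches(sni: str, presented: List[str]) -> bool:
    """True if `sni` matches a CN/SAN dNSName in `presented`.

    RFC 6125-style rule: case-insensitive, trailing dot ignored, and a
    wildcard only stands for the whole leftmost label ("*.xyz.com"
    matches "origin.xyz.com" but not "xyz.com" or "a.b.xyz.com").
    """
    sni = sni.lower().rstrip(".")
    for name in presented:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                      # ".xyz.com"
            if sni.endswith(suffix):
                leftmost = sni[: -len(suffix)]
                if leftmost and "." not in leftmost:
                    return True
        elif name == sni:
            return True
    return False


@dataclass
class Config:
    pristine_host_hdr: bool        # proxy.config.url_remap.pristine_host_hdr
    verify_server: bool            # proxy.config.ssl.client.verify.server
    host_after_cache_lookup: Optional[str] = None   # the Lua workaround, if any


def proxy_transaction(client_host: str, path: str, cfg: Config,
                      origin_cert_names: List[str]) -> Dict[str, object]:
    """Walk one request through the stages the thread talks about."""
    # 1. Remap: the connection always goes to the remap target; with
    #    pristine_host_hdr the Host header keeps the client's value.
    origin_host = REMAP[client_host]
    host_hdr = client_host if cfg.pristine_host_hdr else origin_host

    # 2. Cache lookup: the key is fixed here, from the request as it stands
    #    at this point (model assumption: scheme + Host + path).
    cache_key = "https://%s%s" % (host_hdr, path)

    # 3. CACHE_LOOKUP_COMPLETE hook: the workaround rewrites Host only
    #    after the key exists, so the key is unaffected.
    if cfg.host_after_cache_lookup is not None:
        host_hdr = cfg.host_after_cache_lookup

    # 4. Origin request built: per the thread, SNI comes from the Host
    #    header rather than from the remap target.
    sni = host_hdr

    # 5. TLS handshake: verify.server requires SNI to match CN/SAN.
    name_match = hostname_matches(sni, origin_cert_names)
    accepted = name_match or not cfg.verify_server
    return {
        "connect_to": origin_host,
        "sni": sni,
        "cache_key": cache_key,
        "name_match": name_match,   # False with status 200 = unverified origin
        "status": 200 if accepted else 502,
    }


# Constructed scenario: the origin presents only its own name.
ORIGIN_CERT = ["origin.xyz.com"]
PATH = "/index.html"


def case_pristine_verify() -> Dict[str, object]:
    """The reported failure: pristine on, verify on, no workaround."""
    return proxy_transaction("edge.abc.com", PATH,
                             Config(True, True), ORIGIN_CERT)


def case_no_pristine() -> Dict[str, object]:
    """Pristine off: SNI and cache key both become the origin name."""
    return proxy_transaction("edge.abc.com", PATH,
                             Config(False, True), ORIGIN_CERT)


def case_workaround() -> Dict[str, object]:
    """Pristine on, verify on, Host rewritten at CACHE_LOOKUP_COMPLETE."""
    return proxy_transaction("edge.abc.com", PATH,
                             Config(True, True, "origin.xyz.com"), ORIGIN_CERT)


def case_verify_off() -> Dict[str, object]:
    """Disabling verify.server instead: no 502, but the mismatch is hidden."""
    return proxy_transaction("edge.abc.com", PATH,
                             Config(True, False), ORIGIN_CERT)


if __name__ == "__main__":
    for fn in (case_pristine_verify, case_no_pristine,
               case_workaround, case_verify_off):
        print("%-21s %s" % (fn.__name__, fn()))
```

Running it prints the four cases side by side. The `name_match` field is the one to watch: the verify-off row returns 200 with `name_match` False, which is the silent failure that keeping verify.server enabled (as the thread requires) rules out, while the workaround row keeps the edge cache key and still passes verification because the SNI now names the origin.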
Re: Origin SNI Value
Posted by Leif Hedstrom <zw...@apache.org>.
I think we ran into just this same problem. Gancho, what was the solution?
-- Leif
> On Jan 17, 2017, at 3:06 PM, Brian Geffon <br...@gmail.com> wrote:
Re: Origin SNI Value
Posted by Brian Geffon <br...@gmail.com>.
That sounds like a bug and after looking through the code it does appear to
be:
https://github.com/apache/trafficserver/blob/master/proxy/http/HttpSM.cc#L5046
That's the wrong value to use since it never gets overwritten here:
https://github.com/apache/trafficserver/blob/master/proxy/http/remap/RemapProcessor.cc#L242
Can you please file a bug?
Brian
On Tue, Jan 17, 2017 at 1:56 PM Jeremy Payne <jp...@gmail.com> wrote: