GitHub user jp557198 opened an issue: https://github.com/apache/trafficserver/issues/1344
Origin SNI I currently have ATS configured to support a pristine host header. proxy.config.url_remap.pristine_host_hdr 1 I also have ATS configured to verify the origin server certificate. proxy.config.ssl.client.verify.server 1 My remap looks like this. map https://edge.tld/ https://origin.tld/ Because pristine is enabled, when ATS sends a request back to the origin, it uses a SNI value of: edge.tld However, the origin returns a certificate that does not match the SNI. Specifically a CN of 'origin.tld' Because the requested SNI and the returned CN/SAN do not match, coupled with verify.server enabled, ATS throws a TLS alert and sends a 502 back to the client. After some testing it appears that when the origin request is built, the SNI is derived from the original client HOST header. In situations where the origin certificate will not match the requested SNI value, the ATS administrator needs the ability to change the SNI accordingly. A current work around is to use a lua script to modify the original client HOST header as the origin request is being built. ++++++++ function cache_lookup() ts.client_request.header['Host'] = 'origin.tld' return 0 end function do_remap() ts.hook(TS_LUA_HOOK_CACHE_LOOKUP_COMPLETE, cache_lookup) return 0 end ++++++++ Ideally there should be an over-ride option that sets the SNI which has priority over the client HOST header. One thought is to pass origin TLS options on the remap line. Something like.. map https://edge.tld/ https://origin.tld/ tlsopt:sni=origin.tld;tlsopt2=foo;tlsopt3=bar (maybe as a start only support a SNI tlsopt. add support for more tlsopts as ATS evolves) ---- ---- --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---