mhomaid1 opened a new issue, #9949:
URL: https://github.com/apache/trafficserver/issues/9949

   I'm using `trafficserver` 9.1.1 and running it as a forward proxy. I set `remap_required` to 1 and added this line to remap.config: `map https://example.com https://example.com @action=allow`.
   
   My question is: is this the correct way to do whitelisting, because I don't want to do any mapping, I just want to whitelist? Also, this works fine, but we are currently facing the issue below with 20% of our domains.
   
   When I try to connect with `remap_required` set to 0, it works fine:
   ```
   curl -x localhost:8080 https://example.com -v
   *   Trying localhost:8080...
   * Connected to (nil) (localhost) port 8080 (#0)
   * allocate connect buffer!
   * Establish HTTP proxy tunnel to example.com:443
   > CONNECT example.com:443 HTTP/1.1
   > Host: example.com:443
   > User-Agent: curl/7.81.0
   > Proxy-Connection: Keep-Alive
   > 
   < HTTP/1.1 200 OK
   < Date: Wed, 05 Jul 2023 12:15:35 GMT
   < Proxy-Connection: keep-alive
   < Server: ATS/9.1.1
   < 
   * Proxy replied 200 to CONNECT request
   * CONNECT phase completed!
   * ALPN, offering h2
   * ALPN, offering http/1.1
   *  CAfile: /etc/ssl/certs/ca-certificates.crt
   *  CApath: /etc/ssl/certs
   * TLSv1.0 (OUT), TLS header, Certificate Status (22):
   * TLSv1.3 (OUT), TLS handshake, Client hello (1):
   * TLSv1.2 (IN), TLS header, Certificate Status (22):
   * TLSv1.3 (IN), TLS handshake, Server hello (2):
   * TLSv1.2 (IN), TLS header, Certificate Status (22):
   * TLSv1.2 (IN), TLS handshake, Certificate (11):
   * TLSv1.2 (IN), TLS header, Certificate Status (22):
   * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
   * TLSv1.2 (IN), TLS header, Certificate Status (22):
   * TLSv1.2 (IN), TLS handshake, Server finished (14):
   * TLSv1.2 (OUT), TLS header, Certificate Status (22):
   * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
   * TLSv1.2 (OUT), TLS header, Finished (20):
   * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
   * TLSv1.2 (OUT), TLS header, Certificate Status (22):
   * TLSv1.2 (OUT), TLS handshake, Finished (20):
   * TLSv1.2 (IN), TLS header, Finished (20):
   * TLSv1.2 (IN), TLS header, Certificate Status (22):
   * TLSv1.2 (IN), TLS handshake, Finished (20):
   * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
   * ALPN, server accepted to use http/1.1
   * Server certificate:
   *  subject: CN=example.com
   *  start date: Jun 29 23:34:04 2023 GMT
   *  expire date: Sep 27 23:34:03 2023 GMT
   *  subjectAltName: host "example.com" matched cert's "example.com"
   *  issuer: C=US; O=Let's Encrypt; CN=R3
   *  SSL certificate verify ok.
   * TLSv1.2 (OUT), TLS header, Supplemental data (23):
   > GET / HTTP/1.1
   > Host: example.com
   > User-Agent: curl/7.81.0
   > Accept: */*
   > 
   * TLSv1.2 (IN), TLS header, Supplemental data (23):
   * Mark bundle as not supporting multiuse
   < HTTP/1.1 200 OK
   < Date: Wed, 05 Jul 2023 12:15:36 GMT
   < Server: Apache
   < Content-Length: 0
   < Content-Type: text/html; charset=UTF-8
   < 
   * Connection #0 to host (nil) left intact
   ```
   
   When I try to connect with `remap_required` set to 1 and add `map https://example.com https://example.com @action=allow`, it gets stuck at the TLS Client hello and then I receive a timeout:
   ```
   curl -x localhost:8080 https://example.com -v
   *   Trying localhost:8080...
   * Connected to (nil) (localhost) port 8080 (#0)
   * allocate connect buffer!
   * Establish HTTP proxy tunnel to example.com:443
   > CONNECT example.com:443 HTTP/1.1
   > Host: example.com:443
   > User-Agent: curl/7.81.0
   > Proxy-Connection: Keep-Alive
   > 
   < HTTP/1.1 200 OK
   < Date: Tue, 04 Jul 2023 15:12:51 GMT
   < Proxy-Connection: keep-alive
   < Server: ATS/9.1.1
   < 
   * Proxy replied 200 to CONNECT request
   * CONNECT phase completed!
   * ALPN, offering h2
   * ALPN, offering http/1.1
   *  CAfile: /etc/ssl/certs/ca-certificates.crt
   *  CApath: /etc/ssl/certs
   * TLSv1.0 (OUT), TLS header, Certificate Status (22):
   * TLSv1.3 (OUT), TLS handshake, Client hello (1):
   ^[^C
   ```
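As an added diagnostic, not part of the issue or of the Traffic Server project, the script below reduces a `curl -v` proxy trace to the stage at which it stopped, so the two outcomes above can be told apart mechanically: a proxy that refuses the CONNECT outright, versus one that answers 200 to CONNECT but never relays the origin's Server hello. The embedded traces are constructed excerpts condensed from the two traces in the issue plus a made-up refused case; the stage names and hints are my own and are not Traffic Server terminology.

```python
import re

# Constructed excerpt condensed from the issue's remap_required=0 trace:
# CONNECT is accepted and the TLS handshake completes.
TRACE_REMAP_OFF = """\
* Establish HTTP proxy tunnel to example.com:443
> CONNECT example.com:443 HTTP/1.1
< HTTP/1.1 200 OK
< Server: ATS/9.1.1
* Proxy replied 200 to CONNECT request
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> GET / HTTP/1.1
< HTTP/1.1 200 OK
"""

# Constructed excerpt condensed from the issue's remap_required=1 trace:
# CONNECT is accepted, Client hello goes out, nothing ever comes back.
TRACE_REMAP_ON = """\
* Establish HTTP proxy tunnel to example.com:443
> CONNECT example.com:443 HTTP/1.1
< HTTP/1.1 200 OK
< Server: ATS/9.1.1
* Proxy replied 200 to CONNECT request
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
"""

# Constructed trace (not from the issue) for a proxy that refuses the tunnel.
TRACE_REFUSED = """\
* Establish HTTP proxy tunnel to example.com:443
> CONNECT example.com:443 HTTP/1.1
< HTTP/1.1 403 Forbidden
* Received HTTP code 403 from proxy after CONNECT
"""

CONNECT_OK = re.compile(r"^\* Proxy replied (\d{3}) to CONNECT request")
CONNECT_FAIL = re.compile(r"^\* Received HTTP code (\d{3}) from proxy after CONNECT")


def classify_trace(trace: str) -> dict:
    """Reduce a curl -v proxy trace to the stage where it stopped.

    Returns {"connect": <status or None>, "stage": <name>, "hint": <text>}.
    Stage names are this script's own labels, not curl's or ATS's.
    """
    connect = None
    client_hello = server_hello = tls_done = http_reply = False

    for line in trace.splitlines():
        m = CONNECT_OK.match(line) or CONNECT_FAIL.match(line)
        if m:
            connect = int(m.group(1))
            continue
        if "TLS handshake, Client hello" in line:
            client_hello = True
        elif "TLS handshake, Server hello" in line:
            server_hello = True
        elif line.startswith("* SSL connection using"):
            tls_done = True
        elif tls_done and line.startswith("< HTTP/"):
            # Only count an HTTP reply seen after the handshake; the earlier
            # "< HTTP/1.1 200 OK" is the proxy's answer to CONNECT itself.
            http_reply = True

    if connect != 200:
        stage, hint = "connect-refused", (
            "the proxy rejected the tunnel; check the proxy's remap rules / ACLs")
    elif client_hello and not server_hello:
        stage, hint = "tls-stalled", (
            "the proxy accepted the tunnel but no bytes came back from the "
            "origin; the client's CA or TLS settings are not the first suspect, "
            "look at how the proxy forwards this tunnel and at its own logs")
    elif tls_done and http_reply:
        stage, hint = "http-ok", "end-to-end request succeeded"
    elif tls_done:
        stage, hint = "tls-ok", "handshake completed but no HTTP exchange seen"
    else:
        stage, hint = "unknown", "trace did not contain the expected markers"

    return {"connect": connect, "stage": stage, "hint": hint}


if __name__ == "__main__":
    for name, trace in [("remap_required=0", TRACE_REMAP_OFF),
                        ("remap_required=1", TRACE_REMAP_ON),
                        ("refused (constructed)", TRACE_REFUSED)]:
        result = classify_trace(trace)
        print(f"{name:24} connect={result['connect']} stage={result['stage']}")
        print(f"{'':24} {result['hint']}")
```

The useful distinction is the middle case: a 200 to CONNECT followed by silence after the Client hello means the client-side half of the tunnel was set up and the bytes stopped between the proxy and the origin, which is why rechecking the client's CA path or TLS options does not help here and the proxy's own logs for that tunnel are the next place to look.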

