On Jan 29, 2014, at 8:14 AM, Reindl Harald <[email protected]> wrote:
> Hi
>
> https://trafficserver.readthedocs.org/en/latest/admin/security-options.en.html#client-and-traffic-server-connections
>
> I don't get with the documentation how to have several domains
> in reverse-proxy mode each of them having their own certificates
> and how that plays with "remap.conf"

Not sure I fully understand, but yes, you’d have entries in both ssl_multicert.config and remap.config for each domain you want to support HTTPS for.

> ___________________________________
>
> how to enforce that a domain-mapping redirects to https
> with httpd this can be done with mod_rewrite but in case
> ATS working as reverse-proxy that would lead in a loop
> or not work at all because httpd does and should not
> know how the connection to the reverse-proxy is
>
> <IfModule mod_rewrite.c>
>  RewriteEngine on
>  RewriteCond %{HTTPS} off
>  RewriteRule (.*) https://whatever.thelounge.net%{REQUEST_URI}
> </IfModule>

Maybe you just want

    map http://whatever.thelounge.net https://origin.thelounge.net
    map https://whatever.thelounge.net https://origin.thelounge.net

This would enforce HTTPS to origin, always. About the loops, I’d have to see the https config, but for example, I do the following in my setup (http://www.ogre.com/node/430):

    map https://www.ogre.com http://127.0.0.1 @plugin=header_rewrite.so @pparam=/server/etc/ssl-header.conf

Where ssl-header.conf is

    cond %{SEND_REQUEST_HDR_HOOK}
    set-header X-Forwarded-Proto "https"

and in httpd.config, I do

    RewriteCond %{HTTP:X-Forwarded-Proto} !=https
    …

This lets httpd know that the client request was HTTPS (or not). Maybe this helps? Note that the above only works in recent ATS (v4.1.2 or later), before that, you’d have to use the header_filter.so plugin.

— Leif
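The redirect loop discussed in this thread, as an added example that is not part of the original message and is not ATS or httpd code: a small Python model of a TLS-terminating proxy that forwards to the origin over plain HTTP, comparing a redirect rule keyed on the origin's own connection with one keyed on X-Forwarded-Proto. The function names, the empty client header set and the hop limit are assumptions made for the illustration.

```python
# Added illustration: models the redirect decision only, not real ATS/httpd behaviour.
HOST = "whatever.thelounge.net"  # hostname used in the thread


def proxy_forward(client_scheme, client_headers, set_proto_header):
    """Proxy terminates TLS and forwards to the origin over plain HTTP.

    With set_proto_header=True the https mapping sets X-Forwarded-Proto,
    as the ssl-header.conf rule in the thread does (set-header overwrites
    any value the client sent).
    """
    forwarded = dict(client_headers)
    if set_proto_header and client_scheme == "https":
        forwarded["X-Forwarded-Proto"] = "https"
    return forwarded


def origin_naive(headers):
    """RewriteCond %{HTTPS} off: behind the proxy the origin's own
    connection is never TLS, so this condition is always true."""
    return "redirect", "https://" + HOST + "/"


def origin_header_aware(headers):
    """RewriteCond %{HTTP:X-Forwarded-Proto} !=https"""
    if headers.get("X-Forwarded-Proto") != "https":
        return "redirect", "https://" + HOST + "/"
    return "ok", None


def follow(start_scheme, origin_rule, set_proto_header, max_hops=5):
    """Client that follows redirects; returns (outcome, redirects followed)."""
    scheme, hops = start_scheme, 0
    while hops < max_hops:
        headers = proxy_forward(scheme, {}, set_proto_header)
        status, location = origin_rule(headers)
        if status == "ok":
            return "ok", hops
        scheme = location.split(":", 1)[0]  # scheme of the redirect target
        hops += 1
    return "loop", hops


if __name__ == "__main__":
    print("naive rule:       ", follow("http", origin_naive, False))
    print("header-aware rule:", follow("http", origin_header_aware, True))
```

The header-aware rule only terminates when the proxy actually sets the header on the https mapping; without it the origin keeps redirecting, which is the loop the question describes.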
