> On Jul 7, 2016, at 4:57 AM, Rob Maidment <[email protected]> wrote:
>
> Hello
>
> I notice TS supports SSL termination in reverse proxy mode only.
>
> I would like to write a plug-in to achieve SSL termination (for HTTPS)
> in forward proxy mode. The plug-in would need to generate
> certificates on-the-fly for sites being requested, and the clients
> would need to trust these certificates (or the signing CA).
>
> My questions are:
>
> 1. Does the plug-in have access to the CONNECT request and the TLS
> exchange that follows it?

Yes. CONNECT flows through to remap, so at remap time (or earlier if you want) you can intercept the virtual circuit with TSHttpTxnServerIntercept. Take a look at example/intercept/intercept.cc. You can also use network transparency and the SSL connection hook to terminate directly.

> 2. Does the plug-in have access to the encrypted data from the client?

Yes.

> 3. How should the plug-in create its own SSL connection with the server?

There are a few approaches. You can use an API like TSHttpConnect() to route an HTTP(S) request through the Traffic Server cache. You can use something like TSNetConnect() or TSVConnFdCreate() to set up a virtual circuit and handle the TLS yourself.

> 4. Is anyone else working on this already?

I'm sure it has been done in Traffic Server before, but I'm not aware of any open projects.

cheers,
James
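Whichever of the approaches above the plugin takes, the first thing it must do with an intercepted CONNECT is decide which name it is about to mint a leaf certificate for, and it should only do that for a well-formed authority. The following C is an added example written for this thread; it is not code from the message, from Rob's plugin or from the Traffic Server tree. It assumes the plugin has the raw request line in hand (a real plugin would more likely read the method and URL through TSHttpTxnClientReqGet and the TSHttpHdr/TSUrl accessors). It parses the RFC 7231 authority-form target, accepts hostnames, IPv4 and bracketed IPv6 literals, rejects a missing or out-of-range port instead of defaulting it, and builds the reply the plugin writes back on the client vconn once the terminated session is ready. The function names and the sample request lines are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the authority from a CONNECT request line such as
 *   "CONNECT example.com:443 HTTP/1.1"
 *   "CONNECT [2001:db8::1]:443 HTTP/1.1"
 * RFC 7231 requires authority-form (host:port) for CONNECT, so a missing or
 * invalid port is rejected rather than defaulted. On success returns 1 and
 * fills host (IPv6 brackets stripped) and port; otherwise returns 0 and the
 * caller should refuse the tunnel rather than mint a certificate. */
int parse_connect_target(const char *line, char *host, size_t host_cap, int *port)
{
    const char *p = line;
    const char *auth_start, *auth_end, *colon;
    size_t hlen;
    long pval;
    char *endp;

    if (strncmp(p, "CONNECT ", 8) != 0)
        return 0;
    p += 8;
    auth_start = p;
    while (*p && *p != ' ')
        p++;
    auth_end = p;
    if (auth_end == auth_start)
        return 0;
    /* The authority must be followed by an HTTP/1.x version token. */
    if (strncmp(p, " HTTP/1.", 8) != 0)
        return 0;

    if (*auth_start == '[') {
        /* Bracketed IPv6 literal: the closing bracket must precede the port colon. */
        const char *rb = memchr(auth_start, ']', (size_t)(auth_end - auth_start));
        if (!rb || rb + 1 >= auth_end || rb[1] != ':')
            return 0;
        hlen = (size_t)(rb - auth_start - 1);
        if (hlen == 0 || hlen >= host_cap)
            return 0;
        memcpy(host, auth_start + 1, hlen);
        host[hlen] = '\0';
        colon = rb + 1;
    } else {
        /* Hostname or IPv4: exactly one colon, separating host from port. */
        colon = memchr(auth_start, ':', (size_t)(auth_end - auth_start));
        if (!colon || colon == auth_start)
            return 0;
        if (memchr(colon + 1, ':', (size_t)(auth_end - colon - 1)))
            return 0;
        hlen = (size_t)(colon - auth_start);
        if (hlen >= host_cap)
            return 0;
        for (size_t i = 0; i < hlen; i++) {
            unsigned char c = (unsigned char)auth_start[i];
            /* Only DNS label characters; anything else is not a name we sign for. */
            if (!isalnum(c) && c != '-' && c != '.')
                return 0;
        }
        memcpy(host, auth_start, hlen);
        host[hlen] = '\0';
    }

    /* Port: non-empty, all digits, in 1..65535. */
    if (colon + 1 == auth_end)
        return 0;
    for (const char *q = colon + 1; q < auth_end; q++)
        if (!isdigit((unsigned char)*q))
            return 0;
    pval = strtol(colon + 1, &endp, 10);
    if (endp != auth_end || pval < 1 || pval > 65535)
        return 0;
    *port = (int)pval;
    return 1;
}

/* The reply written back to the client once the tunnel is established.
 * Returns the byte count, or -1 if the buffer is too small. */
int build_tunnel_established(char *out, size_t cap)
{
    int n = snprintf(out, cap, "HTTP/1.1 200 Connection Established\r\n\r\n");
    return (n > 0 && (size_t)n < cap) ? n : -1;
}

int main(void)
{
    /* Constructed sample request lines. */
    const char *samples[] = {
        "CONNECT example.com:443 HTTP/1.1",
        "CONNECT [2001:db8::1]:8443 HTTP/1.1",
        "CONNECT example.com HTTP/1.1",
        "GET http://example.com/ HTTP/1.1",
    };
    char host[256], reply[64];
    int port;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (parse_connect_target(samples[i], host, sizeof host, &port))
            printf("mint leaf for %s (port %d)\n", host, port);
        else
            printf("reject: %s\n", samples[i]);
    }
    build_tunnel_established(reply, sizeof reply);
    fputs(reply, stdout);
    return 0;
}
```

The host string this returns is what the plugin would feed into its on-the-fly certificate generation as the subject alternative name; rejecting malformed authorities up front keeps a forward-proxy terminator from signing for names it cannot reason about.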
