I think we ran into just this same problem. Gancho, what was the solution?

-- Leif

> On Jan 17, 2017, at 3:06 PM, Brian Geffon <[email protected]> wrote:
>
> That sounds like a bug and after looking through the code it does appear to be:
>
> https://github.com/apache/trafficserver/blob/master/proxy/http/HttpSM.cc#L5046
>
> That's the wrong value to use since it never gets overwritten here:
>
> https://github.com/apache/trafficserver/blob/master/proxy/http/remap/RemapProcessor.cc#L242
>
> Can you please file a bug?
>
> Brian
>
> On Tue, Jan 17, 2017 at 1:56 PM Jeremy Payne <[email protected]> wrote:
> Hello,
>
> I currently have ATS configured to support a pristine host header.
>
> proxy.config.url_remap.pristine_host_hdr 1
>
> I also have ATS configured to verify the origin server certificate.
>
> proxy.config.ssl.client.verify.server 1
>
> My remap looks like this.
>
> map https://edge.abc.com/ https://origin.xyz.com/
>
> Because pristine is enabled, when ATS sends a request back to the origin, it uses a SNI value of:
>
> edge.abc.com
>
> However, the origin returns a certificate that does not match the SNI.
>
> Because the requested SNI and the returned CN/SAN do not match, coupled with verify.server enabled, ATS terminates the origin session and sends a 502 back to the client.
>
> Is there another control or configuration that allows me to define which SNI value to send back to the origin?
> I need to keep pristine enabled and I need verify.server enabled.
>
> Thanks in advance.
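
The mismatch reported in this thread, modelled as an added example (not part of the original messages and not ATS source code). It takes the remap rule from the thread, picks the SNI the way the report describes, and checks it against a constructed origin certificate name list. The function names, the SAN list and the assumption that the remapped host is used as SNI when pristine is off are hypothetical.

```python
# Added illustration; models the behaviour reported in this thread, not ATS internals.
from urllib.parse import urlsplit

def parse_remap(line):
    """Return (from_host, to_host) for a 'map <from-url> <to-url>' rule."""
    kind, src, dst = line.split()[:3]
    if kind != "map":
        raise ValueError("only plain 'map' rules are handled here")
    return urlsplit(src).hostname, urlsplit(dst).hostname

def name_matches(pattern, host):
    """Certificate name match: exact, or '*' standing for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Conservative choice: refuse wildcards directly under a top-level label.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def origin_sni(rule, pristine_host_hdr):
    """SNI as the thread reports it: the client-facing host when pristine is on.
    Assumption: with pristine off, the remapped origin host is sent instead."""
    from_host, to_host = parse_remap(rule)
    return from_host if pristine_host_hdr else to_host

def verify_result(rule, pristine_host_hdr, cert_names):
    """Model verify.server=1: the name sent as SNI must appear in the origin cert."""
    sni = origin_sni(rule, pristine_host_hdr)
    ok = any(name_matches(n, sni) for n in cert_names)
    return sni, ("handshake ok" if ok else "502 to client")

# Constructed sample: the remap rule from the thread and a made-up SAN list.
RULE = "map https://edge.abc.com/ https://origin.xyz.com/"
ORIGIN_CERT_NAMES = ["origin.xyz.com", "*.xyz.com"]

if __name__ == "__main__":
    for pristine in (True, False):
        print("pristine_host_hdr =", int(pristine), verify_result(RULE, pristine, ORIGIN_CERT_NAMES))
```

Run over a full remap.config with the real certificate names of each origin, the same check lists which rules will fail verification while pristine_host_hdr is enabled.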
