Thus far it appears that right before the origin request is built, the SNI value
is derived from the original client (end user) defined HOST header. Since we
have pristine enabled, we don't want the original client HOST header to be
used as the origin SNI. So right after the cache lookup we change the
client HOST header to the desired SNI value. This seems to work without
impacts to the cache key, etc.
++++++++
-- Runs once the cache lookup has completed, before the origin request is
-- built, so the rewritten Host header is what becomes the origin SNI.
function cache_lookup()
    ts.client_request.header['Host'] = 'origin.tld'
    return 0
end

-- Remap entry point: register the hook for requests matching this remap rule.
function do_remap()
    ts.hook(TS_LUA_HOOK_CACHE_LOOKUP_COMPLETE, cache_lookup)
    return 0
end
++++++++
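As an added illustration (not code from this thread or from Apache Traffic Server), the following Python models the interaction described above: with pristine_host_hdr the client's Host header becomes the origin SNI, verify.server compares that SNI against the origin certificate's DNS names, and a mismatch ends in the 502. The hostname check follows the generic TLS client rule (RFC 6125: exact case-insensitive match on a dNSName SAN, or a wildcard standing in for exactly one leftmost label); that ATS's verifier applies exactly this rule is an assumption, and the hostnames and SAN list are constructed for the example.

```python
"""Added example, not code from the thread or from Apache Traffic Server.

Models how the origin SNI is chosen (pristine Host vs. remap target vs. a
Host header rewritten after the cache lookup) and whether that SNI would pass
hostname verification against the origin certificate's dNSName SANs.
"""

# Constructed sample: the remap rule from the thread and an assumed origin
# certificate for origin.xyz.com (not the poster's real certificate).
CLIENT_HOST = "edge.abc.com"
REMAP_TARGET = "origin.xyz.com"
ORIGIN_SANS = ["origin.xyz.com", "*.xyz.com"]


def origin_sni(client_host, remap_target, pristine, host_override=None):
    """Hostname offered as SNI when the origin request is built.

    pristine=True keeps the client's Host (the behaviour the thread reports);
    host_override models the Lua hook rewriting Host after the cache lookup
    (assumption: the rewrite lands before the origin request is built).
    """
    if host_override is not None:
        return host_override
    return client_host if pristine else remap_target


def _normalise(name):
    # DNS names are case-insensitive; a trailing dot is the same name.
    return name.lower().rstrip(".")


def hostname_matches(sni, san_dns_names):
    """RFC 6125 style check of sni against the certificate's dNSName SANs."""
    sni = _normalise(sni)
    for san in san_dns_names:
        san = _normalise(san)
        if san == sni:
            return True
        if san.startswith("*."):
            # A wildcard replaces exactly one label and is only honoured when
            # the name has at least three labels, so *.xyz.com matches
            # api.xyz.com but neither xyz.com nor a.b.xyz.com, and *.com
            # matches nothing here.
            sni_labels = sni.split(".")
            if len(sni_labels) >= 3 and ".".join(sni_labels[1:]) == san[2:]:
                return True
    return False


def origin_handshake(client_host, remap_target, pristine, verify_server,
                     san_dns_names, host_override=None):
    """Return (sni_sent, status) for one client request.

    502 stands for ATS terminating the origin session on a failed certificate
    check, as described in the thread; 200 for a handshake that would proceed.
    """
    sni = origin_sni(client_host, remap_target, pristine, host_override)
    if verify_server and not hostname_matches(sni, san_dns_names):
        return sni, 502
    return sni, 200


if __name__ == "__main__":
    broken = origin_handshake(CLIENT_HOST, REMAP_TARGET, True, True, ORIGIN_SANS)
    fixed = origin_handshake(CLIENT_HOST, REMAP_TARGET, True, True, ORIGIN_SANS,
                             host_override=REMAP_TARGET)
    print("pristine only      :", broken)  # ('edge.abc.com', 502)
    print("pristine + override:", fixed)   # ('origin.xyz.com', 200)
```

The override case is the Lua workaround above expressed as data: the cache key was computed from the pristine Host, and only the value handed to the origin connection changes.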
On Wed, Jan 18, 2017 at 8:09 PM, Leif Hedstrom <[email protected]> wrote:
> I think we ran into just this same problem. Gancho, what was the solution?
>
> -- Leif
>
> On Jan 17, 2017, at 3:06 PM, Brian Geffon <[email protected]> wrote:
>
> That sounds like a bug and after looking through the code it does appear
> to be:
>
> https://github.com/apache/trafficserver/blob/master/proxy/http/HttpSM.cc#L5046
>
> That's the wrong value to use since it never gets overwritten here:
>
> https://github.com/apache/trafficserver/blob/master/proxy/http/remap/RemapProcessor.cc#L242
>
> Can you please file a bug?
>
> Brian
>
> On Tue, Jan 17, 2017 at 1:56 PM Jeremy Payne <[email protected]> wrote:
>
> Hello,
>
> I currently have ATS configured to support a pristine host header.
>
> proxy.config.url_remap.pristine_host_hdr 1
>
> I also have ATS configured to verify the origin server certificate.
>
> proxy.config.ssl.client.verify.server 1
>
> My remap looks like this.
>
> map https://edge.abc.com/ https://origin.xyz.com/
>
> Because pristine is enabled, when ATS sends a request back to the origin,
> it uses a SNI value of:
>
> edge.abc.com
>
> However, the origin returns a certificate that does not match the SNI.
>
> Because the requested SNI and the returned CN/SAN do not match, coupled
> with verify.server enabled, ATS terminates the origin session and sends a
> 502 back to the client.
>
> Is there another control or configuration that allows me to define which
> SNI value to
> send back to the origin ?
> I need to keep pristine enabled and I need verify.server enabled.
>
> Thanks in advance.