"bug" filed. https://github.com/apache/trafficserver/issues/1344
On Thu, Jan 19, 2017 at 6:37 AM, Jeremy Payne <[email protected]> wrote:
> Thus far it appears that right before the origin request is built, the SNI value
> is derived from the original client (end user) defined HOST header. Since we
> have pristine enabled, we don't want the original client HOST header to be
> used as the origin SNI. So right after the cache lookup we change the
> client HOST header to the desired SNI value. This seems to work without
> impacts to the cache key, etc.
>
> ++++++++
> -- Runs once the cache lookup is complete, so the cache key has already
> -- been computed from the pristine Host header.
> function cache_lookup()
>     -- ATS derives the origin SNI from this header; point it at the name
>     -- carried by the origin's certificate.
>     ts.client_request.header['Host'] = 'origin.tld'
>     return 0
> end
>
> function do_remap()
>     ts.hook(TS_LUA_HOOK_CACHE_LOOKUP_COMPLETE, cache_lookup)
>     return 0
> end
> ++++++++
>
> On Wed, Jan 18, 2017 at 8:09 PM, Leif Hedstrom <[email protected]> wrote:
>
>> I think we ran into just this same problem. Gancho, what was the solution?
>>
>> -- Leif
>>
>> On Jan 17, 2017, at 3:06 PM, Brian Geffon <[email protected]> wrote:
>>
>> That sounds like a bug and after looking through the code it does appear
>> to be:
>>
>> https://github.com/apache/trafficserver/blob/master/proxy/http/HttpSM.cc#L5046
>>
>> That's the wrong value to use since it never gets overwritten here:
>>
>> https://github.com/apache/trafficserver/blob/master/proxy/http/remap/RemapProcessor.cc#L242
>>
>> Can you please file a bug?
>>
>> Brian
>>
>> On Tue, Jan 17, 2017 at 1:56 PM Jeremy Payne <[email protected]> wrote:
>>
>> Hello,
>>
>> I currently have ATS configured to support a pristine host header.
>>
>> proxy.config.url_remap.pristine_host_hdr 1
>>
>> I also have ATS configured to verify the origin server certificate.
>>
>> proxy.config.ssl.client.verify.server 1
>>
>> My remap looks like this.
>>
>> map https://edge.abc.com/ https://origin.xyz.com/
>>
>> Because pristine is enabled, when ATS sends a request back to the origin,
>> it uses an SNI value of:
>>
>> edge.abc.com
>>
>> However, the origin returns a certificate that does not match the SNI.
>> Because the requested SNI and the returned CN/SAN do not match, coupled
>> with verify.server enabled, ATS terminates the origin session and sends a
>> 502 back to the client.
>>
>> Is there another control or configuration that allows me to define which
>> SNI value to send back to the origin?
>> I need to keep pristine enabled and I need verify.server enabled.
>>
>> Thanks in advance.
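The failure the thread describes, as an added example that is neither Apache Traffic Server code nor anything the posters wrote: a small Python model of how the origin SNI is chosen when `pristine_host_hdr` is on (with and without the Host-header rewrite from the Lua workaround), followed by RFC 6125-style host-name matching of that SNI against the names in the origin certificate, which is the check `verify.server` ultimately relies on. The SAN list, the function names and the assumption that a passing check yields a 200 from the origin are constructed for the example; the hostnames are the ones from the thread.

```python
"""
Model of the SNI / certificate-name mismatch from the thread above.

Added example, not ATS code: it models (1) which name ends up in the TLS
SNI extension under pristine_host_hdr, and (2) whether that name is
covered by the origin certificate, using the host-name matching rules of
RFC 6125 section 6.4.3 (whole-label wildcard only, left-most label only,
case-insensitive), which is what OpenSSL and Python's ssl module apply.
Hostnames come from the thread; SAN lists and the "200 when the check
passes" outcome are constructed assumptions.
"""
from typing import Optional, Sequence
from urllib.parse import urlsplit


def derive_origin_sni(client_host: str, remap_target: str,
                      pristine_host_hdr: bool,
                      rewritten_host: Optional[str] = None) -> str:
    """Name the proxy puts in the SNI extension, as the thread describes it.

    pristine off : SNI follows the remapped origin host.
    pristine on  : SNI follows the client's Host header (the reported bug),
                   unless a plugin rewrote that header after the cache
                   lookup (the Lua workaround), in which case the rewritten
                   value is used.
    """
    origin_host = urlsplit(remap_target).hostname
    if not pristine_host_hdr:
        return origin_host
    return rewritten_host if rewritten_host else client_host


def hostname_matches(hostname: str, cert_names: Sequence[str]) -> bool:
    """True if `hostname` matches any dNSName / CN in `cert_names`.

    A '*' is honoured only as the entire left-most label and only when at
    least two labels follow it, so '*.com' never matches and 'f*o.xyz.com'
    is treated as a literal (non-matching) label.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        name_labels = name.lower().rstrip(".").split(".")
        if len(name_labels) != len(host_labels):
            continue                       # wildcard covers one label only
        if "*" in name_labels[0] and len(name_labels) < 3:
            continue                       # refuse '*.com'-style patterns
        if any("*" in lbl for lbl in name_labels[1:]):
            continue                       # wildcard allowed in first label only
        first_ok = name_labels[0] == "*" or name_labels[0] == host_labels[0]
        if first_ok and name_labels[1:] == host_labels[1:]:
            return True
    return False


def origin_connection_outcome(sni: str, cert_names: Sequence[str],
                              verify_server: bool) -> int:
    """Status the client sees: 502 when verify.server is on and the cert
    does not cover the SNI (the thread's failure), otherwise 200
    (constructed assumption that the origin is otherwise healthy)."""
    if verify_server and not hostname_matches(sni, cert_names):
        return 502
    return 200


# Constructed scenario using the names from the thread.
REMAP_TARGET = "https://origin.xyz.com/"
CLIENT_HOST = "edge.abc.com"
ORIGIN_CERT_NAMES = ["origin.xyz.com", "*.xyz.com"]   # constructed SAN list


def thread_scenario(rewritten_host: Optional[str] = None) -> dict:
    """pristine on + verify.server on, with an optional Host rewrite."""
    sni = derive_origin_sni(CLIENT_HOST, REMAP_TARGET, True, rewritten_host)
    return {"sni": sni,
            "status": origin_connection_outcome(sni, ORIGIN_CERT_NAMES, True)}


if __name__ == "__main__":
    print("pristine on, no workaround: ", thread_scenario())
    print("pristine on, Host rewritten:", thread_scenario("origin.xyz.com"))
```

Run as a script it prints the 502 case (SNI `edge.abc.com` against a certificate for `origin.xyz.com`) and then the 200 case once the Host header is rewritten before the origin request is built, which is exactly the difference the Lua hook makes; the matcher is stand-alone and can also be used to pre-check an origin's SAN list against whatever name a remap rule will cause the proxy to send.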
