The config file defines the properties of the fqdns. ATS reads from the config
during initialization and populates its own internal data structure. Hence the
configuration is not dynamic that way yet unfortunately. The config is
reloadable by the way.
Syeda Persia Aziz
Software Developer, Yahoo! (Oath), Champaign, Illinois
On Tuesday, March 27, 2018, 3:53:18 PM CDT, Jeremy Payne
<[email protected]> wrote:
Will Lua code run from these Lua 'config' files? Or is the main purpose of the
'config' file to define a set of dictionaries? Since this config is read
during the client handshake, would seem the best time to dynamically set
upstream servers (based on whatever conditions) for tunneled connections.
On Tue, Mar 27, 2018 at 2:15 PM, Persia Aziz <[email protected]> wrote:
ATS 8 includes ssl_servername.config to do such SNI based tasks.
ssl_server_name.config — Apache Traffic Server 8.0.0 documentation
Example:
server_config = {
{ fqdn="example.com", verify_client=MODERATE },
{ fqdn="*.yahoo.com", verify_client=STRICT }
}
Syeda Persia Aziz
Software Developer, Yahoo! Inc., Champaign, Illinois
On Tuesday, March 27, 2018, 2:08:18 PM CDT, Jeremy Payne
<[email protected]> wrote:
Context:
ATS server terminating multiple secure sites
Question:
Is there an out-the-box configuration that allows me to
require client certificates if the client hello/handshake matches a
specific SNI value?
Something like:
+++
if
SNI matches foor.bar
then
proxy.config.ssl.client.certification_level INT 3
+++
I can't simply set 'proxy.config.ssl.client.certification_level' to 3
on a global basis as this would impact other secure sites that don't
require a client certificate.
Thanks!