Hello, I feel like I’m missing some important details related to troubleshooting. I am compiling 8.0.1 from source, and logging is set to 3 (default value). There are three log files (manager, error, diags) with very little helpful information.
With the setup I have and connect_ports set to wildcard on all the proxies, this is what happens when I try accessing an HTTPS page from the client.

    [root@tecfi1pr1tool1-master0 ~]# curl -vLI https://youtube.com
    * About to connect() to proxy 11.4.0.68 port 3128 (#0)
    * Trying 11.4.0.68...
    * Connected to 11.4.0.68 (11.4.0.68) port 3128 (#0)
    * Establish HTTP proxy tunnel to youtube.com:443
    > CONNECT youtube.com:443 HTTP/1.1
    > Host: youtube.com:443
    > User-Agent: curl/7.29.0
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.1 502 Tunnel Connection Failed
    HTTP/1.1 502 Tunnel Connection Failed
    < Date: Thu, 27 Dec 2018 13:03:08 GMT
    Date: Thu, 27 Dec 2018 13:03:08 GMT
    < Proxy-Connection: keep-alive
    Proxy-Connection: keep-alive
    < Server: ATS/8.0.1
    Server: ATS/8.0.1
    < Cache-Control: no-store
    Cache-Control: no-store
    < Content-Type: text/html
    Content-Type: text/html
    < Content-Language: en
    Content-Language: en
    < Content-Length: 247
    Content-Length: 247

Trying to access the same page from the child proxy through the parent proxy works as expected. Any hints?

Best regards,
Dmitri

From: Alan Carroll <[email protected]>
Sent: Monday, December 17, 2018 10:47 PM
To: [email protected]
Subject: Re: Questions on forwarding proxy in hierarchical mode

Sorry, was out at a conference last week.

If you're getting "Tunnel Forbidden" it means a `CONNECT` request is going through ATS and getting blocked because `proxy.config.http.connect_ports` [1] doesn't allow the remote port. This may have changed between 5 and 8. I suspect that the HTTPS change is related, because that may be causing the `CONNECT` request.

I suspect the 502 is due to confusion about whether the connection is HTTP or HTTPS, where an HTTP request is treated as a TLS Client Hello or vice versa. The first step I would take is finding where the `CONNECT` is happening.

[1] https://docs.trafficserver.apache.org/en/8.0.x/admin-guide/files/records.config.en.html#proxy-config-http-connect-port
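Added example, not part of the thread and not ATS project code: one way to find which hop answers the `CONNECT` with an error is to send the same `CONNECT` directly to each proxy in the hierarchy and compare the replies. The function names are hypothetical, the hop addresses are supplied by whoever runs it, and the hints in `diagnose` are a reading of the replies discussed above, not ATS documentation.

```python
import socket

# Constructed sample: head of the reply the proxy sent in the curl trace above.
SAMPLE_REPLY = (b"HTTP/1.1 502 Tunnel Connection Failed\r\n"
                b"Proxy-Connection: keep-alive\r\nServer: ATS/8.0.1\r\n\r\n")

def parse_connect_reply(raw):
    """Return (status, reason, server) from a proxy's raw reply to CONNECT."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    reason = parts[2] if len(parts) == 3 else ""
    server = next((h[7:].strip() for h in lines[1:] if h.lower().startswith("server:")), "")
    return int(parts[1]), reason, server

def probe_connect(host, port, target, timeout=5.0):
    """Send one CONNECT for target ("name:port") straight to the proxy at host:port."""
    request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        buf = b""
        while b"\r\n\r\n" not in buf and len(buf) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_connect_reply(buf)

def diagnose(status, reason):
    """Map a CONNECT reply to a troubleshooting hint (interpretive, see lead-in)."""
    if 200 <= status < 300:
        return "tunnel established at this hop"
    if "forbidden" in reason.lower():
        return "CONNECT blocked here: check proxy.config.http.connect_ports"
    if status == 502:
        return "CONNECT accepted here, but the connection onward failed"
    return "unexpected reply: check this hop's logs"

def locate_failure(hops, target):
    """Probe every (host, port) hop directly, child first, and report each result."""
    report = []
    for host, port in hops:
        try:
            status, reason, server = probe_connect(host, port, target)
            report.append((host, port, server, status, diagnose(status, reason)))
        except (OSError, ValueError) as exc:
            report.append((host, port, "", None, f"no usable reply: {exc}"))
    return report
```

Call `locate_failure` with the child proxy first and the parent second; a hop that returns something other than an HTTP status line (for example TLS bytes) shows up as "no usable reply", which is the HTTP/HTTPS mix-up suspected in the reply above.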
