It seems that whenever https is the end URL, *do_global_send_request* is never called.
Is it possible to force the above execution path for https? Essentially, I'm looking for a way for the ATS (dynamically through lua) to hand over the request to a parent proxy.

Thanks,
Lei

On Sat, Dec 5, 2020 at 2:20 PM Lei Sun <[email protected]> wrote:
> Hi Alan,
>
> Yes, great point!
>
> Here is the output for the latest recommendations:
>
>> $ curl -H "Host: httbin.org:443" https://127.0.0.1:8443 -vv
>> * Rebuilt URL to: https://127.0.0.1:8443/
>> * Trying 127.0.0.1...
>> * TCP_NODELAY set
>> * Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0)
>> * ALPN, offering h2
>> * ALPN, offering http/1.1
>> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>> * successfully set certificate verify locations:
>> *   CAfile: /etc/ssl/cert.pem
>>   CApath: none
>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.2 (IN), TLS handshake, Server hello (2):
>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>> * TLSv1.2 (OUT), TLS alert, Server hello (2):
>> * SSL certificate problem: self signed certificate
>> * stopped the pause stream!
>> * Closing connection 0
>> curl: (60) SSL certificate problem: self signed certificate
>> More details here: https://curl.haxx.se/docs/sslcerts.html
>>
>> curl performs SSL certificate verification by default, using a "bundle"
>>  of Certificate Authority (CA) public keys (CA certs). If the default
>>  bundle file isn't adequate, you can specify an alternate file
>>  using the --cacert option.
>> If this HTTPS server uses a certificate signed by a CA represented in
>>  the bundle, the certificate verification probably failed due to a
>>  problem with the certificate (it might be expired, or the name might
>>  not match the domain name in the URL).
>> If you'd like to turn off curl's verification of the certificate, use
>>  the -k (or --insecure) option.
>> HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
>
> Then I tried
>
>> $ curl -k -H "Host: httbin.org:443" https://127.0.0.1:8443 -vv
>> * Rebuilt URL to: https://127.0.0.1:8443/
>> * Trying 127.0.0.1...
>> * TCP_NODELAY set
>> * Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0)
>> * ALPN, offering h2
>> * ALPN, offering http/1.1
>> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>> * successfully set certificate verify locations:
>> *   CAfile: /etc/ssl/cert.pem
>>   CApath: none
>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.2 (IN), TLS handshake, Server hello (2):
>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>> * TLSv1.2 (IN), TLS change cipher, Client hello (1):
>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
>> * ALPN, server accepted to use h2
>> * Server certificate:
>> *  subject: C=US
>> *  start date: Dec 5 04:41:08 2020 GMT
>> *  expire date: Dec 3 04:41:08 2030 GMT
>> *  issuer: C=US
>> *  SSL certificate verify result: self signed certificate (18), continuing anyway.
>> * Using HTTP2, server supports multi-use
>> * Connection state changed (HTTP/2 confirmed)
>> * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
>> * Using Stream ID: 1 (easy handle 0x7f9cf9006600)
>> > GET / HTTP/2
>> > Host: httbin.org:443
>> > User-Agent: curl/7.54.0
>> > Accept: */*
>> >
>> * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
>> < HTTP/2 502
>> < date: Sat, 05 Dec 2020 20:16:39 GMT
>> < server: ATS/10.0.0
>> < cache-control: no-store
>> < content-type: text/html
>> < content-language: en
>> < content-length: 247
>> <
>> <HTML>
>> <HEAD>
>> <TITLE>Could Not Connect</TITLE>
>> </HEAD>
>> <BODY BGCOLOR="white" FGCOLOR="black">
>> <H1>Could Not Connect</H1>
>> <HR>
>> <FONT FACE="Helvetica,Arial"><B>
>> Description: Could not connect to the requested server host.
>> </B></FONT>
>> <HR>
>> </BODY>
>> * Connection #0 to host 127.0.0.1 left intact
>
>> $ curl -k --proxy-insecure --proxy https://127.0.0.1:8443 https://httpbin.org:8443/get?answer=42 -v
>> * Trying 127.0.0.1...
>> * TCP_NODELAY set
>> * Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0)
>> * ALPN, offering h2
>> * ALPN, offering http/1.1
>> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>> * successfully set certificate verify locations:
>> *   CAfile: /etc/ssl/cert.pem
>>   CApath: none
>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.2 (IN), TLS handshake, Server hello (2):
>> * TLSv1.2 (IN), TLS handshake, Certificate (11):
>> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
>> * TLSv1.2 (IN), TLS handshake, Server finished (14):
>> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
>> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
>> * TLSv1.2 (OUT), TLS handshake, Finished (20):
>> * TLSv1.2 (IN), TLS change cipher, Client hello (1):
>> * TLSv1.2 (IN), TLS handshake, Finished (20):
>> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
>> * ALPN, server accepted to use h2
>> * Proxy certificate:
>> *  subject: C=US
>> *  start date: Dec 5 04:41:08 2020 GMT
>> *  expire date: Dec 3 04:41:08 2030 GMT
>> *  issuer: C=US
>> *  SSL certificate verify result: self signed certificate (18), continuing anyway.
>> * Establish HTTP proxy tunnel to httpbin.org:8443
>> > CONNECT httpbin.org:8443 HTTP/1.1
>> > Host: httpbin.org:8443
>> > User-Agent: curl/7.54.0
>> > Proxy-Connection: Keep-Alive
>> >
>> * TLSv1.2 (IN), TLS alert, Client hello (1):
>> * Proxy CONNECT aborted
>> * Connection #0 to host 127.0.0.1 left intact
>> curl: (56) Proxy CONNECT aborted
>
> Hi Guys, if anyone has a few minutes, happy to hop on a zoom and share my
> screen, where we can quickly try out different options?
>
> Thanks,
> Lei

-- 
Stay Hungry, Stay Foolish.
Lei Sun
Cell: 408-306-9199
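A small triage helper for curl -v traces like the three quoted above, added here as an example and not part of the thread: it reads the decisive lines of a trace and reports whether the probe stopped at client-side certificate verification (curl 60), got an HTTP error back from the proxy (the ATS 502 "Could Not Connect"), or sent a CONNECT that never received an HTTP response (curl 56). The sample traces are constructed excerpts of the output quoted in the thread.

```python
from dataclasses import dataclass

@dataclass
class Probe:
    tls_ok: bool = False    # "* SSL connection using ..." seen: handshake with proxy completed
    alpn: str = ""          # protocol the proxy accepted via ALPN, if any
    connect: bool = False   # a CONNECT request was sent (forward-proxy tunnel mode)
    status: int = 0         # first HTTP response status returned by the proxy
    curl_error: int = 0     # exit code from a trailing "curl: (NN) ..." line
    verdict: str = ""

def triage_curl_trace(trace: str) -> Probe:
    """Classify a curl -v trace against a TLS-terminating proxy by where it stopped."""
    p = Probe()
    for line in (l.strip() for l in trace.splitlines()):
        if line.startswith("* SSL connection using"):
            p.tls_ok = True
        elif line.startswith("* ALPN, server accepted to use "):
            p.alpn = line.rsplit(" ", 1)[1]
        elif line.startswith("> CONNECT "):
            p.connect = True
        elif line.startswith("< HTTP/") and not p.status:
            p.status = int(line.split()[2])       # "< HTTP/2 502" -> 502
        elif line.startswith("curl: ("):
            p.curl_error = int(line[7:line.index(")")])
    if p.curl_error == 60:
        p.verdict = "client: proxy certificate not trusted, TLS never completed"
    elif p.connect and not p.status:
        p.verdict = "tunnel: TLS to proxy ok but no HTTP response to CONNECT (curl %d)" % p.curl_error
    elif p.status >= 500:
        p.verdict = "proxy: request accepted but origin for the Host header unreachable"
    elif p.status:
        p.verdict = "ok: HTTP %d over %s" % (p.status, p.alpn or "http/1.1")
    else:
        p.verdict = "inconclusive: no status line and no curl error"
    return p

# Constructed excerpts of the three traces quoted in the thread, cut to the decisive lines.
TRACE_VERIFY_FAIL = """* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
curl: (60) SSL certificate problem: self signed certificate"""
TRACE_502 = """* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
> GET / HTTP/2
> Host: httbin.org:443
< HTTP/2 502"""
TRACE_CONNECT = """* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> CONNECT httpbin.org:8443 HTTP/1.1
* Proxy CONNECT aborted
curl: (56) Proxy CONNECT aborted"""
```

Run `triage_curl_trace(TRACE_502).verdict` and the two other samples to see the three different stopping points side by side.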
