Thank you Jeremy and Miles for the help with this. I've confirmed the requests 
are getting sent to the upstream proxy in plaintext rather than TLS. So the 
plaintext CONNECT is going to the upstream rather than doing the TLS handshake 
first.


I've gone through all the config and can't identify anything that stands out 
that would do this. Do you guys or anyone else know how the connection to the 
upstream could not be encrypted?


Relevant config:

records.config


CONFIG proxy.config.http.no_dns_just_forward_to_parent INT 1
CONFIG proxy.config.http.forward.proxy_auth_to_parent INT 1
CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1
CONFIG proxy.config.http.forward_connect_method INT 1

CONFIG proxy.config.http.parent_proxies STRING my-upstream.proxy.com:443

CONFIG proxy.config.diags.debug.enabled INT 1
CONFIG proxy.config.diags.debug.tags STRING 'dns|http|ssl|http.*|parent.*|ssl.*'


parent.config:

dest_domain=. parent="my-upstream.proxy.com:443" round_robin=true ignore_self_detect=true go_direct=false


I also tried adding an entry in sni.yaml for the upstream.

Thanks again for your help with this.

Zack Bartel
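The observation above (a plaintext CONNECT on the wire where a TLS handshake was expected) and Jeremy's earlier advice to check the packet trace and the offered SNI both come down to reading the first bytes ATS writes to the parent. The following is an added example, not code from this thread or from Apache Traffic Server: a small Python classifier that takes the first TCP payload of the proxy-to-parent stream and reports whether it is a TLS ClientHello (and which SNI it carries) or a plaintext proxy request such as CONNECT. The `build_client_hello` helper and the CONNECT line in `main` are constructed samples; the hostname `my-upstream.proxy.com` is reused from the thread, and `example.com:443` is an assumed client destination.

```python
# Added example, not from the thread or from ATS: classify the first bytes a
# proxy sends to its parent so a capture can be judged at a glance.
import struct
from typing import Optional

TLS_HANDSHAKE_RECORD = 0x16   # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000      # extension type: server_name (SNI)


def _sni_from_extensions(ext: bytes) -> Optional[str]:
    """Walk a ClientHello extension list and return the host_name SNI entry, if any."""
    pos = 0
    while pos + 4 <= len(ext):
        ext_type, ext_len = struct.unpack_from("!HH", ext, pos)
        pos += 4
        body = ext[pos:pos + ext_len]
        pos += ext_len
        if ext_type != EXT_SERVER_NAME or len(body) < 5:
            continue
        # server_name_list: 2-byte list length, then (name_type, 2-byte len, name) entries
        (list_len,) = struct.unpack_from("!H", body, 0)
        entries = body[2:2 + list_len]
        epos = 0
        while epos + 3 <= len(entries):
            name_type = entries[epos]
            (name_len,) = struct.unpack_from("!H", entries, epos + 1)
            name = entries[epos + 3:epos + 3 + name_len]
            epos += 3 + name_len
            if name_type == 0:  # host_name
                return name.decode("ascii", errors="replace")
    return None


def classify_first_bytes(data: bytes) -> dict:
    """Classify the first segment a client writes on a fresh TCP connection.

    Returns {'kind': 'tls', ...} for a TLS ClientHello, {'kind': 'plaintext', ...}
    for an HTTP request line (CONNECT or absolute-form GET), else {'kind': 'unknown'}.
    """
    # TLS record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if (len(data) >= 9 and data[0] == TLS_HANDSHAKE_RECORD
            and data[1] == 0x03 and data[5] == TLS_CLIENT_HELLO):
        hs_len = int.from_bytes(data[6:9], "big")
        body = data[9:9 + hs_len]
        try:
            pos = 2 + 32                       # legacy_version + random
            pos += 1 + body[pos]               # session_id
            (cs_len,) = struct.unpack_from("!H", body, pos)
            pos += 2 + cs_len                  # cipher_suites
            pos += 1 + body[pos]               # compression_methods
            sni = None
            if pos + 2 <= len(body):
                (ext_len,) = struct.unpack_from("!H", body, pos)
                pos += 2
                sni = _sni_from_extensions(body[pos:pos + ext_len])
        except (IndexError, struct.error):
            # Capture cut the ClientHello short: still TLS, but SNI is unrecoverable.
            return {"kind": "tls", "truncated": True, "sni": None}
        return {"kind": "tls", "truncated": False, "sni": sni}

    # Plaintext HTTP: "<METHOD> <target> HTTP/x.y\r\n"
    request_line = data.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        return {"kind": "plaintext",
                "method": parts[0].decode("ascii", errors="replace"),
                "target": parts[1].decode("ascii", errors="replace")}
    return {"kind": "unknown"}


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2-style ClientHello carrying only an SNI extension."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    sni_ext_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext_body)) + sni_ext_body
    body = (b"\x03\x03"                                   # legacy_version: TLS 1.2
            + b"\x11" * 32                                # client random (fixed for the sample)
            + b"\x00"                                     # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
            + b"\x01\x00"                                 # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([TLS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE_RECORD, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def verdict(data: bytes) -> str:
    """One-line summary suitable for eyeballing a capture."""
    r = classify_first_bytes(data)
    if r["kind"] == "tls":
        return "TLS ClientHello to parent, SNI=%s" % (r["sni"] or "<none or truncated>")
    if r["kind"] == "plaintext":
        return "PLAINTEXT %s %s sent to parent (no TLS handshake)" % (r["method"], r["target"])
    return "unrecognised first bytes"


if __name__ == "__main__":
    # Constructed samples: what the thread describes (plaintext CONNECT) vs. what was wanted.
    print(verdict(b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"))
    print(verdict(build_client_hello("my-upstream.proxy.com")))
```

Feed `classify_first_bytes` the first TCP payload of the ATS-to-parent stream from the capture (for example the reassembled stream payload exported from Wireshark, or the bytes of the first data segment). A `plaintext` verdict confirms the symptom described above; a `tls` verdict whose SNI differs from the name on the parent's certificate points at the mismatch Jeremy suggested checking with the verify-server settings.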



On Nov 10, 2021, at 11:48 AM, Jeremy Payne <[email protected]> wrote:

As Miles suggested, you can play with the verify server settings to see
if you're sending an SNI that doesn't match on the upstream server.

You can also place ATS in debug mode while running your tests,
something like the below.

CONFIG proxy.config.diags.debug.enabled INT 1
CONFIG proxy.config.diags.debug.tags STRING 'http.*|parent.*|ssl.*'

For more data points: I'm a packet trace guy, so I always like to see
what's being sent on the wire.


On Wed, Nov 10, 2021 at 12:12 PM Zack Bartel <[email protected]> wrote:

Thanks for the help with this. We don't have a remap in this situation as we 
want all traffic to go to this single upstream, which is another intermediary 
proxy. So ATS sits in the middle, but should forward all requests to a single 
upstream proxy that is itself https.

In squid it's like this:

cache_peer my-upstream.proxy.com parent 443 0 no-query tls

But I don't want to use squid.

Thanks again,
Zack


On Nov 9, 2021, at 11:55 AM, Jeremy Payne <[email protected]> wrote:

Also, please provide the remap entry in question.
You can sanitize the hostnames, but keep the scheme references.
I do believe the parent selection must match the origin scheme defined
in the remap.

'502 connection refused' sounds like the parent selection is not
matching and the request is going directly to origin.
Unless things have changed, an ATS-to-upstream certificate verify failure
usually results in a '502 service unavailable'.




On Thu, Nov 4, 2021 at 2:12 PM Zack Bartel <[email protected]> wrote:

Hello everyone,
I am trying to configure ATS 9.0.0 to upstream to another secure proxy over 
https. I can't get it to work, and all connections fail with 502 Connection Refused. Is it 
possible to use https for the parent proxy?


url_regex=.+ scheme=https parent="my-upstream.proxy.com:443" round_robin=true ignore_self_detect=true


Thank you,

Zack Bartel

