TS-2525: Remove restriction on outbound transparency with SSL.
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/c2434df8 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/c2434df8 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/c2434df8 Branch: refs/heads/5.0.x Commit: c2434df8c2a0726cb69d1b95c50857cd073f7ce2 Parents: cd86569 Author: Alan M. Carroll <[email protected]> Authored: Thu Jan 23 12:22:48 2014 -0600 Committer: Alan M. Carroll <[email protected]> Committed: Thu Jan 23 12:22:48 2014 -0600 ---------------------------------------------------------------------- CHANGES | 2 ++ .../configuration/records.config.en.rst | 24 ++++++++++---------- lib/records/RecHttp.cc | 10 ++++++-- 3 files changed, 22 insertions(+), 14 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/c2434df8/CHANGES ---------------------------------------------------------------------- diff --git a/CHANGES b/CHANGES index e795406..162e255 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ -*- coding: utf-8 -*- Changes with Apache Traffic Server 4.2.0 + *) [TS-2525] Remove restrictions on outbound transparency with SSL. + *) [TS-2425] Update to TS-2261 for loading plugins as root *) [TS-2505] Add traffic_line --offline option. http://git-wip-us.apache.org/repos/asf/trafficserver/blob/c2434df8/doc/reference/configuration/records.config.en.rst ---------------------------------------------------------------------- diff --git a/doc/reference/configuration/records.config.en.rst b/doc/reference/configuration/records.config.en.rst index a7d03d8..c0d78a5 100644 --- a/doc/reference/configuration/records.config.en.rst +++ b/doc/reference/configuration/records.config.en.rst 
@@ -250,7 +250,7 @@ Value Effect Network ======= -.. ts:cv:: LOCAL proxy.local.incoming_ip_to_bind STRING 0.0.0.0 :: +.. ts:cv:: LOCAL proxy.local.incoming_ip_to_bind STRING 0.0.0.0 [::] Controls the global default IP addresses to which to bind proxy server ports. The value is a space separated list of IP addresses, one per supported IP address family (currently IPv4 and IPv6). @@ -270,9 +270,9 @@ Unless explicitly specified in `proxy.config.http.server_ports`_ the server port Set the global default for IPv4 to ``191.68.101.18`` and the global default for IPv6 to ``fc07:192:168:101::17``.:: - LOCAL proxy.local.incoming_ip_to_bind STRING 192.168.101.18 fc07:192:168:101::17 + LOCAL proxy.local.incoming_ip_to_bind STRING 192.168.101.18 [fc07:192:168:101::17] -.. ts:cv:: LOCAL proxy.local.outgoing_ip_to_bind STRING 0.0.0.0 :: +.. ts:cv:: LOCAL proxy.local.outgoing_ip_to_bind STRING 0.0.0.0 [::] This controls the global default for the local IP address for outbound connections to origin servers. The value is a list of space separated IP addresses, one per supported IP address family (currently IPv4 and IPv6). @@ -284,7 +284,7 @@ Unless explicitly specified in `proxy.config.http.server_ports`_ the server port .. topic:: Example - Set the default local outbound IP address for IPv4 connectionsn to ``192.168.101.18``.:: + Set the default local outbound IP address for IPv4 connections to ``192.168.101.18``.:: LOCAL proxy.local.outgoing_ip_to_bind STRING 192.168.101.18 @@ -292,7 +292,7 @@ Unless explicitly specified in `proxy.config.http.server_ports`_ the server port Set the default local outbound IP address to ``192.168.101.17`` for IPv4 and ``fc07:192:168:101::17`` for IPv6.:: - LOCAL proxy.local.outgoing_ip_to_bind STRING 192.168.101.17 fc07:192:168:101::17 + LOCAL proxy.local.outgoing_ip_to_bind STRING 192.168.101.17 [fc07:192:168:101::17] Cluster ======= 
@@ -433,14 +433,14 @@ ipv6 Use IPv6. This is forced if the ``ip-in`` option is used with an IPv6 address. tr-in - Inbound transparent. The proxy port will accept connections to any IP address on the port. To have IPv6 inbound transparent you must use this and the ``ipv6`` option. This overrides :ts:cv:`proxy.local.incoming_ip_to_bind`. + Inbound transparent. The proxy port will accept connections to any IP address on the port. To have IPv6 inbound transparent you must use this and the ``ipv6`` option. This overrides :ts:cv:`proxy.local.incoming_ip_to_bind` for this port. Not compatible with: ``ip-in``, ``ssl``, ``blind`` tr-out - Outbound transparent. If ATS connects to an origin server for a transaction on this port, it will use the client's address as its local address. This overrides :ts:cv:`proxy.local.outgoing_ip_to_bind`. + Outbound transparent. If ATS connects to an origin server for a transaction on this port, it will use the client's address as its local address. This overrides :ts:cv:`proxy.local.outgoing_ip_to_bind` for this port. - Not compatible with: ``ip-out``, ``ssl``, ``ip-resolve`` + Not compatible with: ``ip-out``, ``ip-resolve`` tr-full Fully transparent. This is a convenience option and is identical to specifying both ``tr-in`` and ``tr-out``. 
@@ -451,7 +451,7 @@ tr-pass Transparent pass through. This option is useful only for inbound transparent proxy ports. If the parsing of the expected HTTP header fails, then the transaction is switched to a blind tunnel instead of generating an error response to the client. It effectively enables :ts:cv:`proxy.config.http.use_client_target_addr` for the transaction as there is no other place to obtain the origin server address. ip-in - Set the local IP address for the port. This is the address to which clients will connect. This forces the IP address family for the port. The ``ipv4`` or ``ipv6`` can be used but it is optional and is an error for it to disagree with the IP address family of this value. An IPv6 address **must** be enclosed in square brackets. If this options is omitted :ts:cv:`proxy.local.incoming_ip_to_bind` is used. + Set the local IP address for the port. This is the address to which clients will connect. This forces the IP address family for the port. The ``ipv4`` or ``ipv6`` can be used but it is optional and is an error for it to disagree with the IP address family of this value. An IPv6 address **must** be enclosed in square brackets. If this option is omitted :ts:cv:`proxy.local.incoming_ip_to_bind` is used. Not compatible with: ``tr-in``. @@ -470,7 +470,7 @@ ip-resolve ssl Require SSL termination for inbound connections. SSL :ref:`must be configured <configuring-ssl-termination>` for this option to provide a functional server port. - Not compatible with: ``tr-in``, ``tr-out``, ``blind``. + Not compatible with: ``tr-in``, ``blind``. blind Accept only ``CONNECT`` transactions on this port. 
@@ -905,9 +905,9 @@ Negative Response Caching .. ts:cv:: CONFIG proxy.config.http.negative_caching_lifetime INT 1800 - How long (in seconds) Traffic Server keeps the negative responses valid in cache. This value only affects negative + How long (in seconds) Traffic Server keeps the negative responses valid in cache. This value only affects negative responses that do have explicit ``Expires:`` or ``Cache-Control:`` lifetimes set by the server. - + Proxy User Variables ==================== http://git-wip-us.apache.org/repos/asf/trafficserver/blob/c2434df8/lib/records/RecHttp.cc ---------------------------------------------------------------------- diff --git a/lib/records/RecHttp.cc b/lib/records/RecHttp.cc index e9ad2b5..fc75907 100644 --- a/lib/records/RecHttp.cc +++ b/lib/records/RecHttp.cc @@ -264,7 +264,6 @@ HttpProxyPort::processOptions(char const* opts) { af_set_p = true; } else if (0 == strcasecmp(OPT_SSL, item)) { m_type = TRANSPORT_SSL; - m_inbound_transparent_p = m_outbound_transparent_p = false; } else if (0 == strcasecmp(OPT_PLUGIN, item)) { m_type = TRANSPORT_PLUGIN; } else if (0 == strcasecmp(OPT_TRANSPARENT_INBOUND, item)) { @@ -321,8 +320,9 @@ HttpProxyPort::processOptions(char const* opts) { (m_host_res_preference[0] != HOST_RES_PREFER_CLIENT || m_host_res_preference[1] != HOST_RES_PREFER_NONE )) { - Warning("Outbound transparent ports require the IP address resolution ordering '%s,%s'. " + Warning("Outbound transparent port '%s' requires the IP address resolution ordering '%s,%s'. " "This is set automatically and does not need to be set explicitly." + , opts , HOST_RES_PREFERENCE_STRING[HOST_RES_PREFER_CLIENT] , HOST_RES_PREFERENCE_STRING[HOST_RES_PREFER_NONE] ); 
@@ -331,6 +331,12 @@ HttpProxyPort::processOptions(char const* opts) { m_host_res_preference[1] = HOST_RES_PREFER_NONE; } + // Can't be inbound transparent and SSL. + if (TRANSPORT_SSL == m_type && m_inbound_transparent_p) { + Warning("SSL and inbound transparency on the same port is not supported - transparency disabled: '%s'", opts); + m_inbound_transparent_p = false; + } + // Transparent pass-through requires tr-in if (m_transparent_passthrough && !m_inbound_transparent_p) { Warning("Port descriptor '%s' has transparent pass-through enabled without inbound transparency, this will be ignored.", opts);
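Review bot: in the records.config.en.rst hunks at @@ -250 and @@ -270 the examples for proxy.local.incoming_ip_to_bind and proxy.local.outgoing_ip_to_bind switch to bracketed IPv6 (`[::]`, `[fc07:192:168:101::17]`), but the prose for both variables still describes the value only as "a space separated list of IP addresses" and says nothing about brackets. Add the same "An IPv6 address **must** be enclosed in square brackets" sentence that the ``ip-in`` option already carries, and confirm that the value parser for these two variables accepts the bracketed form, since this commit changes no parsing code for them.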
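Review bot: with ``ssl`` dropped from the ``tr-out`` incompatibility list (@@ -433) and ``tr-out`` dropped from the ``ssl`` list (@@ -470), the two lists agree with each other and with the new code check, but the ``tr-full`` entry ("identical to specifying both ``tr-in`` and ``tr-out``") is left as is. A port declared with ``tr-full`` and ``ssl`` will now hit the new RecHttp.cc warning and end up outbound transparent only; a sentence under ``tr-full`` (or under ``ssl``) stating that only the outbound half survives on an SSL port would spare operators a confusing warning.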
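Review bot: the @@ -905 hunk in the negative_caching_lifetime section is whitespace only (trailing spaces removed from one line and from a blank line) and is unrelated to TS-2525. Either mention the cleanup in the commit message or leave it out so the diff stays limited to the change it names.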
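Review bot: the line removed from the OPT_SSL branch at @@ -264, `m_inbound_transparent_p = m_outbound_transparent_p = false;`, only took effect when ``ssl`` appeared after ``tr-in``/``tr-out`` in the option string, so the old restriction was order dependent; the replacement check after option parsing (@@ -331) is order independent, which is worth stating in the commit message since it changes behaviour for descriptors that listed ``ssl`` first. On the Warning edit in the same file: the added `'%s'` is the first conversion and `opts` is the first added argument, so the three `%s` line up with the three arguments.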
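Review bot: the new warning in the @@ -331 hunk says "transparency disabled", but only `m_inbound_transparent_p` is cleared and outbound transparency is intentionally kept, so reword it to "inbound transparency disabled: '%s'". Also, because this check runs just before the tr-pass check that follows it, a descriptor combining ``ssl``, ``tr-in`` and ``tr-pass`` will now log two warnings for one root cause (this one, then "has transparent pass-through enabled without inbound transparency"); consider naming ``tr-pass`` in this message or clearing the pass-through flag here so the second warning is not emitted.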
