This is an automated email from the ASF dual-hosted git repository.
zwoop pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 59d5e13 Document ip_allow in sni.yaml (#6723)
59d5e13 is described below
commit 59d5e1373b19f1441353d139517bb143b40ec1aa
Author: Susan Hinrichs <[email protected]>
AuthorDate: Fri May 1 09:31:23 2020 -0500
Document ip_allow in sni.yaml (#6723)
Co-authored-by: Susan Hinrichs <[email protected]>
(cherry picked from commit 11041d9368de4e68a6447d23d1fa9d04c7bbc7c7)
---
doc/admin-guide/files/sni.yaml.en.rst | 43 +++++++++++++++++++----------------
1 file changed, 24 insertions(+), 19 deletions(-)
diff --git a/doc/admin-guide/files/sni.yaml.en.rst
b/doc/admin-guide/files/sni.yaml.en.rst
index 76f5aa9..b6e3780 100644
--- a/doc/admin-guide/files/sni.yaml.en.rst
+++ b/doc/admin-guide/files/sni.yaml.en.rst
@@ -47,11 +47,16 @@ the user needs to enter the fqdn in the configuration with
a ``*.`` followed by
.. _override-verify-server-properties:
.. _override-host-sni-policy:
-=========================
==============================================================================
+=========================
========================================================================================
Key Meaning
-=========================
==============================================================================
+=========================
========================================================================================
fqdn Fully Qualified Domain Name. This item is used if
the SNI value matches this.
+ip_allow Specify a list of client IP address, subnets, or
ranges what are allowed to complete
+ the connection. This list is comma separated. IPv4
and IPv6 addresses can be specified.
+ Here is an example list:
192.168.1.0/24,192.168.10.1-4. This would allow connections
+ from clients in the 19.168.1.0 network or in the
range from 192.168.10.1 to 192.168.1.4.
+
verify_server_policy One of the values :code:`DISABLED`,
:code:`PERMISSIVE`, or :code:`ENFORCED`.
By default this is
:ts:cv:`proxy.config.ssl.client.verify.server.policy`.
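Review bot: the worked example in the new ip_allow row contradicts itself. The list given is 192.168.1.0/24,192.168.10.1-4, but the explanation says clients in the "19.168.1.0 network" and a range "from 192.168.10.1 to 192.168.1.4"; those should read 192.168.1.0 and 192.168.10.4 respectively, otherwise an operator copying the example will expect a different allow set than the one configured. Two grammar fixes in the same row: "a list of client IP address" should be "addresses", and "ranges what are allowed" should be "ranges that are allowed". The row also does not say what happens to a client that matches none of the entries (is the TLS handshake aborted, or the connection closed?), nor whether this per-SNI list is evaluated in addition to the global ip_allow.yaml rules or instead of them; a sentence on each would make the access-control behaviour unambiguous.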
@@ -76,18 +81,18 @@ verify_client One of the values :code:`NONE`,
:code:`MODERATE`, or :
host_sni_policy One of the values :code:`DISABLED`,
:code:`PERMISSIVE`, or :code:`ENFORCED`.
- If not specified, the value of
:ts:cv:`proxy.config.http.host_sni_policy` is used. This controls
- how policy impacting mismatches between host header
and SNI values are dealt with.
+ If not specified, the value of
:ts:cv:`proxy.config.http.host_sni_policy` is used.
+ This controls how policy impacting mismatches
between host header and SNI values are
+ dealt with.
valid_tls_versions_in This specifies the list of TLS protocols that will
be offered to user agents during
- the TLS negotiation. This replaces the global
settings in :ts:cv:`proxy.config.ssl.TLSv1`,
- :ts:cv:`proxy.config.ssl.TLSv1_1`,
:ts:cv:`proxy.config.ssl.TLSv1_2`,
- and :ts:cv:`proxy.config.ssl.TLSv1_3`. The potential
values are TLSv1, TLSv1_1, TLSv1_2, and
- TLSv1_3. You must list all protocols that |TS|
should offer to the client when using
- this key. This key is only valid for openssl 1.1.0
and later. Older versions of openssl do not
- provide a hook early enough to update the SSL
object. It is a syntax error for |TS| built
- against earlier versions.
-
+ the TLS negotiation. This replaces the global
settings in
+ :ts:cv:`proxy.config.ssl.TLSv1`,
:ts:cv:`proxy.config.ssl.TLSv1_1`,
+ :ts:cv:`proxy.config.ssl.TLSv1_2`, and
:ts:cv:`proxy.config.ssl.TLSv1_3`. The potential
+ values are TLSv1, TLSv1_1, TLSv1_2, and TLSv1_3.
You must list all protocols that |TS|
+ should offer to the client when using this key.
This key is only valid for openssl
+ 1.1.0 and later. Older versions of openssl do not
provide a hook early enough to update
+ the SSL object. It is a syntax error for |TS| built
against earlier versions.
client_cert The file containing the client certificate to use
for the outbound connection.
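Review bot: this hunk only reflows the host_sni_policy and valid_tls_versions_in rows, so it is a convenient place to fix wording carried over unchanged: "policy impacting mismatches" should be hyphenated as "policy-impacting mismatches", and "openssl" (twice) should be capitalised as "OpenSSL" to match the product name. The substance of both rows is otherwise unchanged.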
@@ -110,8 +115,8 @@ disable_h2 Deprecated for the more general
h2 setting. Setting d
to :code:`true` is the same as setting http2 to
:code:`on`.
tunnel_route Destination as an FQDN and port, separated by a
colon ``:``.
- Match group number can be specified by ``$N`` where
N should refer to a specified group in
- the FQDN, ``tunnel_route: $1.domain``.
+ Match group number can be specified by ``$N`` where
N should refer to a specified group
+ in the FQDN, ``tunnel_route: $1.domain``.
This will forward all traffic to the specified
destination without first terminating
the incoming TLS connection.
@@ -124,11 +129,11 @@ forward_route Destination as an FQDN and
port, separated by a colon
partial_blind_route Destination as an FQDN and port, separated by a
colon ``:``.
- This is similar to forward_route in that |TS|
terminates the incoming TLS connection. In
- addition partial_blind_route creates a new TLS
connection to the specified origin. It does
- not interpret the decrypted data before passing it
to the origin TLS connection, so
- the contents do not need to be HTTP.
-=========================
==============================================================================
+ This is similar to forward_route in that |TS|
terminates the incoming TLS connection.
+ In addition partial_blind_route creates a new TLS
connection to the specified origin.
+ It does not interpret the decrypted data before
passing it to the origin TLS
+ connection, so the contents do not need to be HTTP.
+=========================
========================================================================================
Client verification, via ``verify_client``, corresponds to setting
:ts:cv:`proxy.config.ssl.client.certification_level` for this connection as
noted below.
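Review bot: the reflowed partial_blind_route text keeps "In addition partial_blind_route creates a new TLS connection" without the comma after "In addition". More importantly for operators, the row says |TS| creates a new TLS connection to the origin but does not say whether verify_server_policy, documented earlier in this same table, governs certificate verification on that outbound connection; stating that explicitly would close a gap a reader would otherwise have to fill by guessing.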