[
https://issues.apache.org/jira/browse/TS-4468?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15513834#comment-15513834
]
Oknet Xu commented on TS-4468:
------------------------------
For HTTP session reuse and upon my suggestion:
release/acquire server session upon server_request->get_host()
if proxy.config.url_remap.pristine_host_hdr is false:
- t_state.current.server->name == server_request->get_host() ==
"origin.example.com"
- no difference
if proxy.config.url_remap.pristine_host_hdr is true:
- t_state.current.server->name == "origin.example.com"
- server_request->get_host() == "example.com" or "www.example.com"
- reduces the value of server session reuse (but without any negative effects)
With the option enabled:
- The results of match=ip and match=ip+FQDN are almost the same.
- The "match=ip" already meets our requirements. Because the FQDN is resolved to
multiple IPs and the contents on each IP are the same.
- The result of match=ip+Host is more accurate/less than the result of
match=ip+FQDN.
For HTTP session reuse:
- match=ip is enough <==> match = IP
- match=FQDN is acceptable and improves the value while multiple IPs for a FQDN <==> match = HOST
- match=ip+FQDN is almost the same as match=ip <==> match = BOTH
- match=Host is acceptable and improves the value but lower than FQDN
- match=ip+Host is acceptable but reduces the value of reuse
For HTTPS session reuse:
- match=ip is unacceptable, against RFC 6066
- match=FQDN is unacceptable, against RFC 6066
- match=ip+FQDN is unacceptable, against RFC 6066
- match=Host(SNI) is acceptable and improves the value
- match=ip+Host(SNI) is required <==> match = IP
- match=FQDN+Host(SNI) is acceptable and no difference with ip+Host <==> match = HOST
- match=ip+FQDN+Host(SNI) is acceptable and no difference with ip+Host <==> match = BOTH
Your patch implements the additional SNI match for SSLNetVC.
Depending on the analysis above, in order to get the maximum value of reuse:
- to reuse a server session connect to parent proxy, we prefer match=ip
- to reuse a server session that reverse proxy to http origin server, we prefer
match=ip
- to reuse a server session that reverse proxy to https origin server, we
prefer match=ip+sni(with the patch)
- to reuse a server session that forward proxy to http origin server, we prefer
match=host
- to reuse a server session that forward proxy to https origin server, we
prefer match=host+sni(with the patch)
Now, the ATS default setting is match=both, which is a middle solution (not bad but not
the best).
Thanks for your explanation, and finally I totally understand the reuse.
However, I will reserve my opinion about match=IP+FQDN <==> match=BOTH.
> http.server_session_sharing.match = both unsafe with HTTPS
> ----------------------------------------------------------
>
> Key: TS-4468
> URL: https://issues.apache.org/jira/browse/TS-4468
> Project: Traffic Server
> Issue Type: Bug
> Components: HTTP, SSL
> Affects Versions: 6.1.1
> Reporter: Jered Floyd
> Assignee: Susan Hinrichs
> Fix For: 7.0.0
>
> Attachments: TS-4468.patch
>
> Time Spent: 3h 10m
> Remaining Estimate: 0h
>
> proxy.config.http.server_session_sharing.match has a default value of "both",
> which compares IP address, port, and FQDN when determining whether a
> connection can be reused for further user agent requests.
> The "host" (FQDN) matching does not behave safely when ATS is operating as a
> reverse proxy. The compared value is the origin server FQDN after mapping,
> rather than the initial "Host" target.
> If multiple Hosts map to the same origin server and the scheme is HTTPS, ATS
> will attempt to reuse a connection that may have an SNI Host that does not
> match the HTTP Host. With Apache 2.4 origin servers this results in 400 Bad
> Request to the user agent.
> PROBLEM REPRODUCTION:
> You can observe this behavior with two mapping rules such as:
> map https://example.com/ https://origin.example.com/
> map https://www.example.com/ https://origin.example.com/
> Non-caching clients alternately fetching URIs from the two targets will see
> 400 Bad Request responses intermittently.
> WORKAROUND:
> proxy.config.http.server_session_sharing.match should have a default value of
> "none" when proxy.config.reverse_proxy.enabled is "1"
> SUGGESTED FIXES:
> In order of completeness:
> 1) Do not share server sessions on reverse_proxy requests.
> 2) Do not share server sessions on reverse_proxy requests where scheme is
> HTTPS.
> 3) Compare target host (SNI host) rather than replacement host when
> determining if reuse of server session is allowed (when
> server_session_sharing.match is set to "host" or "both").
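The reuse decision discussed in this thread, as an added C++ model that is not ATS code and not the TS-4468 patch: it compares pool lookups under match = IP, HOST and BOTH with and without an extra SNI comparison. The types, the `check_sni` switch, the 192.0.2.10 address and the assumption that the SNI follows the client-facing Host are illustrative.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical model of an idle origin connection; not ATS data structures.
struct ServerSession {
  std::string ip;    // address the socket is connected to
  std::string fqdn;  // origin FQDN after remap
  std::string sni;   // server name sent in the TLS handshake
};

enum class Match { IP, HOST, BOTH };

struct Pool {
  std::vector<ServerSession> idle;
  bool check_sni = false;  // true adds the SNI comparison for TLS sessions

  // Index of a reusable idle session, or -1 when a new connection is needed.
  int acquire(Match m, const std::string &ip, const std::string &fqdn,
              const std::string &sni) const {
    for (size_t i = 0; i < idle.size(); ++i) {
      const ServerSession &s = idle[i];
      bool ip_ok = (m == Match::HOST) || s.ip == ip;
      bool host_ok = (m == Match::IP) || s.fqdn == fqdn;
      bool sni_ok = !check_sni || s.sni == sni;
      if (ip_ok && host_ok && sni_ok) return static_cast<int>(i);
    }
    return -1;
  }
};

// Constructed scenario from the report's two map rules: a TLS session opened
// for example.com is idle when a request with the given SNI is remapped.
int lookup(Match m, bool check_sni, const std::string &request_sni) {
  Pool pool;
  pool.check_sni = check_sni;
  pool.idle.push_back({"192.0.2.10", "origin.example.com", "example.com"});
  return pool.acquire(m, "192.0.2.10", "origin.example.com", request_sni);
}

int main() {
  const Match modes[] = {Match::IP, Match::HOST, Match::BOTH};
  for (Match m : modes)
    for (bool sni : {false, true})
      std::cout << "match=" << static_cast<int>(m) << " check_sni=" << sni
                << " www.example.com -> " << lookup(m, sni, "www.example.com") << "\n";
}
```

An index of 0 for www.example.com means the session negotiated for example.com would be reused; -1 means a new connection is opened.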