[ https://issues.apache.org/jira/browse/TS-4468?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15513834#comment-15513834 ]
Oknet Xu commented on TS-4468:
------------------------------

For HTTP session reuse and upon my suggestion: release/acquire server session upon server_request->get_host()

if proxy.config.url_remap.pristine_host_hdr is false:
- t_state.current.server->name == server_request->get_host() == "origin.example.com"
- no difference

if proxy.config.url_remap.pristine_host_hdr is true:
- t_state.current.server->name == "origin.example.com"
- server_request->get_host() == "example.com" or "www.example.com"
- reduces the value of server session reuse (but without any negative effects)

With the option enabled:
- The results of match=ip and match=ip+FQDN are almost the same.
- The "match=ip" already meets our requirements, because the FQDN is resolved to multiple IPs and the contents on each IP are the same.
- The result of match=ip+Host is more accurate/less than the result of match=ip+FQDN.

For HTTP session reuse:
- match=ip is enough <==> match = IP
- match=FQDN is acceptable and improves the value while there are multiple IPs for a FQDN <==> match = HOST
- match=ip+FQDN is almost the same as match=ip <==> match = BOTH
- match=Host is acceptable and improves the value but lower than FQDN
- match=ip+Host is acceptable but reduces the value of reuse

For HTTPS session reuse:
- match=ip is unacceptable, against RFC 6066
- match=FQDN is unacceptable, against RFC 6066
- match=ip+FQDN is unacceptable, against RFC 6066
- match=Host(SNI) is acceptable and improves the value
- match=ip+Host(SNI) is required <==> match = IP
- match=FQDN+Host(SNI) is acceptable and no difference with ip+Host <==> match = HOST
- match=ip+FQDN+Host(SNI) is acceptable and no difference with ip+Host <==> match = BOTH

Your patch implements the additional SNI match for SSLNetVC.

Depending on the analysis above, in order to get max value of reuse:
- to reuse a server session connected to a parent proxy, we prefer match=ip
- to reuse a server session that reverse proxies to an http origin server, we prefer match=ip
- to reuse a server session that reverse proxies to an https origin server, we prefer match=ip+sni (with the patch)
- to reuse a server session that forward proxies to an http origin server, we prefer match=host
- to reuse a server session that forward proxies to an https origin server, we prefer match=host+sni (with the patch)

Now, the ATS default setting is match=both, which is a middle solution (not bad but not the best).

Thanks for your explanation; finally I totally understand the reuse. However, I will reserve my opinion about match=IP+FQDN <==> match=BOTH.

> http.server_session_sharing.match = both unsafe with HTTPS
> ----------------------------------------------------------
>
>                 Key: TS-4468
>                 URL: https://issues.apache.org/jira/browse/TS-4468
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: HTTP, SSL
>    Affects Versions: 6.1.1
>            Reporter: Jered Floyd
>            Assignee: Susan Hinrichs
>             Fix For: 7.0.0
>
>         Attachments: TS-4468.patch
>
>          Time Spent: 3h 10m
>  Remaining Estimate: 0h
>
> proxy.config.http.server_session_sharing.match has a default value of "both",
> which compares IP address, port, and FQDN when determining whether a
> connection can be reused for further user agent requests.
> The "host" (FQDN) matching does not behave safely when ATS is operating as a
> reverse proxy. The compared value is the origin server FQDN after mapping,
> rather than the initial "Host" target.
> If multiple Hosts map to the same origin server and the scheme is HTTPS, ATS
> will attempt to reuse a connection that may have an SNI Host that does not
> match the HTTP Host. With Apache 2.4 origin servers this results in 400 Bad
> Request to the user agent.
>
> PROBLEM REPRODUCTION:
> You can observe this behavior with two mapping rules such as:
> map https://example.com/ https://origin.example.com/
> map https://www.example.com/ https://origin.example.com/
> Non-caching clients alternately fetching URIs from the two targets will see
> 400 Bad Request responses intermittently.
>
> WORKAROUND:
> proxy.config.http.server_session_sharing.match should have a default value of
> "none" when proxy.config.reverse_proxy.enabled is "1"
>
> SUGGESTED FIXES:
> In order of completeness:
> 1) Do not share server sessions on reverse_proxy requests.
> 2) Do not share server sessions on reverse_proxy requests where scheme is
> HTTPS.
> 3) Compare target host (SNI host) rather than replacement host when
> determining if reuse of server session is allowed (when
> server_session_sharing.match is set to "host" or "both").

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
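The reuse rules discussed above, modelled as an added example (not Traffic Server code): a simplified session-pool lookup that compares IP:port and post-remap FQDN the way match=ip/host/both do, plus an optional SNI comparison standing in for the patch. The two map rules from the issue are replayed to show that match=both reuses a connection whose SNI differs from the new request's Host, and that the SNI check prevents it. Session fields and the 203.0.113.10 origin address are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ServerSession:
    """One pooled origin connection (constructed model, not the ATS struct)."""
    ip_port: str            # origin address actually connected to
    fqdn: str               # origin host after remap (t_state.current.server->name)
    sni: Optional[str]      # TLS SNI sent on this connection; None for plain HTTP


def session_matches(sess: ServerSession, ip_port: str, fqdn: str,
                    sni: Optional[str], match: str, check_sni: bool) -> bool:
    """Mimic server_session_sharing.match; check_sni models the TS-4468 patch."""
    if match == "none":
        return False
    if match in ("ip", "both") and sess.ip_port != ip_port:
        return False
    if match in ("host", "both") and sess.fqdn != fqdn:
        return False
    # Without the patch, a session to the right origin is reused even when its
    # SNI differs from the Host the user agent asked for (the 400 Bad Request).
    if check_sni and sess.sni != sni:
        return False
    return True


def find_reusable(pool: List[ServerSession], ip_port: str, fqdn: str,
                  sni: Optional[str], match: str,
                  check_sni: bool = False) -> Optional[ServerSession]:
    for sess in pool:
        if session_matches(sess, ip_port, fqdn, sni, match, check_sni):
            return sess
    return None


# Constructed reproduction: example.com was fetched first, so the pool holds a
# TLS connection to origin.example.com carrying SNI "example.com".
ORIGIN = "203.0.113.10:443"
POOL = [ServerSession(ORIGIN, "origin.example.com", "example.com")]


def reuse_for_www(match: str, check_sni: bool) -> bool:
    """A request for https://www.example.com/ remaps to the same origin FQDN."""
    return find_reusable(POOL, ORIGIN, "origin.example.com",
                         "www.example.com", match, check_sni) is not None


if __name__ == "__main__":
    print("match=both, no SNI check -> reused:", reuse_for_www("both", False))
    print("match=both, SNI check    -> reused:", reuse_for_www("both", True))
```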