abdulsalam3105 commented on issue #12064:
URL: https://github.com/apache/trafficserver/issues/12064#issuecomment-2700223824

   @shukitchan I am upgrading from 8.1.11 to 9.2.8 and found that while accessing the trafficserver url, it throws an error.
   
   My setup: trafficserver is placed in front of the IBM httpd server, and my application (origin) is placed behind the httpd server.
   
   When a request reaches the application server (origin), it checks whether it is authenticated or not and, based on that, it redirects to the auth server. Once auth is done, it should redirect to the request server, which is trafficserver.
   
   Below is my curl response:
   
   curl -v "https://trafficserverurl.com/ccm"
   
   Trying xx.xx.xx.xx.:443...
   Connected to Trafficserverurl.com (xx.xx.xx.x.) port 443 (#0)
   ALPN, offering h2
   ALPN, offering http/1.1
   CAfile: /etc/pki/tls/certs/ca-bundle.crt
   TLSv1.0 (OUT), TLS header, Certificate Status (22):
   TLSv1.3 (OUT), TLS handshake, Client hello (1):
   TLSv1.2 (IN), TLS header, Certificate Status (22):
   TLSv1.3 (IN), TLS handshake, Server hello (2):
   TLSv1.2 (IN), TLS header, Certificate Status (22):
   TLSv1.2 (IN), TLS handshake, Certificate (11):
   TLSv1.2 (IN), TLS header, Certificate Status (22):
   TLSv1.2 (IN), TLS handshake, Server key exchange (12):
   TLSv1.2 (IN), TLS header, Certificate Status (22):
   TLSv1.2 (IN), TLS handshake, Server finished (14):
   TLSv1.2 (OUT), TLS header, Certificate Status (22):
   TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
   TLSv1.2 (OUT), TLS header, Finished (20):
   TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
   TLSv1.2 (OUT), TLS header, Certificate Status (22):
   TLSv1.2 (OUT), TLS handshake, Finished (20):
   TLSv1.2 (IN), TLS header, Finished (20):
   TLSv1.2 (IN), TLS header, Certificate Status (22):
   TLSv1.2 (IN), TLS handshake, Finished (20):
   SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
   ALPN, server accepted to use h2
   Server certificate:
   subject: C=US; ST=XX; L=XXXX; O=compnay myurl; CN=Trafficserverurl.com
   start date: Nov 7 10:50:29 2024 GMT
   expire date: Nov 7 10:50:29 2026 GMT
   subjectAltName: host "Trafficserverurl.com" matched cert's "Trafficserverurl.com"
   issuer: C=US; O=compnay myurl; CN=ba IssuingCA
   SSL certificate verify ok.
   Using HTTP2, server supports multi-use
   Connection state changed (HTTP/2 confirmed)
   Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
   TLSv1.2 (OUT), TLS header, Unknown (23):
   TLSv1.2 (OUT), TLS header, Unknown (23):
   TLSv1.2 (OUT), TLS header, Unknown (23):
   Using Stream ID: 1 (easy handle 0x55e4c5b2b660)
   TLSv1.2 (OUT), TLS header, Unknown (23):
   GET /ccm HTTP/2
   Host: Trafficserverurl.com
   user-agent: curl/7.76.1
   accept: */*
   
   TLSv1.2 (IN), TLS header, Unknown (23):
   TLSv1.2 (OUT), TLS header, Unknown (23):
   TLSv1.2 (IN), TLS header, Unknown (23):
   TLSv1.2 (IN), TLS header, Unknown (23):
   < HTTP/2 401
   < date: Fri, 28 Feb 2025 17:51:08 GMT
   < vary: Host
   < x-powered-by: Servlet/3.0
   < www-authenticate: Basic realm="JSA"
   < www-authenticate: Bearer realm="JSA"
   < x-jsa-authorization-url: https://ihsurl.com/oidc/endpoint/jazzop
   < x-jsa-authorization-redirect: https://ihsurl.com/oidc/endpoint/jazzop/authorize?client_id=xxxxxxxxxx&response_type=code&state=security_token1%3DqubzMyXHqJkhCoVvX%2B1V4uXRQMJk6mJpx3AVPU879uQ%3D%26security_token2%3D5eA4KecA0eqxe4LlZ0z2cZW63baKS4bqXSMqAfk5sg8%3D%26return%3Dhttps%253A%252F%252FIHSurl.com%252Fccm%26scope%3Dopenid%2Bgeneral%2Bprofile%2Bemail%2B%26impersonation%3Dtrue&scope=openid+general+profile+email+&redirect_uri=https%3A%2F%2FIHSurl.com%2Fccm%2Fjsa
   < content-length: 0
   < set-cookie: JSA_CSRF_aa89488a-1e9c-46c6-a51f-37a125090265=0d4c3570-5b07-406c-9f03-3cc8dd6d25af; Path=/ccm; Secure; HttpOnly; SameSite=None
   < content-language: en-US
   < age: 0
   < strict-transport-security: max-age=63072000
   < via: https/1.1 Trafficserverurl.com (ATS)
   < server: ATS
   
   
   My remap.config looks like below:
   
   map https://trafficserverurl.com/ https://ibmhttpd.com/
   reverse_map https://ibmhttpd.com/ https://trafficserverurl.com/
   
   I have a header_rewrite.config file:
   cond %{SEND_REQUEST_HDR_HOOK}
   set-header Host "trafficserfqdn"
   
   This works in 8.1.11 but does not work in 9.2.8; that's why I used lua and also tried your script, which also doesn't work.
   
   < x-jsa-authorization-redirect: https://ihsurl.com/oidc/endpoint/jazzop/authorize?client_id=xxxxxxxxxx&response_type=code&state=security_token1%3DqubzMyXHqJkhCoVvX%2B1V4uXRQMJk6mJpx3AVPU879uQ%3D%26security_token2%3D5eA4KecA0eqxe4LlZ0z2cZW63baKS4bqXSMqAfk5sg8%3D%26return%3Dhttps%253A%252F%252FIHSurl.com%252Fccm%26scope%3Dopenid%2Bgeneral%2Bprofile%2Bemail%2B%26impersonation%3Dtrue&scope=openid+general+profile+email+&redirect_uri=https%3A%2F%2FIHSurl.com%2Fccm%2Fjsa
   
   In that curl output, redirect_uri and return should be the trafficserver url, but somehow it keeps having the IHS url.
   
   It seems trafficserver didn't send the correct header.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
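
Added example, not part of the original comment and not Traffic Server code: a check for the symptom reported above. It decodes an x-jsa-authorization-redirect value, including the return URL that is URL-encoded a second time inside state, and lists the callback fields whose host is not the public proxy host name. The sample value is constructed from the one in the comment with the tokens replaced by placeholders; the function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the header in the comment above; the two
# security tokens are placeholders, host names are the comment's own.
SAMPLE_REDIRECT = (
    "https://ihsurl.com/oidc/endpoint/jazzop/authorize?client_id=xxxxxxxxxx"
    "&response_type=code"
    "&state=security_token1%3DAAAA%26security_token2%3DBBBB"
    "%26return%3Dhttps%253A%252F%252FIHSurl.com%252Fccm"
    "%26scope%3Dopenid%2Bgeneral%2Bprofile%2Bemail%2B%26impersonation%3Dtrue"
    "&scope=openid+general+profile+email+"
    "&redirect_uri=https%3A%2F%2FIHSurl.com%2Fccm%2Fjsa"
)


def callback_hosts(redirect_header):
    """Return the host of every URL the browser is sent back to after login."""
    outer = parse_qs(urlsplit(redirect_header).query)
    hosts = {}
    if "redirect_uri" in outer:
        hosts["redirect_uri"] = urlsplit(outer["redirect_uri"][0]).hostname
    # `state` is itself a URL-encoded query string, and its `return` value is
    # encoded once more, so a second parse_qs pass is needed to reach it.
    if "state" in outer:
        inner = parse_qs(outer["state"][0])
        if "return" in inner:
            hosts["state.return"] = urlsplit(inner["return"][0]).hostname
    return hosts


def leaked_hosts(redirect_header, public_host):
    """Fields whose host differs from the public host (case-insensitive)."""
    return {
        field: host
        for field, host in callback_hosts(redirect_header).items()
        if host is None or host.lower() != public_host.lower()
    }


if __name__ == "__main__":
    # Both fields are reported when the public name is the proxy's.
    print(leaked_hosts(SAMPLE_REDIRECT, "trafficserverurl.com"))
```

Running the same check against the header returned by each Traffic Server version shows whether the origin saw the public host name or the backend one when it built the redirect.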
