bryancall commented on issue #9949: URL: https://github.com/apache/trafficserver/issues/9949#issuecomment-4013670478
Resolved. The issue was that HTTPS CONNECT tunnel remap rules require the port to be explicitly specified (e.g., `map https://example.com:443 https://example.com:443`). Without the explicit `:443`, the remap lookup for the CONNECT request doesn't match, causing the tunnel to fail.

For whitelisting CONNECT destinations, there are two layers of control:

- **`proxy.config.http.connect_ports`** (default: `443`) — restricts which ports CONNECT tunnels can target. Checked before remap.
- **`remap_required: 1`** with `map` rules — restricts which hostnames CONNECT tunnels can target. CONNECT requests do go through the remap engine.

Verified on ATS 11.0.0 (master, March 6 2026) with AddressSanitizer.

Test scenarios with `connect_ports: "443 8443"` and `remap_required: 1`:

| Test | Port | In `connect_ports`? | Remap rule? | Result |
|------|------|---------------------|-------------|--------|
| `www.example.com:443` | 443 | Yes | Yes | **200 OK** — tunnel established |
| `www.example.com:8443` | 8443 | Yes | Yes | **200 OK** — tunnel established |
| `www.example.com:9999` | 9999 | No | Yes | **403 Tunnel Forbidden** — blocked by `connect_ports` before remap |
| `www.unmapped.com:443` | 443 | Yes | No | **404 Not Found** — blocked by `remap_required` (no matching rule) |

No memory errors detected.
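Added example, not part of the comment above and not ATS code: a small audit that reads `remap.config` text and reports which CONNECT destinations pass both layers described in the comment, and which `https` rules will not admit a tunnel. The function name, the sample rules and the assumption that `connect_ports` is a space-separated list of single ports are this example's own; only plain `map` rules are inspected.

```python
from urllib.parse import urlsplit

# Constructed sample remap.config content (hostnames are placeholders).
SAMPLE_REMAP = """\
# constructed sample rules
map https://www.example.com:443 https://www.example.com:443
map https://www.example.com:8443 https://www.example.com:8443
map https://www.example.com:9999 https://www.example.com:9999
map https://portless.example.com https://portless.example.com
map http://plain.example.com http://origin.example.com
"""


def audit_connect_rules(remap_text, connect_ports):
    """Return (allowed, warnings) for CONNECT tunnels.

    allowed  -- sorted "host:port" targets that pass the port layer and
                have a remap rule with an explicit port
    warnings -- https map rules that will not admit a CONNECT tunnel
    """
    # Assumption: connect_ports holds single ports separated by spaces.
    allowed_ports = {int(p) for p in connect_ports.split()}
    allowed, warnings = set(), []
    for lineno, raw in enumerate(remap_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != "map":
            continue  # other rule types are out of scope for this audit
        target = urlsplit(fields[1])
        if target.scheme != "https":
            continue
        if target.port is None:
            # Per the comment: without an explicit port the CONNECT lookup misses.
            warnings.append(f"line {lineno}: {target.hostname} has no explicit "
                            "port, CONNECT remap lookup will not match")
        elif target.port not in allowed_ports:
            # connect_ports is checked before remap, so this rule is unreachable.
            warnings.append(f"line {lineno}: {target.hostname}:{target.port} "
                            "is rejected by connect_ports before remap")
        else:
            allowed.add(f"{target.hostname}:{target.port}")
    return sorted(allowed), warnings


if __name__ == "__main__":
    ok, warn = audit_connect_rules(SAMPLE_REMAP, "443 8443")
    print("tunnel destinations:", ok)
    print("\n".join(warn))
```
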
