bryancall commented on issue #9529:
URL: https://github.com/apache/trafficserver/issues/9529#issuecomment-4828018523

   When Apache Traffic Server is used as a forward proxy, HTTPS clients reach 
it with the CONNECT method, which establishes an encrypted, blind tunnel 
between the client and the origin server. Because the bytes inside that tunnel 
are end-to-end encrypted, the AuthProxy plugin (which runs on plaintext HTTP 
transaction hooks) never sees the request and so is not invoked. That is why 
authentication works for plain HTTP but not for HTTPS in your setup, and the 
403 Tunnel Forbidden is a separate CONNECT, forward-proxy policy matter. This 
is expected behavior rather than a defect: inspecting tunneled HTTPS requires 
intercepting (man in the middle) the TLS connection, which is what the 
experimental certifier plugin is for, and that is a different configuration 
topic from AuthProxy. Since this is a configuration and support question, the 
original report has had no reproduction follow-up since 2023, and the plugin 
still behaves as designed, I am closing this. Please reopen or start a discussi
 on on the users mailing list if you want help with TLS interception plus 
AuthProxy specifically.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to