bryancall commented on issue #9529: URL: https://github.com/apache/trafficserver/issues/9529#issuecomment-4828018523
When Apache Traffic Server is used as a forward proxy, HTTPS clients reach it with the CONNECT method, which establishes an encrypted, blind tunnel between the client and the origin server. Because the bytes inside that tunnel are end-to-end encrypted, the AuthProxy plugin (which runs on plaintext HTTP transaction hooks) never sees the request and so is not invoked. That is why authentication works for plain HTTP but not for HTTPS in your setup, and the 403 Tunnel Forbidden is a separate CONNECT, forward-proxy policy matter. This is expected behavior rather than a defect: inspecting tunneled HTTPS requires intercepting (man in the middle) the TLS connection, which is what the experimental certifier plugin is for, and that is a different configuration topic from AuthProxy. Since this is a configuration and support question, the original report has had no reproduction follow-up since 2023, and the plugin still behaves as designed, I am closing this. Please reopen or start a discussi on on the users mailing list if you want help with TLS interception plus AuthProxy specifically. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
