Re: Connection rejected for MTLS forward proxy

If you are in a test environment where you can share your wireshark pcap file that might also be interesting. On Wed, Feb 21, 2018 at 11:58 AM, Persia Aziz wrote: > Do you see this EOF if you have client verification disabled? > > Syeda Persia Aziz > Software Developer > Yahoo! Inc. > Champaign,

Re: Connection rejected for MTLS forward proxy

more from process start, which is the only certificate I see > loaded: > > 2018-02-21T08:32:50.209+00:00 gmt-dvor-vcsc1 traffic_server[10353]: > {0x7fd7da831740} DEBUG: (ssl) > importing SNI names from server.pem > 2018-02-21T08:32:50.209+00:00 gmt-dvor-vcsc1 traffic_server[10353]:

Re: Connection rejected for MTLS forward proxy

ke client verification failure in server side only I guess ? > > Thanks > ~S > > On 22 February 2018 at 01:14, Susan Hinrichs wrote: > >> It looks like in this exchange the client did not send a client >> certificate. But the other exchanges in the log file don&#x

Re: Connection rejected for MTLS forward proxy

fication in server side. So proxy.config.ssl.client.CA.cert.filename > and proxy.config.ssl.client.CA.cert.path are set > I have verified tomcat certificate ( which is what client is using for > connection ) using ca.pem in the server and they are good. > > > > On Feb 22, 2018 7:49 PM,

Re: Connection rejected for MTLS forward proxy

> On 22 February 2018 at 22:16, Susan Hinrichs wrote: > >> Alan also pointed out that you are running ATS 6.x. Could you try your >> test scenario on ATS 7.1.2? We've made considerable cleanup on the TLS >> handshake and more debugging in the client cert verification.

Re: What is the best way to scale ATS?

We use a load balancer in front of our clusters of ATS servers to scale horizontally. You could also just leverage ECMP routing in your router to similarly distribute connections (plus some extra work to deal with servers coming up and down).We have a proprietary CARP plugin to share cached da

Re: ATS and TLS close-notify

Yes, ATS should respond with close notify or at least FIN the connection. What version of ATS are you seeing this with? If there was already an application data packet in flight, it may arrive after the client sends the close notify. But in general ATS should shut down the connection. On Fri, Aug

Re: ATS and TLS close-notify

? Appreciate > any insights. > > > > Thanks, > > Peter > > > > > > *From:* Susan Hinrichs [mailto:shinr...@oath.com] > *Sent:* Saturday, September 01, 2018 3:57 PM > *To:* users@trafficserver.apache.org > *Subject:* Re: ATS and TLS close-notify >

Re: ATS and TLS close-notify

traffic server in inappropriate cases but it is not perfect and has varied over time. Earlier this year there was a PR to add a knob to turn off this behavior, but I don't know where it landed. I will check that out when I get back to the office. Susan On Sat, Sep 1, 2018, 5:56 PM Susan Hin

Re: ATS and TLS close-notify

n Sun, Sep 2, 2018 at 11:51 AM, Leif Hedstrom wrote: > That seems plausible , but isn’t the indication that things got a lot > worse from v6.x to 7.x? > > The half close logic is old, isn’t it? Did we change something into it in > 7.x? > > — Leif > > On Sep 2, 2018,

Re: Failover Scenario in Trafficserver

Another option is to place several Traffic Server boxes behind a VIP, i.e. a router or load balancer that owns a common IP and distributes connections to whichever Traffic Server box is alive. A router capable of basic ECMP routing can mostly do this. Or a dedicated state-aware load balancer can

Re: [PROPOSAL] HTTP Metrics Overhaul

I completely agree with the stats re-normalizing. I've been messed up multiple times by assuming that a http metric covers both protocols but was in fact http/1.x specific. On Tue, Oct 16, 2018 at 12:44 PM Bryan Call wrote: > The proxy.process.https stats (only 2 stats) should also be considere

Re: [VOTE] Release Apache Traffic Server 7.1.5 (RC0)

Sounds like the issue fixed in https://github.com/apache/trafficserver/pull/4538 If the Docker container is not run with sufficient privilege (IPC and NETADMIN in addition to NETBIND), traffic server would fail to start up. Although you state this worked in previous versions on 7.1. The code I ch

Re: Traffic server suddenly drop the packets and crashed

Are you exhausting ephemeral ports? What is the output of "ss -s" on your Traffic Server machine? That is quite easy exhaust all of the ephemeral ports for a single load testing client machine between active and time-wait connections. Is Traffic Server generating a core or a stack trace? What v

Re: Traffic server suddenly drop the packets and crashed

###this one is empty > > > > So its set by manually . > > net.ipv4.ip_local_reserved_ports = 3-31000 > > > > Is this ok ? . > > > > > __Vasanth > > Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for > Windows 1

Re: trafficserver 8 - Logging Client request (domain)

Do you have any error messages in diags.log, error.log, or traffic.out? Our organization doesn't use that field, but perhaps there is a bug in its support. I'll try to sent that up on a test box today. On Sun, Nov 18, 2018 at 1:31 AM Sevan Gelici wrote: > Hello, > > I dont know if its a issue o

Looking for opinions on additions to ssl_server_name.yaml

We currently have the ability to turn off HTTP/2 support on a per domain basis via the disable_h2 option in ssl_server_name.yaml https://docs.trafficserver.apache.org/en/latest/admin-guide/files/ssl_server_name.yaml.en.html Folks have asked for a similar mechanism to not offer TLS protocols (e.g.

Re: Looking for opinions on additions to ssl_server_name.yaml

ot; in which case > the protocol levels are enabled by default. > > On Mon, Nov 19, 2018 at 4:11 PM Susan Hinrichs > wrote: > >> We currently have the ability to turn off HTTP/2 support on a per domain >> basis via the disable_h2 option in ssl_server_name.yaml >> >&

Re: Cannot proxy to site HTTPS on port 8443

If you are proxying through ATS instead of terminating the TLS on the ATS box, you will need to update the set of allowed connect_ports proxy.config.http.connect_ports https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html?highlight=connect_ports#proxy.config.ht

Re: SSL Handshake Error with TS 8.0.2 and self signed certificate

I am guessing that your FireFox failure is due to the self-signed certificate. The mainstream browsers have been getting more picky. Does a GET request work if you use curl with the -k (don't verify server certificate) argument? I am more concerned by the crash of your signed certificate. Could

Re: [PROPOSAL] Remove SSL v3 code and configs

+1 On Fri, Jun 7, 2019 at 9:52 PM Bryan Call wrote: > +1 > > -Bryan > > > > On Jun 6, 2019, at 5:32 PM, Leif Hedstrom wrote: > > > > This code is disabled and does not build by default. I think it’s time > to remove this code path completely, it’s an insecure protocol, and I don’t > think any o

Re: TS_SSL_VERIFY_SERVER_HOOK

That feature was added as TS_SSL_SERVER_VERIFY in 8.0.x. The name was normalized to TS_SSL_VERIFY_SERVER_HOOK (to match the naming of TS_SSL_VERIFY_CLIENT_HOOK) in the branch for 9.0.x. In theory, that functionality could be backported if you could get the 7.1.x release manager to agree to it, bu

[proposal] Removing remap thread feature

While working on other things, I noticed the feature that sets up dedicated threads to process remap rules. Thinking this was remnants of an obsolete feature, I set up a PR to remove it. https://github.com/apache/trafficserver/pull/6025 However, in the last steps of setting up that PR, I saw some

Re: Query regarding proxy.config.ssl.client.certification_level

You can specialize the client certificate requirements using sni.yaml. So only request it for specific domain names. There is also an ip_allow action in sni.yaml (which I see is not documented) which would allow to control requiring client certificate based on the peer's IP. https://docs.traffic

Re: Query regarding proxy.config.ssl.client.certification_level

_client: MODERATE >> >> >> On Mon, Nov 25, 2019 at 11:59 PM Susan Hinrichs < >> shinr...@verizonmedia.com> wrote: >> >>> You can specialize the client certificate requirements using sni.yaml. >>> So only request it for specific domain names.

Re: Revocation checks on client certificate

No, ATS does not support revocation checks on the client certificate. By default it checks that the certificate is signed by a trusted root and is not expired. Adding revocation logic is an interesting idea. There is a hook (TS_EVENT_SSL_VERIFY_CLIENT) where you can you can have your plugin atta

Re: CPU load at idle

Clicking through to the description of the poll_timeout setting gives you a better description of what is going on. https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html#proxy-config-net-poll-timeout If your poll is set too low, your threads will spend very littl

Re: ATS and letsencrypt

You combine your cert.pem and your chain.pem files and specify that file in the ssl_cert_name attribute. The specific certificate should go first. Then the chain certs. On Tue, Mar 10, 2020 at 7:14 AM Jacobo Nájera wrote: > Hi, > > How can I declarate Let's encrypt certs in ssl_multicert.config

Re: ATS and letsencrypt

_cert_name cert and via ssl_ca_name) is not necessary. On Wed, Mar 11, 2020 at 6:05 PM Jacobo Nájera wrote: > El 10/03/20 a las 9:16, Susan Hinrichs escribió: > > You combine your cert.pem and your chain.pem files and specify that file > > in the ssl_cert_name attribute. The

Re: Extended Master Secret extension and session ticket reuse

Yes, I believe it should. ATS doesn't set SSL_OP_NO_EXTENDED_MASTER_SECRET, and the default is for that feature to be enabled. Are you having problems with session reuse? Perhaps the client does not support the Extended Master secret? Susan On Tue, Jul 14, 2020 at 1:26 AM supraja sridhar wrot

Re: Extended Master Secret extension and session ticket reuse

until openssl 3. On Wed, Jul 15, 2020 at 4:38 AM supraja sridhar wrote: > Hello, > Yes, I am using ATS 7.1.1 with openssl 1.0.2 version. The client supports > the extended master secret extension. Could the openssl version be an issue? > > On Tue, Jul 14, 2020 at 5:45 PM Susan Hinrich

Re: Extended Master Secret extension and session ticket reuse

tem > through configure script of ATS? > > On Wed, Jul 15, 2020 at 8:39 PM Susan Hinrichs > wrote: > >> I think the version of openssl is it. A quick grep through the code it >> appears that openssl 1.1.1 supports extended master secret but openssl >> 1.0.2 does not

Re: [PROPOSAL] TS API for Status,Note,Warning,Alert

+1 On Tue, Sep 8, 2020 at 1:34 PM Alan Carroll < solidwallofc...@verizonmedia.com> wrote: > +1. > > On Tue, Sep 8, 2020 at 12:04 PM Aaron Canary > wrote: > >> I'd like to propose adding API calls for the remaining methods in diag.h: >> TSStatus(const char *fmt, ...) // prints to diags log (infor

Re: [E] Query

The master branch includes an iCAP plugin. We have used that plugin to integrate with a Symantec filtering product and some preliminary testing with Clam AV. It is not merged into the 9.0.x branch so the earliest it would show up in an official release is 9.1.x or 10.x.. Susan On Wed, Oct 14, 2

Re: [E] Stress-resistance settings || or any advise please?

Sounds like ATS should be able to keep up with that work load. However, I've not worked with httpress specifically, so I'm not certain what kind of RPS those arguments would correspond to.. How did your ATS box fail? Did it crash? Did it just get so slow that the requests started timing out? I

Re: [E] Stress-resistance settings || or any advise please?

ite STRING ECDHE-ECDSA-AES256- > GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM- > SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS- > AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM- > SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-

Re: [E] Stress-resistance settings || or any advise please?

ing (without Cloudflare) > > > I'll try to play with port: with "local port range and other port reuse > settings " and increasing / decreasing default security limits too. > > Plus for future i'm planning to use ingres shaping / policing? to > mitigate suc

Re: [E] ATS 7.1 as reverse proxy timeouts on POST after 30 seconds instead of 1800 seconds

There are two kinds of timeouts involved. One is the various *connect_attempts_timeout. This timeout only applies while the connection to the origin is being established (e.g. TLS handshake or TCP three-way for non-TLS). Then the regular proxy.config.http.transaction_no_activity_timeout_out appl

Re: [E] Re: [VOTE] Release Apache Traffic Server 9.0.0 (RC0)

-1 Concern about the second PR that Masaori identified. The original PR caused asserts with a debug build.. I am testing another fix to this in production. Looking good so far. I will update the PR shortly. Without this patch, the 9.0.x build crashes on a production machine within an hour. 2

Re: [E] [VOTE] Release Apache Traffic Server 9.0.0 (RC0)

The analysis of this crash is in https://github.com/apache/trafficserver/issues/7338. On Wed, Dec 2, 2020 at 12:44 PM Leif Hedstrom wrote: > > > > On Dec 2, 2020, at 10:01 AM, Susan Hinrichs > wrote: > > > > -1 > > > > Concern about the second PR th

Re: [E] https issue

The --resolve option is very helpful for using curl to direct requests to the proxy to terminate. curl -k -v --resolve 'httbin.org:4443:127.0.0.1' https://httpbin.org:4443/get?answer=4a Adding the -k assuming you are using a self-signed cert in ATS for testing. Also assuming your ATS is configur

Re: [E] pssc/proxy response status code: 000

It means that ATS did not get an origin response before the transaction ended. If the transaction lasted 30 seconds, it seems likely that your client or origin timed out. Either due to the inactivity_timeout's set in ATS, or due to timeout logic in the client or origin. On Tue, Dec 8, 2020 at 8:

Re: [UPDATED: RC1] Re: [E] [VOTE] Release Apache Traffic Server 9.0.0 (RC0)

$ > > https://urldefense.com/v3/__https://docs.trafficserver.apache.org/en/9.0.x/release-notes/whats-new.en.html__;!!BhdT!z8VSKqhv7LB3HRgqyevwmCScfJUwFVJi_6sI5eGkJ2jKBfxgjFZRUXfSe0sxCms$ > > > > On Dec 2, 2020, at 1:39 PM, Susan Hinrichs > wrote: > > > &

Re: [E] Force trafficserver to TLSv1.3

Sounds like the origin is requesting a client certificate which ATS is not providing. Do you have your ATS configured to specify a client certificate if the origin requests one? This can be configured by the records.config setting proxy.config.ssl.client.cert.filename (and related) These settings

Re: [E] Force trafficserver to TLSv1.3

gt;Servers MUST NOT send a post-handshake CertificateRequest to clients >which do not offer this extension. Servers MUST NOT send this extension. > > > > On Thu, Dec 10, 2020 at 5:48 PM Susan Hinrichs > wrote: > >> Sounds like the origin is requesting a client cer

Re: Client / TS certificates 7.x vs 8.x

The config looks good to me. There are autests that exercise ATS requiring certs from the client with a variety of CA verification configurations. I haven't worked with the 8.x branch, but those tests are run against that branch I believe. Is your client certificate directly signed by the certi

Re: Client / TS certificates 7.x vs 8.x

NTvVzsIr4oMX8X4S6-8igbwFdenlRaU7SzsGbsuN4&s=5R00uQMyJ9YmmMafXRE9xHQzKiK1yEVJf-X57vJ0jGg&e=> > (sslServerHandShakeEvent)> (ssl-diag) > SSLNetVConnection::sslServerHandShakeEvent, SSL_ERROR_SSL errno=0 > > > The certificate is quite old but valid. > Validity &

Re: [E] Some disconnections from origin

At a quick glance, your settings seem reasonable. Judging from the debug output you shared, I'd suggest looking at your origin. Based on the debug output, ATS successfully makes a connection to the origin and thinks it sends the request (doesn't necessarily means the origin has processed the requ

Re: [E] ssllabs test fails : Assessment failed: String index out of range: 130

What version of ATS are you running? Our production servers running 9.0 are scanned without problem. On Thu, Mar 11, 2021 at 3:44 PM juergenp wrote: > > Hello, > > did anyone also get such errors ? > > > > i tried ssl-test through ATS and afterwards directly on nginx/apache > > each try with AT

Re: [E] Unable to use ATS 7.1.1 with openssl 1.1.1

I'm sorry, I haven't seen that crash. But I haven't run on the base 7.1.x branch for several years and not with openssl 1.1.1 code. I poked around the openssl code and based on the line numbers, it looks like the v->get_cert_methods method in X509_STORE_add_lookup is getting messed up. This is u

Re: [E] Passing ftp, ftps etc. to Squid?

My understanding is that the FTP proxy support in ATS was removed some time back, so you will need to route your ftp traffic to another proxy. I can think of three options 1. Use a different DNS name to resolve to the address of your FTP proxy. 2. Run your FTP proxy on the same machine as ATS.

Re: [E] Re: [VOTE] Release Apache Traffic Server 9.0.1 (RC1)

+1 Synced and running in production. On Mon, Apr 12, 2021 at 2:55 PM Randall Meyer wrote: > > +1 > On Saturday, April 10, 2021, 03:21:58 PM PDT, Leif Hedstrom > wrote: > > I've prepared a another release for 9.0.1 (RC1), which is a bug fix release > only. For a list of all PRs, see > >

Re: [E] Installation error from GIT

We are using systemd to start the service in our environment. There is a starter service file in the rc directory. On Wed, May 26, 2021 at 10:23 AM Alan Carroll wrote: > > I'm not sure what you mean. There are scripts in the "bin" directory of the > installation that start and stop the processe

Re: records.config to records.yaml

Single format is fine with me as long as start up will fail if there is no records.yaml and there is an old style records.config present. As I recall in the ipallow upgrade it would just go with defaults. That caused a number of us a day or so debugging. On Thu, Sep 22, 2022, 10:50 AM Sudheer Vinu

Re: SSL results in segmentation fault

Matt, Is there a basic stack trace in traffic.out? What is your SSL configuration? Do you have certs set up in ssl_multicert.config? Or are you doing a blind tunnel on the SSL traffic? Susan On 9/30/2014 2:14 AM, Matthieu Bienvenüe wrote: Hello ! I'm configuring ATS as a reverse proxy a

Re: ts crash for whildcard ssl certificate with version 5.2.0

Hi, The warning messages are likely harmless. They are probably complaints about conflicts if the main subject name is repeated as a subject alternative name. This has been addressed via TS-3243. I've successfully tested a basic wildcard certificated in 5.2/master. But obviously we must b

Re: 5.2.1: DHE ciphers gone?

On 4/1/2015 11:56 AM, Reindl Harald wrote: Am 01.04.2015 um 15:30 schrieb Leif Hedstrom: It was decided from experiences at LinkedIn that DHE was unstable and/or causing problems in general. It was deemed an incompatible change that should not have happened in the 5.x cycle, so we restored

Re: SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Are you seeing actual failed connections? Or is ATS just logging more intermediate error cases than httpd? On 4/16/2015 6:13 AM, Reindl Harald wrote: Am 16.04.2015 um 13:08 schrieb Neddy, NH. Nam: Yeah, it's been long time: https://issues.apache.org/jira/browse/TS-2402 "SSL v3 is disabled

Re: SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

by an ATS server. The only client handshake error it reported was IE6 on winXP (since SSLv3 is disabled). Can you give details about your configuration? We must be doing something different. On 4/16/2015 6:31 AM, Reindl Harald wrote: Am 16.04.2015 um 13:22 schrieb Susan Hinrichs: Are you see

Re: SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

hrieb Susan Hinrichs: I just tried "ab" against my dev master build without problems. I have SSLv3 disabled. It ended up negotiating tlsv1.2. I saw one error about protocol mismatch while I was playing around. interesting I also ran the the ssllabs tests against docs.trafficserver.apac

Re: SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

params.pem On 4/16/2015 6:31 AM, Reindl Harald wrote: Am 16.04.2015 um 13:22 schrieb Susan Hinrichs: Are you seeing actual failed connections? Or is ATS just logging more intermediate error cases than httpd? it is just impossible to use "ab" against a ATS, see difference below an

Re: memory leak related to ssl termination

We are tracking a memory leak issue on ssl_multicert.config reload. But I'm not aware of substantial memory leak for SSL traffic passing through. Are you running in forward proxy or reverse proxy? Are you running in transparent mode? Operating with SSL will use more memory than straight HTTP

Re: 5.3.0: TLS completly broken (reverse-proxy)

Hi Riendl, I'll have to try to reproduce from outside the office. If I understand you correctly, you can access the server behind ATS ok. Then you do the ssllabs scan (which fails badly). Then your browser can no longer access the server. Definitely sounds like badness. Susan On 5/26/201

Re: 5.3.0: TLS completly broken (reverse-proxy)

get this figured out before you need to move up to 5.3.x. On 5/26/2015 2:40 PM, Reindl Harald wrote: Am 26.05.2015 um 21:32 schrieb Susan Hinrichs: Hi Riendl, I'll have to try to reproduce from outside the office. If I understand you correctly, you can access the server behind ATS ok.

Proposed change in default cipher_suite list for ATS 6.0

We are planning on changing the default cipher_suite list as we move to ATS 6.0. The jira outlines the discussion on this issue https://issues.apache.org/jira/browse/TS-3136 Here is the last entry of the jira with the proposal and rationale. Ran some tests on a production box in Y! Based on

Re: [VOTE] Release Apache Traffic Server 5.3.1 (RC0)

+1 also tested on CentOS 6.5. On 7/3/2015 11:03 AM, Phil Sorber wrote: +1 Tested on CentOS 6.5 On Thu, Jul 2, 2015 at 4:09 PM Bryan Call > wrote: +1 Tested on Fedora 22. Signatures and regression passed. -Bryan > On Jun 29, 2015, at 9:56 PM, Phil

Re: transparent proxy (inline on a linux bridge) not work

Are you starting traffic manager as a privileged user? Sounds like a permission error. On 8/10/2015 9:37 PM, Wayne Zhang wrote: Hi. I followed the steps strictly from the official documents here : http://trafficserver.readthedocs.org/en/latest/admin/transparent-proxy/bridge.en.html#inline-on-

Re: transparent proxy (inline on a linux bridge) not work

iting gets timeout) remained. Wireshark on client PC showed that it didn't receive the SYN/ACK packet. 2015-08-11 21:35 GMT+08:00 Susan Hinrichs <mailto:shinr...@network-geographics.com>>: Are you starting traffic manager as a privileged user? Sounds like a permission error.

CFP Apachecon NA 2016 deadline is Friday

The deadline for talk proposals for Apachecon NA is this Friday. http://events.linuxfoundation.org/events/apachecon-north-america/program/cfp Please consider submitting something about your current work, planned work, experiences, etc. using ATS and/or other Apache open source projects. We n

Re: Bandwidth on certain destination (squid delay pool)

Sudheer, is this similar to the patch you helped Faysal with? https://issues.apache.org/jira/browse/TS-2643 On 4/7/2016 10:32 AM, Sudheer Vinukonda wrote: Not to the best of my knowledge. However, you can write a plugin to do that (in fact, I've such a plugin that I'm using internally in our

Re: Bandwidth on certain destination (squid delay pool)

But a TC based solution might work for Faisal. In the short term. On 4/7/2016 1:23 PM, Sudheer Vinukonda wrote: No, that was based on TC; The plugin I wrote doesn't depend on TC and is all handled within ATS. On Thursday, April 7, 2016 11:08 AM, Susan Hinrichs wrote: Sudheer, is

Re: [VOTE] Release Apache Traffic Server 7.1.0 (RC0)

+1    I have run this on two machines over the weekend successfully. On Thursday, July 13, 2017, 9:44:34 PM CDT, Leif Hedstrom wrote: I've prepared a release for 7.1.0 (RC0) which is the next major version of Apache Traffic Server. As per our new release schedule and process, v7.1.x is an Lon

Re: [VOTE] Release Apache Traffic Server 7.1.0 (RC1)

+1 Running for 24 hours on a production box without problems. On Thursday, July 20, 2017, 1:19:26 AM CDT, Phillip Moore wrote: +1 Have running on internal staging and production traffic and it is working fine.  I had no build troubles on SL6.9. --pdm

Please add me

shinr...@ieee.org

Re: Traffic server request

In addition the underlying single box configuration is described in the ATS documentation https://docs.trafficserver.apache.org/en/latest/ On Tue, Nov 14, 2017 at 7:08 AM, Eric Friedrich (efriedri) < efrie...@cisco.com> wrote: > Hi Vasanth- > Please take a look at Apache Traffic Control. It pr