Hi,

I'm not sure I understand what you are trying to achieve.

If the ATS is acting as a terminating reverse proxy (which is what I guess you are trying to achieve): Receiving an HTTPS request on port 443 (Straight TLS -- Not an HTTP CONNECT request), terminating the SSL connection and creating a new SSL connection upstream.

It needs to present some certificate to the client. The certificate it selects can be configured via the ssl_multicert config file -- the one that you have attached tells the ATS to use a single cert for all origin servers.

If you want it to be able to display the cert for site X then you need to copy the certificate to the proxy and configure it in the ssl_multicert.config.... (You also need to ensure that your browser sends SNI information -- All modern ones do except for IE over Windows XP)

If this isn't clear, could you send a cURL request/response?

Cheers,
Uri

________________________________
> Date: Tue, 12 Mar 2013 11:22:15 +0800
> From: [email protected]
> To: [email protected]
> Subject: Re:Re: ssl reverse proxy and ssl sni ?
>
> hi, Leif
>
> it seems it doesn't work... following is my test config:
>
> ssl_multicert.config:
> dest_ip=* ssl_cert_name=cert.pem ssl_key_name=key.pem
>
> records.config:
> CONFIG proxy.config.http.server_ports STRING 80 443:ssl
>
> remap.config:
> map https://.*.test.com/ https://$1.test.com/
>
> with SNI and SSL Termination, I want that when the browser accesses
> https://a.test.com, it shows the certificate of a.test.com;
>
> but with the above configuration, all the https sites show the same
> certificate...
>
> I don't know whether I misunderstand the sni and ssl termination, or
> the config is not correct~
>
>
>
> At 2013-03-11 22:19:24, "Leif Hedstrom" <[email protected]> wrote:
> If you run a version of ATS that supports SNI, yes. Pretty sure v3.2.4
> does, for example.
>
> -- Leif
>
> On Mar 11, 2013, at 4:00 AM, Esmq <[email protected]> wrote:
>
> hi, all
>
> we know that an extension to TLS called Server Name Indication (SNI)
> enables a web server to select the correct virtual domain
> and show the browser the certificate containing the correct name...
>
> apache/nginx just do the right thing...
>
> and I know that when ats is configured as an ssl reverse proxy, the certificate
> shown to the browser is the certificate that is on ats, not the certificate
> on the original server...
>
> so, when ats acts as a reverse proxy, does sni work?
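
Added example, not part of the original messages and not Traffic Server code: a simplified model of how a TLS-terminating proxy picks a certificate from ssl_multicert.config entries using the SNI name, showing why the single dest_ip=* line quoted above yields the same certificate for every host. The selection order, the CERT_NAMES table, and the a.test.com.pem, a.test.com.key and wildcard.test.com.pem file names are assumptions made for illustration.

```python
# Simplified model of SNI-based certificate selection (assumed order:
# exact name, then single-label wildcard, then the dest_ip=* default).

# Constructed stand-in for the names (CN/SAN) inside each PEM file;
# a real proxy reads these from the certificates themselves.
CERT_NAMES = {
    "cert.pem": ["proxy.test.com"],
    "a.test.com.pem": ["a.test.com"],          # hypothetical file
    "wildcard.test.com.pem": ["*.test.com"],   # hypothetical file
}

def parse_multicert(text):
    """Parse ssl_multicert.config lines into dicts of key=value pairs."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(dict(tok.split("=", 1) for tok in line.split()))
    return entries

def select_cert(entries, sni):
    """Return the certificate file that would be presented for this SNI name."""
    exact, wild, default = {}, {}, None
    for e in entries:
        cert = e["ssl_cert_name"]
        if e.get("dest_ip") == "*":
            default = cert
        for name in CERT_NAMES.get(cert, []):
            (wild if name.startswith("*.") else exact)[name.lower()] = cert
    if sni:
        sni = sni.lower()
        if sni in exact:
            return exact[sni]
        parent = "*." + sni.split(".", 1)[-1]
        if parent in wild:
            return wild[parent]
    return default  # no SNI sent, or no certificate names this host

# The configuration quoted in the thread: one default certificate only.
THREAD_CONFIG = "dest_ip=* ssl_cert_name=cert.pem ssl_key_name=key.pem\n"

# Constructed variant with one extra line carrying a.test.com's own cert.
PER_SITE_CONFIG = THREAD_CONFIG + (
    "ssl_cert_name=a.test.com.pem ssl_key_name=a.test.com.key\n"
)

if __name__ == "__main__":
    for cfg in (THREAD_CONFIG, PER_SITE_CONFIG):
        entries = parse_multicert(cfg)
        print([select_cert(entries, h) for h in ("a.test.com", "b.test.com", None)])
```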
