On 29.01.2014 23:21, Leif Hedstrom wrote:
> On Jan 29, 2014, at 8:14 AM, Reindl Harald <[email protected]> wrote:
>
>> Hi
>>
>> https://trafficserver.readthedocs.org/en/latest/admin/security-options.en.html#client-and-traffic-server-connections
>>
>> I don't get from the documentation how to have several domains
>> in reverse-proxy mode, each of them having their own certificates,
>> and how that plays with "remap.config"
>
> Not sure I fully understand, but yes, you'd have entries in both
> ssl_multicert.config and remap.config for each domain you want to support HTTPS for.
>
>> ___________________________________
>>
>> how to enforce that a domain-mapping redirects to https?
>> with httpd this can be done with mod_rewrite, but in case
>> ATS is working as reverse-proxy that would lead to a loop
>> or not work at all, because httpd does not and should not
>> know how the connection to the reverse-proxy is made
>>
>> <IfModule mod_rewrite.c>
>> RewriteEngine on
>> RewriteCond %{HTTPS} off
>> RewriteRule (.*) https://whatever.thelounge.net%{REQUEST_URI}
>> </IfModule>
>
> Maybe you just want
>
> map http://whatever.thelounge.net https://origin.thelounge.net
> map https://whatever.thelounge.net https://origin.thelounge.net
>
> This would enforce HTTPS to origin, always. About the loops, I'd have to see
> the https config, but for example, I do the following in my setup (http://www.ogre.com/node/430):
>
> map https://www.ogre.com http://127.0.0.1 @plugin=header_rewrite.so @pparam=/server/etc/ssl-header.conf
>
> Where ssl-header.conf is
>
> cond %{SEND_REQUEST_HDR_HOOK}
> set-header X-Forwarded-Proto "https"
>
> and in httpd.conf, I do
>
> RewriteCond %{HTTP:X-Forwarded-Proto} !=https
> …
>
> This lets httpd know that the client request was HTTPS (or not). Maybe this
> helps? Note that the above only works in recent ATS (v4.1.2 or later); before that, you'd have to use the header_filter.so plugin.
OK, that all brings me further, I think

> you'd have entries in both ssl_multicert.config and remap.config for each
> domain you want to support HTTPS for

http://trafficserver.readthedocs.org/en/4.0.x/reference/configuration/ssl_multicert.config.en.html

hmmm - but what to do having one IP and different domains with different certs?

> I'd have to see the https config

well, there does not exist any defined config for now, I try to figure out
what is the best way to plan this and integrate it in our admin-backends
so that it scales over years with low maintenance

what really would help in the documentation is a complete example of, let's say,
2 completely different domains with their own cert and any related file for that
in reverse mode, to see a complete picture on one page

for httpd both, a real SNI host and an ssl-reverse-proxy, are quite simple and
connected in a few lines (see below) and I try to figure out how to get the
same with ATS; there may also be *.domain.tld wildcard certs in the game, at
least one

the reverse-proxy below is a 1:1 example with changed names to bring some
hardware devices from a dedicated network only available from one machine
ssl-encrypted to the LAN and restrict client IPs
______________________________________________________________________
<VirtualHost *:443>
 ServerName "domain1.example.com"
 DocumentRoot "/www/domain1.example.com"
 SSLEngine On
 SSLUseStapling On
 SSLCertificateFile "/etc/pki/domain1.example.com.pem"
 SSLCertificateKeyFile "/etc/pki/domain1.example.com.pem"
 SSLCACertificateFile "/etc/pki/ca.crt"
</VirtualHost>

<VirtualHost *:443>
 ServerName "domain2.example.com"
 DocumentRoot "/www/domain2.example.com"
 SSLEngine On
 SSLUseStapling On
 SSLCertificateFile "/etc/pki/domain2.example.com.pem"
 SSLCertificateKeyFile "/etc/pki/domain2.example.com.pem"
 SSLCACertificateFile "/etc/pki/ca.crt"
</VirtualHost>
______________________________________________________________________
<VirtualHost *:443>
 ServerName "domain1.example.com"
 ProxyRequests Off
 ProxyPass / http://origin1.example.com/
 ProxyPassReverse / http://origin1.example.com/
 <Location />
  Require ip 192.168.196.0/24
 </Location>
 SSLEngine On
 SSLUseStapling On
 SSLCertificateFile "/etc/pki/domain1.example.com.pem"
 SSLCertificateKeyFile "/etc/pki/domain1.example.com.pem"
 SSLCACertificateFile "/etc/pki/ca.crt"
</VirtualHost>

<VirtualHost *:443>
 ServerName "domain2.example.com"
 ProxyRequests Off
 ProxyPass / http://origin2.example.com/
 ProxyPassReverse / http://origin2.example.com/
 <Location />
  Require ip 192.168.196.0/24
 </Location>
 SSLEngine On
 SSLUseStapling On
 SSLCertificateFile "/etc/pki/domain2.example.com.pem"
 SSLCertificateKeyFile "/etc/pki/domain2.example.com.pem"
 SSLCACertificateFile "/etc/pki/ca.crt"
</VirtualHost>
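The "complete picture on one page" asked for above, as an added example that is not part of the thread and not taken from the ATS documentation: the two-domain httpd reverse-proxy setup translated into the ATS files Leif names (ssl_multicert.config and remap.config), plus the header_rewrite rule from his reply and an ip_allow.config rule standing in for "Require ip". Hostnames and the /etc/pki paths are the ones from the httpd example; the records.config lines, the rule-file path /etc/trafficserver/ssl-header.conf and the wildcard file name are assumptions for illustration. The two http:// rules use the remap.config "redirect" directive, which answers the http-to-https redirect at the proxy (301, no origin contact) instead of in the origin's mod_rewrite, so the loop the thread worries about cannot occur.

```conf
# --- records.config (only the lines that matter here; assumed values) ---
# Plain HTTP on 80, TLS on 443. Certificate and key files are looked up
# relative to the cert/key path settings below.
CONFIG proxy.config.http.server_ports STRING 80 443:ssl
CONFIG proxy.config.reverse_proxy.enabled INT 1
CONFIG proxy.config.ssl.server.cert.path STRING /etc/pki
CONFIG proxy.config.ssl.server.private_key.path STRING /etc/pki
# Refuse requests that match no remap rule, so the proxy cannot be used
# as an open forward proxy for arbitrary hosts.
CONFIG proxy.config.url_remap.remap_required INT 1

# --- ssl_multicert.config ---
# One line per certificate. Both lines use dest_ip=*, i.e. the same IP
# and port: ATS chooses the certificate by the SNI hostname the client
# sends, matched against the CN/SAN names in each certificate. The first
# dest_ip=* entry is also the fallback for clients that send no SNI.
# The httpd example keeps cert and key in one PEM; the same file works
# here for both ssl_cert_name and ssl_key_name.
dest_ip=* ssl_cert_name=domain1.example.com.pem ssl_key_name=domain1.example.com.pem
dest_ip=* ssl_cert_name=domain2.example.com.pem ssl_key_name=domain2.example.com.pem
# A wildcard certificate is just another line; its *.example.net SAN
# then serves every SNI name under that domain (file name assumed):
# dest_ip=* ssl_cert_name=wildcard.example.net.pem

# --- remap.config ---
# Plain-HTTP requests never reach the origin: the proxy answers with a
# permanent redirect to the https:// form of the same host. The decision
# is made where the client scheme is actually known, so no loop.
redirect http://domain1.example.com/ https://domain1.example.com/
redirect http://domain2.example.com/ https://domain2.example.com/
# TLS is terminated at ATS; the origin is reached over plain HTTP as in
# the httpd ProxyPass example, with header_rewrite adding the header
# that tells the origin the client side was HTTPS.
map https://domain1.example.com/ http://origin1.example.com/ @plugin=header_rewrite.so @pparam=/etc/trafficserver/ssl-header.conf
map https://domain2.example.com/ http://origin2.example.com/ @plugin=header_rewrite.so @pparam=/etc/trafficserver/ssl-header.conf

# --- /etc/trafficserver/ssl-header.conf (header_rewrite, ATS 4.1.2 or later) ---
# Set on the request ATS sends to the origin, i.e. only on the proxied hop.
cond %{SEND_REQUEST_HDR_HOOK}
set-header X-Forwarded-Proto "https"

# --- ip_allow.config ---
# Stands in for "Require ip 192.168.196.0/24". Unlike the httpd Location
# block this is global for the proxy, not per virtual host, so it
# restricts both domains at once. Check the shipped default file: any
# rule there that still matches all addresses would let other clients in.
src_ip=192.168.196.0-192.168.196.255 action=ip_allow method=ALL
```

Two checks after reloading: `openssl s_client -servername domain2.example.com -connect <proxy-ip>:443` must show the domain2 certificate (and the domain1 one when the -servername is changed), and `curl -I http://domain1.example.com/` must return 301 with a https:// Location without the origin seeing the request. One caveat on the header: the origins are reached over plain HTTP, so a client that can talk to origin1 directly could send its own X-Forwarded-Proto; the origin's RewriteCond should only trust that header for requests coming from the proxy's address, which the thread's setup (a dedicated network reachable only from the proxy machine) already ensures.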
