On 30.01.2014 00:17, Reindl Harald wrote:
> On 30.01.2014 00:03, James Peach wrote:
>> On Jan 29, 2014, at 2:51 PM, Reindl Harald <[email protected]> wrote:
>>> what really would help in the documentation is a complete example of let's say
>>> 2 complete different domains with their own cert and any related file for
>>> that in reverse mode to see a complete picture on one page
>>>
>>> for httpd both, a real SNI host and ssl-reverse-proxy is quite simple and
>>> connected in a few lines (see below) and i try to figure out how get it
>>> the same with ATS
>>> and there may also be *.domain.tld-wildcard-certs in the game, at least one
>>
>> ssl_multicert.config:
>>
>> ssl_cert_name=/etc/pki/domain2.example.com.pem
>> ssl_cert_name=/etc/pki/domain1.example.com.pem
>>
>> remap.config:
>>
>> map https://domain1.example.com http://origin1.example.com
>> map https://domain2.example.com http://origin2.example.com
>
> thanks, that feels like i get the picture and for "ssl_multicert.config"
> i guess ATS is looking for what names the certificates are valid and
> selects them by the SNI name from the client and simply closes the
> connection if a bad client tries not configured SNI names
> ____________________________________________
>
> so that would be my "remap.config" for https://domain1.example.com/ and
> make sure unencrypted connections are forwarded to https and for that
> no plugin is needed i guess - sounds fine, i will play around with that
> on my test-VM
>
> map https://domain1.example.com http://origin1.example.com
> redirect http://domain1.example.com/ https://domain1.example.com/
>
> many thanks!

somehow ATS does not listen on 8443
without the "ssl=" it does but does not accept https connections

what i don't understand is why i need "server.cert.path" and
"server.private_key.path" at all additionally to "ssl_multicert.config"
and which cert this should be in production, but that's a later problem
after it accepts ssl-connections at all

/etc/trafficserver/records.config:
CONFIG proxy.config.http.server_ports STRING 8080,ssl=8443
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 1
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.server.multicert.filename STRING ssl_multicert.config
CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl/testserver.rhsoft.net.pem
CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver/ssl/testserver.rhsoft.net.pem

/etc/trafficserver/remap.config:
map https://rhsoft.testserver.rhsoft.net:8443 http://rhsoft.testserver.rhsoft.net
reverse_map http://rhsoft.testserver.rhsoft.net https://rhsoft.testserver.rhsoft.net:8443
redirect http://rhsoft.testserver.rhsoft.net:8080 https://rhsoft.testserver.rhsoft.net:8443

/etc/trafficserver/ssl_multicert.config:
ssl_cert_name=/etc/trafficserver/ssl/testserver.rhsoft.net.pem
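
A consistency check for the records.config and remap.config posted above, as an added example that is not part of the original message or of Traffic Server itself. It assumes the port descriptor form given in the Traffic Server documentation (a port number followed by colon-separated options, such as `8443:ssl`); the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed input, copied from the records.config and remap.config quoted above.
RECORDS = "CONFIG proxy.config.http.server_ports STRING 8080,ssl=8443\n"
REMAP = (
    "map https://rhsoft.testserver.rhsoft.net:8443 http://rhsoft.testserver.rhsoft.net\n"
    "reverse_map http://rhsoft.testserver.rhsoft.net https://rhsoft.testserver.rhsoft.net:8443\n"
    "redirect http://rhsoft.testserver.rhsoft.net:8080 https://rhsoft.testserver.rhsoft.net:8443\n"
)

def parse_server_ports(records):
    """Split proxy.config.http.server_ports into (plain, tls, malformed)."""
    plain, tls, malformed = set(), set(), []
    for line in records.splitlines():
        fields = line.split(None, 3)
        if len(fields) != 4 or fields[:2] != ["CONFIG", "proxy.config.http.server_ports"]:
            continue
        for desc in re.split(r"[,\s]+", fields[3].strip()):
            port, *options = desc.split(":")
            if not port.isdigit():
                malformed.append(desc)      # e.g. "ssl=8443": no leading port number
            elif "ssl" in options:
                tls.add(int(port))
            else:
                plain.add(int(port))
    return plain, tls, malformed

def lint(records, remap):
    """Return findings for client-facing remap rules that no listener can serve."""
    plain, tls, malformed = parse_server_ports(records)
    findings = [f"server_ports: cannot parse descriptor {d!r}" for d in malformed]
    for lineno, line in enumerate(remap.splitlines(), 1):
        fields = line.split()
        # Only map/redirect rules start with a client-facing URL; reverse_map does not.
        if len(fields) < 3 or fields[0] not in ("map", "redirect"):
            continue
        url = urlsplit(fields[1])
        is_tls = url.scheme == "https"
        port = url.port or (443 if is_tls else 80)
        if port not in (tls if is_tls else plain):
            kind = "TLS" if is_tls else "plain"
            findings.append(f"remap.config:{lineno}: {fields[0]} expects a {kind} listener on port {port}")
    return findings

if __name__ == "__main__":
    for finding in lint(RECORDS, REMAP):
        print(finding)
```
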
