I am using CentOS 7 as the OS. The version of trafficserver is v5.3.0, which 
comes from EPEL 7. CentOS 7 is updated with all patches.

I would like to set up a reverse proxy which listens on 80 and 443. It accepts SSL 
connections and maps the connection to an internal host, also with SSL.

Below is the portion of records.conf I modified.

CONFIG proxy.config.ssl.client.cert.filename STRING mycert.crt
CONFIG proxy.config.ssl.client.private_key.filename STRING mykey.key
#CONFIG proxy.config.ssl.allow_client_renegotiation INT 1
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 0
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.client.verify.server INT 0
CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
CONFIG proxy.config.ssl.server.cipher_suite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
CONFIG proxy.config.diags.debug.enabled INT 1
CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*|ssl.*


Below is the remap.conf I modified.

map https://publichost https://internalhost/path

I used Chrome to connect to https://publichost and it gave me the following:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH
The client and server don't support a common SSL protocol version or cipher 
suite. This is likely to be caused when the server needs RC4, which is no 
longer considered secure.

From my understanding, RC4 should already be disabled in the above cipher_suite 
setting. I would like to ask if there is anything I missed. I tested with a 
non-SSL reverse proxy and it seems OK.

Regards,
Anthony
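As an added check (not part of the post above and not Traffic Server code), the script below feeds the cipher_suite value from that records.conf to the OpenSSL that Python's ssl module is linked against, tests each colon-separated entry on its own, and lists what the whole string finally expands to. Inside a longer list OpenSSL silently skips entries it cannot resolve, so a mistyped name only becomes visible when tested alone; run it on the proxy host so it sees the same OpenSSL build that trafficserver loads.

```python
import ssl

# cipher_suite value copied from the records.conf in the post (split for readability)
CIPHER_SUITE = (
    "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:"
    "ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:"
    "DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:"
    "ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:"
    "DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:"
    "AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:"
    "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
)


def expand_cipher_string(cipher_string):
    """Return the cipher names OpenSSL selects for cipher_string, or None when
    OpenSSL rejects the string because no (pre-TLS 1.3) cipher matches it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:          # "No cipher can be selected."
        return None
    return [c["name"] for c in ctx.get_ciphers()]


def audit_entries(cipher_string):
    """Test every colon-separated entry by itself and report whether it selects
    anything; '!' entries are exclusions and never select ciphers on their own."""
    report = {}
    for entry in cipher_string.split(":"):
        if entry.startswith("!"):
            report[entry] = "exclusion"
        elif expand_cipher_string(entry):
            report[entry] = "matches"
        else:
            report[entry] = "no match (silently ignored inside a list)"
    return report


def rc4_free(cipher_string):
    """True when the string is accepted and no RC4 cipher survives in it."""
    names = expand_cipher_string(cipher_string)
    return names is not None and all("RC4" not in n for n in names)


if __name__ == "__main__":
    for entry, status in audit_entries(CIPHER_SUITE).items():
        print(f"{entry:32} {status}")
    print("\nexpanded list:", ", ".join(expand_cipher_string(CIPHER_SUITE) or []))
    print("RC4 excluded:", rc4_free(CIPHER_SUITE))
```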
