Brian, Yes, Kishore is part of our dev team. He should be reaching out to you here soon. Thanks for offering your expert guidance.
On Fri, Jan 20, 2017 at 12:20 AM, Brian Geffon <[email protected]> wrote:
> Hey Jeremy, is the guy who requested the bug on your team? I'm happy to
> advise on how to fix it if you guys need.
>
> Brian
>
> On Thu, Jan 19, 2017, 05:30 Jeremy Payne <[email protected]> wrote:
>
>> "bug" filed.
>>
>> https://github.com/apache/trafficserver/issues/1344
>>
>> On Thu, Jan 19, 2017 at 6:37 AM, Jeremy Payne <[email protected]> wrote:
>>
>> Thus far it appears right before the origin request is built the SNI
>> value is derived from the original client (end user) defined HOST header.
>> Since we have pristine enabled, we don't want the original client HOST
>> header to be used as the origin SNI. So right after the cache lookup we
>> change the client HOST header to the desired SNI value. This seems to work
>> without impacts to the cache key, etc.
>>
>> ++++++++
>> function cache_lookup()
>>     ts.client_request.header['Host'] = 'origin.tld'
>>     return 0
>> end
>>
>> function do_remap()
>>
>>     ts.hook(TS_LUA_HOOK_CACHE_LOOKUP_COMPLETE, cache_lookup)
>>
>>     return 0
>> end
>> ++++++++
>>
>> On Wed, Jan 18, 2017 at 8:09 PM, Leif Hedstrom <[email protected]> wrote:
>>
>> I think we ran into just this same problem. Gancho, what was the solution?
>>
>> -- Leif
>>
>> On Jan 17, 2017, at 3:06 PM, Brian Geffon <[email protected]> wrote:
>>
>> That sounds like a bug and after looking through the code it does appear
>> to be:
>>
>> https://github.com/apache/trafficserver/blob/master/proxy/http/HttpSM.cc#L5046
>>
>> That's the wrong value to use since it never gets overwritten here:
>>
>> https://github.com/apache/trafficserver/blob/master/proxy/http/remap/RemapProcessor.cc#L242
>>
>> Can you please file a bug?
>>
>> Brian
>>
>> On Tue, Jan 17, 2017 at 1:56 PM Jeremy Payne <[email protected]> wrote:
>>
>> Hello,
>>
>> I currently have ATS configured to support a pristine host header.
>>
>> proxy.config.url_remap.pristine_host_hdr 1
>>
>> I also have ATS configured to verify the origin server certificate.
>>
>> proxy.config.ssl.client.verify.server 1
>>
>> My remap looks like this.
>>
>> map https://edge.abc.com/ https://origin.xyz.com/
>>
>> Because pristine is enabled, when ATS sends a request back to the origin,
>> it uses a SNI value of:
>>
>> edge.abc.com
>>
>> However, the origin returns a certificate that does not match the SNI.
>>
>> Because the requested SNI and the returned CN/SAN do not match, coupled
>> with verify.server enabled, ATS terminates the origin session and sends a
>> 502 back to the client.
>>
>> Is there another control or configuration that allows me to define which
>> SNI value to send back to the origin?
>> I need to keep pristine enabled and I need verify.server enabled.
>>
>> Thanks in advance.
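
The interaction described in this thread, as an added example that is not part of the original messages and is not ATS code: a simplified Python model of how the origin SNI follows the client Host header when pristine is on, and how that meets certificate name verification. The function names, the `host_after_lookup` parameter and the certificate name list are assumptions made for illustration; the thread does not list the names on the origin certificate.

```python
# Simplified model of the behaviour described in this thread; not ATS code.

def hostname_matches(pattern, host):
    """Exact match, or one wildcard as the whole left-most label (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if p == h:
        return True
    # '*' stands for exactly one label and never for a bare "*.tld"
    return p[0] == "*" and len(p) == len(h) and len(p) > 2 and p[1:] == h[1:]


def origin_sni(client_host, remap_to_host, pristine, host_after_lookup=None):
    """SNI as the thread reports it: taken from the client request's Host header.

    pristine keeps the client's Host; otherwise remap has rewritten it.
    host_after_lookup (hypothetical name) models the Lua workaround that
    overwrites Host in the cache-lookup-complete hook.
    """
    host = client_host if pristine else remap_to_host
    return host_after_lookup or host


def origin_fetch(client_host, remap_to_host, cert_names, pristine,
                 verify_server, host_after_lookup=None):
    """Return (sni_sent, status_to_client) for one origin connection."""
    sni = origin_sni(client_host, remap_to_host, pristine, host_after_lookup)
    name_ok = any(hostname_matches(n, sni) for n in cert_names)
    if verify_server and not name_ok:
        return sni, 502   # origin session torn down, client sees 502
    return sni, 200


# Constructed input: assumes the origin certificate covers only its own name.
CERT_NAMES = ["origin.xyz.com"]

if __name__ == "__main__":
    cases = {
        "pristine + verify": dict(pristine=True, verify_server=True),
        "pristine + verify + Host rewrite": dict(
            pristine=True, verify_server=True, host_after_lookup="origin.xyz.com"),
        "no pristine + verify": dict(pristine=False, verify_server=True),
    }
    for label, kw in cases.items():
        print(label, origin_fetch("edge.abc.com", "origin.xyz.com", CERT_NAMES, **kw))
```

In this model, turning verification off would also avoid the 502, but only by accepting a certificate that does not match the name that was sent, which is why the thread keeps `verify.server` enabled and changes the SNI source instead.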
