I am still not quite sure if I understand what you are trying to do. But let me take a guess.

The error "error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number" probably means that you are talking to an invalid https endpoint through ATS. "https://httpbin.org/" is a pretty normal destination. So are you already using lua plugin/script to change the destination? That destination is probably not a valid https endpoint. So the CONNECT may still work and return status 200 and follow the lua script program to route request to new destination. That destination is not valid https and so curl does not like it.

If I am right so far, then I think disabling the lua plugin will make ATS work just like squid. If you really want to use lua to change the destination, I think you need to make sure to set the scheme to https as well in your lua script.

Thanks.

Kit

On Sat, Dec 5, 2020 at 6:25 PM Lei Sun <[email protected]> wrote:
>
> Hi Kit,
>
> I set up the ATS to be a forward proxy, so I turned remap off.
>>
>> CONFIG proxy.config.url_remap.remap_required INT 0
>> CONFIG proxy.config.reverse_proxy.enabled INT 0
>
>
> I was trying to use lua scripts to intercept the incoming request, and
> passing the request to upstream/parent cache proxy dynamically based on some
> custom logic.
> I was able to make the http work by intercepting and modifying request, url,
> server_request.server_addr, etc. in do_global_post_remap and
> do_global_send_request hooks. However, it threw the following error when I
> tried https
>>
>> $ curl --proxy http://127.0.0.1:8080 https://httpbin.org/get?answer=42 -v
>> * Trying 127.0.0.1...
>> * TCP_NODELAY set
>> * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
>> * Establish HTTP proxy tunnel to httpbin.org:443
>> > CONNECT httpbin.org:443 HTTP/1.1
>> > Host: httpbin.org:443
>> > User-Agent: curl/7.54.0
>> > Proxy-Connection: Keep-Alive
>> >
>> < HTTP/1.1 200 OK
>> < Date: Sun, 06 Dec 2020 02:22:49 GMT
>> < Proxy-Connection: keep-alive
>> < Server: ATS/10.0.0
>> <
>> * Proxy replied OK to CONNECT request
>> * ALPN, offering h2
>> * ALPN, offering http/1.1
>> * Cipher selection:
>> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>> * successfully set certificate verify locations:
>> * CAfile: /etc/ssl/cert.pem
>> CApath: none
>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>> * error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number
>> * stopped the pause stream!
>> * Closing connection 0
>> curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version
>> number
>
>
> I was able to get the desired request forwarding functionality working using
> squid's cache_peer feature, see below
> curl --proxy http://127.0.0.1:3128 http://httpbin.org/get?answer=42 -v
> curl --proxy http://127.0.0.1:3128 https://httpbin.org/get?answer=42 -v
>
> However, squid only supports hard coded configuration of cache_peer directive.
>>
>> cache_peer 23.105.0.211 parent 29842 0 no-query no-digest
>> login=USERNAME:PASSWORD
>
>
> Could you please give me some advice on what to modify in lua so that we can
> get the same functionality as squid, except that we can do it dynamically
> with custom rules, which is a lot more powerful.
>
> Cheers,
> Lei
>
> On Sat, Dec 5, 2020 at 4:42 PM Shu Kit Chan <[email protected]> wrote:
>>
>> do_global_send_request in lua is the function called for the
>> TS_HTTP_SEND_REQUEST_HDR_HOOK -
>> https://docs.trafficserver.apache.org/en/latest/developer-guide/plugins/hooks-and-transactions/adding-hooks.en.html
>>
>> You are getting a 502 from ATS for this -
>> curl -k -H "Host: httbin.org:443" https://127.0.0.1:8443 -vv" .
>>
>> So what does your remap.config look like?
>> For the above to work, you will need a remap rule to map httbin.org
>> (not httpbin.org?) to somewhere. It looks like ATS is not able to
>> connect to that "somewhere" and thus if you have a
>> "do_global_send_request" function in your lua script, it won't get
>> executed.
>>
>> Kit
>>
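Added example, not part of the original thread and not ATS or curl code: an offline reproduction of the failure mode diagnosed in the reply above, where a TLS ClientHello sent through a tunnel is answered by a plaintext HTTP endpoint. It uses Python's ssl module with in-memory BIOs; the reply bytes, the hostname example.test and the helper names are constructed for illustration.

```python
import ssl

# Constructed sample: what a plaintext HTTP endpoint typically sends back
# when it receives a TLS ClientHello it cannot parse as an HTTP request.
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"

TLS_CONTENT_TYPES = (0x14, 0x15, 0x16, 0x17)  # CCS, alert, handshake, app data


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes seen on one side of a CONNECT tunnel."""
    # A TLS record starts with a content type, then major version 0x03.
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03:
        return "tls"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def handshake_against(reply: bytes):
    """Start a client handshake in memory and answer it with `reply`.

    Returns (classification of what the client sent, handshake outcome).
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="example.test")
    try:
        tls.do_handshake()           # emits the ClientHello into `outgoing`
    except ssl.SSLWantReadError:
        pass                         # expected: client now waits for ServerHello
    sent = classify_first_bytes(outgoing.read())

    incoming.write(reply)            # what arrives back through the tunnel
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        return sent, "INCOMPLETE"
    except ssl.SSLError as exc:
        return sent, exc.reason or "UNKNOWN"
    return sent, "OK"


if __name__ == "__main__":
    print(classify_first_bytes(PLAINTEXT_REPLY))
    print(handshake_against(PLAINTEXT_REPLY))
```

When debugging a proxy chain, capturing the first bytes that come back after the `200` to CONNECT and running them through a check like `classify_first_bytes` tells you whether the rerouted destination is speaking TLS at all.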
