as miles suggested, you can play with the verify server settings to see if you're sending an sni that doesn't match on the upstream server.
you can also place ATS in debug mode while running your tests. something like the below.

CONFIG proxy.config.diags.debug.enabled INT 1
CONFIG proxy.config.diags.debug.tags STRING 'http.*|parent.*|ssl.*'

for more data points, i'm a packet trace guy, so i always like to see what's being sent on the wire.

On Wed, Nov 10, 2021 at 12:12 PM Zack Bartel <[email protected]> wrote:
>
> Thanks for the help with this. We don't have a remap in this situation as we
> want all traffic to go to this single upstream, which is another intermediary
> proxy. So ATS sits in the middle, but should forward all requests to a single
> upstream proxy that is itself https.
>
> In squid it's like this:
>
> cache_peer my-upstream.proxy.com parent 443 0 no-query tls
>
> But I don't want to use squid.
>
> Thanks again,
> Zack
>
>
>
> On Nov 9, 2021, at 11:55 AM, Jeremy Payne <[email protected]> wrote:
> >
> > also.. please provide the remap entry in question.
> > you can sanitize the hostnames.. but keep the scheme references.
> > i do believe the parent selection must match the origin scheme defined
> > in the remap.
> >
> > '502 connection refused' sounds like the parent selection is not
> > matching and the request is going directly to origin.
> > unless things have changed, ATS to upstream certificate verify failure
> > usually results in a
> > '502 service unavailable'
> >
> >
> >
> >
> > On Thu, Nov 4, 2021 at 2:12 PM Zack Bartel <[email protected]> wrote:
> >>
> >> Hello everyone,
> >> I am trying to configure ATS 9.0.0 to upstream to another secure proxy
> >> over https. I can't get it to work and all connections 502 Connection
> >> Refused. Is it possible to use https for the parent proxy?
> >>
> >>
> >> url_regex=.+ scheme=https parent="my-upstream.proxy.com:443"
> >> round_robin=true ignore_self_detect=true
> >>
> >>
> >> Thank you,
> >>
> >> Zack Bartel
