Apache Traffic Server with AuthProxy plugin does not work with HTTPS origin server
I'm configuring Apache Traffic Server as a proxy to be used as an intermediary between clients and one external API.
I need to implement a custom authentication service to be used together with the AuthProxy plugin as described in the documentation below:
- https://docs.trafficserver.apache.org/en/latest/admin-guide/plugins/authproxy.en.html#authproxy-plugin
I've configured the remap.config with the below lines:
```
regex_map http://(.*) http://$1 \
    @plugin=authproxy.so @pparam=--auth-transform=redirect @pparam=--auth-host=127.0.0.1 @pparam=--auth-port=5000
regex_map https://(.*) https://$1 \
    @plugin=authproxy.so @pparam=--auth-transform=redirect @pparam=--auth-host=127.0.0.1 @pparam=--auth-port=5000
```
When I make an HTTP request, everything works as expected. The client calls the proxy, the proxy calls the auth server on port 5000, and then returns 200 (when auth passes).
```
curl -I http://www.google.com -x http://127.0.0.1:8080 -H "token: abc"
```
Response:
```
HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Date: Thu, 16 Mar 2023 19:45:24 GMT
Server: ATS/9.1.1
X-XSS-Protection: 0
```
But when I use HTTPS, the same request does not work. The client calls the proxy, I can see it in the logs, but the auth plugin is not called.
```
curl -I https://www.google.com -x http://127.0.0.1:8080 -H "token: abc"
```
Response:
```
HTTP/1.1 403 Tunnel Forbidden
Date: Thu, 16 Mar 2023 19:45:46 GMT
Proxy-Connection: close
Server: ATS/9.1.1
Cache-Control: no-store
Content-Type: text/plain
Content-Language: en
Content-Length: 14
curl: (56) Received HTTP code 403 from proxy after CONNECT
```
I have tried to configure the experimental plugin certifier.so to set up the SSL Interceptor as described in the documentation below:
- https://docs.trafficserver.apache.org/admin-guide/plugins/certifier.en.html
I generated the certificate files as in the documentation example:
- `openssl req -newkey rsa:2048 -nodes -keyout ca.key -x509 -days 365 -out ca.cert`
And put the line below in the plugin.config file:
- `certifier.so --store=/home/ubuntu/proxy-server/certs --max=1000 --sign-cert=/home/ubuntu/proxy-server/certs/ca.cert --sign-key=/home/ubuntu/proxy-server/certs/ca.key --sign-serial=/home/ubuntu/proxy-server/certs/ca-serial.txt`
Any idea what's wrong in my configuration, or what I can do to make Apache Traffic Server authenticate HTTPS requests with my custom auth service?
This issue has been automatically marked as stale because it has not had recent activity. Marking it stale to flag it for further consideration by the community.
What happens if you try
```
curl -I http://www.google.com/ -H "token: abc" --connect-to ::127.0.0.1:8080
```
(e.g., it looks like curl is trying the CONNECT method, but you want it to use GET)
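
What the proxy receives in cleartext for the two curl commands in this thread, as an added example that is not part of the issue or of Apache Traffic Server's code. The request bytes are constructed samples, `proxy_view` is a hypothetical helper, and the CONNECT sample assumes curl's default of sending `-H` headers only to the origin, inside the tunnel.

```python
# Added example: constructed request bytes, hypothetical helper name.

def proxy_view(raw: bytes) -> dict:
    """Summarise the cleartext request head a forward proxy can inspect."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "target": target,
        # CONNECT asks the proxy for an opaque byte tunnel to host:port.
        "is_tunnel": method.upper() == "CONNECT",
        # An auth hook on the proxy can only check headers it can read.
        "token_visible": "token" in headers,
    }

# Constructed: curl -I http://www.google.com -x http://127.0.0.1:8080 -H "token: abc"
PLAIN_HTTP = (
    b"HEAD http://www.google.com/ HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"token: abc\r\n"
    b"Proxy-Connection: Keep-Alive\r\n\r\n"
)

# Constructed: curl -I https://www.google.com -x http://127.0.0.1:8080 -H "token: abc"
# The HEAD request and its token header travel later, encrypted, inside the tunnel.
HTTPS_VIA_PROXY = (
    b"CONNECT www.google.com:443 HTTP/1.1\r\n"
    b"Host: www.google.com:443\r\n"
    b"Proxy-Connection: Keep-Alive\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("http", PLAIN_HTTP), ("https", HTTPS_VIA_PROXY)):
        print(label, proxy_view(raw))
```

In the HTTPS case the proxy-side view contains only the tunnel's `host:port`: no URL path and no `token` header for an authorization hook to evaluate.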