ATS doesn't have the SSL Man-In-The-Middle feature to decrypt SSL traffic in forward proxy mode.

In order to implement the MITM for ATS in forward proxy mode, you should do the below things at least:

1. Generate your own CA key and cert.
2. Add your CA cert to all the clients behind the forward proxy and trust the CA cert as a trusted certificate authority.
3. Write an ATS plugin which hooks on CERT HOOK or SNI HOOK; the plugin will dynamically issue fake certificates for the requested SNI.

If your ATS is deployed in explicit mode, you should handle the HTTP CONNECT request and migrate the UnixNetVConnection to the SSLNetVConnection once the "200 OK Tunnel Established" is sent to the client.

- Oknet

Zhiyong Lin (BLOOMBERG/ PRINCETON) <zl...@bloomberg.net> wrote on Mon, Aug 5, 2019 at 9:28 PM:
>
> Yes, we want to decrypt SSL traffic in forward proxy with ATS?
>
> From: ok...@apache.org At: 08/05/19 09:20:26
> To: dev@trafficserver.apache.org
> Cc: Zhiyong Lin (BLOOMBERG/ PRINCETON )
> Subject: Re: dev@trafficserver.apache.org
>
> Hi Zhiyong,
>
> Do you want to decrypt the SSL traffic in forward proxy with ATS ?
>
> - Oknet
>
> Sudheer Vinukonda <sudheervinuko...@yahoo.com.invalid> wrote on Fri, Jul 19, 2019 at 3:24 AM:
>
> > Hi Zhiyong,
> >
> > SSL termination for ATS is not any different when ATS is being used as a forward vs reverse proxy.
> >
> > This might be a good start to configure SSL termination on ATS (if you've not already read it) -
> >
> > Security — Apache Traffic Server 9.0.0 documentation
> >
> > You can also navigate other linked docs in there for other aspects related to ATS.
> >
> > Good luck and we will be curious to hear your experiences in setting up.
> >
> > - Sudheer
> >
> > On Thursday, July 18, 2019, 12:18:47 PM PDT, Zhiyong Lin (BLOOMBERG/ PRINCETON) <zl...@bloomberg.net> wrote:
> >
> > Hi All,
> >
> > We are setting up ATS as a forward proxy and try to examine both HTTP/HTTPS traffic. For HTTPS we need to terminate SSL, and we found the certifier plugin that can dynamically generate certificates. We read through the certifier plugin's document but are still not sure how to set up ATS so that SSL termination in forward proxy mode works. Any help will be appreciated.
> >
> > Also, is there any document of the whole flow of an HTTP/HTTPS request?
>
> --
> - Oknet Xu

--
- Oknet Xu