dev@trafficserver.apache.org: There are situations in which an origin needs to be connected to on the same port that the client connected to ATS on. Consider the following configuration:
    client -> ats1 -> ats2 -> server

The `client` connects to `ats1` on one of a number of possible ports over a non-contiguous port range, and the application running on `server` needed `ats2` to connect to it on the same port that `ats1` was connected to.

I suggest we provide a solution for this via the Proxy Protocol feature:

https://docs.trafficserver.apache.org/admin-guide/configuration/proxy-protocol.en.html#proxy-protocol

Using this, `ats1` communicates the port that `client` connected to it upon via Proxy Protocol to `ats2`. It is then pretty straightforward to tweak the tunnel_route sni.yaml configuration to be able to specify that it should use the port specified in the Proxy Protocol payload.

From a configuration standpoint, I suggest we add support for the user to specify the destination Proxy Protocol port as the string literal {proxy_protocol_port} for the host designated in the tunnel_route. With that specification, ATS will connect to the server on whatever the destination port was in the Proxy Protocol string on the inbound connection. Here's an example sni.yaml configuration:

    sni:
    - fqdn: tunnel-pp.example.com
      tunnel_route: my.backend.example.com:{proxy_protocol_port}

In this case, if the client side connection contains tunnel-pp.example.com as the SNI in the CLIENT_HELLO handshake, then ATS will connect to my.backend.example.com on whatever destination port was specified in the client-side Proxy Protocol for the initiating connection.

Related to this, it is also easy to add support for {inbound_local_port} in which ATS will connect to the origin server on whatever the destination port was of the inbound (client-side) connection. Adding {inbound_local_port} simplifies the solution for when there is only a single ATS between the client and server.

I've created a draft PR with a possible patch, including updated documentation and some autests, here:

https://github.com/apache/trafficserver/pull/9358

The rendered sni.yaml doc changes can be viewed here:

https://ci.trafficserver.apache.org/job/Github_Builds/job/docs/741/artifact/output/9358/docbuild/html/admin-guide/files/sni.yaml.en.html#std-configfile-sni.yaml

Please provide any feedback or concerns you may have.

Thanks!
Brian

-- 
"Come to Me, all who are weary and heavy-laden, and I will give you rest. Take My yoke upon you and learn from Me, for I am gentle and humble in heart, and you will find rest for your souls. For My yoke is easy and My burden is light."

~ Matthew 11:28-30
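
The port resolution proposed in the message above, as an added Python sketch that is not part of the original post and not the code in the ATS pull request. The function names and the sample header are constructed for illustration; the sketch assumes a Proxy Protocol v1 (text) header and rejects any value that is not a plain decimal port in 1-65535, since the port is supplied by the connecting peer.

```python
import re

PP_PORT = "{proxy_protocol_port}"
LOCAL_PORT = "{inbound_local_port}"

# Constructed sample: what `ats1` would send to `ats2` ahead of the TLS bytes.
SAMPLE_HEADER = b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 8443\r\n"


def check_port(text: str) -> int:
    """Accept only a decimal port in 1-65535 (no sign, space or leading zero)."""
    if not re.fullmatch(r"[1-9][0-9]{0,4}", text) or int(text) > 65535:
        raise ValueError(f"invalid port: {text!r}")
    return int(text)


def parse_pp_v1_dst_port(header: bytes) -> int:
    """Return the destination port from one Proxy Protocol v1 header line."""
    # A v1 header is a single CRLF-terminated ASCII line of at most 107 bytes.
    if not header.endswith(b"\r\n") or len(header) > 107:
        raise ValueError("malformed Proxy Protocol v1 header")
    fields = header[:-2].decode("ascii").split(" ")
    # PROXY <TCP4|TCP6> <src addr> <dst addr> <src port> <dst port>
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("header carries no destination port (e.g. PROXY UNKNOWN)")
    return check_port(fields[5])


def resolve_tunnel_route(route: str, inbound_local_port: int, pp_header=None) -> str:
    """Expand a tunnel_route value with a port placeholder into host:port."""
    host, sep, port = route.rpartition(":")
    if not sep or not host:
        raise ValueError("tunnel_route must be host:port")
    if port == PP_PORT:
        # Fail closed: do not fall back to another port if the header is absent.
        if pp_header is None:
            raise ValueError("route needs Proxy Protocol but none was received")
        port_num = parse_pp_v1_dst_port(pp_header)
    elif port == LOCAL_PORT:
        port_num = check_port(str(inbound_local_port))
    else:
        port_num = check_port(port)  # ordinary fixed port
    return f"{host}:{port_num}"


if __name__ == "__main__":
    print(resolve_tunnel_route("my.backend.example.com:" + PP_PORT, 443, SAMPLE_HEADER))
```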