We are attempting to set up Apache Traffic Server to act as a reverse proxy for our web server. Here are the basics:

  1. Apache Traffic Server, built from source (6.1.0) and installed into /opt, is running on a CentOS 7 (7.1.1503) server.

  2. Apache Traffic Server is set up to redirect port 80 and 443 traffic (via the remap.config) to our web server, which is IIS running on Windows Server 2012.

  3. From my local machine, with my host file appropriately modified (we are not running the reverse proxy in production), I can get to our website as normal, and it is redirected through the reverse proxy to the web server as expected.

  4. When I try to go to the HTTPS version of our website, I instead get, in Firefox, "Secure Connection Failed", with the error code "ssl_error_rx_record_too_long". In Chrome I get "ERR_SSL_PROTOCOL_ERROR".

I've uploaded an anonymized version of our records.config and remap.config to Pastebin (see here and here), and our ssl_multicert.config is configured thus:

ip_dest=* ssl_cert_name=star_foo_com.pem

I'm not particularly well versed in the web side of things, but it's fallen to me to set this up. I'm sure I've simply missed something simple in the configuration process.

1 Answer

I managed to get it to work when I placed :ssl at the end of 443 in records.config:

CONFIG proxy.config.http.server_ports STRING 80 80:ipv6 443:ssl

In addition, it seems that you need to have at least one line with dest_ip in your ssl_multicert.config, for example:

dest_ip=* ssl_cert_name=yourdomain.crt ssl_key_name=yourdomain.key ssl_ca_name=ca.crt
PHZ.fi-Pharazon
  • I appreciate the followup, but in the intervening seven years we gave up on using Apache Traffic Server for that purpose (we ended up using NGINX instead) and in any case I no longer work at the company I was trying to set it up for anyway. :D – thunderbird32 Feb 23 '23 at 04:28
  • I think Trafficserver is much easier to configure than nginx, in the end. After years, I haven't seen almost any project using nginx having configured caching on. But we use both for different purposes. – PHZ.fi-Pharazon Mar 11 '23 at 08:02
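
An offline lint for the two settings the answer changed, as an added example that is not part of the original question or answer: it flags an HTTPS port listed in proxy.config.http.server_ports without the ssl option (a listener that replies to a TLS handshake with plain HTTP, the usual cause of ssl_error_rx_record_too_long) and ssl_multicert.config lines that carry no dest_ip key. The function names and the "before" records.config line are constructed for illustration, since the question's real records.config is not shown on the page.

```python
import re

def plaintext_listeners(records_text, https_ports=(443,)):
    """Return port descriptors for HTTPS ports that lack the 'ssl' option."""
    missing = []
    for line in records_text.splitlines():
        fields = line.split()
        # Expected shape: CONFIG <name> <type> <value...>
        if len(fields) < 4 or fields[:2] != ["CONFIG", "proxy.config.http.server_ports"]:
            continue
        for desc in re.split(r"[,\s]+", " ".join(fields[3:])):
            port, *opts = desc.split(":")
            if port.isdigit() and int(port) in https_ports and "ssl" not in opts:
                missing.append(desc)
    return missing

def multicert_lines_without_dest_ip(multicert_text):
    """Return (line_number, line) for certificate lines with no dest_ip key."""
    bad = []
    for number, line in enumerate(multicert_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        keys = {token.split("=", 1)[0] for token in line.split()}
        if "dest_ip" not in keys:
            bad.append((number, line))
    return bad

# Constructed "before" value: 443 listed without :ssl (assumption, see lead-in).
BROKEN_RECORDS = "CONFIG proxy.config.http.server_ports STRING 80 80:ipv6 443\n"
# Value given in the answer.
FIXED_RECORDS = "CONFIG proxy.config.http.server_ports STRING 80 80:ipv6 443:ssl\n"
# ssl_multicert.config lines as posted in the question and in the answer.
QUESTION_MULTICERT = "ip_dest=* ssl_cert_name=star_foo_com.pem\n"
ANSWER_MULTICERT = ("dest_ip=* ssl_cert_name=yourdomain.crt "
                    "ssl_key_name=yourdomain.key ssl_ca_name=ca.crt\n")

if __name__ == "__main__":
    for label, text in (("before", BROKEN_RECORDS), ("after", FIXED_RECORDS)):
        print(label, "ports missing :ssl ->", plaintext_listeners(text))
    for label, text in (("question", QUESTION_MULTICERT), ("answer", ANSWER_MULTICERT)):
        print(label, "lines without dest_ip ->", multicert_lines_without_dest_ip(text))
```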