Traffic Server / TS-4468

http.server_session_sharing.match = both unsafe with HTTPS


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.1.1
    • Fix Version/s: 7.0.0
    • Component/s: HTTP, SSL
    • Labels: None

      Description

      proxy.config.http.server_session_sharing.match has a default value of "both", which compares IP address, port, and FQDN when determining whether a connection can be reused for further user agent requests.

      The "host" (FQDN) matching does not behave safely when ATS is operating as a reverse proxy. The compared value is the origin server FQDN after mapping, rather than the initial "Host" target.

      If multiple Hosts map to the same origin server and the scheme is HTTPS, ATS will attempt to reuse a connection that may have an SNI Host that does not match the HTTP Host. With Apache 2.4 origin servers this results in 400 Bad Request to the user agent.

      PROBLEM REPRODUCTION:

      You can observe this behavior with two mapping rules such as:

      map https://example.com/ https://origin.example.com/
      map https://www.example.com/ https://origin.example.com/

      Non-caching clients alternately fetching URIs from the two targets will see 400 Bad Request responses intermittently.

      WORKAROUND:

      proxy.config.http.server_session_sharing.match should have a default value of "none" when proxy.config.reverse_proxy.enabled is "1"

      SUGGESTED FIXES:

      In order of completeness:

      1) Do not share server sessions on reverse_proxy requests.

      2) Do not share server sessions on reverse_proxy requests where scheme is HTTPS.

      3) Compare target host (SNI host) rather than replacement host when determining if reuse of server session is allowed (when server_session_sharing.match is set to "host" or "both").
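The reuse decision the report describes, and the effect of the workaround and of suggested fix 3, modeled as an added Python example (this is not Traffic Server code; the real pool lives in the ATS C++ sources). The two remap rules and the hostnames are taken from the report; the origin address 203.0.113.10, the `SessionPool`/`simulate` names, and the origin's check (a 400 whenever the HTTP Host differs from the name sent in SNI, exactly as the report attributes to Apache 2.4) are assumptions made for the example.

```python
"""Model of the server-session reuse problem reported in TS-4468.

Added example, not Apache Traffic Server code.  It mimics only the part of the
session pool that decides whether an existing origin connection may be reused,
so the SNI/Host mismatch can be observed without a running proxy.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed from the two remap rules in the report: both client-facing
# hosts are mapped onto the same origin FQDN.
REMAP = {
    "example.com": "origin.example.com",
    "www.example.com": "origin.example.com",
}
# Assumed address of the origin (203.0.113.0/24 is a documentation range).
RESOLVE = {"origin.example.com": ("203.0.113.10", 443)}


@dataclass
class ServerSession:
    ip: str
    port: int
    sni: str         # hostname sent in the TLS ClientHello when the session was opened
    match_host: str  # hostname the pool compares when deciding on reuse


@dataclass
class SessionPool:
    """`match` mirrors proxy.config.http.server_session_sharing.match
    (none, ip, host, both).  `key_on` selects the hostname that is compared:
    "replacement" is the origin FQDN after mapping (the behaviour the report
    calls unsafe); "target" is the client's Host / SNI name (suggested fix 3)."""
    match: str = "both"
    key_on: str = "replacement"
    sessions: List[ServerSession] = field(default_factory=list)
    opened: int = 0

    def _reusable(self, s: ServerSession, ip: str, port: int, host: str) -> bool:
        if self.match == "none":
            return False
        if self.match == "ip":
            return (s.ip, s.port) == (ip, port)
        if self.match == "host":
            return s.match_host == host
        return (s.ip, s.port, s.match_host) == (ip, port, host)  # "both"

    def acquire(self, target_host: str) -> ServerSession:
        """Return a pooled session for a request whose Host is `target_host`,
        opening a new one (with SNI = target_host) when nothing matches."""
        replacement = REMAP[target_host]
        ip, port = RESOLVE[replacement]
        host = replacement if self.key_on == "replacement" else target_host
        for s in self.sessions:
            if self._reusable(s, ip, port, host):
                return s
        s = ServerSession(ip, port, sni=target_host, match_host=host)
        self.sessions.append(s)
        self.opened += 1
        return s


def apache_origin(session: ServerSession, http_host: str) -> int:
    """Origin behaviour as stated in the report: Apache 2.4 answers 400 when the
    HTTP Host does not match the name negotiated via SNI on that connection."""
    return 200 if session.sni == http_host else 400


def simulate(match: str, key_on: str, rounds: int = 4) -> Tuple[List[int], int]:
    """Alternate non-caching requests between the two mapped hosts and return
    (status codes seen by the client, number of origin connections opened)."""
    pool = SessionPool(match=match, key_on=key_on)
    hosts = ["example.com", "www.example.com"]
    statuses = []
    for i in range(rounds):
        host = hosts[i % 2]
        statuses.append(apache_origin(pool.acquire(host), host))
    return statuses, pool.opened


if __name__ == "__main__":
    # Default "both" keyed on the replacement host: every other request fails.
    print("both/replacement:", simulate("both", "replacement"))
    # Workaround from the report, in records.config:
    #   CONFIG proxy.config.http.server_session_sharing.match STRING none
    print("none:            ", simulate("none", "replacement"))
    # Suggested fix 3: compare the target (SNI) host instead.
    print("both/target:     ", simulate("both", "target"))
```

Running it shows the intermittent pattern from the report (200, 400, 200, 400 with one origin connection) for the default setting, all 200s with four connections under the `none` workaround, and all 200s with two pooled connections when the target host is compared instead. In the model, `match = ip` still shares the connection across the two hosts whichever name is compared, so fix 3 only changes the outcome for the `host` and `both` settings.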

        Attachments

        1. TS-4468.patch (4 kB, Jered Floyd)
              People

              • Assignee: Susan Hinrichs (shinrich)
              • Reporter: Jered Floyd (jered)
              • Votes: 0
              • Watchers: 6


                  Time Tracking

                  • Original Estimate: Not Specified
                  • Remaining Estimate: 0h
                  • Time Spent: 3h 10m