apache / trafficserver

Apache Traffic Server™ is a fast, scalable and extensible HTTP/1.1 and HTTP/2 compliant caching proxy server.
https://trafficserver.apache.org/
Apache License 2.0

Turning on PROXY Protocol forces clients to perform ALPN, otherwise connections are dropped #5974

Open HT154 opened 4 years ago

HT154 commented 4 years ago

ATS: 8.0.5 OpenSSL: 1.0.2r

CONFIG proxy.config.http.server_ports STRING 8080:pp:proto=http 8443:ssl:pp:proto=http

Running Nginx on localhost, proxying TCP connections on 80/443 to 8080/8443 with PROXY protocol:

stream {
  upstream internal {
    server 127.0.0.1:8443;
  }
  server {
    listen 443;
    proxy_protocol on;
    proxy_pass internal;
  }
}

Working via cURL:

$ curl https://localhost -I
HTTP/1.1 200 OK
Server: ATS/8.0.5
Date: Tue, 01 Oct 2019 00:09:30 GMT
Content-Type: text/html
Age: 0
Connection: keep-alive

Not working via cURL with ALPN disabled:

$ curl https://localhost -I --no-alpn
curl: (52) Empty reply from server

Not working via Python requests:

import requests
requests.get('https://localhost')
# <traceback snipped>
# urllib3.exceptions.ProtocolError: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))

Working via Python requests after forcing ALPN:

from requests import Session
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.util.ssl_ import create_urllib3_context

class HTTP11ALPNAdapter(HTTPAdapter):
    def init_poolmanager(self, *args, **kwargs):
        ctx = create_urllib3_context()
        ctx.set_alpn_protocols(['http/1.1'])
        kwargs['ssl_context'] = ctx
        return super().init_poolmanager(*args, **kwargs)

s = Session()  # Session is imported directly above; the requests module itself is not
s.mount('https://localhost', HTTP11ALPNAdapter())
s.get('https://localhost')
# <Response [200]>

@masaori335 was able to reproduce this and track down that it was the pp in the server_ports config line that was triggering this behavior. When pp was not specified, clients received successful responses even when not performing ALPN.
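When triaging a report like the one above, it helps to confirm from the bytes arriving on the proxy-protocol port which clients actually offer ALPN behind the PROXY header. The following is an added example, not part of the original thread or of ATS: it generates real ClientHello messages offline with and without `set_alpn_protocols`, prepends a constructed PROXY v1 line, and parses the result. The names `PP_LINE`, `client_hello`, `split_proxy_v1`, `offered_alpn` and `inspect_wire` are hypothetical.

```python
import ssl
import struct

# Constructed sample: a PROXY protocol v1 line as a TCP proxy would prepend it.
PP_LINE = b"PROXY TCP4 127.0.0.1 127.0.0.1 51234 443\r\n"

def client_hello(alpn=None):
    """Generate a real ClientHello offline using memory BIOs (no network)."""
    ctx = ssl.create_default_context()
    if alpn:
        ctx.set_alpn_protocols(alpn)   # same call as the workaround adapter
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="localhost")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:       # expected: no server is answering
        pass
    return outgoing.read()

def split_proxy_v1(data):
    """Return (header fields, remaining bytes); fields is None without a header."""
    if not data.startswith(b"PROXY "):
        return None, data
    end = data.index(b"\r\n", 0, 107)  # a v1 header is at most 107 bytes
    return data[:end].decode("ascii").split(" "), data[end + 2:]

def offered_alpn(rec):
    """Return the ALPN names in a ClientHello record, or None if not offered."""
    if len(rec) < 44 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    pos = 5 + 4 + 2 + 32                                  # headers, version, random
    pos += 1 + rec[pos]                                   # session id
    pos += 2 + int.from_bytes(rec[pos:pos + 2], "big")    # cipher suites
    pos += 1 + rec[pos]                                   # compression methods
    end = pos + 2 + int.from_bytes(rec[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", rec, pos)
        body, pos = rec[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
        if ext_type == 16:                                # ALPN extension
            names, i = [], 2                              # skip list length
            while i < len(body):
                names.append(body[i + 1:i + 1 + body[i]].decode("ascii"))
                i += 1 + body[i]
            return names
    return None

def inspect_wire(wire):
    """Summarise what the proxy-protocol port receives from one client."""
    fields, tls = split_proxy_v1(wire)
    return fields, offered_alpn(tls)
```

Feeding `inspect_wire` the first bytes of a captured connection on the `pp` port separates clients that send no ALPN extension from those that do, which is the variable that decides success or failure in this report.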

masaori335 commented 4 years ago

@reveller Could you take a look? It looks like something goes wrong with the combination of :pp & :ssl. I tried some combinations with the above settings (8443:ssl:pp:proto=http). What is the expected behavior of ProxyProtocol & TLS? (I'm not sure if it makes sense or not)

1) curl -vs -k https://localhost:8443/ --http1.1 --haproxy-protocol

bryancall commented 2 years ago

16:27:10 zues:~$ curl -vs -k https://controller.trafficserver.org --http1.1 --no-alpn
*   Trying 72.167.225.157:443...
...
< HTTP/1.1 404 Not Found on Accelerator