<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>TLS Bridge — AMC Traffic Server Documentation</title>
<link rel="stylesheet" href="_static/sphinxdoc.css" type="text/css" />
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: './',
VERSION: '8.0.x',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true,
SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="_static/jquery.js"></script>
<script type="text/javascript" src="_static/underscore.js"></script>
<script type="text/javascript" src="_static/doctools.js"></script>
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="TSVConn Arguments" href="vconn-args.en.html" />
<link rel="prev" title="Body Factory Refactoring" href="body-factory.en.html" />
</head>
<body role="document">
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="genindex.html" title="General Index"
accesskey="I">index</a></li>
<li class="right" >
<a href="vconn-args.en.html" title="TSVConn Arguments"
accesskey="N">next</a> |</li>
<li class="right" >
<a href="body-factory.en.html" title="Body Factory Refactoring"
accesskey="P">previous</a> |</li>
<li class="nav-item nav-item-0"><a href="index.html">SWOC Docs</a> »</li>
<li class="nav-item nav-item-1"><a href="ats-projects.en.html" accesskey="U">Traffic Server Projects</a> »</li>
</ul>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<p class="logo"><a href="index.html">
<img class="logo" src="_static/balcora-gate-400x400.jpg" alt="Logo"/>
</a></p>
<h3><a href="index.html">Table Of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#">TLS Bridge</a><ul>
<li><a class="reference internal" href="#description">Description</a></li>
<li><a class="reference internal" href="#configuration">Configuration</a></li>
<li><a class="reference internal" href="#notes">Notes</a></li>
<li><a class="reference internal" href="#implementation">Implementation</a></li>
</ul>
</li>
</ul>
<h4>Previous topic</h4>
<p class="topless"><a href="body-factory.en.html"
title="previous chapter">Body Factory Refactoring</a></p>
<h4>Next topic</h4>
<p class="topless"><a href="vconn-args.en.html"
title="next chapter">TSVConn Arguments</a></p>
<div role="note" aria-label="source link">
<h3>This Page</h3>
<ul class="this-page-menu">
<li><a href="_sources/tls-bridge.en.rst.txt"
rel="nofollow">Show Source</a></li>
</ul>
</div>
<div id="searchbox" style="display: none" role="search">
<h3>Quick search</h3>
<form class="search" action="search.html" method="get">
<div><input type="text" name="q" /></div>
<div><input type="submit" value="Go" /></div>
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="name">
<h1>TLS Bridge<a class="headerlink" href="#name" title="Permalink to this headline">¶</a></h1>
<p>This plugin provides secure TLS tunnels for connections between a Client and a Service
via two gateway Traffic Server instances. By configuring those Traffic Server instances, the level of security in the
tunnel can be controlled for all communications that cross it.</p>
<div class="section" id="description">
<h2>Description<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
<p>The tunnel is sustained by two instances of Traffic Server.</p>
<div class="figure align-center">
<p class="plantuml">
<object data="_images/plantuml-739cef185f7f9f9991dec8305523e17c55c33ec3.svg" type="image/svg+xml" style="width:505px;height:330px;">
<img src="_images/plantuml-739cef185f7f9f9991dec8305523e17c55c33ec3.png" alt="hide empty members
cloud "Cloud\nUntrusted\nNetworks" as Cloud
node "Ingress ATS"
node "Peer ATS"
[Client] <--> [Ingress ATS] : Unsecure
[Ingress ATS] <-> [Cloud] : Secure
[Cloud] <-> [Peer ATS] : Secure
[Peer ATS] <-u-> [Service] : Unsecure
[Ingress ATS] ..> [tls_bridge\nPlugin] : Uses" />
</object></p>
</div>
<p>The ingress Traffic Server accepts a connection from the Client. This connection gets intercepted by the
TLS Bridge plugin inside Traffic Server. The plugin then makes a TLS connection to the peer Traffic Server using the
configured level of security. The original request from the Client to the ingress Traffic Server is then sent
to the peer Traffic Server to create a connection from the peer Traffic Server to the Service. After this the
Client has a virtual circuit to the Service and can use any TCP based communication (including TLS).
Effectively the plugin causes the connectivity to work as if the Client had done the <code class="docutils literal"><span class="pre">CONNECT</span></code>
directly to the peer Traffic Server. Note this means the DNS lookup for the Service is done by the peer Traffic Server,
not the ingress Traffic Server.</p>
<p>The plugin is configured with a mapping of Service names to peer Traffic Server instances. The Service
names are matched against the host name in the original HTTP <code class="docutils literal"><span class="pre">CONNECT</span></code> request made by the Client after connecting to the
ingress Traffic Server. Because the peer Traffic Server makes the onward connection, the FQDN for the Service is resolved in the environment of the peer
Traffic Server and not in that of the ingress Traffic Server.</p>
</div>
<div class="section" id="configuration">
<h2>Configuration<a class="headerlink" href="#configuration" title="Permalink to this headline">¶</a></h2>
<p>TLS Bridge requires at least two instances of Traffic Server (Ingress and Peer).</p>
<ol class="arabic">
<li><p class="first">Disable caching on Traffic Server in <code class="docutils literal"><span class="pre">records.config</span></code>:</p>
<div class="highlight-cpp"><div class="highlight"><pre><span></span><span class="n">CONFIG</span> <span class="n">proxy</span><span class="p">.</span><span class="n">config</span><span class="p">.</span><span class="n">http</span><span class="p">.</span><span class="n">cache</span><span class="p">.</span><span class="n">http</span> <span class="n">INT</span> <span class="mi">0</span>
</pre></div>
</div>
</li>
<li><p class="first">Configure the ports.</p>
<ul>
<li><p class="first">The Peer Traffic Server must be listening on an SSL enabled proxy port. For instance, if the proxy port for the Peer is 4443, then configuration in <code class="docutils literal"><span class="pre">records.config</span></code> would have:</p>
<div class="highlight-cpp"><div class="highlight"><pre><span></span><span class="n">CONFIG</span> <span class="n">proxy</span><span class="p">.</span><span class="n">config</span><span class="p">.</span><span class="n">http</span><span class="p">.</span><span class="n">server_ports</span> <span class="n">STRING</span> <span class="mi">4443</span><span class="o">:</span><span class="n">ssl</span>
</pre></div>
</div>
</li>
<li><p class="first">The Ingress Traffic Server must allow <code class="docutils literal"><span class="pre">CONNECT</span></code> to the Peer proxy port. This would be set in <code class="docutils literal"><span class="pre">records.config</span></code> by:</p>
<div class="highlight-cpp"><div class="highlight"><pre><span></span><span class="n">CONFIG</span> <span class="n">proxy</span><span class="p">.</span><span class="n">config</span><span class="p">.</span><span class="n">http</span><span class="p">.</span><span class="n">connect_ports</span> <span class="n">STRING</span> <span class="mi">4443</span>
</pre></div>
</div>
<p>The Ingress Traffic Server also needs <code class="docutils literal"><span class="pre">proxy.config.http.server_ports</span></code> configured to have proxy ports
to which the Client can connect.</p>
</li>
</ul>
</li>
<li><p class="first">The plugin does not use remap rules; however, by default Traffic Server requires a remap match in order to accept a request. That requirement can be disabled:</p>
<div class="highlight-cpp"><div class="highlight"><pre><span></span><span class="n">CONFIG</span> <span class="n">proxy</span><span class="p">.</span><span class="n">config</span><span class="p">.</span><span class="n">url_remap</span><span class="p">.</span><span class="n">remap_required</span> <span class="n">INT</span> <span class="mi">0</span>
</pre></div>
</div>
<p>With this setting Traffic Server acts as an open proxy, which is unlikely to be a good idea. Traffic Server should
run in a restricted environment or use access control (via <code class="docutils literal"><span class="pre">ip_allow.config</span></code> or
<code class="docutils literal"><span class="pre">iptables</span></code>) so that only the intended Clients can reach its proxy ports.</p>
</li>
<li><p class="first">Configure the Ingress Traffic Server to verify the Peer server certificate:</p>
<div class="highlight-cpp"><div class="highlight"><pre><span></span><span class="n">CONFIG</span> <span class="n">proxy</span><span class="p">.</span><span class="n">config</span><span class="p">.</span><span class="n">ssl</span><span class="p">.</span><span class="n">client</span><span class="p">.</span><span class="n">verify</span><span class="p">.</span><span class="n">server</span> <span class="n">INT</span> <span class="mi">1</span>
</pre></div>
</div>
</li>
<li><p class="first">Configure the Certificate Authority used by the Ingress Traffic Server to verify the Peer server certificate. If a
directory is configured instead (via <code class="docutils literal"><span class="pre">proxy.config.ssl.client.CA.cert.path</span></code>), all of the certificates in that directory are treated as Certificate Authorities.</p>
<div class="highlight-cpp"><div class="highlight"><pre><span></span><span class="n">CONFIG</span> <span class="n">proxy</span><span class="p">.</span><span class="n">config</span><span class="p">.</span><span class="n">ssl</span><span class="p">.</span><span class="n">client</span><span class="p">.</span><span class="n">CA</span><span class="p">.</span><span class="n">cert</span><span class="p">.</span><span class="n">filename</span> <span class="n">STRING</span> <span class="o"></</span><span class="n">path</span><span class="o">/</span><span class="n">to</span><span class="o">/</span><span class="n">CA_certificate_file_name</span><span class="o">></span>
</pre></div>
</div>
</li>
<li><p class="first">Configure the Ingress Traffic Server to present a client certificate to the Peer. If the private key is not in the same file as the certificate, it is named with <code class="docutils literal"><span class="pre">proxy.config.ssl.client.private_key.filename</span></code>:</p>
<div class="highlight-cpp"><div class="highlight"><pre><span></span><span class="n">CONFIG</span> <span class="n">proxy</span><span class="p">.</span><span class="n">config</span><span class="p">.</span><span class="n">ssl</span><span class="p">.</span><span class="n">client</span><span class="p">.</span><span class="n">cert</span><span class="p">.</span><span class="n">path</span> <span class="n">STRING</span> <span class="o"></</span><span class="n">path</span><span class="o">/</span><span class="n">to</span><span class="o">/</span><span class="n">certificate</span><span class="o">/</span><span class="n">dir</span><span class="o">></span>
<span class="n">CONFIG</span> <span class="n">proxy</span><span class="p">.</span><span class="n">config</span><span class="p">.</span><span class="n">ssl</span><span class="p">.</span><span class="n">client</span><span class="p">.</span><span class="n">cert</span><span class="p">.</span><span class="n">filename</span> <span class="n">STRING</span> <span class="o"><</span><span class="n">client_certificate_file_name</span><span class="o">></span>
</pre></div>
</div>
</li>
<li><p class="first">Configure the Peer Traffic Server to require and verify the Ingress client certificate. The Certificate Authority used for that verification is set on the Peer with <code class="docutils literal"><span class="pre">proxy.config.ssl.CA.cert.filename</span></code> (or <code class="docutils literal"><span class="pre">proxy.config.ssl.CA.cert.path</span></code>):</p>
<div class="highlight-cpp"><div class="highlight"><pre><span></span><span class="n">CONFIG</span> <span class="n">proxy</span><span class="p">.</span><span class="n">config</span><span class="p">.</span><span class="n">ssl</span><span class="p">.</span><span class="n">client</span><span class="p">.</span><span class="n">certification_level</span> <span class="n">INT</span> <span class="mi">2</span>
</pre></div>
</div>
</li>
<li><p class="first">Enable the TLS Bridge plugin in <code class="docutils literal"><span class="pre">plugin.config</span></code>. The plugin is configured by arguments in
<code class="docutils literal"><span class="pre">plugin.config</span></code>. These arguments come in pairs of a <em>destination</em> and a <em>peer</em>. The
destination is an anchored regular expression which is matched against the host name in the Client
<code class="docutils literal"><span class="pre">CONNECT</span></code>. The destinations are checked in order and the first match selects the Peer
Traffic Server. The peer should be an FQDN or IP address with an optional port. For the example above, if
the Peer Traffic Server is named “peer.example.com”, listens on port 4443, and the Service is at <code class="docutils literal"><span class="pre">*.service.com</span></code>, the
peer argument would be “peer.example.com:4443”. In <code class="docutils literal"><span class="pre">plugin.config</span></code> this would be:</p>
<div class="highlight-cpp"><div class="highlight"><pre><span></span><span class="n">tls_bridge</span><span class="p">.</span><span class="n">so</span> <span class="p">.</span><span class="o">*</span><span class="p">[.]</span><span class="n">service</span><span class="p">[.]</span><span class="n">com</span> <span class="n">peer</span><span class="p">.</span><span class="n">example</span><span class="p">.</span><span class="nl">com</span><span class="p">:</span><span class="mi">4443</span>
</pre></div>
</div>
</li>
</ol>
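<p>As an added example, not part of the plugin's documentation, the settings above assembled into a complete configuration for both instances. Host names, IP ranges, ports and file paths are assumptions. The default (weak) value of the server verification setting is shown commented out beside the corrected one, and the Peer's <code class="docutils literal"><span class="pre">connect_ports</span></code> plus an <code class="docutils literal"><span class="pre">ip_allow.config</span></code> for each instance are included because step 3 otherwise leaves both instances as open proxies.</p>

```text
# ---- Ingress Traffic Server: records.config ----
CONFIG proxy.config.http.cache.http INT 0
CONFIG proxy.config.http.server_ports STRING 8080          # Clients CONNECT here (assumed port)
CONFIG proxy.config.http.connect_ports STRING 4443         # only the Peer's TLS port
CONFIG proxy.config.url_remap.remap_required INT 0
# Weak (default) value: any certificate presented by the Peer is accepted.
#   CONFIG proxy.config.ssl.client.verify.server INT 0
# Corrected value: the Peer certificate must chain to the CA below.
CONFIG proxy.config.ssl.client.verify.server INT 1
CONFIG proxy.config.ssl.client.CA.cert.filename STRING /etc/trafficserver/ca/bridge-ca.pem
CONFIG proxy.config.ssl.client.cert.path STRING /etc/trafficserver/certs
CONFIG proxy.config.ssl.client.cert.filename STRING ingress-client.pem
# Only needed when the private key is not inside ingress-client.pem.
CONFIG proxy.config.ssl.client.private_key.filename STRING ingress-client.key

# ---- Ingress Traffic Server: plugin.config ----
tls_bridge.so .*[.]service[.]com peer.example.com:4443

# ---- Ingress Traffic Server: ip_allow.config (assumed Client network 10.0.0.0/8) ----
src_ip=10.0.0.0-10.255.255.255 action=ip_allow method=CONNECT
src_ip=0.0.0.0-255.255.255.255 action=ip_deny  method=ALL

# ---- Peer Traffic Server: records.config ----
CONFIG proxy.config.http.cache.http INT 0
CONFIG proxy.config.http.server_ports STRING 4443:ssl
CONFIG proxy.config.url_remap.remap_required INT 0
# The forwarded CONNECT names the Service port; this bounds where the Peer will open TCP connections.
CONFIG proxy.config.http.connect_ports STRING 443
# 0 = no client certificate, 1 = requested but optional, 2 = required and verified.
CONFIG proxy.config.ssl.client.certification_level INT 2
CONFIG proxy.config.ssl.CA.cert.filename STRING /etc/trafficserver/ca/bridge-ca.pem
CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/certs

# ---- Peer Traffic Server: ssl_multicert.config (server certificate presented on 4443) ----
dest_ip=* ssl_cert_name=peer.pem ssl_key_name=peer.key

# ---- Peer Traffic Server: ip_allow.config (assumed Ingress address 10.0.0.10) ----
src_ip=10.0.0.10 action=ip_allow method=CONNECT
src_ip=0.0.0.0-255.255.255.255 action=ip_deny  method=ALL
```

<p>Both CA files are the same private CA here, so each side only trusts certificates that CA issued for the bridge; a public CA in their place would let any holder of a public certificate pose as the Peer or the Ingress. IPv6 Clients need matching <code class="docutils literal"><span class="pre">ip_allow.config</span></code> lines.</p>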
</div>
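<p>The destination matching from the <code class="docutils literal"><span class="pre">plugin.config</span></code> step above, as an added example written for this page rather than taken from the tls_bridge plugin: the host is pulled from the Client <code class="docutils literal"><span class="pre">CONNECT</span></code> request line, the destination patterns are tried in order, and a match must cover the whole host name, so a name that merely ends in <code class="docutils literal"><span class="pre">.service.com</span></code> followed by more labels is not bridged. The rule table, the second rule, the request lines and the case-insensitive matching are assumptions of this example.</p>

```cpp
// Added example; this is not the tls_bridge plugin's own code. It shows how the
// plugin.config (destination, peer) pairs select a Peer: each destination is an
// anchored regular expression, checked in order, first match wins. The rules and
// request lines below are constructed for this example.
#include <cassert>
#include <iostream>
#include <regex>
#include <string>
#include <utility>
#include <vector>

// One (destination, peer) pair from a plugin.config line.
struct BridgeRule {
    std::regex destination;  // compiled destination pattern
    std::string peer;        // FQDN or IP address with optional :port
};

// Compile the argument pairs in the order they appear in plugin.config.
// Case-insensitive matching is an assumption of this example: DNS names are
// case-insensitive, and a case-sensitive pattern could be dodged with "WWW.Service.COM".
std::vector<BridgeRule> make_rules(const std::vector<std::pair<std::string, std::string>>& pairs) {
    std::vector<BridgeRule> rules;
    for (const auto& p : pairs) {
        rules.push_back({std::regex(p.first, std::regex::ECMAScript | std::regex::icase), p.second});
    }
    return rules;
}

// Pull the host name out of a CONNECT request line ("CONNECT host:port HTTP/1.1").
// Returns "" for anything that is not a well-formed CONNECT, which the plugin
// leaves alone. Bracketed IPv6 literals are not handled here.
std::string connect_host(const std::string& request_line) {
    static const std::regex kConnect(R"(^CONNECT[ \t]+([^ \t:]+)(?::(\d{1,5}))?[ \t]+HTTP/1\.[01]\r?$)");
    std::smatch m;
    if (!std::regex_match(request_line, m, kConnect)) return "";
    return m[1].str();
}

// Return the peer for the first destination that matches the whole host name,
// or "" if none matches. std::regex_match anchors at both ends, so
// ".*[.]service[.]com" is not satisfied by "www.service.com.attacker.net".
std::string select_peer(const std::vector<BridgeRule>& rules, const std::string& host) {
    if (host.empty()) return "";
    for (const auto& r : rules) {
        if (std::regex_match(host, r.destination)) return r.peer;
    }
    return "";
}

// Convenience: request line in, peer (or "") out.
std::string route(const std::vector<BridgeRule>& rules, const std::string& request_line) {
    return select_peer(rules, connect_host(request_line));
}

// The plugin.config pair from the page plus one extra constructed pair, in order.
const std::vector<BridgeRule> kExampleRules = make_rules({
    {".*[.]service[.]com", "peer.example.com:4443"},
    {"intranet[.]corp", "10.0.0.2:4443"}});

int main() {
    const char* lines[] = {"CONNECT www.service.com:443 HTTP/1.1\r",
                           "CONNECT www.service.com.attacker.net:443 HTTP/1.1",
                           "CONNECT intranet.corp:8443 HTTP/1.1",
                           "GET http://www.service.com/ HTTP/1.1"};
    for (const char* l : lines) {
        std::string peer = route(kExampleRules, l);
        std::cout << l << " -> " << (peer.empty() ? "(not bridged)" : peer) << "\n";
    }
    return 0;
}
```

<p>A request that matches no destination falls through to ordinary proxying, which is why the <code class="docutils literal"><span class="pre">ip_allow.config</span></code> restriction from step 3 matters even when every intended Client is bridged.</p>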
<div class="section" id="notes">
<h2>Notes<a class="headerlink" href="#notes" title="Permalink to this headline">¶</a></h2>
<p>TLS Bridge is distinct from the more basic Layer 4 Routing available in Traffic Server. In the latter there is no
intercept of, or change to, the TLS exchange between the Client and the Service. That exchange looks like
this:</p>
<div class="figure align-center">
<p class="plantuml">
<object data="_images/plantuml-7eba0a8a7c47b32c4fc6d579cae723f8767b095e.svg" type="image/svg+xml" style="width:574px;height:412px;">
<img src="_images/plantuml-7eba0a8a7c47b32c4fc6d579cae723f8767b095e.png" alt="actor Client
participant "Ingress TS" as Ingress
participant Service
Client <-[#green]> Ingress : //TCP Connect//
Client -[#blue]-> Ingress : <font color="blue">TLS: ""CLIENT HELLO""</font>
note over Ingress : Map SNI to upstream Service
Ingress <-[#green]> Service : //TCP Connect//
Ingress -[#blue]-> Service : <font color="blue">TLS: ""CLIENT HELLO""</font>
note right : Duplicate of data from Client.
note over Ingress : Forward bytes between Client <&arrow-thick-left> <&arrow-thick-right> Service
Client <--> Service" />
</object></p>
</div>
<p>The key points are</p>
<ul class="simple">
<li>Traffic Server does no TLS negotiation at all. The properties of the connection between the Ingress Traffic Server
and the Service are completely determined by the Client and Service negotiation.</li>
<li>No packets are modified; the <code class="docutils literal"><span class="pre">CLIENT</span> <span class="pre">HELLO</span></code> sent by the Ingress Traffic Server is an exact copy of that
sent to the Ingress Traffic Server by the Client. It is only examined for the SNI data in order to select
the Service.</li>
</ul>
</div>
<div class="section" id="implementation">
<h2>Implementation<a class="headerlink" href="#implementation" title="Permalink to this headline">¶</a></h2>
<p>The TLS Bridge plugin uses <code class="code docutils literal"><span class="pre">TSHttpTxnIntercept</span></code> to gain control of the ingress Client session.
If the session is valid then a separate connection to the peer Traffic Server is created using
<code class="code docutils literal"><span class="pre">TSHttpConnect</span></code>.</p>
<p>After the ingress Traffic Server connects to the peer Traffic Server it sends a duplicate of the Client <code class="docutils literal"><span class="pre">CONNECT</span></code>
request. This is processed by the peer Traffic Server to connect on to the Service. After this both Traffic Server
instances then tunnel data between the Client and the Service, in effect becoming a transparent
tunnel.</p>
<p>The overall exchange looks like the following:</p>
<div class="figure align-center">
<p class="plantuml">
<object data="_images/plantuml-f08cfcf8f12ba6ec5dcf2063de47ce9a939be24f.svg" type="image/svg+xml" style="width:641px;height:657px;">
<img src="_images/plantuml-f08cfcf8f12ba6ec5dcf2063de47ce9a939be24f.png" alt="@startuml
box "Client Network" #DDFFDD
actor Client
entity "User Agent\nVConn" as lvc
participant "Ingress ATS" as ingress
entity "Upstream\nVConn" as rvc
end box
box "Corporate Network" #DDDDFF
participant "Peer ATS" as peer
database Service
end box
Client -> ingress : TCP or TLS connect
activate lvc
Client -> ingress : HTTP CONNECT
ingress -> lvc : Intercept Transaction
ingress -> peer : TLS connect
activate rvc
note over ingress,peer : Secure Tunnel
ingress -> peer : HTTP CONNECT
note over peer : DNS for Service is\ndone here.
peer -> Service : TCP Connect
note over Client, Service : At this point data can flow between the Client and Server\nover the secure link as a virtual connection, including any TLS handshake.
Client <--> Service
lvc <-> ingress : <&arrow-thick-left> Move data <&arrow-thick-right>
ingress <-> rvc : <&arrow-thick-left> Move data <&arrow-thick-right>
note over ingress : Plugin explicitly moves this data.
@enduml" />
</object></p>
</div>
<p>A detailed view of the plugin operation.</p>
<div class="figure align-center">
<p class="plantuml">
<object data="_images/plantuml-08fa73bf403bfd757846fd100a332f4621114eec.svg" type="image/svg+xml" style="width:710px;height:915px;">
<img src="_images/plantuml-08fa73bf403bfd757846fd100a332f4621114eec.png" alt="@startuml
scale max 720 width
ReadRequestHdr : Check for ""CONNECT""
ReadRequestHdr : =====
ReadRequestHdr : Find Peer for Service.
Intercept : Intercept Client Transaction.
Intercept : =====
Intercept : Initialize Bridge Context.
Accept : Initialize ""VConn"" data.
Accept : =====
Accept : Create internal transaction.
Accept : =====
Accept : Set up Client side tunnel.
Accept : =====
Accept : ""CONNECT"" to Peer via internal transaction.
Tunnel : Move data.
state "Flow To Peer" as FlowToPeer
FlowToPeer : Move data from Client ""TSIOBufferReader""\nto Peer ""TSIOBuffer"".
FlowToPeer : =====
FlowToPeer : Reenable VIOs
state "Flow To Client" as FlowToClient
FlowToClient : Move data from Peer ""TSIOBufferReader""\nto Client ""TSIOBuffer"".
FlowToClient : =====
FlowToClient : Reenable VIOs
state "Wait For Peer Response" as WaitForPeerResponse {
WaitForStatusCode : Parse for status code.
WaitForResponseEnd : Parse for double newline.
BadStatus : Set error data\nin Client Response.
PeerReady : Update Client Response.
PeerReady : =====
PeerReady : Set up peer tunnel.
PeerReady : =====
PeerReady : Start Tunneling.
[*] --> WaitForStatusCode
WaitForStatusCode --> WaitForResponseEnd
WaitForStatusCode --> BadStatus
BadStatus --> [*]
WaitForResponseEnd --> PeerReady
PeerReady --> [*]
}
[*] --> ReadRequestHdr : ""CONNECT"" Service
ReadRequestHdr --> [*] : Not matched.
ReadRequestHdr --> Intercept
Intercept --> Accept : ""TS_EVENT_NET_ACCEPT""
Accept -r-> WaitForPeerResponse
WaitForPeerResponse --> WaitForPeerResponse : ""TS_EVENT_VCONN_READ_READY""
WaitForPeerResponse --> Tunnel : 200 OK
WaitForPeerResponse -u-> [*] : Peer connect failure
Tunnel --> FlowToClient : ""TS_EVENT_VCONN_READ_READY""\nPeer VIO
FlowToClient --> Tunnel
Tunnel --> FlowToPeer : ""TS_EVENT_VCONN_READ_READY""\nClient VIO
FlowToPeer --> Tunnel
Tunnel -right-> Shutdown : ""TS_EVENT_VCONN_EOS""
Shutdown : Close Client VConn
Shutdown : =====
Shutdown : Close Upstream VConn
@enduml
" />
</object></p>
</div>
<p>A sequence diagram focusing on the request / response data flow. There is a <code class="code docutils literal"><span class="pre">NetVConn</span></code> for the
connection to the Peer Traffic Server which is omitted for clarity.</p>
<ul class="simple">
<li>Blue dotted lines are request or response data</li>
<li>Green lines are network connections.</li>
<li>Red lines are programmatic interactions.</li>
<li>Black lines are hook call backs.</li>
</ul>
<p>The <code class="code docutils literal"><span class="pre">200</span> <span class="pre">OK</span></code> sent from the Peer Traffic Server is parsed and consumed by the plugin. A non-<code class="code docutils literal"><span class="pre">200</span></code> response
means there was an error and the tunnel is shut down. So that the Client response can be cleaned up correctly, the
response code is stored and used later during cleanup.</p>
<div class="figure align-center">
<p class="plantuml">
<object data="_images/plantuml-48a838e1bddfa2e2e0914c5d872c3623fc7dfccb.svg" type="image/svg+xml" style="width:723px;height:867px;">
<img src="_images/plantuml-48a838e1bddfa2e2e0914c5d872c3623fc7dfccb.png" alt="@startuml
scale max 720 width
actor Client
box "Ingress ATS" #DDFFDD
entity "Client\nNetVConn" as uanet
participant "Ingress\nATS" as ingress
entity "Client\nVConn" as uavc
entity "TLS Bridge" as plugin
entity "Peer\nVConn" as peervc
end box
box "Peer ATS" #DDDDFF
participant "Peer\nATS" as peer
end box
participant Service
Client <-[#green]> ingress : <font color="green">//TCP//</font> Handshake
activate uanet
Client -[#blue]-> uanet : <font color="blue">""CONNECT"" Service</font>
uanet -> ingress : //Parse request//
ingress -[#black]> plugin : ""READ_REQUEST_HDR_HOOK""
plugin -> ingress : //TSHttpTxnIntercept()//
ingress -> uavc : //Create//
activate uavc
uanet -[#blue]-> ingress : <font color="blue">""CONNECT"" Service</font>
ingress -[#blue]-> uavc : <font color="blue">""CONNECT"" Service</font>
ingress -[#black]> plugin : ""TS_EVENT_NET_ACCEPT""
note right : Client VConn is passed in event data.
plugin -\ ingress : //TSHttpConnect()//
ingress -> peervc : //create//
activate peervc
ingress -/ plugin : //return Peer VConn//
plugin -[#blue]-> peervc : <font color="blue">""CONNECT"" Peer</font>
peervc -> ingress : //parse request//
ingress <-[#green]> peer : <font color="green">//TCP//</font> Handshake
ingress <-[#green]> peer : <font color="green">//TLS//</font> Handshake
ingress -[#blue]-> peervc : <font color="blue">""200 OK""</font>
peervc -[#blue]-> plugin : <font color="blue">""200 OK""</font>
note left
This signals a raw TLS connection
to the Peer ATS. The response is
parsed and consumed by Plugin.
end note
note over plugin : Plugin switches to byte forwarding.
uavc -[#blue]-> plugin : <font color="blue">""CONNECT"" Service</font>
note left: Original Client Request.
plugin -[#blue]-> peervc : <font color="blue">""CONNECT"" Service</font>
peervc -[#blue]-> peer : <font color="blue">""CONNECT"" Service</font>
peer <-[#green]> Service : <font color="green">//TCP//</font> Handshake
peer <-[#green]> Service : <font color="green">//TLS//</font> Handshake
note left : Optional, based on 'Service'
peer -[#blue]-> peervc : <font color="blue">""200 OK""</font>
peervc -[#blue]-> plugin : <font color="blue">""200 OK""</font>
plugin -[#blue]-> uavc : <font color="blue">""200 OK""</font>
uavc -[#blue]-> ingress : <font color="blue">""200 OK""</font>
note left
ATS updates the incoming response based on
local configuration. This means what goes out
to the Client may be different than what the
plugin wrote (forwarded from Peer ATS).
end note
ingress -[#black]> plugin : ""SEND_RESPONSE_HDR_HOOK""
note right : Plugin cleans up response here.
ingress -[#blue]-> uanet : <font color="blue">""200 OK""</font>
uanet -[#blue]-> Client : <font color="blue">""200 OK""</font>
Client <-[#green]> Service : //TCP/TLS Connect//
@enduml
" />
</object></p>
</div>
<p>A restartable state machine is used to recognize the end of the Peer Traffic Server response. The initial part
of the response is easy because all that is needed is to wait until there is sufficient data for a
minimal parse of the status line. The end can be an arbitrary distance into the stream and may not all be in the same
socket read.</p>
<div class="figure align-center">
<p class="plantuml">
<object data="_images/plantuml-103de8d97260ab437f05de350ef7f2de2e8e1113.svg" type="image/svg+xml" style="width:223px;height:450px;">
<img src="_images/plantuml-103de8d97260ab437f05de350ef7f2de2e8e1113.png" alt="@startuml
[*] -r> State_0
State_0 --> State_1 : CR
State_1 --> State_0 : *
State_1 --> State_1 : CR
State_1 --> State_2 : LF
State_2 --> State_3 : CR
State_2 --> State_0 : *
State_3 -r> [*] : LF
State_3 --> State_1 : CR
State_3 --> State_0 : *
@enduml" />
</object></p>
</div>
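<p>The two parsing steps described above, the status code check on the Peer response and the restartable end-of-headers state machine in the diagram, as an added example written for this page and not the tls_bridge plugin's own code. The parser keeps its state between socket reads, so the blank line may be split across reads in any way, and it reports how many bytes of the completing read belong to the response so that the bytes after the blank line are handed to the tunnel rather than discarded with the headers. The responses and read boundaries are constructed; the status line length cap is an assumption of this example.</p>

```cpp
// Added example; this is not the tls_bridge plugin's own code. It implements a
// minimal parse of the Peer's status line (anything but 200 is an error) and the
// four-state CR/LF recognizer from the state diagram, driven across arbitrary
// read boundaries. Responses below are constructed for this example.
#include <cassert>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

class PeerResponseParser {
public:
    enum class Result { NeedMore, Ready, BadStatus };

    // Feed one socket read. Returns NeedMore until the response is complete.
    // After Ready or BadStatus, consumed() is the number of bytes of *this*
    // chunk that belong to the response; the remainder is tunnel payload.
    Result feed(const char* data, std::size_t len) {
        consumed_ = 0;
        for (std::size_t i = 0; i < len; ++i) {
            const char c = data[i];
            ++consumed_;
            if (status_ == 0) {  // still collecting the status line
                status_line_.push_back(c);
                // Parse at end of line, or once the line is implausibly long (assumed cap).
                if (c == '\n' || status_line_.size() > kMaxStatusLine) {
                    status_ = parse_status(status_line_);
                    if (status_ != 200) return Result::BadStatus;
                }
            }
            state_ = step(state_, c);
            if (state_ == kEnd) return Result::Ready;
        }
        return Result::NeedMore;
    }

    int status() const { return status_; }             // 0 = not yet known, -1 = malformed
    std::size_t consumed() const { return consumed_; }

private:
    static constexpr std::size_t kMaxStatusLine = 1024;
    static constexpr int kEnd = 4;

    // "HTTP/1.x NNN ...": only the version and the three-digit code are required.
    static int parse_status(const std::string& line) {
        if (line.size() < 12 || line.compare(0, 7, "HTTP/1.") != 0) return -1;
        if ((line[7] != '0' && line[7] != '1') || line[8] != ' ') return -1;
        int code = 0;
        for (int i = 9; i < 12; ++i) {
            if (line[i] < '0' || line[i] > '9') return -1;
            code = code * 10 + (line[i] - '0');
        }
        return code;
    }

    // The end-of-headers recognizer from the diagram (State_0..State_3),
    // accepting on CR LF CR LF. Any other byte drops back to State_0, and a CR
    // after a CR or after CR LF CR restarts at State_1, as the diagram shows.
    static int step(int s, char c) {
        switch (s) {
        case 0: return c == '\r' ? 1 : 0;
        case 1: return c == '\r' ? 1 : (c == '\n' ? 2 : 0);
        case 2: return c == '\r' ? 3 : 0;
        case 3: return c == '\n' ? kEnd : (c == '\r' ? 1 : 0);
        default: return kEnd;
        }
    }

    int state_ = 0;
    int status_ = 0;
    std::size_t consumed_ = 0;
    std::string status_line_;
};

// What a caller learns after driving the parser over a sequence of reads.
struct Outcome {
    PeerResponseParser::Result result;
    int status;
    std::string leftover;  // bytes after the blank line in the completing read
};

// Drive a parser over a response delivered in pieces, as successive reads would.
Outcome run_chunks(const std::vector<std::string>& chunks) {
    PeerResponseParser p;
    for (const auto& ch : chunks) {
        auto r = p.feed(ch.data(), ch.size());
        if (r != PeerResponseParser::Result::NeedMore) return {r, p.status(), ch.substr(p.consumed())};
    }
    return {PeerResponseParser::Result::NeedMore, p.status(), ""};
}

int main() {
    Outcome ok = run_chunks({"HTTP/1.1 200 OK\r\nServer: ATS/8.0\r", "\n\r", "\nTLS-bytes"});
    std::cout << "status " << ok.status << ", leftover '" << ok.leftover << "'\n";
    Outcome bad = run_chunks({"HTTP/1.1 502 Bad Gateway\r\n\r\n"});
    std::cout << "status " << bad.status << ", tunnel shut down\n";
    return 0;
}
```

<p>The recognizer only accepts CR LF CR LF, matching the diagram; a bare LF LF terminator is not recognized, which is acceptable here because the Peer is another Traffic Server, but a parser facing arbitrary upstreams would need to accept both.</p>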
</div>
</div>
</div>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="footer" role="contentinfo">
© Copyright 2017, [email protected].
Created using <a href="http://sphinx-doc.org/">Sphinx</a> 1.5.5.
</div>
</body>
</html>