This is a brief document describing some new features, and gotchas, when upgrading to ATS v3.2.
SSL certificate configuration
TS-1147 removed the use of records.config to specify SSL certificates. All certificate file names must now be specified in ssl_multicert.config. The proxy.config.ssl.server.cert.filename and proxy.config.ssl.server.private_key.filename configuration parameters have been removed. The ssl_multicert.config shipped with the release has examples of a typical configuration; a typical entry looks like this:

dest_ip=10.10.20.20 ssl_cert_name=example.pem ssl_key_name=example-key-nopass.pem

Since the key file is stored without a passphrase (as the example name suggests), keep it readable only by the user traffic_server runs as.
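As an added pre-restart check (example code written for this page, not part of Traffic Server), the following script walks every rule in an ssl_multicert.config and verifies that the referenced certificate and key files exist, that the key actually belongs to the certificate, and that the key is not passphrase-protected. It assumes that relative file names resolve against a directory you pass in (in a typical install, the one proxy.config.ssl.server.cert.path points at), that the openssl command is available, and that a rule without ssl_key_name keeps its key inside the certificate file.

```sh
#!/bin/sh
# Pre-restart check for an ATS 3.2 ssl_multicert.config. Added example for
# this page, not part of Traffic Server. Every ssl_cert_name / ssl_key_name
# referenced must exist, the key must match the certificate, and the key must
# not need a passphrase (the page's example-key-nopass.pem is unencrypted;
# an encrypted key is reported so it can be dealt with deliberately).
# Assumption: relative names resolve against CERT_DIR, taken here to be the
# directory proxy.config.ssl.server.cert.path points at.

# resolve NAME DIR -> absolute path (names starting with / are kept as-is)
resolve() {
    case "$1" in /*) printf '%s\n' "$1" ;; *) printf '%s/%s\n' "$2" "$1" ;; esac
}

# check_ssl_pair CERT KEY -> 0 if the pair is usable, 1 otherwise (reason on stderr)
check_ssl_pair() {
    cert=$1; key=$2
    [ -r "$cert" ] || { echo "unreadable certificate: $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "unreadable key: $key" >&2; return 1; }
    # Both PEM encodings of an encrypted key carry the word ENCRYPTED
    # (either "Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY").
    if grep -q ENCRYPTED "$key"; then
        echo "key is passphrase-protected, cannot be loaded unattended: $key" >&2
        return 1
    fi
    # Compare the public key inside the certificate with the public half of
    # the private key; both commands emit the same SubjectPublicKeyInfo PEM.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and key do not match: $cert / $key" >&2
        return 1
    fi
    return 0
}

# check_multicert CONFIG CERT_DIR -> 0 if every rule passes, 1 if any fails
check_multicert() {
    conf=$1; dir=$2; failed=0
    # A here-document keeps the loop in the current shell so $failed survives;
    # piping into "while" would run the loop in a subshell.
    while read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        cert=$(printf '%s\n' "$line" | sed -n 's/.*ssl_cert_name=\([^[:space:]]*\).*/\1/p')
        [ -n "$cert" ] || continue
        key=$(printf '%s\n' "$line" | sed -n 's/.*ssl_key_name=\([^[:space:]]*\).*/\1/p')
        # Without ssl_key_name the key is expected inside the certificate file.
        [ -n "$key" ] || key=$cert
        if check_ssl_pair "$(resolve "$cert" "$dir")" "$(resolve "$key" "$dir")"; then
            echo "ok: $line"
        else
            echo "FAILED: $line" >&2
            failed=1
        fi
    done <<EOF
$(cat "$conf")
EOF
    return $failed
}
```

Source the file and call check_multicert with the config path and the certificate directory, e.g. check_multicert /usr/local/etc/trafficserver/ssl_multicert.config /usr/local/etc/trafficserver (paths assumed for illustration); a non-zero exit means at least one rule would fail at startup.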
HTTP Quick filtering configuration
TS-1140 removed proxy.config.http.quick_filter.mask from records.config; this functionality has been moved to ip_allow.config. This also means that ip_allow.config can not be empty, or nothing will be allowed. The default configuration for ip_allow.config is:

# Allow anything on localhost (this is the default configuration based on the
# deprecated CONFIG proxy.config.http.quick_filter.mask INT 0x482)
src_ip=127.0.0.1 action=ip_allow method=ALL
src_ip=::1 action=ip_allow method=ALL
# Deny PURGE, DELETE, and PUSH for all (this implies allow other methods for all)
src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE
src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny method=PUSH|PURGE|DELETE
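Two things go wrong with this file after an upgrade: it is left empty (every client is denied) or an allow rule is widened so that PURGE, DELETE or PUSH become reachable from any client. The lint below is an added example for this page, not part of Traffic Server; it flags both cases. It examines rules one at a time and does not model how ATS resolves overlapping ranges, and it treats only 127.x.x.x and ::1 as local sources (an assumption).

```sh
#!/bin/sh
# Lint for an ATS 3.2 ip_allow.config. Added example for this page, not part
# of Traffic Server. Flags the two upgrade mistakes that matter most now that
# proxy.config.http.quick_filter.mask is gone:
#   1. an empty file, which makes ATS deny every request;
#   2. an ip_allow rule granting ALL, PUSH, PURGE or DELETE to a source other
#      than the loopback addresses, so any client could modify the cache.
# Rules are checked individually; overlapping ranges are not modelled, and
# only 127.x.x.x and ::1 count as local (assumption).

# field KEY LINE -> value of KEY=value in LINE, or empty if absent
field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\([^[:space:]]*\).*/\1/p"
}

# lint_ip_allow CONFIG -> 0 if nothing suspicious, 1 otherwise (findings on stderr)
lint_ip_allow() {
    conf=$1; rules=0; problems=0
    # Here-document rather than a pipe so the counters survive the loop.
    while read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        src=$(field src_ip "$line"); act=$(field action "$line"); meth=$(field method "$line")
        [ -n "$src" ] || continue
        rules=$((rules + 1))
        [ "$act" = ip_allow ] || continue
        case "$src" in 127.*|::1) continue ;; esac
        # Wrap the method list in | so each name matches as a whole token.
        case "|$meth|" in
            *"|ALL|"*|*"|PUSH|"*|*"|PURGE|"*|*"|DELETE|"*)
                echo "exposes cache-modifying methods to $src: $line" >&2
                problems=1 ;;
        esac
    done <<EOF
$(cat "$conf")
EOF
    if [ "$rules" -eq 0 ]; then
        echo "$conf has no rules: an empty ip_allow.config denies every client" >&2
        return 1
    fi
    echo "$conf: $rules rule(s) checked"
    return $problems
}
```

The page's default configuration passes (the only ip_allow rules are for loopback), while a single line such as src_ip=0.0.0.0-255.255.255.255 action=ip_allow method=ALL is reported.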
HostDB format change
The addition of full IPv6 support caused the on-disk format of the HostDB to change. You will need to remove the HostDB file before deploying 3.2. For example:
% sudo rm /usr/local/var/trafficserver/host.db
This should of course be done when the server is not running. Alternatively, the HostDB can be cleared with traffic_server's -C option, and it is also a good idea to clear the other cache(s) before starting up 3.2.0 after the upgrade. E.g.

% sudo traffic_server -Cclear_hostdb    # Clears the hostdb
% sudo traffic_server -Cclear           # Clears *all* caches, including the HTTP cache
Stat snapshots
Since some statistics are persistent across restarts, it's also a good idea to remove the stats and configuration snapshots. For example:
% sudo rm /usr/local/var/trafficserver/*.snap
This again must be done when the server is not running.
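Both removals above are only safe while the server is stopped. As an added example (not Traffic Server's own tooling), the script below performs the host.db and snapshot cleanup and refuses to do anything if a traffic_server or traffic_manager process is found. It assumes the runtime directory is the page's /usr/local/var/trafficserver unless another is passed, and that the daemons carry those two process names.

```sh
#!/bin/sh
# Pre-start cleanup for the 3.2 upgrade. Added example for this page, not part
# of Traffic Server. Removes the old-format host.db and the *.snap files, but
# only after confirming that no traffic_server or traffic_manager process is
# running. Assumptions: the runtime directory is /usr/local/var/trafficserver
# unless given, and the daemons are named traffic_server / traffic_manager.

# ats_running -> 0 if a traffic_server or traffic_manager process exists
ats_running() {
    pgrep -x traffic_server >/dev/null 2>&1 || pgrep -x traffic_manager >/dev/null 2>&1
}

# pre_upgrade_cleanup [RUNTIME_DIR] -> 0 when done, 1 if the directory is
# missing or the server is running (nothing is removed in those cases)
pre_upgrade_cleanup() {
    dir=${1:-/usr/local/var/trafficserver}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    if ats_running; then
        echo "traffic_server/traffic_manager is running; stop it before cleaning up" >&2
        return 1
    fi
    # host.db: its on-disk format changed with full IPv6 support
    if [ -e "$dir/host.db" ]; then
        echo "removing $dir/host.db"
        rm -f "$dir/host.db"
    fi
    # *.snap: persistent statistics and configuration snapshots
    for f in "$dir"/*.snap; do
        [ -e "$f" ] || continue   # an unmatched glob stays as the literal pattern
        echo "removing $f"
        rm -f "$f"
    done
    return 0
}
```

Run it as root after stopping the server (for example, sudo sh -c '. ./cleanup.sh; pre_upgrade_cleanup'); a non-zero exit means nothing was touched.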
Port Configuration
TS-1077 changed the way ports are configured for HTTP. The following configuration values are now deprecated:

proxy.config.http.server_port
proxy.config.http.server_port_attr
proxy.config.http.server_other_ports
proxy.config.http.ssl_ports

All of these are replaced by a single new configuration value:

proxy.config.http.server_ports

This value is a STRING consisting of a sequence of port specifications separated by spaces or commas. Each specification configures a listening port for ATS and is a set of keywords separated by colons. Some keywords also take a value, which may be separated from the keyword by an optional '=' character. The case of keywords is ignored. The keyword order is irrelevant unless keywords conflict (e.g. tr-full and ssl), in which case the rightmost keyword dominates.

keyword | meaning
number  | IP port. Required.
ipv6    | Use IPv6.
ipv4    | Use IPv4. Default.
tr-in   | Use inbound transparency (to client).
tr-out  | Use outbound transparency (to server).
tr-full | Full transparency, both inbound and outbound.
ssl     | Use SSL termination.
blind   | Use as a blind tunnel (for
ip-in   | Use the keyword value as the local inbound (listening) address. This will also set the address family if not explicitly specified. If the IP address family is specified by
ip-out  | Use the value as the local address when connecting to a server. This may be specified twice, once for IPv4 and once for IPv6. The actual address used will be determined by the family of the origin server address.
Examples:

80 80:ipv6
    Listen on port 80 on any address for IPv4 and IPv6.

8080:ipv6:tr-full 443:ssl 80:ip-in=192.168.17.1:ip-out=[fc01:10:10:1::1]:ip-out=10.10.10.1
    Listen on port 8080 on any address for IPv6, fully transparent. Set up an SSL port on 443. Listen on IP address 192.168.17.1, port 80, IPv4, and connect to origin servers using the local address 10.10.10.1 for IPv4 and fc01:10:10:1::1 for IPv6.
Note: For SSL you must still configure the certificates, this option handles only the port configuration.
Note: old-style configuration of ports should still work, but support for it will be removed at some point in the future.
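To see how the rules above combine before committing a value to records.config, here is an added parser for proxy.config.http.server_ports strings (example code for this page, not Traffic Server's own parser). It splits on spaces and commas, keeps colons inside bracketed IPv6 literals together, lower-cases keywords, accepts values with or without '=', derives the family from ip-in only when ipv4/ipv6 was not given, applies the rightmost-wins rule when a tr-* keyword meets ssl or blind, and rejects a missing port, an unknown keyword, or two ip-out addresses of the same family. Treating every tr-* keyword as conflicting with ssl and blind is this example's reading of the page's rule, not a documented ATS behaviour.

```sh
#!/bin/sh
# Parser for proxy.config.http.server_ports values. Added example for this
# page, not Traffic Server's own parser. Assumptions: colons inside [...]
# belong to an IPv6 literal, every tr-* keyword conflicts with ssl and blind
# (rightmost wins, as the page states for tr-full vs ssl), and an ip-in
# address sets the family only when ipv4/ipv6 was not given explicitly.

# parse_port_spec SPEC -> prints one normalised line, exit 1 on a bad spec
parse_port_spec() {
    printf '%s\n' "$1" | awk '
    {
        s = $0
        # Hide colons inside [...] so an IPv6 literal is not split apart.
        while (match(s, /\[[^]]*\]/)) {
            inner = substr(s, RSTART + 1, RLENGTH - 2)
            gsub(/:/, "@", inner)
            s = substr(s, 1, RSTART - 1) inner substr(s, RSTART + RLENGTH)
        }
        n = split(s, tok, ":")
        port = ""; family = "ipv4"; explicit = 0; err = ""
        tr = "none"; trpos = 0; term = "none"; termpos = 0
        ipin = "-"; ipout4 = "-"; ipout6 = "-"
        for (i = 1; i <= n && err == ""; i++) {
            t = tok[i]; gsub(/@/, ":", t)
            # Split keyword from value: "=" is optional for ip-in / ip-out.
            p = index(t, "=")
            if (p > 0) { kw = substr(t, 1, p - 1); val = substr(t, p + 1) }
            else if (tolower(substr(t, 1, 6)) == "ip-out") { kw = "ip-out"; val = substr(t, 7) }
            else if (tolower(substr(t, 1, 5)) == "ip-in") { kw = "ip-in"; val = substr(t, 6) }
            else { kw = t; val = "" }
            kw = tolower(kw)
            if (kw ~ /^[0-9]+$/) port = kw
            else if (kw == "ipv4" || kw == "ipv6") { family = kw; explicit = 1 }
            else if (kw == "tr-in" || kw == "tr-out" || kw == "tr-full") { tr = kw; trpos = i }
            else if (kw == "ssl" || kw == "blind") { term = kw; termpos = i }
            else if (kw == "ip-in") {
                if (val == "") err = "ip-in needs an address"
                else {
                    ipin = val
                    if (!explicit) family = (index(val, ":") > 0) ? "ipv6" : "ipv4"
                }
            }
            else if (kw == "ip-out") {
                if (val == "") err = "ip-out needs an address"
                else if (index(val, ":") > 0) { if (ipout6 != "-") err = "ip-out given twice for IPv6"; ipout6 = val }
                else { if (ipout4 != "-") err = "ip-out given twice for IPv4"; ipout4 = val }
            }
            else err = "unknown keyword \"" kw "\""
        }
        if (err == "" && port == "") err = "missing port number"
        else if (err == "" && (port + 0 < 1 || port + 0 > 65535)) err = "port " port " out of range"
        if (err != "") { print "error: " $0 ": " err > "/dev/stderr"; exit 1 }
        # Conflict rule from the page: the rightmost keyword dominates.
        if (tr != "none" && term != "none") {
            loser = (termpos > trpos) ? tr : term
            print "warning: " $0 ": " tr " and " term " conflict, rightmost wins, " loser " dropped" > "/dev/stderr"
            if (termpos > trpos) tr = "none"; else term = "none"
        }
        printf "port=%s family=%s transparency=%s termination=%s ip-in=%s ip-out4=%s ip-out6=%s\n",
               port, family, tr, term, ipin, ipout4, ipout6
    }'
}

# parse_server_ports VALUE -> one line per spec, exit 1 if any spec is bad
parse_server_ports() {
    rc=0
    for spec in $(printf '%s\n' "$1" | tr ',' ' '); do
        parse_port_spec "$spec" || rc=1
    done
    return $rc
}
```

Feeding the page's second example, parse_server_ports '8080:ipv6:tr-full 443:ssl 80:ip-in=192.168.17.1:ip-out=[fc01:10:10:1::1]:ip-out=10.10.10.1', prints three lines whose family, transparency and ip-out columns match the prose description; a spec like 443:tr-full:ssl prints termination=ssl with a warning that tr-full was dropped.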