This is a brief document describing new features and gotchas to be aware of when upgrading to ATS v3.2.


SSL certificate configuration

TS-1147 removed the use of records.config to specify SSL certificates. All certificate file names must now be specified in ssl_multicert.config; the proxy.config.ssl.server.cert.filename and proxy.config.ssl.server.private_key.filename configuration parameters have been removed. ssl_multicert.config itself contains examples of typical configurations; a typical entry looks like this:

dest_ip=10.10.20.20 ssl_cert_name=example.pem ssl_key_name=example-key-nopass.pem

HTTP Quick filtering configuration

TS-1140 removed proxy.config.http.quick_filter.mask from records.config; this functionality has moved to ip_allow.config. This also means that ip_allow.config cannot be empty, or nothing will be allowed. The default ip_allow.config is:

# Allow anything on localhost (this is the default configuration based on the
# deprecated CONFIG proxy.config.http.quick_filter.mask INT 0x482)
src_ip=127.0.0.1                                  action=ip_allow method=ALL
src_ip=::1                                        action=ip_allow method=ALL
# Deny PURGE, DELETE, and PUSH for all (this implies allow other methods for all)
src_ip=0.0.0.0-255.255.255.255                    action=ip_deny  method=PUSH|PURGE|DELETE
src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny  method=PUSH|PURGE|DELETE
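The behaviour that bites people after this change is the empty file: with no matching rule there is no fallback to "allow", so every request is refused. The following Python script is an added example, not part of the ATS code base or of this page; it parses ip_allow.config lines in the format shown above and answers whether a given source address may use a given method. The precedence rule it applies (the first matching rule in file order decides) is an assumption made for this example, and unmatched addresses are denied, which is the empty-file gotcha described above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Union

# The default ip_allow.config shipped with 3.2, as quoted in the text above.
DEFAULT_IP_ALLOW = """\
# Allow anything on localhost (this is the default configuration based on the
# deprecated CONFIG proxy.config.http.quick_filter.mask INT 0x482)
src_ip=127.0.0.1                                  action=ip_allow method=ALL
src_ip=::1                                        action=ip_allow method=ALL
# Deny PURGE, DELETE, and PUSH for all (this implies allow other methods for all)
src_ip=0.0.0.0-255.255.255.255                    action=ip_deny  method=PUSH|PURGE|DELETE
src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny  method=PUSH|PURGE|DELETE
"""

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class IpAllowRule:
    first: Address
    last: Address
    action: str        # "ip_allow" or "ip_deny"
    methods: Set[str]  # upper-case method names, or {"ALL"}

    def matches(self, ip: Address) -> bool:
        # Ranges never span address families, so compare only within one family.
        return ip.version == self.first.version and self.first <= ip <= self.last


def parse_ip_allow(text: str) -> List[IpAllowRule]:
    """Parse ip_allow.config text into rules, rejecting malformed lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        try:
            fields = dict(tok.split("=", 1) for tok in line.split())
            src = fields["src_ip"]
            lo, hi = src.split("-", 1) if "-" in src else (src, src)
            first, last = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
            action = fields["action"]
            methods = {m.upper() for m in fields["method"].split("|")}
        except (KeyError, ValueError) as exc:
            raise ValueError("ip_allow.config line %d: %s" % (lineno, exc))
        if first.version != last.version or first > last:
            raise ValueError("ip_allow.config line %d: bad range %s" % (lineno, src))
        if action not in ("ip_allow", "ip_deny"):
            raise ValueError("ip_allow.config line %d: bad action %s" % (lineno, action))
        rules.append(IpAllowRule(first, last, action, methods))
    return rules


def method_allowed(rules: List[IpAllowRule], src_ip: str, method: str) -> bool:
    """Decide whether src_ip may use method under the given rules."""
    ip = ipaddress.ip_address(src_ip)
    method = method.upper()
    for rule in rules:   # assumption: the first matching rule in file order decides
        if rule.matches(ip):
            listed = "ALL" in rule.methods or method in rule.methods
            return listed if rule.action == "ip_allow" else not listed
    return False         # no rule matched: nothing is allowed (the empty-file case)


if __name__ == "__main__":
    rules = parse_ip_allow(DEFAULT_IP_ALLOW)
    for ip, meth in (("127.0.0.1", "PURGE"), ("10.0.0.5", "PURGE"), ("10.0.0.5", "GET")):
        print(ip, meth, "allowed" if method_allowed(rules, ip, meth) else "denied")
    print("empty file, GET from localhost:", method_allowed(parse_ip_allow(""), "127.0.0.1", "GET"))
```

Running the script shows localhost keeping PURGE, everyone else losing PURGE/PUSH/DELETE but keeping GET, and an empty file denying even localhost.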

HostDB format change

The addition of full IPv6 support caused the on-disk format of the HostDB to change. You will need to remove the HostDB file before deploying 3.2. For example:

% sudo rm /usr/local/var/trafficserver/host.db

This should of course be done when the server is not running. Alternatively, it is also a good idea to clear the cache(s) before starting up 3.2.0 after the upgrade, e.g.:

% sudo traffic_server -Cclear_hostdb  # Clears the hostdb

% sudo traffic_server -Cclear # Clears *all* caches, including the HTTP cache

Stat snapshots

Since some statistics are persistent across restarts, it's also a good idea to remove the stats and configuration snapshots. For example:

% sudo rm /usr/local/var/trafficserver/*.snap

This again must be done when the server is not running.

Port Configuration

TS-1077 changed the way ports are configured for HTTP. The following configuration values are now deprecated:

proxy.config.http.server_port
proxy.config.http.server_port_attr
proxy.config.http.server_other_ports
proxy.config.http.ssl_ports

All of these are replaced by a single new configuration value:

proxy.config.http.server_ports

This value is a STRING consisting of a sequence of port specifications separated by spaces or commas. Each specification configures a listening port for ATS. Each specification is a set of keywords separated by colons. Some keywords can also take a value, which may be separated from the keyword by an optional '=' character. The case of keywords is ignored. The keyword order is irrelevant unless keywords conflict (e.g. tr-full and ssl), in which case the rightmost keyword dominates.

number

IP port. Required.

ipv6

Use IPv6.

ipv4

Use IPv4. Default.

tr-in

Use inbound transparency (to client).

tr-out

Use outbound transparency (to server).

tr-full

Full transparency, both inbound and outbound.

ssl

Use SSL termination.

blind

Use as a blind tunnel (for CONNECT).

ip-in

Use the keyword value as the local inbound (listening) address. This will also set the address family if not explicitly specified. If the IP address family is specified by ipv4 or ipv6 it must agree with this address.

ip-out

Use the value as the local address when connecting to a server. This may be specified twice, once for IPv4 and once for IPv6. The actual address used will be determined by the family of the origin server address.

Examples:

80 80:ipv6

Listen on port 80 on any address for IPv4 and IPv6.

8080:ipv6:tr-full 443:ssl 80:ip-in=192.168.17.1:ip-out=[fc01:10:10:1::1]:ip-out=10.10.10.1

Listen on port 8080 on any address for IPv6, fully transparent. Set up an SSL port on 443. Listen on IP address 192.168.17.1, port 80, IPv4, and connect to origin servers using the local address 10.10.10.1 for IPv4 and fc01:10:10:1::1 for IPv6.
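Because the keyword grammar above is easy to get subtly wrong (a bracketed IPv6 ip-out value contains colons, ipv4/ipv6 must agree with ip-in, and tr-full versus ssl resolves to the rightmost), it is worth validating a proposed proxy.config.http.server_ports value before restarting. The Python parser below is an added example written for this page; it is not ATS code and the PortSpec / parse_server_ports names are invented here. Where the text is silent this example makes assumptions, labelled in the comments: blind is treated as an independent flag, and a second ip-out for the same address family is rejected rather than overriding the first.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class PortSpecError(ValueError):
    """Raised for a malformed or self-contradictory port specification."""


@dataclass
class PortSpec:
    """One listening port as described by a proxy.config.http.server_ports entry."""
    port: int
    family: str = "ipv4"                # ipv4 is the default when nothing else decides it
    inbound_transparent: bool = False   # tr-in / tr-full
    outbound_transparent: bool = False  # tr-out / tr-full
    ssl: bool = False                   # ssl keyword
    blind: bool = False                 # blind keyword (assumed independent of the others)
    ip_in: Optional[str] = None         # ip-in value: local listening address
    ip_out: Dict[str, str] = field(default_factory=dict)  # family -> ip-out address


def _split_keywords(spec: str) -> List[str]:
    """Split one specification on ':' while keeping bracketed IPv6 literals whole."""
    parts, current, depth = [], [], 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    if depth != 0:
        raise PortSpecError("unbalanced '[' ']' in %r" % spec)
    return [p for p in parts if p]


def _address(value: str) -> str:
    """Validate an ip-in / ip-out value and return it without IPv6 brackets."""
    bare = value.strip("[]")
    try:
        ipaddress.ip_address(bare)
    except ValueError:
        raise PortSpecError("bad IP address %r" % value)
    return bare


def _family(addr: str) -> str:
    return "ipv6" if ipaddress.ip_address(addr).version == 6 else "ipv4"


def _value(keyword: str, prefix: str) -> str:
    """Value following a keyword; the '=' separator is optional per the spec."""
    value = keyword[len(prefix):]
    return value[1:] if value.startswith("=") else value


def parse_port_spec(spec: str) -> PortSpec:
    """Parse a single colon-separated specification such as '443:ssl'."""
    port: Optional[int] = None
    explicit_family: Optional[str] = None
    ps = PortSpec(port=0)
    for raw in _split_keywords(spec):
        key = raw.lower()                       # keyword case is ignored
        if key.isdigit():
            port = int(key)                     # the required 'number' keyword
        elif key in ("ipv4", "ipv6"):
            explicit_family = key
        elif key == "tr-in":
            ps.inbound_transparent = True
        elif key == "tr-out":
            ps.outbound_transparent = True
        elif key == "tr-full":                  # tr-full and ssl conflict: rightmost wins
            ps.inbound_transparent = ps.outbound_transparent = True
            ps.ssl = False
        elif key == "ssl":
            ps.ssl = True
            ps.inbound_transparent = ps.outbound_transparent = False
        elif key == "blind":
            ps.blind = True
        elif key.startswith("ip-in"):
            ps.ip_in = _address(_value(raw, "ip-in"))
        elif key.startswith("ip-out"):
            addr = _address(_value(raw, "ip-out"))
            fam = _family(addr)
            if fam in ps.ip_out:                # assumption: one ip-out per family
                raise PortSpecError("duplicate ip-out for %s in %r" % (fam, spec))
            ps.ip_out[fam] = addr
        else:
            raise PortSpecError("unknown keyword %r in %r" % (raw, spec))
    if port is None or not 1 <= port <= 65535:
        raise PortSpecError("missing or invalid port number in %r" % spec)
    ps.port = port
    if ps.ip_in is not None:                    # ip-in sets the family and must agree with ipv4/ipv6
        fam = _family(ps.ip_in)
        if explicit_family is not None and explicit_family != fam:
            raise PortSpecError("%s disagrees with ip-in %s in %r" % (explicit_family, ps.ip_in, spec))
        ps.family = fam
    else:
        ps.family = explicit_family or "ipv4"
    return ps


def parse_server_ports(value: str) -> List[PortSpec]:
    """Parse the whole STRING: specifications separated by spaces or commas."""
    return [parse_port_spec(s) for s in re.split(r"[\s,]+", value.strip()) if s]


if __name__ == "__main__":
    for ps in parse_server_ports("8080:ipv6:tr-full 443:ssl "
                                 "80:ip-in=192.168.17.1:ip-out=[fc01:10:10:1::1]:ip-out=10.10.10.1"):
        print(ps)
```

Feeding it the second example from the text yields three PortSpec records matching the prose description; feeding it "80:ipv6:ip-in=192.168.17.1" raises PortSpecError because the explicit family disagrees with the ip-in address.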

Note: For SSL you must still configure the certificates; this option handles only the port configuration.

Note: the old-style port configuration should still work, but support for it will be removed at some point in the future.
