This is a brief document describing some new features, and gotchas, when upgrading to ATS v3.2.
| Table of Contents |
|---|
SSL certificate configuration
TS-1147 removed the use of records.config to specify SSL certificates. All certificate file names must now be specified in ssl_multicert.config. The proxy.config.ssl.server.cert.filename and proxy.config.ssl.server.private_key.filename configuration parameters have been removed. The ssl_multicert.config has examples of a typical configuration, but here's a typical example:
| Code Block |
|---|
dest_ip=10.10.20.20 ssl_cert_name=example.pem ssl_key_name=example-key-nopass.pem |
HTTP Quick filtering configuration
TS-1140 removed proxy.config.http.quick_filter.mask from records.config - this functionality has been moved to ip_allow.config . This also means that ip_allow.config can not be empty, or nothing will be allowed. The default configuration for ip_allow is
| Code Block |
|---|
# Allow anything on localhost (this is the default configuration based on the # deprecated CONFIG proxy.config.http.quick_filter.mask INT 0x482) src_ip=127.0.0.1 action=ip_allow method=ALL src_ip=::1 action=ip_allow method=ALL # Deny PURGE, DELETE, and PUSH for all (this implies allow other methods for all) src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny method=PUSH|PURGE|DELETE |
HostDB format change
The addition of full IPv6 support caused the on-disk format of the HostDB to change. You will need to remove the HostDB file before deploying 3.2. For example:
| Code Block |
|---|
% sudo rm /usr/local/var/trafficserver/host.db |
This should of course be done when the server is not running. Alternatively, it's also a good idea to clear the cache(s) before starting up 3.2.0 after the upgrade. E.g.
| Code Block |
|---|
% sudo traffic_server -Cclear_hostdb # Clears the hostdb % sudo traffic_server -Cclear # Clears *all* caches, including the HTTP cache |
Stat snapshots
Since some statistics are persistent across restarts, it's also a good idea to remove the stats and configuration snapshots. For example:
| Code Block |
|---|
% sudo rm /usr/local/var/trafficserver/*.snap |
This again must be done when the server is not running.
Port Configuration
TS-1077 changed the way ports are configured for HTTP. The following configuration values are now deprecated
| Code Block |
|---|
proxy.config.http.server_port proxy.config.http.server_port_attr proxy.config.http.server_other_ports proxy.config.http.ssl_ports |
All of these are replaced by a single new configuration value
| Code Block |
|---|
proxy.config.http.server_ports |
This value is a STRING consisting of a sequence of port specificiations separated by spaces or commas. Each specification configures a listening port for ATS. Each specification is a set of keywords separated by colons. Some keywords can also have values which may be separated from the keyword by an optional '=' character. The case of keywords is ignored. The keyword order is irrelevant unless keywords conflict (e.g. tr-full and ssl) in which case the right most keyword dominates.
number | IP port. Required. |
ipv6 | Use IPv6. |
ipv4 | Use IPv4. Default. |
tr-in | Use inbound transparency (to client). |
tr-out | Use outbound transparency (to server). |
tr-full | Full transparency, both inbound and outbound. |
ssl | Use SSL termination. |
blind | Use as a blind tunnel (for |
ip-in | Use the keyword value as the local inbound (listening) address. This will also set the address family if not explicitly specified. If the IP address family is specified by |
ip-out | Use the value as the local address when connecting to a server. This may be specified twice, once for IPv4 and once for IPv6. The actual address used will be determined by the family of the origin server address. |
Examples -
| Code Block |
|---|
80 80:ipv6 |
Listen on port 80 on any address for IPv4 and IPv6.
| Code Block |
|---|
8080:ipv6:tr-full 443:ssl 80:ip-in=192.168.17.1:ip-out=[fc01:10:10:1::1]:ip-out=10.10.10.1 |
Listen on port 8080 any address for IPv6, fully transparent. Set up an SSL port on 443. Listen on IP address 192.168.17.1, port 80, IPv4, and connect to origin servers using the local address 10.10.10.1 for IPv4 and fc01:10:10:1::1 for IPv6.
Note: For SSL you must still configure the certificates, this option handles only the port configuration.
Note: old style configuration of ports should still work but support for that will be removed at some point in the future.