
ATS lacks the possibility of reporting SSL stats to an origin server via HTTP Headers
Open, Normal, Public

Description

Our current nginx setup as TLS terminator reports several SSL stats to varnish using the HTTP Header X-Connection-Properties:

proxy_set_header X-Connection-Properties "H2=$h2; SSR=$session_reused; SSL=$ssl_protocol; C=$ssl_cipher; EC=$ssl_ecdhe_curve;";

ATS currently doesn't support this feature but it should be easily implementable because they already track several stats:

The SSL stats should be exposed via the API to the Lua plugin, and the Elliptic Curve stat must be implemented.
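For reference, a sketch of how the receiving side could parse the X-Connection-Properties value and tally TLS parameters from it. This is an added example, not part of the task or of the nginx, ATS or varnish code; the key names come from the proxy_set_header line above, while the sample values (including 0/1 for H2 and SSR) and the function names are assumptions.

```python
from collections import Counter

# Keys taken from the proxy_set_header line in the task description.
KNOWN_KEYS = ("H2", "SSR", "SSL", "C", "EC")

def parse_connection_properties(value):
    """Parse 'K=V; K=V; ...' into a dict; raise ValueError on malformed input."""
    props = {}
    for field in value.split(";"):
        field = field.strip()
        if not field:  # the trailing ';' leaves an empty field
            continue
        key, sep, val = field.partition("=")
        if not sep or key not in KNOWN_KEYS:
            raise ValueError(f"unexpected field: {field!r}")
        if key in props:
            # A repeated key means two sources wrote the header; refuse to guess.
            raise ValueError(f"duplicate key: {key}")
        props[key] = val.strip()
    return props

def tally(headers, key):
    """Count the values of one property across many header values."""
    counts = Counter()
    for header in headers:
        try:
            props = parse_connection_properties(header)
        except ValueError:
            counts["<malformed>"] += 1
            continue
        # An empty value (e.g. no ECDHE curve negotiated) is counted as unset.
        counts[props.get(key) or "<unset>"] += 1
    return counts

# Constructed sample values, not captured traffic.
SAMPLE = [
    "H2=1; SSR=0; SSL=TLSv1.3; C=TLS_AES_256_GCM_SHA384; EC=X25519;",
    "H2=0; SSR=1; SSL=TLSv1.2; C=ECDHE-ECDSA-AES128-GCM-SHA256; EC=prime256v1;",
    "H2=0; SSR=0; SSL=TLSv1.2; C=AES128-SHA; EC=;",
    "H2=1; SSL=TLSv1.3; SSL=TLSv1.0;",  # duplicate key, rejected
]

if __name__ == "__main__":
    print(tally(SAMPLE, "SSL"))
    print(tally(SAMPLE, "EC"))
```
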

Event Timeline

Vgutierrez triaged this task as Normal priority. Jul 16 2019, 5:32 AM
Vgutierrez created this task.
ayounsi removed a subscriber: ayounsi. Jul 16 2019, 5:32 AM

Two PRs have been submitted to upstream:

Implement logging of SSL Elliptic Curve used: https://github.com/apache/trafficserver/pull/5724 has already been merged into master.

The API proposal part of https://github.com/apache/trafficserver/pull/5726 is currently being discussed on dev@trafficserver.apache.org

ema moved this task from Triage to TLS on the Traffic board. Jul 17 2019, 9:36 AM

Change 528984 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/debs/trafficserver@master] Backport commits required to report SSL stats to an origin server

https://gerrit.wikimedia.org/r/528984

Change 528984 merged by Vgutierrez:
[operations/debs/trafficserver@master] Backport commits required to report SSL stats to an origin server

https://gerrit.wikimedia.org/r/528984

Mentioned in SAL (#wikimedia-operations) [2019-08-09T07:31:45Z] <vgutierrez> uploaded trafficserver-8.0.3wm3 to apt.wikimedia.org (stretch) - T220383 T228135