This is a brief document describing some new features, and gotchas, when upgrading to ATS v3.2.
SSL certificate configuration
TS-1147 removed the use of records.config to specify SSL certificates. All certificate file names must now be specified in ssl_multicert.config. The proxy.config.ssl.server.cert.filename and proxy.config.ssl.server.private_key.filename configuration parameters have been removed. The ssl_multicert.config file includes examples of typical configurations; here is one:
Code Block |
---|
dest_ip=10.10.20.20 ssl_cert_name=example.pem ssl_key_name=example-key-nopass.pem
|
...
TS-1140 removed proxy.config.http.quick_filter.mask from records.config; this functionality has been moved to ip_allow.config. This also means that ip_allow.config cannot be empty, or nothing will be allowed. The default configuration for ip_allow is:
Code Block |
---|
# Allow anything on localhost (this is the default configuration based on the
# deprecated CONFIG proxy.config.http.quick_filter.mask INT 0x482)
src_ip=127.0.0.1 action=ip_allow method=ALL
src_ip=::1 action=ip_allow method=ALL
# Deny PURGE, DELETE, and PUSH for all (this implies allow other methods for all)
src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE
src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny method=PUSH|PURGE|DELETE
|
...
The addition of full IPv6 support caused the on-disk format of the HostDB to change. You will need to remove the HostDB file before deploying 3.2. For example:
Code Block |
---|
% sudo rm /usr/local/var/trafficserver/host.db
|
This should of course be done when the server is not running. Alternatively, it's also a good idea to clear the cache(s) before starting up 3.2.0 after the upgrade. For example:
Code Block |
---|
% sudo traffic_server -Cclear_hostdb # Clears the hostdb
% sudo traffic_server -Cclear # Clears *all* caches, including the HTTP cache
|
...
Since some statistics are persistent across restarts, it's also a good idea to remove the stats and configuration snapshots. For example:
Code Block |
---|
% sudo rm /usr/local/var/trafficserver/*.snap
|
...
TS-1077 changed the way ports are configured for HTTP. The following configuration values are now deprecated:
Code Block |
---|
proxy.config.http.server_port
proxy.config.http.server_port_attr
proxy.config.http.server_other_ports
proxy.config.http.ssl_ports
|
All of these are replaced by a single new configuration value:
Code Block |
---|
proxy.config.http.server_ports
|
...
number | IP port. Required. |
ipv6 | Use IPv6. |
ipv4 | Use IPv4. Default. |
tr-in | Use inbound transparency (to client). |
tr-out | Use outbound transparency (to server). |
tr-full | Full transparency, both inbound and outbound. |
ssl | Use SSL termination. |
blind | Use as a blind tunnel (for |
ip-in | Use the keyword value as the local inbound (listening) address. This will also set the address family if not explicitly specified. If the IP address family is specified by |
ip-out | Use the value as the local address when connecting to a server. This may be specified twice, once for IPv4 and once for IPv6. The actual address used will be determined by the family of the origin server address. |
Examples -
Code Block |
---|
80 80:ipv6
|
Listen on port 80 on any address for IPv4 and IPv6.
Code Block |
---|
8080:ipv6:tr-full 443:ssl 80:ip-in=192.168.17.1:ip-out=[fc01:10:10:1::1]:ip-out=10.10.10.1
|
...
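A small parser for the proxy.config.http.server_ports value format described above, added here as an example (it is not code from the original page or from Traffic Server), which lists the listeners worth confirming after the upgrade. It assumes descriptors are separated by whitespace and options by colons, as in the page's examples; the function names and the wording of the review notes are hypothetical.

```python
import re

FLAGS = {"tr-in", "tr-out", "tr-full", "ssl", "blind"}
# Split on ':' except inside [...] so a bracketed IPv6 literal stays whole.
_SEP = re.compile(r":(?![^\[]*\])")

def parse_descriptor(desc):
    """Parse one descriptor, e.g. '80:ip-in=192.168.17.1:ssl', into a dict."""
    p = {"port": None, "family": None, "flags": set(), "ip-in": None, "ip-out": []}
    for tok in _SEP.split(desc):
        key, _, val = tok.partition("=")
        if tok.isdecimal():
            p["port"] = int(tok)
        elif tok in ("ipv4", "ipv6"):
            p["family"] = tok
        elif tok in FLAGS:
            p["flags"].add(tok)
        elif key == "ip-in" and val:
            p["ip-in"] = val.strip("[]")
        elif key == "ip-out" and val:
            p["ip-out"].append(val.strip("[]"))
        else:
            raise ValueError(f"unknown option {tok!r} in {desc!r}")
    if p["port"] is None or not 0 < p["port"] < 65536:
        raise ValueError(f"missing or invalid port in {desc!r}")
    if len(p["ip-out"]) > 2:
        raise ValueError(f"ip-out given more than twice in {desc!r}")
    if p["family"] is None:
        # ip-in sets the family when none is given; otherwise ipv4 is the default.
        p["family"] = "ipv6" if p["ip-in"] and ":" in p["ip-in"] else "ipv4"
    return p

def review(server_ports):
    """Return (port, family, note) tuples for listeners to confirm after upgrade."""
    notes = []
    for p in map(parse_descriptor, server_ports.split()):
        where = p["ip-in"] or "any address"
        if "ssl" not in p["flags"] and "blind" not in p["flags"]:
            notes.append((p["port"], p["family"], f"plaintext HTTP on {where}"))
        if p["flags"] & {"tr-in", "tr-out", "tr-full"}:
            notes.append((p["port"], p["family"], "transparency enabled"))
    return notes

# Constructed input: the two example values shown on this page, joined.
SAMPLE = ("80 80:ipv6 8080:ipv6:tr-full 443:ssl "
          "80:ip-in=192.168.17.1:ip-out=[fc01:10:10:1::1]:ip-out=10.10.10.1")

if __name__ == "__main__":
    for note in review(SAMPLE):
        print(*note)
```

A misspelled option raises ValueError instead of being silently ignored, which makes the parser usable as a pre-deployment check on the new setting.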