Hier eine schnelle Zusammenfassung meiner Konfiguration des Apache Traffic Server (ATS) als Reverse-Proxy mit TLS-Terminierung.
records.config:
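###############################################################################
# records.config -- Apache Traffic Server (reverse proxy with TLS termination)
# One setting per line: CONFIG <name> <INT|STRING> <value>.  Only full-line
# "#" comments are allowed in this file.
###############################################################################

# Run as a reverse proxy (origin selection comes from remap.config).
CONFIG proxy.config.reverse_proxy.enabled INT 1
# Prefer IPv4 over IPv6 when resolving origin hostnames.
CONFIG proxy.config.hostdb.ip_resolve STRING ipv4;ipv6

###############################################################################
# Cacheability of origin responses:
#   0 = no headers required to make a document cacheable
#   1 = either Last-Modified or an explicit lifetime (Expires / Cache-Control:
#       max-age) is required
#   2 = an explicit lifetime (Expires / Cache-Control: max-age) is required
# default = 2
###############################################################################
CONFIG proxy.config.http.cache.required_headers INT 1
# Enable (1) / disable (0) caching of HTTP responses.
CONFIG proxy.config.http.cache.http INT 1
# Forward the client's original Host header to the origin instead of the
# remapped one.
# https://docs.trafficserver.apache.org/records.config#proxy-config-url-remap-pristine-host-hdr
CONFIG proxy.config.url_remap.pristine_host_hdr INT 1
# RAM cache eviction: 0 = CLFUS, 1 = LRU (simple).
# https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.config.en.html#proxy-config-cache-ram-cache-algorithm
CONFIG proxy.config.cache.ram_cache.algorithm INT 0
# RAM cache compression: 0 = disabled, 1 = fastlz, 2 = libz, 3 = liblzma.
CONFIG proxy.config.cache.ram_cache.compress INT 1
# Allow cache pinning.
CONFIG proxy.config.cache.permit.pinning INT 1
# Default 0. Also cache URLs that look dynamic (".asp", "?", ";", ".cgi").
# NOTE(review): combined with required_headers=1 this means a dynamic
# response that merely carries Last-Modified (and no Cache-Control) can be
# stored and served to *other* clients. Make sure personalised endpoints send
# "Cache-Control: private" or "no-store", otherwise this leaks user data.
CONFIG proxy.config.http.cache.cache_urls_that_look_dynamic INT 1

###############################################################################
# Addresses and ports to bind for HTTP and HTTPS. Docs:
# https://docs.trafficserver.apache.org/records.config#proxy-config-http-server-ports
###############################################################################
CONFIG proxy.config.http.server_ports STRING 80 443:ssl

###############################################################################
# Via header added to requests sent to the origin (not to client responses).
# Higher values disclose more about the proxy; 2 is the "extended" form. Docs:
# https://docs.trafficserver.apache.org/records.config#proxy-config-http-insert-request-via-str
###############################################################################
CONFIG proxy.config.http.insert_request_via_str INT 2

###############################################################################
# Remapping. remap_required=1 is what keeps this from being an open forward
# proxy: requests whose Host does not match a remap.config rule are refused.
# Docs:
# https://docs.trafficserver.apache.org/records.config#url-remap-rules
# https://docs.trafficserver.apache.org/en/latest/reference/configuration/remap.config.en.html
###############################################################################
CONFIG proxy.config.url_remap.remap_required INT 1
# Append the client IP to X-Forwarded-For on the request to the origin.
CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1

###############################################################################
# Logging. Docs:
# https://docs.trafficserver.apache.org/en/latest/admin-guide/files/logging.config.en.html
###############################################################################
CONFIG proxy.config.log.logging_enabled INT 3

###############################################################################
# TLS termination. Docs:
# https://docs.trafficserver.apache.org/records.config#client-related-configuration
# https://docs.trafficserver.apache.org/en/latest/reference/configuration/ssl_multicert.config.en.html
###############################################################################
# TLS 1.0 and 1.1 are deprecated (RFC 8996); only offer TLS 1.2.
# (The original config still had TLSv1_1 INT 1.)
CONFIG proxy.config.ssl.TLSv1 INT 0
CONFIG proxy.config.ssl.TLSv1_1 INT 0
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.server.multicert.filename STRING ssl_multicert.config
CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl
# Only needed if the private key is not bundled in the certificate file.
CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver/ssl
# NOTE(review): ".CA.cert.filename" expects a file, but a directory is given
# here; the directory form is proxy.config.ssl.client.CA.cert.path. This
# setting only matters when ATS talks TLS to origins -- verify it together
# with proxy.config.ssl.client.verify.server if origins are reached over TLS.
CONFIG proxy.config.ssl.client.CA.cert.filename STRING /etc/trafficserver/ssl
# Cipher list (OpenSSL syntax). Changes to the original:
#  * the "!..." exclusions were glued to DES-CBC3-SHA without a ":" separator,
#    so the exclusion list was not reliably applied;
#  * DES-CBC3-SHA (3DES, 64-bit block -> SWEET32) removed, "!3DES:!MD5" added;
#  * ECDHE (forward-secret) suites listed first; the static-RSA AES suites
#    are kept only for old clients and should be dropped when no longer
#    needed (they offer no forward secrecy).
# Consider also "proxy.config.ssl.server.honor_cipher_order INT 1" so the
# server's preference order above is enforced.
CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:!SRP:!DSS:!PSK:!aNULL:!eNULL:!RC4:!3DES:!MD5:!SSLv2:!SSLv3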
logging.config (siehe https://docs.trafficserver.apache.org/en/latest/admin-guide/files/logging.config.en.html) :
-- logging.config (Lua). Three log formats are declared; only "combined" is
-- attached to a log object at the bottom, "extended" and "extended2" are
-- defined but unused in this file.
extended = format {
  Format = "%<chi> - %<caun> [%<cqtn>] \"%<cqtx>\" %<pssc> %<pscl> %<sssc> %<sscl> %<cqcl> %<pqcl> %<cqhl> %<pshl> %<pqhl> %<sshl> %<tts>"
}

-- Same as "extended" plus proxy hierarchy route, client/proxy finish status
-- and cache result code.
extended2 = format {
  Format = "%<chi> - %<caun> [%<cqtn>] \"%<cqtx>\" %<pssc> %<pscl> %<sssc> %<sscl> %<cqcl> %<pqcl> %<cqhl> %<pshl> %<pqhl> %<sshl> %<tts> %<phr> %<cfsc> %<pfsc> %<crc>"
}

-- Apache "combined"-style line: client IP, timestamp, method + unmapped URL,
-- status, bytes, Referer and User-Agent.
-- NOTE(review): the request line / unmapped URL is logged verbatim; if
-- clients pass session tokens or other secrets in query strings they land
-- in this file -- check retention and file permissions of the log directory.
combined = format {
  Format = "%<chi> - - [%<cqtn>] \"%<cqhm> %<cquup>\" %<pssc> %<psql> \"%<{Referer}cqh>\" \"%<{User-Agent}cqh>\"",
  Interval = 1
}

-- The only log object: plain-text access log using the "combined" format.
log.ascii {
  Format = combined,
  Filename = "access"
}
plugin.config:
# plugin.config: one plugin per line, "<plugin>.so <its config file>".
# Plugins are loaded (and hook in) in this order.
header_rewrite.so rewrite.conf
# NOTE(review): this line points the gzip plugin at "gzip.conf", while the
# post's heading calls the file "gzip.config". The names must match the file
# actually on disk -- verify which one exists, otherwise the settings below
# are never read.
gzip.so gzip.conf
rewrite.conf:
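# header_rewrite rules. A "cond %{HOOK}" line opens a rule; the operators
# that follow it run in that hook until the next cond.

# --- inbound request (client -> ATS), before remap -----------------------
cond %{READ_REQUEST_HDR_HOOK}
# Drop a client-supplied "Proxy" header (httpoxy: CGI-style backends would
# expose it as HTTP_PROXY).
rm-header PROXY
# Overwrite instead of append. The original used add-header here, so a
# client could send its own X-Forwarded-Proto / X-REAL-IP and the origin
# would receive two values, the attacker-controlled one first -- i.e. the
# client IP and scheme seen by the backend were spoofable.
set-header X-Forwarded-Proto "%<proto>"
set-header X-REAL-IP "%<chi>"
# X-Forwarded-for is appended by ATS itself because records.config sets
# proxy.config.http.insert_squid_x_forwarded_for to 1. Strip the
# client-supplied copy so the origin sees exactly one, trusted value.
# (Assumes that setting stays enabled -- verify the origin sees one value.)
rm-header X-Forwarded-for

# --- origin response (origin -> ATS) -------------------------------------
cond %{READ_RESPONSE_HDR_HOOK}
add-header X-42 "DON'T PANIC"
# Security headers. add-header keeps any value the origin already sent, so
# an origin that sets these itself produces duplicate headers with possibly
# conflicting values; if that is the case, switch to set-header and decide
# which value should win.
add-header X-Frame-Options "SAMEORIGIN"
add-header X-Content-Type-Options "nosniff"
# X-Xss-Protection is legacy (modern browsers ignore it; current guidance
# is "0" or omitting it). Kept as in the original.
add-header X-Xss-Protection "1; mode=block"
# Consider adding, once every vhost is served over TLS only (HSTS is sticky):
# add-header Strict-Transport-Security "max-age=31536000"
add-header X-Clacks-Overhead "GNU Terry Pratchett" [L]

# --- response to the client (ATS -> client) ------------------------------
cond %{SEND_RESPONSE_HDR_HOOK}
# Hide the origin's Server banner.
set-header server "ATS"
add-header Referrer-Policy "strict-origin"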
gzip.config (https://docs.trafficserver.apache.org/en/7.1.x/admin-guide/plugins/gzip.en.html):
# gzip.config: global section first, optional per-domain overrides below.
enabled true
# Flush compressed output as it is produced (lower latency, slightly larger output).
flush true
supported-algorithms gzip,deflate
# Strip Accept-Encoding towards the origin so ATS (not the origin) compresses
# and the cache holds one uncompressed copy.
remove-accept-encoding true
# NOTE(review): responses are compressed on the TLS-terminating proxy. If a
# compressed text/* page reflects attacker-controlled input next to a secret
# (CSRF token, session id), this is the BREACH setting -- exclude such
# endpoints or make the secrets non-reflectable.
compressible-content-type text/*

# Example per-domain overrides (disabled):
#[domain1]
#enabled false
#[domain2]
#enabled true
#flush false
#supported-algorithms deflate,gzip
#compressible-content-type text/*
Die remap.config, ssl_multicert.config und cache.config sind in der jeweiligen Datei sehr gut beschrieben. Wichtig: Da `proxy.config.url_remap.remap_required` auf 1 steht, legt allein die remap.config fest, welche Hosts überhaupt ausgeliefert werden – alles andere wird abgewiesen, der ATS ist also kein offener Proxy.