{"id":508,"date":"2017-11-21T20:35:57","date_gmt":"2017-11-21T19:35:57","guid":{"rendered":"http:\/\/grenzdebiel.no-ip.biz\/?p=508"},"modified":"2018-05-07T11:50:42","modified_gmt":"2018-05-07T10:50:42","slug":"apache-traffic-server-konfiguration","status":"publish","type":"post","link":"https:\/\/blog.grenzdebiel.dynv6.net\/?p=508","title":{"rendered":"Apache Traffic Server – Konfiguration"},"content":{"rendered":"

Hier eine schnelle zusammenfassung meiner Konfiguration des Apache Traffic Server<\/a>.
\n
\nrecords.config:<\/p>\n

# enable Reverse-Proxy\r\nCONFIG proxy.config.reverse_proxy.enabled INT 1\r\n# prefer ipv4 than ipv6 for dns-resolve\r\nCONFIG proxy.config.hostdb.ip_resolve STRING ipv4;ipv6\r\n###############################################################################\r\n#    0 = no headers required to make document cacheable\r\n#    1 = either the Last-Modified header, or an explicit lifetime header, Expires or Cache-Control: max-age,is required\r\n#    2 = explicit lifetime is required, Expires or Cache-Control: max-age\r\n# default = 2\r\n###############################################################################\r\nCONFIG proxy.config.http.cache.required_headers INT 1\r\n#Enables (1) or disables (0) caching of HTTP requests\r\nCONFIG proxy.config.http.cache.http INT 1\r\n# https:\/\/docs.trafficserver.apache.org\/records.config#proxy-config-url-remap-pristine-host-hdr\r\nCONFIG proxy.config.url_remap.pristine_host_hdr INT 1\r\n# https:\/\/docs.trafficserver.apache.org\/en\/latest\/admin-guide\/files\/records.config.en.html#proxy-config-cache-ram-cache-algorithm 0 => CLFUS, 1 => LRU(simple)\r\nCONFIG proxy.config.cache.ram_cache.algorithm INT 0\r\n# RAM Cache Compression 0 -> disabled, 1 -> fastlz, 2 -> libz, 3 -> liblzma\r\nCONFIG proxy.config.cache.ram_cache.compress INT 1\r\n# enable pinning in cache\r\nCONFIG proxy.config.cache.permit.pinning INT 1\r\n# by default 0, cache dynamic content(url wit .asp ? ; .cgi)\r\nCONFIG proxy.config.http.cache.cache_urls_that_look_dynamic INT 1\r\n##############################################################################\r\n# Specify server addresses and ports to bind for HTTP and HTTPS. Docs:\r\n#    https:\/\/docs.trafficserver.apache.org\/records.config#proxy-config-http-server-ports\r\n##############################################################################\r\nCONFIG proxy.config.http.server_ports STRING 80 443:ssl\r\n##############################################################################\r\n# Via: headers. Docs:\r\n#     https:\/\/docs.trafficserver.apache.org\/records.config#proxy-config-http-insert-response-via-str\r\n##############################################################################\r\nCONFIG proxy.config.http.insert_request_via_str INT 2\r\n##############################################################################\r\n# These settings control remapping, and if the proxy allows (open) forward proxy or not. Docs:\r\n#    https:\/\/docs.trafficserver.apache.org\/records.config#url-remap-rules\r\n#    https:\/\/docs.trafficserver.apache.org\/en\/latest\/reference\/configuration\/remap.config.en.html\r\n##############################################################################\r\nCONFIG proxy.config.url_remap.remap_required INT 1\r\nCONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1\r\n##############################################################################\r\n# Logging Config. Docs:\r\n# https:\/\/docs.trafficserver.apache.org\/en\/latest\/admin-guide\/files\/logging.config.en.html\r\n##############################################################################\r\nCONFIG proxy.config.log.logging_enabled INT 3\r\n##############################################################################\r\n# SSL Termination. Docs:\r\n#    https:\/\/docs.trafficserver.apache.org\/records.config#client-related-configuration\r\n#    https:\/\/docs.trafficserver.apache.org\/en\/latest\/reference\/configuration\/ssl_multicert.config.en.html\r\n##############################################################################\r\nCONFIG proxy.config.ssl.TLSv1 INT 0\r\nCONFIG proxy.config.ssl.TLSv1_1 INT 1\r\nCONFIG proxy.config.ssl.TLSv1_2 INT 1\r\nCONFIG proxy.config.ssl.server.multicert.filename STRING ssl_multicert.config\r\nCONFIG proxy.config.ssl.server.cert.path STRING \/etc\/trafficserver\/ssl\r\n# only enable if private key not in cert\r\nCONFIG proxy.config.ssl.server.private_key.path STRING \/etc\/trafficserver\/ssl\r\nCONFIG proxy.config.ssl.client.CA.cert.filename STRING \/etc\/trafficserver\/ssl\r\n# use only the \"good\" ciphers\r\nCONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!RC4:!eNULL:!SSLv2:!SSLv3\r\n<\/pre>\n
logging.config (siehe https:\/\/docs.trafficserver.apache.org\/en\/latest\/admin-guide\/files\/logging.config.en.html<\/a>) :<\/p>\n
extended = format {\r\n        Format = \"%<chi> - %<caun> [%<cqtn>] \\\"%<cqtx>\\\" %<pssc> %<pscl> %<sssc> %<sscl> %<cqcl> %<pqcl> %<cqhl> %<pshl> %<pqhl> %<sshl> %<tts>\"\r\n}\r\n\r\nextended2 = format {\r\n        Format = \"%<chi> - %<caun> [%<cqtn>] \\\"%<cqtx>\\\" %<pssc> %<pscl> %<sssc> %<sscl> %<cqcl> %<pqcl> %<cqhl> %<pshl> %<pqhl> %<sshl> %<tts> %<phr> %<cfsc> %<pfsc> %<crc>\"\r\n}\r\n\r\ncombined = format {\r\n        Format = \"%<chi> - - [%<cqtn>] \\\"%<cqhm> %<cquup>\\\" %<pssc> %<psql> \\\"%<{Referer}cqh>\\\" \\\"%<{User-Agent}cqh>\\\"\",\r\n        Interval = 1\r\n}\r\n\r\nlog.ascii {\r\n        Format = combined,\r\n        Filename = \"access\"\r\n}\r\n<\/pre>\n
plugin.config:<\/p>\n
header_rewrite.so rewrite.conf\r\ngzip.so gzip.conf<\/pre>\n
rewrite.conf:<\/p>\n
cond %{READ_REQUEST_HDR_HOOK}\r\nrm-header PROXY\r\ncond %{READ_REQUEST_HDR_HOOK}\r\nadd-header X-Forwarded-Proto \"%<proto>\"\r\ncond %{READ_REQUEST_HDR_HOOK}\r\nadd-header X-Forwarded-for \"%<chi>\"\r\ncond %{READ_REQUEST_HDR_HOOK}\r\nadd-header X-REAL-IP \"%<chi>\"\r\ncond %{READ_RESPONSE_HDR_HOOK}\r\nadd-header X-42 \"DON'T PANIC\"\r\ncond %{READ_RESPONSE_HDR_HOOK}\r\nadd-header X-Frame-Options \"SAMEORIGIN\"\r\ncond %{READ_RESPONSE_HDR_HOOK}\r\nadd-header X-Content-Type-Options \"nosniff\"\r\ncond %{READ_RESPONSE_HDR_HOOK}\r\nadd-header X-Xss-Protection \"1; mode=block\"\r\ncond %{SEND_RESPONSE_HDR_HOOK}\r\nset-header server \"ATS\"\r\ncond %{SEND_RESPONSE_HDR_HOOK}\r\nadd-header Referrer-Policy \"strict-origin\"\r\ncond %{READ_RESPONSE_HDR_HOOK}\r\nadd-header X-Clacks-Overhead \"GNU Terry Pratchett\" [L]<\/pre>\n
gzip.config (https:\/\/docs.trafficserver.apache.org\/en\/7.1.x\/admin-guide\/plugins\/gzip.en.html<\/a>):<\/p>\n
enabled true\r\nflush true\r\nsupported-algorithms gzip,deflate\r\nremove-accept-encoding true\r\ncompressible-content-type text\/*\r\n\r\n#[domain1]\r\n#enabled false\r\n\r\n#[domain2]\r\n#enabled true\r\n#flush false\r\n#supported-algorithms deflate,gzip\r\n#compressible-content-type text\/*<\/pre>\n
 <\/p>\n
Die remap.config, ssl_multicert.config und cache.conf sind sehr gut in der jeweiligen Datei beschrieben.<\/p>\n","protected":false},"excerpt":{"rendered":"
Hier eine schnelle zusammenfassung meiner Konfiguration des Apache Traffic Server.<\/p>\n","protected":false},"author":1,"featured_media":308,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,43,27,9,12],"tags":[136,134,124,135],"class_list":["post-508","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-allgemein","category-cubietruck","category-linux","category-raspberry-pi","category-software-pi","tag-apache-traffic-server","tag-ats","tag-reverse-proxy","tag-trafficserver"],"_links":{"self":[{"href":"https:\/\/blog.grenzdebiel.dynv6.net\/index.php?rest_route=\/wp\/v2\/posts\/508","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.grenzdebiel.dynv6.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.grenzdebiel.dynv6.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.grenzdebiel.dynv6.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.grenzdebiel.dynv6.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=508"}],"version-history":[{"count":1,"href":"https:\/\/blog.grenzdebiel.dynv6.net\/index.php?rest_route=\/wp\/v2\/posts\/508\/revisions"}],"predecessor-version":[{"id":511,"href":"https:\/\/blog.grenzdebiel.dynv6.net\/index.php?rest_route=\/wp\/v2\/posts\/508\/revisions\/511"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.grenzdebiel.dynv6.net\/index.php?rest_route=\/wp\/v2\/media\/308"}],"wp:attachment":[{"href":"https:\/\/blog.grenzdebiel.dynv6.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=508"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.grenzdebiel.dynv6.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=508"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.grenzdebiel.dynv6.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=508"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}