Discussion:
TLS - Client Certificate Authentication
Jeremy Payne
2018-03-27 19:08:13 UTC
Context:
ATS server terminating multiple secure sites

Question:
Is there an out-of-the-box configuration that allows me to
require client certificates if the client hello/handshake matches a
specific SNI value?


Something like:

+++
if

SNI matches foor.bar

then

proxy.config.ssl.client.certification_level INT 3
+++


I can't simply set 'proxy.config.ssl.client.certification_level' to 3
on a global basis as this would impact other secure sites that don't
require a client certificate.

Thanks!
Persia Aziz
2018-03-27 19:15:19 UTC
ATS 8 includes ssl_server_name.config to do such SNI-based tasks.
ssl_server_name.config — Apache Traffic Server 8.0.0 documentation
<https://docs.trafficserver.apache.org/en/latest/admin-guide/files/ssl_server_name.config.en.html>

Example:
server_config = {
{ fqdn="example.com", verify_client=MODERATE },
{ fqdn="*.yahoo.com", verify_client=STRICT }
}
Syeda Persia Aziz
Software Developer
Yahoo! Inc.
Champaign, Illinois

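A way to check the resulting policy before deploying such a file, as an added example that is not from this thread or from the ATS project: a small Python script that parses a server_config table in the syntax shown above and reports which verify_client level a given SNI would resolve to, plus a pre-deploy check that every host meant to demand a client certificate actually resolves to STRICT. The matching semantics (a leading `*.` covering any subdomain, exact entries winning over wildcards, longest wildcard winning among wildcards, and NONE as the fallback standing in for the global records.config setting) are assumptions made for the example, not ATS's documented matching rules, so compare them against the documentation for the release you run.

```python
import re

# Constructed sample in the ssl_server_name.config table syntax used in the thread.
# The third entry is the hypothetical "foo.bar" site from the original question.
SAMPLE_CONFIG = """
server_config = {
  { fqdn="example.com", verify_client=MODERATE },
  { fqdn="*.yahoo.com", verify_client=STRICT },
  { fqdn="foo.bar", verify_client=STRICT }
}
"""

# Documented verify_client values for ssl_server_name.config.
VALID_LEVELS = {"NONE", "MODERATE", "STRICT"}

# One inner { ... } entry; the outer braces contain '{' so they never match.
ENTRY_RE = re.compile(r"\{\s*([^{}]*?)\s*\}")
# key=value pairs, value either a quoted string or a bare word.
KV_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(\w+))')


def parse_server_config(text):
    """Return a list of dicts, one per entry of the server_config table.

    Entries without verify_client get NONE (assumption: that is the
    'do not ask for a certificate' level and a safe thing to surface).
    """
    if "=" not in text:
        raise ValueError("no 'server_config = {...}' assignment found")
    body = text.split("=", 1)[1]
    entries = []
    for m in ENTRY_RE.finditer(body):
        fields = {}
        for key, quoted, bare in KV_RE.findall(m.group(1)):
            fields[key] = quoted if quoted else bare
        if "fqdn" not in fields:
            raise ValueError("entry without fqdn: %r" % m.group(0))
        level = fields.get("verify_client", "NONE")
        if level not in VALID_LEVELS:
            raise ValueError("unknown verify_client %r for %s" % (level, fields["fqdn"]))
        fields["verify_client"] = level
        entries.append(fields)
    return entries


def matches(pattern, sni):
    """Assumed semantics: '*.example.com' matches any host below example.com
    (but not example.com itself); anything else must match exactly."""
    pattern, sni = pattern.lower(), sni.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return sni.endswith(suffix) and len(sni) > len(suffix)
    return pattern == sni


def resolve_verify_client(entries, sni, default="NONE"):
    """Level that applies to a connection presenting `sni`.

    `default` stands in for the global certification level from records.config
    (assumption for this example). A connection with no SNI falls through to it.
    """
    if not sni:
        return default
    exact = [e for e in entries
             if not e["fqdn"].startswith("*.") and matches(e["fqdn"], sni)]
    if exact:
        return exact[0]["verify_client"]
    wild = [e for e in entries
            if e["fqdn"].startswith("*.") and matches(e["fqdn"], sni)]
    if wild:
        # Longest pattern is the most specific one.
        return max(wild, key=lambda e: len(e["fqdn"]))["verify_client"]
    return default


def hosts_not_strict(entries, required_snis, default="NONE"):
    """Pre-deploy check: names that should demand a client certificate
    but would not resolve to STRICT with this configuration."""
    return [s for s in required_snis
            if resolve_verify_client(entries, s, default) != "STRICT"]


if __name__ == "__main__":
    cfg = parse_server_config(SAMPLE_CONFIG)
    for name in ["example.com", "mail.yahoo.com", "yahoo.com", "foo.bar", None]:
        print("%-16s -> %s" % (name, resolve_verify_client(cfg, name)))
    print("missing STRICT:", hosts_not_strict(cfg, ["foo.bar", "example.com"]))
```

Running the script prints the level for each sample name and lists `example.com` as the one required host that would only get MODERATE; feed it your real file and the list of hosts that must present a certificate to catch a mismatch before reloading the configuration.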
Jeremy Payne
2018-03-27 20:53:17 UTC
Will Lua code run from these Lua 'config' files? Or is the main purpose of
the 'config' file to define a set of dictionaries?
Since this config is read during the client handshake, it would seem the best
time to dynamically set upstream servers (based on whatever conditions) for
tunneled connections.
Persia Aziz
2018-03-27 21:02:04 UTC
The config file defines the properties of the fqdns. ATS reads from the config during initialization and populates its own internal data structure. Hence the configuration is not dynamic that way yet unfortunately. The config is reloadable by the way.

Syeda Persia Aziz
Software Developer
Yahoo! (Oath)
Champaign, Illinois

