# sni.yaml
#
# Documentation:
# https://docs.trafficserver.apache.org/en/latest/admin-guide/files/sni.yaml.en.html
#
#
# This configuration file
# - sets the SSL actions to be performed based on the server name provided during the SSL handshake phase (SNI extension)
# - sets the SSL properties required to make the SSL connection to the next hop or origin server.
#
# YAML-based Configuration file
# Format :
# Actions available:
# ip_allow - list or range of client IP addresses or subnets that are allowed for this connection. Subnets are accepted
# in CIDR format.
# verify_server_policy - sets the verification flag for verifying the server certificate; parameters = one of 'DISABLED', 'PERMISSIVE', 'ENFORCED'
# verify_server_properties - sets the flag to control what Traffic Server checks when evaluating the origin certificate;
# parameters = one of 'NONE', 'SIGNATURE', 'NAME', and 'ALL'
# verify_client - sets the verification flag for verifying the client certificate; parameters = one of 'NONE', 'MODERATE' or 'STRICT'
# verify_client_ca_certs - specifies an alternate set of certificate authority certs to use to verify the client cert.
# host_sni_policy - sets the flag that controls how policy-impacting mismatches between the Host header and the SNI value are handled;
# parameters = one of 'DISABLED', 'PERMISSIVE', or 'ENFORCED'
# valid_tls_versions_in - sets the list of TLS protocol versions that will be offered to user agents during the TLS negotiation;
# parameters = a list drawn from 'TLSv1', 'TLSv1_1', 'TLSv1_2', and 'TLSv1_3'.
# client_cert - sets the client certificate to present to the server specified in dest_host; parameters = certificate file.
# The location of the certificate file is relative to the proxy.config.ssl.server.cert.path directory.
# client_key - sets the file containing the client private key that corresponds to the certificate for the outbound connection.
# client_sni_policy - policy for the SNI value sent on the outbound connection.
# http2 - adds HTTP/2 (H2) to, or removes it from, the protocol list advertised by ATS; parameters = on or off (no other parameter is required)
# tunnel_route - sets the end-to-end (e2e) tunnel route
# forward_route - destination as an FQDN and port, separated by a colon (:).
# This is similar to tunnel_route, but it terminates the TLS connection and forwards the decrypted (plaintext) traffic to the destination.
# partial_blind_route - destination as an FQDN and port, separated by a colon (:).
# This is similar to forward_route in that Traffic Server terminates the incoming TLS connection;
# in addition, partial_blind_route creates a new TLS connection to the specified origin.
# tunnel_alpn - list of ALPN protocol IDs for the partial blind tunnel.
#
# Example:
# sni:
#   - fqdn: one.com
#     http2: off
#     verify_server_policy: ENFORCED
#     client_cert: somepem.pem
#     verify_client: MODERATE
#   - fqdn: two.com
#     tunnel_route: two.com
#     ip_allow: '10.0.0.1-10.0.0.255'