Details
Description
In the presence of multiple A(AA) records from DNS, most consumer browsers will choose an alternate record if their current selected record is unreachable. This allows the browser to successfully mitigate downed servers and stale/erroneous DNS entries.
However, an intercepting proxy will establish a connection for a given endpoint regardless of the state of the upstream endpoint. As a result, the browser's ability to detect downed origin servers is completely neutralized.
When proxy.config.http.use_client_target_addr is enabled, this situation creates a localized service outage. ATS will skip DNS checks in favor of using the endpoint address that the client was attempting to connect to during interception. If this endpoint is unreachable, ATS will send an error response (50x) to the user's browser. Since the browser assumes this is from the Origin Server, it makes no attempt to move to the next DNS record.
In the event that a DNS record is erroneous or the most commonly selected record (the first one?) points to a down server, this can deny access to a destination for users behind the transparent proxy, while users who are not intercepted merely see increased latency as their browser cycles through bad DNS entries looking for a good address.
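An added pre-flight check (not part of this ticket or of ATS) that an operator can run before enabling use_client_target_addr: it resolves every A/AAAA record of an origin, probes each one over TCP, and reports which records a non-intercepted browser would simply skip past but which would become a hard 50x behind the intercepting proxy. The hostname and addresses in the sample run are constructed (RFC 5737 documentation range); the resolver and prober are injectable so the sample runs offline.

```python
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]   # hostname -> all A/AAAA addresses, resolver order
Prober = Callable[[str, int], bool]     # (address, port) -> True if TCP connect succeeds


def resolve_all(host: str) -> List[str]:
    """Return every distinct A and AAAA address for host, in resolver order."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    seen: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in infos:
        if sockaddr[0] not in seen:
            seen.append(sockaddr[0])
    return seen


def tcp_probe(addr: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to (addr, port) completes within timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_origin(host: str, port: int = 80,
                 resolve: Resolver = resolve_all, probe: Prober = tcp_probe) -> Dict[str, object]:
    """Classify the records of host for the failure mode described in the ticket.

    'direct'         : the record a non-intercepted browser ends up on (first reachable).
    'hard_fail'      : records that, under use_client_target_addr, make the proxy answer
                       50x so the browser never tries the remaining records.
    'safe_to_enable' : True only when every published record is currently reachable.
    """
    addrs = resolve(host)
    up = {a: probe(a, port) for a in addrs}
    reachable = [a for a in addrs if up[a]]
    return {
        "host": host,
        "records": addrs,
        "direct": reachable[0] if reachable else None,
        "hard_fail": [a for a in addrs if not up[a]],
        "safe_to_enable": bool(addrs) and all(up.values()),
    }


if __name__ == "__main__":
    # Constructed sample: two records, the first pointing at a down server.
    sample_dns = {"origin.example.test": ["192.0.2.10", "192.0.2.11"]}
    down = {"192.0.2.10"}
    print(audit_origin("origin.example.test", 80,
                       resolve=sample_dns.__getitem__, probe=lambda a, p: a not in down))
```

Run it against a real origin with the defaults to use live DNS and TCP probes.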
Issue Links
- contains: TS-1307 Enable using client IP family for server connection (Closed)