This is edited from a proposal I made on the dev mailing list March 19, 2023.
I would like to propose another port descriptor, allow-plain. The current list is recorded in the documentation link below.
https://docs.trafficserver.apache.org/admin-guide/files/records.config.en.html#proxy-config-http-server-ports
With this port descriptor, if the TLS client hello does not work for a TLS connection, this descriptor indicates that ATS should attempt to process the connection as a non-TLS HTTP connection.
This is useful for our dynamic transparent case. If our policy has traffic on a random port, e.g. 5555, we cannot know whether that traffic should be TLS or or non-TLS. If the SSL port is decorated with allow-plain, we can start with TLS processing and then attempt non-TLS. While our use case is for the transparent mode, allow-plain will function on non-transparent connections as well.
This is edited from a proposal I made on the dev mailing list March 19, 2023.
I would like to propose another port descriptor, allow-plain. The current list is recorded in the documentation link below.
https://docs.trafficserver.apache.org/admin-guide/files/records.config.en.html#proxy-config-http-server-ports
With this port descriptor, if the TLS client hello does not work for a TLS connection, this descriptor indicates that ATS should attempt to process the connection as a non-TLS HTTP connection.
This is useful for our dynamic transparent case. If our policy has traffic on a random port, e.g. 5555, we cannot know whether that traffic should be TLS or or non-TLS. If the SSL port is decorated with allow-plain, we can start with TLS processing and then attempt non-TLS. While our use case is for the transparent mode, allow-plain will function on non-transparent connections as well.