trafficserver-users mailing list archives

From Paul Tader <pta...@collectivei.com>
Subject Re: forward proxy - Restricting domains.
Date Mon, 12 Jan 2015 20:28:35 GMT

> On Jan 12, 2015, at 11:42 AM, James Peach <jpeach@apache.org> wrote:
> 
> 
>> On Jan 12, 2015, at 9:23 AM, Paul Tader <ptader@collectivei.com> wrote:
>> 
>>> 
>>> On Jan 9, 2015, at 3:51 PM, Paul Tader <ptader@collectivei.com> wrote:
>>> 
>>>> 
>>>> On Jan 9, 2015, at 3:38 PM, Leif Hedstrom <zwoop@apache.org> wrote:
>>>> 
>>>> 
>>>>> On Jan 9, 2015, at 2:29 PM, Paul Tader <ptader@collectivei.com> wrote:
>>>>> 
>>>>> Doesn’t this break the forward proxy then?
>>>>> 
>>>>> # To enable forward proxy, you must turn off remap_required
>>>>> CONFIG proxy.config.url_remap.remap_required INT 1
>>>> 
>>>> That’s somewhat confusing. remap_required disables “open forward proxying”. ATS actually doesn’t know / care about forward vs reverse proxy, it’s just a matter of what requests you allow through. What this setting is saying is “Without an explicit rule matching in remap.config, deny the request”. There’s a similar one for reverse proxy.
>>>> 
>>>> — Leif
>>>> 
>>> 
>>> Ok, thanks for clearing that up.  With that said, I kept the setting at “1” and changed the remap.config file to what’s listed below.  Unfortunately I was still able to connect to sites not listed in remap.config.
>>> 
>>> .defflt  internal_only @action=allow  @src_ip=10.0.0.0-255.255.255.255
>>> 
>>> .useflt internal_only
>>> map https://www.facebook.com    https://www.facebook.com
>>> map https://www.yahoo.com       https://www.yahoo.com
>>> map http://finance.yahoo.com    http://finance.yahoo.com
>>> 
>>> 
>>> 1420840183.867 126 10.1.2.3 TCP_MISS/200 38458 GET http://www.oracle.com/index.html - DIRECT/www.oracle.com text/html -
>>> 
>>> Not sure it matters, but I also have our networks’ IPs listed in ip_allow.config.
>>> 
>> 
>> Is there an equivalent to .deactivatefilter in ATS 3?
> 
> "unusefilter", "deactivatefilter", "unactivefilter", "deuseflt", and "unuseflt" are all synonyms. I thought that they had all been there forever, but maybe some synonyms were not present in 3 ...
> 
> J

I was hoping, but I don’t see those directives in the documentation, and when adding that text I’m met with an error:
[Jan 12 18:23:54.607] Server {47752783210240} WARNING: Could not add rule at line #151; Aborting!

I was hoping to replicate what is in later ATS versions, for example:

[remap.config]
.defflt  disable_all @action=deny
.defflt  internal_only @action=allow

.useflt disable_all
.useflt internal_only
map http://url.com   http://url.com
map http://url2.com  http://url2.com
map http://url3.com  http://url3.com
.disableflt internal_only

(all other sites should be blocked).
[remap.config end]

…kind of replicating what iptables does, fall through until you match a rule.  
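As an added example, not code from this thread or from Apache Traffic Server, here is a small Python audit that does by hand what the poster did when spotting the oracle.com line: it reads the hosts named in the `map` rules of a remap.config and walks a squid-format ATS access log, flagging any request that reached an origin (2xx/3xx) for a host no `map` rule covers. With `proxy.config.url_remap.remap_required` at 1 such lines should not exist, so each one is evidence the proxy is still acting as an open forward proxy. Assumptions: only plain `map` rules are considered (regex_map and the filter directives contribute no hosts), CONNECT tunnels are skipped because they are logged without a scheme, and the log lines other than the oracle.com one from the thread are constructed for illustration.

```python
"""Audit an ATS squid-format access log against the hosts allowed by remap.config.

Assumption: with proxy.config.url_remap.remap_required INT 1, a request whose
host matches no `map` rule is denied, so a 2xx/3xx for an unmapped host means
the proxy served it anyway (open forward proxy).
"""
import re
from urllib.parse import urlsplit

# Constructed remap.config modelled on the one posted in the thread.
REMAP_CONFIG = """\
.defflt  internal_only @action=allow  @src_ip=10.0.0.0-255.255.255.255

.useflt internal_only
map https://www.facebook.com    https://www.facebook.com
map https://www.yahoo.com       https://www.yahoo.com
map http://finance.yahoo.com    http://finance.yahoo.com
"""

# Log lines in the squid format shown in the thread. The first is the
# oracle.com line from the thread; the other two are constructed.
ACCESS_LOG = """\
1420840183.867 126 10.1.2.3 TCP_MISS/200 38458 GET http://www.oracle.com/index.html - DIRECT/www.oracle.com text/html -
1420840190.001 80 10.1.2.3 TCP_MISS/200 1024 GET http://finance.yahoo.com/ - DIRECT/finance.yahoo.com text/html -
1420840195.500 2 10.1.2.3 TCP_MISS/403 0 GET http://www.example.com/ - NONE/- text/html -
"""

# Squid log layout: timestamp elapsed client cache_result/status bytes method url ...
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<cache>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)(?:\s|$)"
)


def mapped_hosts(remap_text):
    """Return the set of (scheme, host) pairs used as the from-URL of `map` rules.

    Filter directives (.defflt/.useflt/...), comments and blank lines add no
    hosts; regex_map rules are deliberately ignored (assumption: not in use).
    """
    hosts = set()
    for line in remap_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "map":
            continue
        u = urlsplit(parts[1])
        if u.scheme and u.hostname:
            hosts.add((u.scheme.lower(), u.hostname.lower()))
    return hosts


def parse_log_line(line):
    """Parse one squid-format line into a dict, or return None if it does not match."""
    m = SQUID_RE.match(line)
    if not m:
        return None
    u = urlsplit(m.group("url"))
    return {
        "client": m.group("client"),
        "status": int(m.group("status")),
        "method": m.group("method"),
        "scheme": u.scheme.lower(),
        "host": (u.hostname or "").lower(),
        "url": m.group("url"),
    }


def find_unmapped_served(log_text, remap_text):
    """Return log entries for unmapped hosts that still got a 2xx/3xx response.

    CONNECT tunnels are skipped: their URL is host:port with no scheme, so
    they cannot be compared against a scheme-qualified map rule here.
    """
    allowed = mapped_hosts(remap_text)
    leaks = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None or entry["method"] == "CONNECT":
            continue
        if (entry["scheme"], entry["host"]) in allowed:
            continue
        if 200 <= entry["status"] < 400:
            leaks.append(entry)
    return leaks


if __name__ == "__main__":
    for e in find_unmapped_served(ACCESS_LOG, REMAP_CONFIG):
        print(f"OPEN-PROXY: {e['client']} {e['method']} {e['url']} -> {e['status']}")
```

Run it against the real access.log and remap.config by reading those files into `ACCESS_LOG` and `REMAP_CONFIG`; an empty result after a config change and reload is the check that remap_required is actually closing the proxy, which is what the thread's oracle.com line shows was not yet the case.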