trafficserver-users mailing list archives

From Sudheer Vinukonda <sudhe...@yahoo-inc.com>
Subject Re: forward proxy - Restricting domains.
Date Fri, 09 Jan 2015 18:02:57 GMT
I think you would need to use named_filters to specify ranges in remap.config.

remap.config — Apache Traffic Server 5.3.0 documentation


   

     On Friday, January 9, 2015 9:50 AM, Paul Tader <ptader@collectivei.com> wrote:
   

 

On Jan 9, 2015, at 10:33 AM, Paul Tader <ptader@collectivei.com> wrote:


On Jan 9, 2015, at 10:22 AM, James Peach <jpeach@apache.org> wrote:



On Jan 9, 2015, at 8:00 AM, Paul Tader <ptader@collectivei.com> wrote:

Hmm, I didn’t think about a DNS blackhole.  For now I’m looking into additional remap
files using the “.include” directive in remap.config but I get these errors after running
traffic_line -x

[Jan  9 15:57:04.270] Server {47752783210240} WARNING: Could not add rule at line #126; Aborting!
[Jan  9 15:57:04.270] Server {47752783210240} WARNING: [ReverseProxy] Unknown directive ".include" at line 126
[Jan  9 15:57:04.270] Server {47752783210240} WARNING: something failed during BuildTable() -- check your remap plugins!
[Jan  9 15:57:04.270] Server {47752783210240} WARNING: failed to reload remap.config, not replacing!

My remap.conf has these two lines:

.include /etc/trafficserver/filters.config
.include /etc/trafficserver/set1.remap.config

…which is odd because the documentation states:

"The .include directive allows mapping rules to be spread across multiple files. The argument
to the .include directive is a list of file names to be parsed for additional mapping rules."

http://trafficserver.readthedocs.org/en/latest/reference/configuration/remap.config.en.html


Does your version of ATS match the version of the docs?



Nope and I apologize for that. Time to upgrade.

Thanks everyone.



Before I upgrade, I’ve tried a “deny all” map as the last line in remap.conf and listing
all the allowed sites before this deny line, but it doesn’t take.  Can something like this
be done?  (ATS version 3.04)
...
map http://apache.org/   http://apache.org   @action=allow   @src_ip=12.34.56.123
map /                    http://127.0.0.1    @action=deny @src_ip=0.0.0.1-254.254.254.254










On Jan 8, 2015, at 8:56 PM, Leif Hedstrom <zwoop@apache.org> wrote:



On Jan 8, 2015, at 10:53 AM, Paul Tader <ptader@collectivei.com> wrote:

We have a forward only proxy server configured. How can I restrict an internal IP address or
IP address range to only be able to proxy certain top level domains (i.e. google.com, yahoo.com,
etc)?  I’ve read a lot on remapping, but I don’t think that is the correct approach.



DNS blackholing as suggested seems like a reasonable solution. If your list of domains is
smallish, then something in remap.config might work as well. I’ve done this in the past,
blocking all but a few HTTPS sites (via setting remap.required to 1 in records.config). The
other option is to allow all sites, but list the ones that you intend to block (map them to
some nonexistent domain or IP, e.g. 10.0.0.0).

Fwiw, remap rules like this with CONNECT methods only work in 5.0.0 and later.

— Leif
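
The allow-list approach discussed in this thread, combined with the named filters mentioned in the reply, as an added configuration sketch that is not from any of the posters. It assumes an ATS version whose remap.config documentation describes the named-filter directives (such as the 5.3.0 docs linked above); the filter name `allowed_clients` and the 192.0.2.x client range are constructed placeholders.

```conf
# --- records.config ---
# Reject any request that matches no remap rule, so the map lines
# below act as the allow-list (the "remap required" setting Leif
# mentions).
CONFIG proxy.config.url_remap.remap_required INT 1

# --- remap.config ---
# Named filter holding the permitted client range. The name and the
# addresses are constructed; substitute the internal range.
.definefilter allowed_clients @action=allow @src_ip=192.0.2.1-192.0.2.254

# Every rule between activate and deactivate inherits the filter, so
# the source range is written once instead of on each map line.
.activatefilter allowed_clients

# Permitted destinations, each mapped to itself for forward proxying.
map http://google.com/      http://google.com/
map http://www.google.com/  http://www.google.com/
map http://yahoo.com/       http://yahoo.com/
map http://www.yahoo.com/   http://www.yahoo.com/

.deactivatefilter allowed_clients

# No catch-all "map /" deny rule is needed: with remap_required set,
# a request for any host not listed above has no matching rule and is
# refused.
# HTTPS through the proxy arrives as CONNECT; per Leif's note, remap
# rules for CONNECT only work in 5.0.0 and later.
```

After editing, reload with `traffic_line -x` as in the thread and check the log for the "failed to reload remap.config" warning before relying on the new rules.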






   