trafficserver-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sudheer Vinukonda <>
Subject Re: Get Origin IP in Lua
Date Mon, 12 Jan 2015 22:29:24 GMT
I am not sure if there's any such "built-in" solution to control the IP ranges that ats communicates
to, on the origin side. You may need to write a plugin to be able to do that (a somewhat similar
plugin that can perform ACLs for the client connections is available at GeoIP ACLs Plugin
— Apache Traffic Server 5.3.0 documentation). 
|   |
|   |   |   |   |   |
| GeoIP ACLs Plugin — Apache Traffic Server 5.3.0 documentationConfiguration Once installed,
there are three primary use cases, which we will discussin details.  |
|  |
| View on | Preview by Yahoo |
|  |
|   |

The closest thing I can find that can control origin communication is via congestion.config
— Apache Traffic Server 5.3.0 documentation, but, that only allows to configure a single
destination (and not a range).
|   |
|   |   |   |   |   |
| congestion.config — Apache Traffic Server 5.3.0 documentationcongestion.config  |
|  |
| View on | Preview by Yahoo |
|  |
|   |


     On Monday, January 12, 2015 11:29 AM, Mark Moseley <> wrote:

 On Sun, Jan 11, 2015 at 11:31 PM, Shu Kit Chan <> wrote:

I think what you need is currently missing from the ts_lua plugin.We can provide something
like this 

similar to 
as mentioned here - 
It should be using the ts api TSHttpTxnServerAddrGet() behind the scene. 
I have already filed a new Jira ticket for it -
I can work on it by Wednesday or Thursday after i am done with my other errands.

On Sun, Jan 11, 2015 at 7:40 PM, Mark Moseley <> wrote:

Hi. I'm looking at the TS_LUA_HOOK_OS_DNS hook or TS_LUA_HOOK_SEND_REQUEST_HDR as a way to
do a fail-safe way of filtering *origin* IPs. Obviously this could be done at the onboard
firewall level, but I thought it'd be neat to be able to do something a bit more in-line (and
it's fun to play with Lua).
But despite the aforementioned hooks, there doesn't seem to be anywhere in the 'ts' table
that holds what the origin's DNS hostname was resolved to. Does that get stored anywhere that
ts_lua has access to? ts.server_request seemed most promising but none of the functions in
there seem to return anything like the origin IP.
If there were something accessible with the origin IP, then I could do a sanity check like,
pseudo-code-wise: for ip in goodips, does origin IP match ip, and if none match, then return
a 403 or 400 or something.

I'm coming up blank looking through the API and source code, but I may be missing something
obvious (or more likely, just looking for the wrong thing).
Even better (and I've had no luck finding this either) would be something built-in that contains
a list of permitted origin IP blocks, like ip_allow.config but for the backend request (and
again, there might be but I'm grepping+googling for the wrong thing).

That'd be tremendous, thanks!
Though off-hand, is there a more "built-in" solution to what I'm trying to do? I.e. limit
what IP blocks ATS will talk to on the *origin* side? (Even if there is, having access to
the origin IP in Lua is still highly desirable)

View raw message