trafficserver-users mailing list archives

From Paul Tader <pta...@collectivei.com>
Subject Re: forward proxy - Restricting domains.
Date Fri, 09 Jan 2015 16:33:24 GMT

> On Jan 9, 2015, at 10:22 AM, James Peach <jpeach@apache.org> wrote:
> 
> 
>> On Jan 9, 2015, at 8:00 AM, Paul Tader <ptader@collectivei.com> wrote:
>> 
>> Hmm, I didn’t think about a DNS blackhole. For now I’m looking into additional remap files using the “.include” directive in remap.config but I get these errors after running traffic_line -x
>> 
>> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: Could not add rule at line #126; Aborting!
>> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: [ReverseProxy] Unknown directive ".include" at line 126
>> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: something failed during BuildTable() -- check your remap plugins!
>> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: failed to reload remap.config, not replacing!
>> 
>> My remap.conf has these two lines:
>> 
>> .include /etc/trafficserver/filters.config
>> .include /etc/trafficserver/set1.remap.config
>> 
>> …which is odd because the documentation states:
>> 
>> "The .include directive allows mapping rules to be spread across multiple files. The argument to the .include directive is a list of file names to be parsed for additional mapping rules."
>> 
>> http://trafficserver.readthedocs.org/en/latest/reference/configuration/remap.config.en.html
> 
> Does your version of ATS match the version of the docs?


Nope and I apologize for that. Time to upgrade.

Thanks everyone.

> 
>> 
>> 
>> 
>> 
>>> On Jan 8, 2015, at 8:56 PM, Leif Hedstrom <zwoop@apache.org> wrote:
>>> 
>>> 
>>>> On Jan 8, 2015, at 10:53 AM, Paul Tader <ptader@collectivei.com> wrote:
>>>> 
>>>> We have a forward only proxy server configured. How can I restrict an internal IP address or IP address range to only be able to proxy certain top level domains (i.e. google.com, yahoo.com, etc)? I’ve read a lot on remapping, but I don’t think that is the correct approach.
>>> 
>>> 
>>> DNS blackholing as suggested seems like a reasonable solution. If your list of domains is smallish, then something in remap.config might work as well. I’ve done this in the past, blocking all but a few HTTPS sites (via setting remap.required to 1 in records.config). The other option is to allow all sites, but list the ones that you intend to block (map them to some nonexistent domain or IP, e.g. 10.0.0.0).
>>> 
>>> Fwiw, remap rules like this with CONNECT methods only works in 5.0.0 and later.
>>> 
>>> — Leif
>>> 
>> 
> 
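As an added worked example (written here, not taken from any poster or from the ATS project), these are the two remap.config approaches Leif describes: an allow-list of hosts for one internal range with remap_required turned on, and an allow-everything setup that sinks the blocked hosts onto a non-routable target. Assumed: ATS 5.0 or later, the internal range 10.1.0.0-10.1.255.255 and the hostnames shown; only plain-HTTP rules are given, since CONNECT (HTTPS) remapping is version-dependent as the thread notes, and the records.config variable spelled out in full is proxy.config.url_remap.remap_required.

```text
# --- records.config, option A: refuse any request that matches no remap rule ---
CONFIG proxy.config.url_remap.remap_required INT 1

# --- remap.config, option A: allow-list for one internal client range ---
# The filter applies to every rule between .activatefilter and .deactivatefilter.
# With @action=allow only clients whose source address is in @src_ip may use
# these rules; requests from any other address are refused. (Assumed range.)
.definefilter lan_clients @action=allow @src_ip=10.1.0.0-10.1.255.255
.activatefilter lan_clients
map http://www.google.com/  http://www.google.com/
map http://google.com/      http://google.com/
map http://www.yahoo.com/   http://www.yahoo.com/
.deactivatefilter lan_clients
# Because remap_required is 1, a request for any host not listed above has no
# rule and is rejected, so the list above is the complete set of reachable sites.

# --- option B (set remap_required INT 0 instead): allow all, block a few ---
# Everything not listed passes through untouched; the hosts you want blocked are
# mapped to a non-routable address, as Leif suggests, so they never resolve to
# a real origin. Hostnames are placeholders.
map http://ads.example/     http://10.0.0.0/
map http://tracker.example/ http://10.0.0.0/
```

After editing, reload with traffic_line -x as in the thread and check traffic.out for the "Could not add rule" warnings; a rule that fails to parse aborts the whole reload and leaves the previous table in place.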

