trafficserver-users mailing list archives

From Paul Tader <pta...@collectivei.com>
Subject Re: forward proxy - Restricting domains.
Date Fri, 09 Jan 2015 20:30:31 GMT
I think this would work, and I think I’m close but I tried this (ver 3 uses .useflt and .defflt
instead of .activatefilter and .deactivatefilter):


.defflt  disable_all @action=deny
.defflt  internal_only @action=allow  @src_ip=10.0.0.0-255.255.255.255

.useflt internal_only
map https://www.facebook.com    https://www.facebook.com
map https://www.yahoo.com       https://www.yahoo.com
map http://finance.yahoo.com    http://finance.yahoo.com
.unuseflt internal_only

.useflt disable_all


But going to a site not listed (www.oracle.com) is still allowed?
1420835169.093 134 10.1.2.3 TCP_MISS/200 38458 GET http://www.oracle.com/index.html - DIRECT/www.oracle.com text/html -

I’ve also tried placing “.useflt disable_all” before the “.useflt internal_only” filter with no luck, sites not on the list are still allowed out.


> On Jan 9, 2015, at 12:02 PM, Sudheer Vinukonda <sudheerv@yahoo-inc.com> wrote:
> 
> I think you would need to use named_filters to specify ranges in remap.config.
> 
> 
> remap.config — Apache Traffic Server 5.3.0 documentation <https://docs.trafficserver.apache.org/en/latest/reference/configuration/remap.config.en.html#named-filters>
> 
> On Friday, January 9, 2015 9:50 AM, Paul Tader <ptader@collectivei.com> wrote:
> 
> 
> 
>> On Jan 9, 2015, at 10:33 AM, Paul Tader <ptader@collectivei.com> wrote:
>> 
>>> 
>>> On Jan 9, 2015, at 10:22 AM, James Peach <jpeach@apache.org> wrote:
>>> 
>>> 
>>>> On Jan 9, 2015, at 8:00 AM, Paul Tader <ptader@collectivei.com> wrote:
>>>> 
>>>> Hmm, I didn’t think about a DNS blackhole.  For now I’m looking into additional remap files using the “.include” directive in remap.config but I get these errors after running traffic_line -x
>>>> 
>>>> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: Could not add rule at line #126; Aborting!
>>>> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: [ReverseProxy] Unknown directive ".include" at line 126
>>>> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: something failed during BuildTable() -- check your remap plugins!
>>>> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: failed to reload remap.config, not replacing!
>>>> 
>>>> My remap.conf has these two lines:
>>>> 
>>>> .include /etc/trafficserver/filters.config
>>>> .include /etc/trafficserver/set1.remap.config
>>>> 
>>>> …which is odd because the documentation states:
>>>> 
>>>> "The .include directive allows mapping rules to be spread across multiple
files. The argument to the .include directive is a list of file names to be parsed for additional
mapping rules. "
>>>> 
>>>> http://trafficserver.readthedocs.org/en/latest/reference/configuration/remap.config.en.html
>>> 
>>> Does your version of ATS match the version of the docs?
>> 
>> 
>> Nope and I apologize for that. Time to upgrade.
>> 
>> Thanks everyone.
>> 
> 
> Before I upgrade, I’ve tried a “deny all” map as the last line in remap.conf and listing all the allowed sites before this deny line, but it doesn’t take.  Can something like this be done?  (ATS version 3.04)
> 
> ...
> map http://apache.org/   http://apache.org   @action=allow   @src_ip=12.34.56.123
> map /                    http://127.0.0.1    @action=deny @src_ip=0.0.0.1-254.254.254.254
> 
> 
>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>>> On Jan 8, 2015, at 8:56 PM, Leif Hedstrom <zwoop@apache.org> wrote:
>>>>> 
>>>>> 
>>>>>> On Jan 8, 2015, at 10:53 AM, Paul Tader <ptader@collectivei.com> wrote:
>>>>>> 
>>>>>> We have a forward only proxy server configured. How can I restrict an internal IP address or IP address range to only be able to proxy certain top level domains (ie google.com, yahoo.com, etc)?  I’ve read a lot on remapping, but I don’t think that is the correct approach.
>>>>> 
>>>>> 
>>>>> DNS blackholing as suggested seems like a reasonable solution. If your list of domains is smallish, then something in remap.config might work as well. I’ve done this in the past, blocking all but a few HTTPS sites (via setting remap.required to 1 in records.config). The other option is to allow all sites, but list the ones that you intend to block (map them to some nonexistent domain or IP, e.g. 10.0.0.0).
>>>>> 
>>>>> Fwiw, remap rules like this with CONNECT methods only work in 5.0.0 and later.
>>>>> 
>>>>> — Leif
> 
> 
> 
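The access-log line quoted in this thread (squid-style format) is the evidence that the allowlist was not being enforced, and the same log can be used to verify a fix. The following Python script is an added example, not code from the thread or from Apache Traffic Server: it parses lines in that format and flags requests from internal clients that the proxy served for hosts outside the allowlist from the posted remap rules (www.facebook.com, www.yahoo.com, finance.yahoo.com). The 10.0.0.0/8 internal range and all log lines except the first are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Destinations the remap rules in the thread were meant to allow.
ALLOWED_HOSTS = {"www.facebook.com", "www.yahoo.com", "finance.yahoo.com"}
# Internal client range (assumed 10.0.0.0/8 for this example).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample in the squid-style format the proxy logged; the first line
# is the one from the thread, the rest are made up to exercise the check.
SAMPLE_LOG = """\
1420835169.093 134 10.1.2.3 TCP_MISS/200 38458 GET http://www.oracle.com/index.html - DIRECT/www.oracle.com text/html -
1420835170.201 88 10.1.2.3 TCP_MISS/200 1204 GET http://finance.yahoo.com/q?s=GOOG - DIRECT/finance.yahoo.com text/html -
1420835171.450 12 10.1.2.3 TCP_MISS/200 0 CONNECT www.facebook.com:443 - DIRECT/www.facebook.com - -
1420835172.009 45 10.1.2.3 TCP_MISS/200 5120 CONNECT mail.example.org:443 - DIRECT/mail.example.org - -
1420835173.300 10 192.168.5.9 TCP_MISS/200 700 GET http://www.oracle.com/ - DIRECT/www.oracle.com text/html -
"""

def parse_line(line):
    """Extract client, method, destination host and HTTP status from one log line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    ts, _elapsed, client, result, _size, method, url = fields[:7]
    # CONNECT (HTTPS tunnels) logs host:port instead of a full URL.
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else (urlsplit(url).hostname or "")
    return {"ts": ts, "client": client, "method": method,
            "host": host.lower(), "status": result.split("/")[-1]}

def find_policy_violations(log_text, allowed=ALLOWED_HOSTS, internal=INTERNAL_NET):
    """Return entries where an internal client was served (2xx/3xx) a host outside the allowlist."""
    violations = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or ipaddress.ip_address(entry["client"]) not in internal:
            continue
        if entry["host"] not in allowed and entry["status"].startswith(("2", "3")):
            violations.append(entry)
    return violations

if __name__ == "__main__":
    for v in find_policy_violations(SAMPLE_LOG):
        print(f"{v['ts']} {v['client']} {v['method']} {v['host']}: served despite allowlist")
```

Run it against the real squid log after changing remap.config or remap.required; an empty result from internal clients is the confirmation that the restriction holds.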

