trafficserver-users mailing list archives

From Shu Kit Chan <chanshu...@gmail.com>
Subject Re: Get Origin IP in Lua
Date Mon, 12 Jan 2015 07:31:25 GMT
Hi,

I think what you need is currently missing from the ts_lua plugin.
We can provide something like this

ts.server_request.server_addr.get_addr()

similar to

ts.client_request.client_addr.get_addr()

as mentioned here -
https://docs.trafficserver.apache.org/en/latest/reference/plugins/ts_lua.en.html


It should be using the TS API TSHttpTxnServerAddrGet() behind the scenes.

I have already filed a new Jira ticket for it -
https://issues.apache.org/jira/browse/TS-3290

I can work on it by Wednesday or Thursday after I am done with my other
errands.

Thanks.

Kit


On Sun, Jan 11, 2015 at 7:40 PM, Mark Moseley <moseleymark@gmail.com> wrote:

> Hi. I'm looking at the TS_LUA_HOOK_OS_DNS hook or
> TS_LUA_HOOK_SEND_REQUEST_HDR as a way to do a fail-safe way of filtering
> *origin* IPs. Obviously this could be done at the onboard firewall level,
> but I thought it'd be neat to be able to do something a bit more in-line
> (and it's fun to play with Lua).
>
> But despite the aforementioned hooks, there doesn't seem to be anywhere in
> the 'ts' table that holds what the origin's DNS hostname was resolved to.
> Does that get stored anywhere that ts_lua has access to? ts.server_request
> seemed most promising but none of the functions in there seem to return
> anything like the origin IP.
>
> If there were something accessible with the origin IP, then I could do a
> sanity check like, pseudo-code-wise: for ip in goodips, does origin IP
> match ip, and if none match, then return a 403 or 400 or something.
>
> I'm coming up blank looking through the API and source code, but I may be
> missing something obvious (or more likely, just looking for the wrong
> thing).
>
> Even better (and I've had no luck finding this either) would be something
> built-in that contains a list of permitted origin IP blocks, like
> ip_allow.config but for the backend request (and again, there might be but
> I'm grepping+googling for the wrong thing).
>
> Thanks!
>
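
The sanity check described in the quoted question (compare the origin IP against a list of permitted blocks and reject when none match), as an added example that is not part of the original thread or of the ts_lua code base. It is plain Lua and IPv4 only; the names GOOD_ORIGINS and origin_allowed and the sample blocks are assumptions, and obtaining the address inside a hook is left out because the accessor is only proposed in the reply above.

```lua
-- Constructed sample allowlist (documentation and private ranges).
local GOOD_ORIGINS = { "192.0.2.0/24", "10.20.0.0/16", "198.51.100.7/32" }

-- Dotted quad -> number, or nil when the input is not a valid IPv4 address.
local function ipv4_to_number(ip)
    if type(ip) ~= "string" then return nil end
    local a, b, c, d = ip:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
    if not a then return nil end
    local n = 0
    for _, octet in ipairs({ a, b, c, d }) do
        local v = tonumber(octet)
        if #octet > 3 or v > 255 then return nil end
        n = n * 256 + v
    end
    return n
end

-- "a.b.c.d/len" -> { base, size }; a bad entry is a configuration error.
local function parse_cidr(cidr)
    local addr, len = cidr:match("^([%d%.]+)/(%d+)$")
    local base = ipv4_to_number(addr)
    local bits = len and tonumber(len)
    if not base or not bits or bits > 32 then
        error("bad CIDR in allowlist: " .. tostring(cidr))
    end
    local size = 2 ^ (32 - bits)
    return { base = base - (base % size), size = size }
end

local allow = {}
for i, cidr in ipairs(GOOD_ORIGINS) do allow[i] = parse_cidr(cidr) end
-- True only when ip parses and lies inside an allowed block (fails closed).
local function origin_allowed(ip)
    local n = ipv4_to_number(ip)
    if not n then return false end
    for _, block in ipairs(allow) do
        if n >= block.base and n < block.base + block.size then
            return true
        end
    end
    return false
end

-- Self-checks on constructed addresses.
assert(origin_allowed("192.0.2.55"))
assert(not origin_allowed("10.21.0.1"))
assert(not origin_allowed("198.51.100.8"))
assert(not origin_allowed(nil))
assert(not origin_allowed("2001:db8::1"))
```

Anything that does not parse as IPv4, including a missing value or an IPv6 origin, is treated as not permitted, so a lookup failure cannot silently pass the filter.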
