trafficserver-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Peach <jpe...@apache.org>
Subject Re: forward proxy - Restricting domains.
Date Fri, 09 Jan 2015 16:22:02 GMT

> On Jan 9, 2015, at 8:00 AM, Paul Tader <ptader@collectivei.com> wrote:
> 
> Hmm, I didn’t think about a DNS blackhole.  For now I’m looking into additional remap
files using the “.include” directive in remap.config but I get these errors after running
traffic_line -x
> 
> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: Could not add rule at line #126;
Aborting!
> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: [ReverseProxy] Unknown directive
".include" at line 126
> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: something failed during BuildTable()
-- check your remap plugins!
> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: failed to reload remap.config,
not replacing!
> 
> My remap.conf has these two lines:
> 
> .include /etc/trafficserver/filters.config
> .include /etc/trafficserver/set1.remap.config
> 
> …which is odd because the documentation states:
> 
> "The .include directive allows mapping rules to be spread across multiple files. The
argument to the .include directive is a list of file names to be parsed for additional mapping
rules. "
> 
> http://trafficserver.readthedocs.org/en/latest/reference/configuration/remap.config.en.html

Does your version of ATS match the version of the docs?

> 
> 
> 
> 
>> On Jan 8, 2015, at 8:56 PM, Leif Hedstrom <zwoop@apache.org> wrote:
>> 
>> 
>>> On Jan 8, 2015, at 10:53 AM, Paul Tader <ptader@collectivei.com> wrote:
>>> 
>>> We have a forward only proxy server configured. How can I restrict a internal
IP address or IP address range to only be able to proxy certain top level domains (ie google.com,
yahoo.com, etc)?  I’ve read a lot on remapping, but I don’t think that is the correct
approach.
>> 
>> 
>> DNS blackholing as suggested seems like a reasonable solution. If your list of domains
is smallish, then something in remap.config might work as well. I’ve done this in the past,
blocking all but a few HTTPS sites (via setting remap.required to 1 in records.config). The
other option is to allow all sites, but list the ones that you intend to block (map them to
some nonexistent domain or IP, e.g. 10.0.0.0).
>> 
>> Fwiw, remap rules like this with CONNECT methods only works in 5.0.0 and later.
>> 
>> — Leif
>> 
> 


Mime
View raw message