From: Paul Tader <ptader@collectivei.com>
To: users@trafficserver.apache.org
Subject: Re: forward proxy - Restricting domains.
Date: Mon, 12 Jan 2015 14:28:35 -0600
Message-Id: <1B2EB0DE-08B3-4309-A409-CF4C50D6D7C1@collectivei.com>
References: <2116454793.1211049.1420836439863.JavaMail.yahoo@jws100130.mail.ne1.yahoo.com> <020F6313-BC97-4C0B-8A15-F525BF215F64@apache.org> <27A119AB-F067-4F3D-B84B-10627F517E14@collectivei.com> <2F6C0BA9-FBF1-40AC-934C-5D7255E883B7@apache.org>

> On Jan 12, 2015, at 11:42 AM, James Peach <jpeach@apache.org> wrote:
>
>> On Jan 12, 2015, at 9:23 AM, Paul Tader <ptader@collectivei.com> wrote:
>>
>>> On Jan 9, 2015, at 3:51 PM, Paul Tader <ptader@collectivei.com> wrote:
>>>
>>>> On Jan 9, 2015, at 3:38 PM, Leif Hedstrom <zwoop@apache.org> wrote:
>>>>
>>>>> On Jan 9, 2015, at 2:29 PM, Paul Tader <ptader@collectivei.com> wrote:
>>>>>
>>>>> Doesn’t this break the forward proxy then?
>>>>>
>>>>> # To enable forward proxy, you must turn off remap_required
>>>>> CONFIG proxy.config.url_remap.remap_required INT 1
>>>>
>>>> That’s somewhat confusing. remap_required disables “open forward proxying”. ATS actually doesn’t know / care about forward vs reverse proxy, it’s just a matter of what requests you allow through. What this setting is saying is “Without an explicit rule matching in remap.config, deny the request”. There’s a similar one for reverse proxy.
>>>>
>>>> — Leif
>>>
>>> Ok, thanks for clearing that up. With that said, I kept the setting at “1” and changed the remap.config file to what’s listed below. Unfortunately I was still able to connect to sites not listed in remap.config.
>>>
>>> .defflt internal_only @action=allow @src_ip=10.0.0.0-255.255.255.255
>>>
>>> .useflt internal_only
>>> map https://www.facebook.com https://www.facebook.com
>>> map https://www.yahoo.com https://www.yahoo.com
>>> map http://finance.yahoo.com http://finance.yahoo.com
>>>
>>> 1420840183.867 126 10.1.2.3 TCP_MISS/200 38458 GET http://www.oracle.com/index.html - DIRECT/www.oracle.com text/html -
>>>
>>> Not sure it matters, but I also have our network’s IPs listed in ip_allow.config.
>>
>> Is there an equivalent to .deactivatefilter in ATS 3?
>
> "unusefilter", "deactivatefilter", "unactivefilter", "deuseflt", and "unuseflt" are all synonyms. I thought that they had all been there forever, but maybe some synonyms were not present in 3 ...
>
> J

I was hoping, but I don’t see those directives in the documentation and when adding that text I’m met with an error:

[Jan 12 18:23:54.607] Server {47752783210240} WARNING: Could not add rule at line #151; Aborting!

I was hoping to replicate what is in later ATS versions, for example:

[remap.config]
.defflt disable_all @action=deny
.defflt internal_only @action=allow

.useflt disable_all
.useflt internal_only
map http://url.com http://url.com
map http://url2.com http://url2.com
map http://url3.com http://url3.com
.disableflt internal_only

(all other sites should be blocked).
[remap.config end]

…kind of replicating what iptables does, fall through until you match a rule.
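Added example, not code from this thread or from Apache Traffic Server: the check Paul did by hand (reading the access log and spotting www.oracle.com getting through) as a script. It parses the `map` rules of a remap.config into the set of origins that have a rule, then scans squid-format access log lines in the shape of the one quoted above and reports every request the proxy served (2xx/3xx) to an origin with no rule. With proxy.config.url_remap.remap_required set to 1 such requests should have been denied, so any hit means the restriction is not taking effect. The remap.config and the log lines are constructed for the example, and treating a CONNECT tunnel to port 443 as an https origin is this script's heuristic, not an ATS rule.

```python
"""Audit an ATS forward-proxy allowlist against its access log (added example)."""
import re
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}

# Only plain `map` rules are parsed; regex_map and friends are out of scope here.
MAP_RE = re.compile(r"^map\s+(\S+)\s+\S+")

# Constructed remap.config in the same shape as the one posted in the thread.
REMAP_CONFIG = """\
.defflt  internal_only @action=allow @src_ip=10.0.0.0-10.255.255.255
.useflt internal_only
map https://www.facebook.com   https://www.facebook.com
map https://www.yahoo.com      https://www.yahoo.com
map http://finance.yahoo.com   http://finance.yahoo.com
"""

# Constructed ATS squid-format log lines:
# time elapsed client cache/status bytes method url user hierarchy/origin type ...
ACCESS_LOG = """\
1420840183.867 126 10.1.2.3 TCP_MISS/200 38458 GET http://www.oracle.com/index.html - DIRECT/www.oracle.com text/html -
1420840190.101 88 10.1.2.3 TCP_MISS/200 1024 GET http://finance.yahoo.com/q?s=AAPL - DIRECT/finance.yahoo.com text/html -
1420840195.512 12 10.1.2.4 TCP_MISS/403 0 GET http://www.example.net/ - NONE/- - -
1420840199.004 240 10.1.2.5 TCP_MISS/200 5120 CONNECT www.facebook.com:443 - DIRECT/www.facebook.com - -
"""


def origin_of_url(url):
    """(scheme, host, port) for an absolute URL, filling in the default port."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORT.get(u.scheme))


def parse_allowlist(remap_text):
    """Set of (scheme, host, port) origins that have a `map` rule.

    Filter directives (.defflt/.useflt/...) attach ACLs to the map rules that
    follow them; on their own they allow or deny nothing, so they are skipped,
    as are comments and blank lines.
    """
    allowed = set()
    for raw in remap_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("."):
            continue
        m = MAP_RE.match(line)
        if m:
            allowed.add(origin_of_url(m.group(1)))
    return allowed


def origin_of_request(method, url):
    """Origin a logged request went to.

    A CONNECT tunnel is logged as host:port rather than a URL. This example
    treats a tunnel to port 443 as an https origin (a heuristic of the
    example, not an ATS rule) so it can be compared with https map rules.
    """
    if "://" not in url:  # CONNECT target, e.g. www.facebook.com:443
        host, _, port = url.rpartition(":")
        if not host:  # no port given
            host, port = url, "443"
        port = int(port)
        return ("https" if port == 443 else "tunnel", host, port)
    return origin_of_url(url)


def parse_log_line(line):
    """Pull client, status, method and url out of one squid-format line."""
    parts = line.split()
    if len(parts) < 7:
        return None
    _cache, _, status = parts[3].partition("/")
    if not status.isdigit():
        return None
    return {"client": parts[2], "status": int(status),
            "method": parts[5], "url": parts[6]}


def find_leaks(remap_text, log_text):
    """Requests served with 2xx/3xx whose origin has no map rule."""
    allowed = parse_allowlist(remap_text)
    leaks = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or not 200 <= rec["status"] < 400:
            continue  # denied or failed requests did not get through
        if origin_of_request(rec["method"], rec["url"]) not in allowed:
            leaks.append((rec["client"], rec["method"], rec["url"], rec["status"]))
    return leaks


if __name__ == "__main__":
    for client, method, url, status in find_leaks(REMAP_CONFIG, ACCESS_LOG):
        print(f"LEAK {client} {method} {url} -> {status}")
```

Run it against a real remap.config and access log by replacing the two constructed strings with the file contents. Note that the comparison is on scheme, host and port: a rule for https://www.yahoo.com does not cover http://www.yahoo.com, which is also how a remap_required deny would treat it.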