Subject: Re: forward proxy - Restricting domains.
From: James Peach
Date: Fri, 9 Jan 2015 08:22:02 -0800
To: users@trafficserver.apache.org

> On Jan 9, 2015, at 8:00 AM, Paul Tader wrote:
>
> Hmm, I didn't think about a DNS blackhole. For now I'm looking into additional remap files using the ".include" directive in remap.config but I get these errors after running traffic_line -x
>
> [Jan 9 15:57:04.270] Server {47752783210240} WARNING: Could not add rule at line #126; Aborting!
> [Jan 9 15:57:04.270] Server {47752783210240} WARNING: [ReverseProxy] Unknown directive ".include" at line 126
> [Jan 9 15:57:04.270] Server {47752783210240} WARNING: something failed during BuildTable() -- check your remap plugins!
> [Jan 9 15:57:04.270] Server {47752783210240} WARNING: failed to reload remap.config, not replacing!
>
> My remap.conf has these two lines:
>
> .include /etc/trafficserver/filters.config
> .include /etc/trafficserver/set1.remap.config
>
> …which is odd because the documentation states:
>
> "The .include directive allows mapping rules to be spread across multiple files. The argument to the .include directive is a list of file names to be parsed for additional mapping rules."
>
> http://trafficserver.readthedocs.org/en/latest/reference/configuration/remap.config.en.html

Does your version of ATS match the version of the docs?

>
>> On Jan 8, 2015, at 8:56 PM, Leif Hedstrom wrote:
>>
>>> On Jan 8, 2015, at 10:53 AM, Paul Tader wrote:
>>>
>>> We have a forward only proxy server configured. How can I restrict an internal IP address or IP address range to only be able to proxy certain top level domains (ie google.com, yahoo.com, etc)? I've read a lot on remapping, but I don't think that is the correct approach.
>>
>> DNS blackholing as suggested seems like a reasonable solution. If your list of domains is smallish, then something in remap.config might work as well. I've done this in the past, blocking all but a few HTTPS sites (via setting remap.required to 1 in records.config). The other option is to allow all sites, but list the ones that you intend to block (map them to some nonexistent domain or IP, e.g. 10.0.0.0).
>>
>> Fwiw, remap rules like this with CONNECT methods only work in 5.0.0 and later.
>>
>> — Leif
>>
>
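The remap.config allowlist Leif describes, written out as an added example that is not from the thread: the records.config knob is `proxy.config.url_remap.remap_required`, and the hostnames, client range and sink address are constructed placeholders. The per-rule `@src_ip`/`@action` filter parameters are assumed to be supported by the installed ATS version; check the remap.config reference for the version actually running, since (as the thread shows) directive support differs between releases.

```conf
# records.config: any request that matches no remap rule is refused.
# This is the "remap.required" setting Leif refers to.
CONFIG proxy.config.url_remap.remap_required INT 1

# remap.config: explicit allowlist for the forward proxy.
# Identity maps forward the request unchanged; everything not listed
# is rejected because remap_required is 1. Per Leif, rules that must
# also cover HTTPS (CONNECT) need ATS 5.0.0 or later.
map http://www.google.com/  http://www.google.com/
map https://www.google.com/ https://www.google.com/
map http://www.yahoo.com/   http://www.yahoo.com/
map https://www.yahoo.com/  https://www.yahoo.com/

# Restricting one internal range (constructed: 192.168.10.0/24) to a
# single host. Assumes filter parameters are available in this version.
map http://www.example.com/  http://www.example.com/  @src_ip=192.168.10.0-192.168.10.255 @action=allow
map https://www.example.com/ https://www.example.com/ @src_ip=192.168.10.0-192.168.10.255 @action=allow

# Alternative Leif mentions (only meaningful with remap_required 0):
# allow everything, but sink named hosts into an unroutable address.
# map http://blocked.example/ http://10.0.0.0/
```

After editing, reload with `traffic_line -x` and watch the diagnostics log for the same "Could not add rule" / "Unknown directive" warnings seen above; on a failed parse ATS keeps the previous table, so a silently unchanged policy is the symptom to look for.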