trafficserver-users mailing list archives

From Paul Tader <pta...@collectivei.com>
Subject Re: forward proxy - Restricting domains.
Date Mon, 12 Jan 2015 17:23:49 GMT

> On Jan 9, 2015, at 3:51 PM, Paul Tader <ptader@collectivei.com> wrote:
> 
>> 
>> On Jan 9, 2015, at 3:38 PM, Leif Hedstrom <zwoop@apache.org> wrote:
>> 
>> 
>>> On Jan 9, 2015, at 2:29 PM, Paul Tader <ptader@collectivei.com> wrote:
>>> 
>>> Doesn’t this break the forward proxy then?
>>> 
>>>   # To enable forward proxy, you must turn off remap_required
>>> CONFIG proxy.config.url_remap.remap_required INT 1
>> 
>> That’s somewhat confusing. remap_required disables “open forward proxying”. ATS actually doesn’t know / care about forward vs reverse proxy, it’s just a matter of what requests you allow through. What this setting is saying is “Without an explicit rule matching in remap.config, deny the request”. There’s a similar one for reverse proxy.
>> 
>> — Leif
>> 
> 
> Ok, thanks for clearing that up. With that said, I kept the setting at “1” and changed the remap.config file to what’s listed below. Unfortunately I was still able to connect to sites not listed in remap.config.
> 
> .defflt  internal_only @action=allow  @src_ip=10.0.0.0-255.255.255.255
> 
> .useflt internal_only
> map https://www.facebook.com    https://www.facebook.com
> map https://www.yahoo.com       https://www.yahoo.com
> map http://finance.yahoo.com    http://finance.yahoo.com
> 
> 
> 1420840183.867 126 10.1.2.3 TCP_MISS/200 38458 GET http://www.oracle.com/index.html - DIRECT/www.oracle.com text/html -
> 
> Not sure it matters, but I also have our networks IP’s listed in ip_allow.config. 

> 

Is there an equivalent to .deactivatefilter in ATS 3?

Paul


> 
> 
> 
> 
>>> 
>>> 
>>>> On Jan 9, 2015, at 2:47 PM, Sudheer Vinukonda <sudheerv@yahoo-inc.com> wrote:
>>>> 
>>>> You will also need to enable the config proxy.config.url_remap.remap_required (like Leif suggested earlier).
>>>> 
>>>> 
>>>> 
>>>> On Friday, January 9, 2015 12:30 PM, Paul Tader <ptader@collectivei.com> wrote:
>>>> 
>>>> 
>>>> I think this would work, and I think I’m close, but I tried this (ver 3 uses .useflt and .defflt instead of .activatefilter and .deactivatefilter):
>>>> 
>>>> 
>>>> .defflt  disable_all @action=deny
>>>> .defflt  internal_only @action=allow  @src_ip=10.0.0.0-255.255.255.255
>>>> 
>>>> .useflt internal_only
>>>> map https://www.facebook.com    https://www.facebook.com
>>>> map https://www.yahoo.com       https://www.yahoo.com
>>>> map http://finance.yahoo.com    http://finance.yahoo.com
>>>> .unuseflt internal_only
>>>> 
>>>> .useflt disable_all
>>>> 
>>>> 
>>>> But going to a site not listed (www.oracle.com) is still allowed.  ?
>>>> 1420835169.093 134 10.1.2.3 TCP_MISS/200 38458 GET http://www.oracle.com/index.html - DIRECT/www.oracle.com text/html -
>>>> 
>>>> I’ve also tried placing “.useflt disable_all” before the “.useflt internal_only” filter with no luck, sites not on the list are still allowed out.
>>>> 
>>>> 
>>>>> On Jan 9, 2015, at 12:02 PM, Sudheer Vinukonda <sudheerv@yahoo-inc.com> wrote:
>>>>> 
>>>>> I think you would need to use named_filters to specify ranges in remap.config.
>>>>> 
>>>>> 
>>>>> remap.config — Apache Traffic Server 5.3.0 documentation
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> On Friday, January 9, 2015 9:50 AM, Paul Tader <ptader@collectivei.com> wrote:
>>>>> 
>>>>> 
>>>>> 
>>>>>> On Jan 9, 2015, at 10:33 AM, Paul Tader <ptader@collectivei.com> wrote:
>>>>>> 
>>>>>>> 
>>>>>>> On Jan 9, 2015, at 10:22 AM, James Peach <jpeach@apache.org> wrote:
>>>>>>> 
>>>>>>> 
>>>>>>>> On Jan 9, 2015, at 8:00 AM, Paul Tader <ptader@collectivei.com> wrote:
>>>>>>>> 
>>>>>>>> Hmm, I didn’t think about a DNS blackhole. For now I’m looking into additional remap files using the “.include” directive in remap.config but I get these errors after running traffic_line -x
>>>>>>>> 
>>>>>>>> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: Could not add rule at line #126; Aborting!
>>>>>>>> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: [ReverseProxy] Unknown directive ".include" at line 126
>>>>>>>> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: something failed during BuildTable() -- check your remap plugins!
>>>>>>>> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: failed to reload remap.config, not replacing!
>>>>>>>> 
>>>>>>>> My remap.conf has these two lines:
>>>>>>>> 
>>>>>>>> .include /etc/trafficserver/filters.config
>>>>>>>> .include /etc/trafficserver/set1.remap.config
>>>>>>>> 
>>>>>>>> …which is odd because the documentation states:
>>>>>>>> 
>>>>>>>> "The .include directive allows mapping rules to be spread
across multiple files. The argument to the .include directive is a list of file names to be
parsed for additional mapping rules. "
>>>>>>>> 
>>>>>>>> http://trafficserver.readthedocs.org/en/latest/reference/configuration/remap.config.en.html
>>>>>>> 
>>>>>>> Does your version of ATS match the version of the docs?
>>>>>> 
>>>>>> 
>>>>>> Nope and I apologize for that. Time to upgrade.
>>>>>> 
>>>>>> Thanks everyone.
>>>>>> 
>>>>> 
>>>>> Before I upgrade, I’ve tried a “deny all” map as the last line in remap.conf and listing all the allowed sites before this deny line, but it doesn’t take. Can something like this be done? (ATS version 3.04)
>>>>> 
>>>>> ...
>>>>> map http://apache.org/   http://apache.org   @action=allow   @src_ip=12.34.56.123
>>>>> map /                    http://127.0.0.1    @action=deny @src_ip=0.0.0.1-254.254.254.254
>>>>> 
>>>>> 
>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>>> On Jan 8, 2015, at 8:56 PM, Leif Hedstrom <zwoop@apache.org> wrote:
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>>> On Jan 8, 2015, at 10:53 AM, Paul Tader <ptader@collectivei.com> wrote:
>>>>>>>>>> 
>>>>>>>>>> We have a forward only proxy server configured. How can I restrict an internal IP address or IP address range to only be able to proxy certain top level domains (i.e. google.com, yahoo.com, etc)? I’ve read a lot on remapping, but I don’t think that is the correct approach.
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> DNS blackholing as suggested seems like a reasonable solution. If your list of domains is smallish, then something in remap.config might work as well. I’ve done this in the past, blocking all but a few HTTPS sites (via setting remap.required to 1 in records.config). The other option is to allow all sites, but list the ones that you intend to block (map them to some nonexistent domain or IP, e.g. 10.0.0.0).
>>>>>>>>> 
>>>>>>>>> Fwiw, remap rules like this with CONNECT methods only works in 5.0.0 and later.
>>>>>>>>> 
>>>>>>>>> — Leif
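
An added example, not code from this thread or from Apache Traffic Server: the check that would have shortened the discussion above is auditing the proxy's own squid-format access log against the allow-list in remap.config, so that an escape like the www.oracle.com line quoted earlier is caught mechanically instead of by eye. The script models the policy the thread is trying to build (a forward proxy with remap_required set to 1, where only hosts that have an explicit `map` rule are reachable, and named filters may further restrict by client IP), parses both files, and lists every served request that the policy should have refused. Assumptions: ATS's default squid.log field order; CONNECT requests logged in host:port form; IPv4-only @src_ip values (single address or A-B range); and a deliberately simplified filter evaluation (a map rule admits a client only if every active allow filter matches the client and no deny filter does), which is a model of the documented intent rather than a reimplementation of ATS's remap ACL code. The remap.config and log lines in the block are constructed.

```python
"""Audit an ATS squid-format access log against a remap.config allow-list.

Added example for the thread above, not Apache Traffic Server code. The
filter evaluation is a simplified model of the documented intent (assumption),
not ATS's own ACL logic.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed remap.config in the 3.x spelling (.defflt/.useflt) used in the
# thread; the 5.x names (.definefilter/.activatefilter) are accepted too.
REMAP_CONFIG = """\
.defflt internal_only @action=allow @src_ip=10.0.0.0-10.255.255.255
.useflt internal_only
map https://www.facebook.com    https://www.facebook.com
map https://www.yahoo.com       https://www.yahoo.com
map http://finance.yahoo.com    http://finance.yahoo.com
"""

# Constructed squid.log lines, same layout as the one quoted in the thread.
# CONNECT logged as host:port is an assumption about the log format.
ACCESS_LOG = """\
1420840183.867 126 10.1.2.3 TCP_MISS/200 38458 GET http://www.oracle.com/index.html - DIRECT/www.oracle.com text/html -
1420840190.101 88 10.1.2.3 TCP_MISS/200 1200 GET http://finance.yahoo.com/q - DIRECT/finance.yahoo.com text/html -
1420840195.500 40 10.1.2.4 TCP_MISS/403 0 GET http://www.oracle.com/ - NONE/- text/html -
1420840199.220 300 192.168.5.7 TCP_MISS/200 5000 CONNECT www.facebook.com:443 - DIRECT/www.facebook.com - -
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)"
)


def _parse_opts(tokens):
    """Collect @action= and @src_ip= options (IPv4 only, single address or A-B range)."""
    out = {"action": None, "src": []}
    for tok in tokens:
        key, _, val = tok.partition("=")
        if key == "@action":
            out["action"] = val
        elif key == "@src_ip":
            lo, _, hi = val.partition("-")
            out["src"].append((int(ipaddress.ip_address(lo)),
                               int(ipaddress.ip_address(hi or lo))))
    return out


def parse_remap(text):
    """Return (named filters, map rules); each rule records the filters active when it was read."""
    filters, active, rules = {}, [], []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] in (".defflt", ".definefilter"):
            filters[tok[1]] = _parse_opts(tok[2:])
        elif tok[0] in (".useflt", ".activatefilter"):
            active.append(tok[1])
        elif tok[0] in (".unuseflt", ".deactivatefilter") and tok[1] in active:
            active.remove(tok[1])
        elif tok[0] == "map":
            rule = _parse_opts(tok[3:])            # inline @action/@src_ip on the rule itself
            rule["host"] = urlsplit(tok[1]).hostname
            rule["filters"] = list(active)
            rules.append(rule)
    return filters, rules


def _policy_matches(policy, ip):
    """A policy with no @src_ip applies to every client."""
    return not policy["src"] or any(lo <= ip <= hi for lo, hi in policy["src"])


def is_allowed(filters, rules, client_ip, host):
    """Simplified model: a rule admits the client only if every allow policy on it
    matches the client and no deny policy does; no rule for the host means refused
    (that is what remap_required=1 is meant to enforce)."""
    ip = int(ipaddress.ip_address(client_ip))
    for rule in (r for r in rules if r["host"] == host):
        policies = [filters[name] for name in rule["filters"]] + [rule]
        if all((p["action"] != "deny" or not _policy_matches(p, ip))
               and (p["action"] != "allow" or _policy_matches(p, ip))
               for p in policies):
            return True
    return False


def request_host(url):
    """Host from an absolute URL, or from the host:port form used for CONNECT (no IPv6 literals)."""
    if "://" in url:
        return urlsplit(url).hostname
    return url.rsplit(":", 1)[0]


def audit(remap_text, log_text):
    """Return (client, method, host) for every served request the allow-list should have blocked."""
    filters, rules = parse_remap(remap_text)
    escapes = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not 200 <= int(m["status"]) < 400:
            continue  # malformed, or the proxy refused/failed it: not an escape
        host = request_host(m["url"])
        if not is_allowed(filters, rules, m["client"], host):
            escapes.append((m["client"], m["method"], host))
    return escapes


if __name__ == "__main__":
    for client, method, host in audit(REMAP_CONFIG, ACCESS_LOG):
        print(f"policy escape: {client} {method} {host}")
```

Run it as a script to print the escapes, or import it and point `audit()` at the real remap.config and squid.log text; a non-empty result means the proxy served something the allow-list does not cover, which is exactly the symptom reported in the thread. Two details worth noting: the filter in the example uses 10.0.0.0-10.255.255.255, whereas the literal 10.0.0.0-255.255.255.255 quoted above spans every address from 10.0.0.0 upward and so admits far more than the 10/8 network; and only 2xx/3xx log entries are counted, since a 403 from the proxy is the restriction working, not an escape.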

