This is an automated email from the ASF dual-hosted git repository. ocket8888 pushed a commit to branch 5.1.x in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git
commit 03999e6ec7eca00186efc5862c25abede9b47faf Author: Dylan Souza <[email protected]> AuthorDate: Thu Mar 11 10:22:31 2021 -0700 Allow PURGE over localhost in atscfg (#5619) Add rules to ip_allow in atscfg to allow for PURGE requests over localhost. Currently there is a parameter called purge_allow_ip that specifies specific IPs where purge requests can come from. This parameter DOES NOT WORK on Mids because PURGE/PUSH request denials are prepended to the very beginning of ip_allow. This does not fix that parameter, but opens up PURGE requests specifically over localhost. Co-authored-by: dsouza550 <[email protected]> (cherry picked from commit 878b157cfae70116cfa08d10913bc359827ea0f9)
---
 CHANGELOG.md | 10 ++++++++--
 lib/go-atscfg/ipallowdotconfig.go | 11 +++++++++++
 lib/go-atscfg/ipallowdotconfig_test.go | 4 ++--
 3 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8776d18..0aa9949 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
+## [5.1.1] - 2021-03-19
+### Added
+- Atscfg: Added a rule to ip_allow such that PURGE requests are allowed over localhost
+
+### Fixed
+- [#5565](https://github.com/apache/trafficcontrol/issues/5565) - TO GET /caches/stats panic converting string to uint64
+- [#5558](https://github.com/apache/trafficcontrol/issues/5558) - Fixed `TM UI` and `/api/cache-statuses` to report aggregate `bandwidth_kbps` correctly.
+
 ## [5.1.0] - 2021-02-21
 ### Added
 - Traffic Portal: [#5394](https://github.com/apache/trafficcontrol/issues/5394) - Converts the tenant table to a tenant tree for usability
@@ -19,8 +27,6 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - Added license files to the RPMs
 ### Fixed
-- [#5565](https://github.com/apache/trafficcontrol/issues/5565) - TO GET /caches/stats panic converting string to uint64
-- [#5558](https://github.com/apache/trafficcontrol/issues/5558) - Fixed `TM UI` and `/api/cache-statuses` to report aggregate `bandwidth_kbps` correctly.
 - [#5445](https://github.com/apache/trafficcontrol/issues/5445) - When updating a registered user, ignore updates on registration_sent field.
 - [#5335](https://github.com/apache/trafficcontrol/issues/5335) - Don't create a change log entry if the delivery service primary origin hasn't changed
 - [#5333](https://github.com/apache/trafficcontrol/issues/5333) - Don't create a change log entry for any delivery service consistent hash query params updates
diff --git a/lib/go-atscfg/ipallowdotconfig.go b/lib/go-atscfg/ipallowdotconfig.go
index 9313b97..827b793 100644
--- a/lib/go-atscfg/ipallowdotconfig.go
+++ b/lib/go-atscfg/ipallowdotconfig.go
@@ -271,9 +271,20 @@ func MakeIPAllowDotConfig(
 sort.Sort(ipAllowDatas(ipAllowDat))
 // start with a deny for PUSH and PURGE - TODO CDL: parameterize
+ // but leave purge open through localhost
 if isMid { // Edges already deny PUSH and PURGE
 ipAllowDat = append([]ipAllowData{
 {
+ Src: `127.0.0.1`,
+ Action: ActionAllow,
+ Method: `PURGE`,
+ },
+ {
+ Src: `::1`,
+ Action: ActionAllow,
+ Method: `PURGE`,
+ },
+ {
 Src: `0.0.0.0-255.255.255.255`,
 Action: ActionDeny,
 Method: `PUSH|PURGE`,
diff --git a/lib/go-atscfg/ipallowdotconfig_test.go b/lib/go-atscfg/ipallowdotconfig_test.go
index 64880e5..c69e5e1 100644
--- a/lib/go-atscfg/ipallowdotconfig_test.go
+++ b/lib/go-atscfg/ipallowdotconfig_test.go
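Review bot: In lib/go-atscfg/ipallowdotconfig.go the two loopback entries (`127.0.0.1` and `::1`, `ActionAllow`, `PURGE`) are hard-coded ahead of the blanket `PUSH|PURGE` deny, so every Mid now trusts anything that connects over loopback to purge cache content, and an operator has no parameter to turn that off. That trust extends to any local process and, presumably, to requests relayed by a same-host proxy in front of ATS, which is worth stating next to the rule, e.g. `// loopback is trusted for PURGE on Mids: any local process or same-host proxy inherits this`. The existing comment `// start with a deny for PUSH and PURGE` no longer matches the slice, which now starts with allows, and the `TODO CDL: parameterize` applies to the new entries as well. MakeIPAllowDotConfig begins and ends outside this hunk, so how these entries interact with any later loopback rules cannot be checked from here.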
@@ -112,7 +112,7 @@ func TestMakeIPAllowDotConfig(t *testing.T) {
 ip4deny = true
 case strings.Contains(line, `::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`) && strings.Contains(line, `ip_deny`) && strings.Contains(line, `PUSH`) && strings.Contains(line, `PURGE`):
 ip6deny = true
- case strings.Contains(line, `ip_allow`):
+ case strings.Contains(line, `ip_allow`) && !(strings.Contains(line, `127.0.0.1`) || strings.Contains(line, `::1`)):
 if !(ip4deny && ip6deny) {
 t.Errorf("Expected denies for PUSH and PURGE before any ips are allowed; pre-denial allowance on line %d.", i+1)
 }
@@ -402,7 +402,7 @@ func TestMakeIPAllowDotConfigTopologies(t *testing.T) {
 ip4deny = true
 case strings.Contains(line, `::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`) && strings.Contains(line, `ip_deny`) && strings.Contains(line, `PUSH`) && strings.Contains(line, `PURGE`):
 ip6deny = true
- case strings.Contains(line, `ip_allow`):
+ case strings.Contains(line, `ip_allow`) && !(strings.Contains(line, `127.0.0.1`) || strings.Contains(line, `::1`)):
 if !(ip4deny && ip6deny) {
 t.Errorf("Expected denies for PUSH and PURGE before any ips are allowed; pre-denial allowance on line %d.", i+1)
 }
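Review bot: The exemption added to the `ip_allow` case in TestMakeIPAllowDotConfig matches loopback by substring, so a line whose source merely contains `::1` or `127.0.0.1` (for instance a constructed `2001:db8::1` or `127.0.0.10`) would also skip the deny-ordering check, and nothing requires the exempted line to be limited to PURGE. The same condition is repeated in the TestMakeIPAllowDotConfigTopologies hunk. Neither test asserts that the two loopback PURGE lines are actually emitted for a Mid, so a regression that drops them or widens their method would still pass. Consider narrowing the exemption to `!((strings.Contains(line, "127.0.0.1") || strings.Contains(line, "::1")) && strings.Contains(line, "PURGE"))`, ideally comparing the parsed source field for equality, and adding an explicit check that both loopback lines appear ahead of the deny. Both test functions start and end outside the hunks shown.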
