This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/9.0.x by this push:
     new 59d5e13  Document ip_allow in sni.yaml (#6723)
59d5e13 is described below

commit 59d5e1373b19f1441353d139517bb143b40ec1aa
Author: Susan Hinrichs <shinr...@yahoo-inc.com>
AuthorDate: Fri May 1 09:31:23 2020 -0500

    Document ip_allow in sni.yaml (#6723)

    Co-authored-by: Susan Hinrichs <shinr...@verizonmedia.com>
    (cherry picked from commit 11041d9368de4e68a6447d23d1fa9d04c7bbc7c7)
---
 doc/admin-guide/files/sni.yaml.en.rst | 43 +++++++++++++++++++----------------
 1 file changed, 24 insertions(+), 19 deletions(-)

diff --git a/doc/admin-guide/files/sni.yaml.en.rst b/doc/admin-guide/files/sni.yaml.en.rst
index 76f5aa9..b6e3780 100644
--- a/doc/admin-guide/files/sni.yaml.en.rst
+++ b/doc/admin-guide/files/sni.yaml.en.rst
@@ -47,11 +47,16 @@ the user needs to enter the fqdn in the configuration with a ``*.`` followed by .. _override-verify-server-properties: .. _override-host-sni-policy: -========================= ============================================================================== +========================= ======================================================================================== Key Meaning -========================= ============================================================================== +========================= ======================================================================================== fqdn Fully Qualified Domain Name. This item is used if the SNI value matches this. +ip_allow Specify a list of client IP address, subnets, or ranges what are allowed to complete + the connection. This list is comma separated. IPv4 and IPv6 addresses can be specified. + Here is an example list: 192.168.1.0/24,192.168.10.1-4. This would allow connections + from clients in the 19.168.1.0 network or in the range from 192.168.10.1 to 192.168.1.4. + verify_server_policy One of the values :code:`DISABLED`, :code:`PERMISSIVE`, or :code:`ENFORCED`. By default this is :ts:cv:`proxy.config.ssl.client.verify.server.policy`. 
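Review bot: the worked example in the new ip_allow row contradicts the list it is explaining. The list `192.168.1.0/24,192.168.10.1-4` allows the 192.168.1.0/24 network and the range 192.168.10.1 to 192.168.10.4, but the following sentence says "the 19.168.1.0 network" and "from 192.168.10.1 to 192.168.1.4"; please fix both addresses so that a reader copying the example is not misled about which clients are admitted. The first sentence also needs grammar fixes: "a list of client IP address, subnets, or ranges what are allowed" should read "a list of client IP addresses, subnets, or ranges that are allowed". Finally, unlike verify_server_policy directly below ("By default this is ..."), the row does not say what applies when ip_allow is omitted from an entry; a one-line statement of the default would remove the ambiguity.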
@@ -76,18 +81,18 @@ verify_client One of the values :code:`NONE`, :code:`MODERATE`, or : host_sni_policy One of the values :code:`DISABLED`, :code:`PERMISSIVE`, or :code:`ENFORCED`. - If not specified, the value of :ts:cv:`proxy.config.http.host_sni_policy` is used. This controls - how policy impacting mismatches between host header and SNI values are dealt with. + If not specified, the value of :ts:cv:`proxy.config.http.host_sni_policy` is used. + This controls how policy impacting mismatches between host header and SNI values are + dealt with. valid_tls_versions_in This specifies the list of TLS protocols that will be offered to user agents during - the TLS negotiation. This replaces the global settings in :ts:cv:`proxy.config.ssl.TLSv1`, - :ts:cv:`proxy.config.ssl.TLSv1_1`, :ts:cv:`proxy.config.ssl.TLSv1_2`, - and :ts:cv:`proxy.config.ssl.TLSv1_3`. The potential values are TLSv1, TLSv1_1, TLSv1_2, and - TLSv1_3. You must list all protocols that |TS| should offer to the client when using - this key. This key is only valid for openssl 1.1.0 and later. Older versions of openssl do not - provide a hook early enough to update the SSL object. It is a syntax error for |TS| built - against earlier versions. - + the TLS negotiation. This replaces the global settings in + :ts:cv:`proxy.config.ssl.TLSv1`, :ts:cv:`proxy.config.ssl.TLSv1_1`, + :ts:cv:`proxy.config.ssl.TLSv1_2`, and :ts:cv:`proxy.config.ssl.TLSv1_3`. The potential + values are TLSv1, TLSv1_1, TLSv1_2, and TLSv1_3. You must list all protocols that |TS| + should offer to the client when using this key. This key is only valid for openssl + 1.1.0 and later. Older versions of openssl do not provide a hook early enough to update + the SSL object. It is a syntax error for |TS| built against earlier versions. client_cert The file containing the client certificate to use for the outbound connection. 
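Review bot: style point on the valid_tls_versions_in row: "openssl" appears twice in lower case ("only valid for openssl 1.1.0 and later", "Older versions of openssl"); since it is the library's proper name, write OpenSSL in both places while these lines are being touched. Otherwise the hunk only rewraps host_sni_policy and valid_tls_versions_in to the wider column with no change in wording, which is fine.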
@@ -110,8 +115,8 @@ disable_h2 Deprecated for the more general h2 setting. Setting d to :code:`true` is the same as setting http2 to :code:`on`. tunnel_route Destination as an FQDN and port, separated by a colon ``:``. - Match group number can be specified by ``$N`` where N should refer to a specified group in - the FQDN, ``tunnel_route: $1.domain``. + Match group number can be specified by ``$N`` where N should refer to a specified group + in the FQDN, ``tunnel_route: $1.domain``. This will forward all traffic to the specified destination without first terminating the incoming TLS connection. @@ -124,11 +129,11 @@ forward_route Destination as an FQDN and port, separated by a colon partial_blind_route Destination as an FQDN and port, separated by a colon ``:``. - This is similar to forward_route in that |TS| terminates the incoming TLS connection. In - addition partial_blind_route creates a new TLS connection to the specified origin. It does - not interpret the decrypted data before passing it to the origin TLS connection, so - the contents do not need to be HTTP. -========================= ============================================================================== + This is similar to forward_route in that |TS| terminates the incoming TLS connection. + In addition partial_blind_route creates a new TLS connection to the specified origin. + It does not interpret the decrypted data before passing it to the origin TLS + connection, so the contents do not need to be HTTP. +========================= ======================================================================================== Client verification, via ``verify_client``, corresponds to setting :ts:cv:`proxy.config.ssl.client.certification_level` for this connection as noted below.
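Review bot: in the partial_blind_route hunk, the key names forward_route and partial_blind_route are written as bare words inside the running text, whereas the tunnel_route row just above and the "via ``verify_client``" sentence after the table mark configuration keys with ``literal`` markup; use the same markup here for consistency. The widened closing border is correct: for the RST simple table to parse, the closing rule must be exactly as wide as the header rule introduced in the first hunk, and the new `========================= ...` line matches it character for character. The rewrapped text itself is unchanged in meaning.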