The config file I’m proposing is separate from the CRConfig. CrConfig will just 
contain an http link where the TR can get it, like you said.

RGB does not have to be enabled; I just mentioned it specifically in case there 
are thoughts on which order the checks should be done in. As it stands right now, 
it would check CZF first, then Geo and finally anonymous blocking.

-Peter

On 6/1/17, 2:23 PM, "Dave Neuman" <[email protected]> wrote:

    Hey Peter,
    Thanks for the write up.  It sounds like you want to embed this new config
    file in the CrConfig?  Is there a reason we can't keep it standalone and
    have Traffic Router fetch it like we do with Federations, Steering, etc?
    Also, you say "Anonymous Blocking will occur after RGB check" does that
    mean you have to have RGB enabled to have Anonymous IP blocking enabled?
    Thanks,
    Dave
    
    On Thu, Jun 1, 2017 at 11:13 AM, Peter Ryder (peryder) <[email protected]>
    wrote:
    
    > Hi All,
    >
    > I am working with Eric to implement anonymous IP blocking into the Traffic
    > Router, and am looking to contribute it back to open source.
    >
    > It will be structured similarly to RGB.
    >
    > I am looking to get any feedback on the design before going ahead with
    > this feature.
    >
    > Feature Requirements
    >
    >   *   Traffic Ops
    >      *   Add new TR parameter for path to AnonymousIP database
    >      *   Add new TR parameter for path to AnonymousIP Policy Configuration File
    >      *   Add new TR parameter for polling interval for combined database and configuration file
    >      *   Add new API and GUI screens to enable/disable this feature per-DS
    >      *   Include new DS configuration and both new config file parameters in CRConfig
    >   *   Traffic Router
    >      *   Download new anonymous IP database
    >      *   Configuration
    >         *   Parse new config in CRConfig file
    >         *   Download+Parse new AnonymousIP Policy config file
    >      *   Evaluate incoming requests against configuration
    >         *   Allow any requests matching IP whitelist
    >         *   Block any request which appears in AnonymousIP database matching a configured type
    >         *   Allow all other requests
    >      *   TR Access logs indicate if request was blocked due to anonymous IP related policy
    >
    > Feature Design
    >
    > Maxmind SDK: https://maxmind.github.io/GeoIP2-java/doc/v2.8.0/com/maxmind/geoip2/model/AnonymousIpResponse.html
    >
    > GeoIP2 Java API: https://maxmind.github.io/GeoIP2-java/
    >
    > Config File
    >
    > {
    >    "customer": "<customerName>",
    >    "version": "<versionString>",
    >    "date" : "<timestamp string>",
    >    "name": "<Identifying Name>",
    >
    >    "anonymousIp": { "blockAnonymousVPN": true,
    >                     "blockHostingProvider": true,
    >                     "blockPublicProxy": true,
    >                     "blockTorExitNode": true },
    >
    >    "ip4Whitelist": [<subnet1>, <subnet2>],   //optional
    >    "ip6Whitelist": []  //optional
    > }
    >
    >
    >
    > Implementation Notes
    >
    > Anonymous Blocking will occur after RGB check
    >
    > If an IP is whitelisted in the RGB config, and is present in the Anonymous
    > IP database, the IP will be blocked
    >
    > Anonymous Blocking is per delivery service
    >
    > Config file is global
    >
    >
    >
    > Thanks,
    >
    > -Peter
    >
    >
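
The evaluation order from the requirements in this thread (whitelist first, then a database match against the configured types, then allow), as an added Python sketch that is not Traffic Router code and not code from the thread. The in-memory database is a constructed stand-in, and the flag names, `load_policy` and `evaluate` are hypothetical; only the anonymous-IP step is covered, not the CZF or Geo checks.

```python
import ipaddress
import json

# Constructed policy in the shape of the config file posted in the thread.
POLICY_JSON = """
{
  "customer": "example-customer", "version": "1",
  "date": "2017-06-01", "name": "example-policy",
  "anonymousIp": {"blockAnonymousVPN": true, "blockHostingProvider": false,
                  "blockPublicProxy": true, "blockTorExitNode": true},
  "ip4Whitelist": ["192.0.2.0/28"], "ip6Whitelist": []
}
"""

# Policy key -> flag name used in the stand-in database below (assumed names).
FLAG_FOR_KEY = {
    "blockAnonymousVPN": "anonymous_vpn",
    "blockHostingProvider": "hosting_provider",
    "blockPublicProxy": "public_proxy",
    "blockTorExitNode": "tor_exit_node",
}

# Constructed stand-in for the anonymous IP database: network -> flags.
ANON_DB = {
    ipaddress.ip_network("192.0.2.0/24"): {"anonymous_vpn"},
    ipaddress.ip_network("198.51.100.0/24"): {"hosting_provider"},
    ipaddress.ip_network("2001:db8::/32"): {"tor_exit_node"},
}

def load_policy(text):
    """Return (whitelist networks, set of flags the policy blocks)."""
    cfg = json.loads(text)
    nets = cfg.get("ip4Whitelist", []) + cfg.get("ip6Whitelist", [])
    blocked = {FLAG_FOR_KEY[k] for k, v in cfg["anonymousIp"].items()
               if v is True and k in FLAG_FOR_KEY}
    return [ipaddress.ip_network(n) for n in nets], blocked

def evaluate(client_ip, ds_enabled, whitelist, blocked, db=ANON_DB):
    """Return (allowed, reason) for the anonymous-IP step only."""
    if not ds_enabled:  # blocking is enabled per delivery service
        return True, "feature-disabled"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in whitelist):  # whitelist is checked first
        return True, "whitelisted"
    for net, flags in db.items():
        hit = flags & blocked if ip in net else set()
        if hit:  # reason string is what an access log entry could carry
            return False, "blocked:" + ",".join(sorted(hit))
    return True, "no-match"
```
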
    
