Cool, thanks for the clarification.

On Thu, Jun 1, 2017 at 12:29 PM, Peter Ryder (peryder) <[email protected]> wrote:

> The config file I’m proposing is separate from the CRConfig. CrConfig will just contain an http link where the TR can get it, like you said.
>
> RGB does not have to be enabled, I just mentioned specifically in case there are thoughts in which order the checks should be done. As it stands right now, it would check CZF first, then Geo and finally anonymous blocking.
>
> -Peter
>
> On 6/1/17, 2:23 PM, "Dave Neuman" <[email protected]> wrote:
>
> Hey Peter,
> Thanks for the write up. It sounds like you want to embed this new config file in the CrConfig? Is there a reason we can't keep it standalone and have Traffic Router fetch it like we do with Federations, Steering, etc?
> Also, you say "Anonymous Blocking will occur after RGB check" does that mean you have to have RGB enabled to have Anonymous IP blocking enabled?
> Thanks,
> Dave
>
> On Thu, Jun 1, 2017 at 11:13 AM, Peter Ryder (peryder) <[email protected]> wrote:
>
> > Hi All,
> >
> > I am working with Eric to implement anonymous IP blocking into the Traffic Router, and am looking to contribute it back to open source.
> >
> > It will be structured similarly to RGB.
> >
> > I am looking to get any feedback on the design before going ahead with this feature.
> >
> > Feature Requirements
> >
> > * Traffic Ops
> >   * Add new TR parameter for path to AnonymousIP database
> >   * Add new TR parameter for path to AnonymousIP Policy Configuration File
> >   * Add new TR parameter for polling interval for combined database and configuration file
> >   * Add new API and GUI screens to enable/disable this feature per-DS
> >   * Include new DS configuration and both new config file parameters in CRConfig
> > * Traffic Router
> >   * Download new anonymous IP database
> >   * Configuration
> >     * Parse new config in CRConfig file
> >     * Download+Parse new AnonymousIP Policy config file
> >   * Evaluate incoming requests against configuration
> >     * Allow any requests matching IP whitelist
> >     * Block any request which appears in AnonymousIP database matching a configured type
> >     * Allow all other requests
> >   * TR Access logs indicate if request was blocked due to anonymous IP related policy
> >
> > Feature Design
> >
> > Maxmind SDK: https://maxmind.github.io/GeoIP2-java/doc/v2.8.0/com/maxmind/geoip2/model/AnonymousIpResponse.html
> >
> > GeoIP2 Java API: https://maxmind.github.io/GeoIP2-java/
> >
> > Config File
> >
> > {
> >   "customer": "<customerName>",
> >   "version": "<versionString>",
> >   "date" : "<timestamp string>",
> >   "name": "<Identifying Name>",
> >
> >   "anonymousIp": { "blockAnonymousVPN": true,
> >                    "blockHostingProvider": true,
> >                    "blockPublicProxy": true,
> >                    "blockTorExitNode": true},
> >
> >   "ip4Whitelist": [<subnet1>, <subnet2>], //optional
> >   "ip6Whitelist": [] //optional
> > }
> >
> > Implementation Notes
> >
> > Anonymous Blocking will occur after RGB check
> >
> > If an IP is whitelisted in the RGB config, and is present in the Anonymous IP database, the IP will be blocked
> >
> > Anonymous Blocking is per delivery service
> >
> > Config file is global
> >
> > Thanks,
> >
> > -Peter
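
Added example, not part of the thread and not Traffic Router code: a Python sketch of the evaluation order listed under "Feature Requirements" (whitelist first, then the configured anonymous types, then allow), run against a constructed policy file that follows the proposed template. The trait keys, reason strings and the `ds_enabled` argument are assumptions made for illustration; the earlier CZF and Geo checks are out of scope here.

```python
import ipaddress
import json

# Constructed policy file following the template in the proposal.
POLICY_JSON = """
{
  "customer": "example-customer",
  "version": "1",
  "date": "2017-06-01",
  "name": "example-policy",
  "anonymousIp": {"blockAnonymousVPN": true,
                  "blockHostingProvider": false,
                  "blockPublicProxy": true,
                  "blockTorExitNode": true},
  "ip4Whitelist": ["192.0.2.0/24"],
  "ip6Whitelist": []
}
"""

# Policy flag -> trait key. The trait keys are hypothetical stand-ins for the
# per-type booleans that an anonymous IP database lookup returns.
FLAG_TO_TRAIT = {
    "blockAnonymousVPN": "anonymous_vpn",
    "blockHostingProvider": "hosting_provider",
    "blockPublicProxy": "public_proxy",
    "blockTorExitNode": "tor_exit_node",
}

def load_policy(text):
    """Parse the policy; a malformed subnet raises ValueError at load time."""
    raw = json.loads(text)
    nets = raw.get("ip4Whitelist", []) + raw.get("ip6Whitelist", [])  # both optional
    return {"flags": raw.get("anonymousIp", {}),
            "whitelist": [ipaddress.ip_network(n) for n in nets]}

def evaluate(policy, client_ip, traits, ds_enabled=True):
    """Return (allowed, reason); traits is None when the IP is not in the database."""
    if not ds_enabled:                      # blocking is per delivery service
        return True, "anonymous-blocking-disabled"
    addr = ipaddress.ip_address(client_ip)
    # Step 1: the whitelist wins even if the address is in the database.
    if any(addr in net for net in policy["whitelist"]):
        return True, "whitelisted"
    # Step 2: block only on types the policy has switched on.
    for flag, trait in FLAG_TO_TRAIT.items():
        if policy["flags"].get(flag) and traits and traits.get(trait):
            return False, "blocked:" + trait   # reason string for the access log
    # Step 3: everything else is allowed.
    return True, "allowed"
```

The reason string is the piece an access log entry would carry to show that a request was refused by the anonymous IP policy rather than by another check.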
