alemagvs opened a new issue #8176: URL: https://github.com/apache/trafficserver/issues/8176
Hi! I'm running ATS 9.0.2 in docker built from source and while trying to setup stats_over_http plugin and blocking the calls in remap.config I ran into some problems where it just wouldn't block it. I set it up as described with plugin.config: `stats_over_http.so` and it works. Then to protect my resource I followed the instructions at https://docs.trafficserver.apache.org/en/9.0.x/admin-guide/monitoring/statistics/accessing.en.html#statistics-security-and-privacy but couldnt get it to work at all. All other resources I had mapped were 403'd correctly except the stats endpoint. It seems like the stats plugin is not filtered by remap.config at all! These are just a few of the mappings that i tried, each one of them being the only one in the remap.config to have as simple config as possible: - `map /_stats http://localhost:8080/_stats @action=deny @src_ip=0.0.0.0-255.255.255.255` expected this one to block /_stats, it did not - `map / http://127.0.0.1/ats @action=deny` expected this one to block everything, it did with a 403, except /_stats - `map /atsstats http://127.0.0.1/atsstats @action=deny` changed endpoint by loading the plugin like `stats_over_http.so atsstats`, /_stats gave a 403 as expected but /atsstats still gives a reply, even if it should be denied The only thing that seems to have worked was using the plugin with a config file: ``` path=atsstats allow_ip=127.0.0.1 ``` ``` ip_allow: - apply: in ip_addrs: 127.0.0.1 action: allow methods: ALL - apply: in ip_addrs: ::1 action: allow methods: ALL - apply: in ip_addrs: 0/0 action: deny methods: - PURGE - PUSH - apply: in ip_addrs: ::/0 action: deny methods: - PURGE - PUSH ``` Changes that differ from a default records.config: ``` CONFIG proxy.config.dns.search_default_domains INT 1 CONFIG proxy.config.http.response_server_enabled INT 1 CONFIG proxy.config.body_factory.template_base STRING tmpl CONFIG proxy.config.http.server_ports STRING 8080 CONFIG proxy.config.http.cache.http INT 0 CONFIG proxy.config.url_remap.pristine_host_hdr INT 1 ``` Is there anyway i can enable some debug flags to find why it doesnt filter correctly? I presume this is not working as intended -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
