Hmm, I didn’t think about a DNS blackhole. For now I’m looking into additional
remap files using the “.include” directive in remap.config but I get these
errors after running traffic_line -x
[Jan 9 15:57:04.270] Server {47752783210240} WARNING: Could not add rule at line #126; Aborting!
[Jan 9 15:57:04.270] Server {47752783210240} WARNING: [ReverseProxy] Unknown directive ".include" at line 126
[Jan 9 15:57:04.270] Server {47752783210240} WARNING: something failed during BuildTable() -- check your remap plugins!
[Jan 9 15:57:04.270] Server {47752783210240} WARNING: failed to reload remap.config, not replacing!
My remap.config has these two lines:
.include /etc/trafficserver/filters.config
.include /etc/trafficserver/set1.remap.config
…which is odd because the documentation states:
"The .include directive allows mapping rules to be spread across multiple
files. The argument to the .include directive is a list of file names to be
parsed for additional mapping rules."
http://trafficserver.readthedocs.org/en/latest/reference/configuration/remap.config.en.html
> On Jan 8, 2015, at 8:56 PM, Leif Hedstrom <[email protected]> wrote:
>
>
>> On Jan 8, 2015, at 10:53 AM, Paul Tader <[email protected]> wrote:
>>
>> We have a forward only proxy server configured. How can I restrict an
>> internal IP address or IP address range to only be able to proxy certain top
>> level domains (i.e. google.com, yahoo.com, etc.)? I’ve read a lot on
>> remapping, but I don’t think that is the correct approach.
>
>
> DNS blackholing as suggested seems like a reasonable solution. If your list
> of domains is smallish, then something in remap.config might work as well.
> I’ve done this in the past, blocking all but a few HTTPS sites (via setting
> remap.required to 1 in records.config). The other option is to allow all
> sites, but list the ones that you intend to block (map them to some
> nonexistent domain or IP, e.g. 10.0.0.0).
>
> Fwiw, remap rules like this with CONNECT methods only works in 5.0.0 and
> later.
>
> — Leif
>
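A worked configuration sketch of the remap-based approach Leif describes (remap_required plus an explicit list of allowed sites, or a blocklist mapped to a dead address), extended with a per-source-IP filter so that only a chosen internal range is allowed through. This is an added example, not part of the thread and not a file shipped by the Traffic Server project. It assumes an ATS release whose remap.config parser accepts the `.include`, `.definefilter` and `.activatefilter` directives (the linked documentation describes them; the warnings quoted above show that the poster's build does not), and the address range 10.1.0.1-10.1.0.254, the file names and the domain names are placeholders.

```text
# records.config -- refuse any request that does not match a remap rule
CONFIG proxy.config.url_remap.remap_required INT 1

# remap.config -- pull the rule sets in from separate files
.include /etc/trafficserver/filters.config
.include /etc/trafficserver/set1.remap.config

# /etc/trafficserver/filters.config -- named filter, defined once
# (placeholder range: the internal clients that may use the proxy)
.definefilter lan_only @action=allow @src_ip=10.1.0.1-10.1.0.254

# /etc/trafficserver/set1.remap.config -- allow-list for that range
.activatefilter lan_only
map http://www.google.com/  http://www.google.com/
map http://www.yahoo.com/   http://www.yahoo.com/
# HTTPS (CONNECT) rules like the next one only take effect on 5.0.0 and later,
# as Leif notes above
map https://www.google.com/ https://www.google.com/
.deactivatefilter lan_only

# The alternative Leif mentions: allow everything by leaving remap_required
# at 0 and instead send the sites you want blocked to a dead address
# map http://blocked.example/ http://10.0.0.0/
```

With remap_required set, a request for any origin that has no matching map line is rejected by the proxy rather than forwarded, so the allow-list is the set of map rules between the activate and deactivate lines; requests from addresses outside the filter's source range are refused before the map rule applies. After editing, reload with traffic_line -x and check the error log: if the reload fails, the old table stays in place, as the "not replacing!" warning above shows.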