> On Jan 9, 2015, at 8:00 AM, Paul Tader <[email protected]> wrote:
> 
> Hmm, I didn’t think about a DNS blackhole.  For now I’m looking into 
> additional remap files using the “.include” directive in remap.config but I 
> get these errors after running traffic_line -x
> 
> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: Could not add rule at 
> line #126; Aborting!
> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: [ReverseProxy] Unknown 
> directive ".include" at line 126
> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: something failed 
> during BuildTable() -- check your remap plugins!
> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: failed to reload 
> remap.config, not replacing!
> 
> My remap.conf has these two lines:
> 
> .include /etc/trafficserver/filters.config
> .include /etc/trafficserver/set1.remap.config
> 
> …which is odd because the documentation states:
> 
> "The .include directive allows mapping rules to be spread across multiple 
> files. The argument to the .include directive is a list of file names to be 
> parsed for additional mapping rules. "
> 
> http://trafficserver.readthedocs.org/en/latest/reference/configuration/remap.config.en.html

Does your version of ATS match the version of the docs?

>
>> On Jan 8, 2015, at 8:56 PM, Leif Hedstrom <[email protected]> wrote:
>> 
>> 
>>> On Jan 8, 2015, at 10:53 AM, Paul Tader <[email protected]> wrote:
>>> 
>>> We have a forward only proxy server configured. How can I restrict an 
>>> internal IP address or IP address range to only be able to proxy certain 
>>> top level domains (i.e. google.com, yahoo.com, etc)?  I’ve read a lot on 
>>> remapping, but I don’t think that is the correct approach.
>> 
>> 
>> DNS blackholing as suggested seems like a reasonable solution. If your list 
>> of domains is smallish, then something in remap.config might work as well. 
>> I’ve done this in the past, blocking all but a few HTTPS sites (via setting 
>> remap.required to 1 in records.config). The other option is to allow all 
>> sites, but list the ones that you intend to block (map them to some 
>> nonexistent domain or IP, e.g. 10.0.0.0).
>> 
>> Fwiw, remap rules like this with CONNECT methods only work in 5.0.0 and 
>> later.
>> 
>> — Leif
>> 
> 
