> On Jan 9, 2015, at 10:22 AM, James Peach <[email protected]> wrote:
>
>> On Jan 9, 2015, at 8:00 AM, Paul Tader <[email protected]> wrote:
>>
>> Hmm, I didn’t think about a DNS blackhole. For now I’m looking into
>> additional remap files using the “.include” directive in remap.config but I
>> get these errors after running traffic_line -x
>>
>> [Jan 9 15:57:04.270] Server {47752783210240} WARNING: Could not add rule at
>> line #126; Aborting!
>> [Jan 9 15:57:04.270] Server {47752783210240} WARNING: [ReverseProxy]
>> Unknown directive ".include" at line 126
>> [Jan 9 15:57:04.270] Server {47752783210240} WARNING: something failed
>> during BuildTable() -- check your remap plugins!
>> [Jan 9 15:57:04.270] Server {47752783210240} WARNING: failed to reload
>> remap.config, not replacing!
>>
>> My remap.conf has these two lines:
>>
>> .include /etc/trafficserver/filters.config
>> .include /etc/trafficserver/set1.remap.config
>>
>> …which is odd because the documentation states:
>>
>> "The .include directive allows mapping rules to be spread across multiple
>> files. The argument to the .include directive is a list of file names to be
>> parsed for additional mapping rules. "
>>
>> http://trafficserver.readthedocs.org/en/latest/reference/configuration/remap.config.en.html
>
> Does your version of ATS match the version of the docs?

Nope and I apologize for that. Time to upgrade. Thanks everyone.

>
>>
>>> On Jan 8, 2015, at 8:56 PM, Leif Hedstrom <[email protected]> wrote:
>>>
>>>> On Jan 8, 2015, at 10:53 AM, Paul Tader <[email protected]> wrote:
>>>>
>>>> We have a forward only proxy server configured. How can I restrict an
>>>> internal IP address or IP address range to only be able to proxy certain
>>>> top level domains (i.e. google.com, yahoo.com, etc)? I’ve read a lot on
>>>> remapping, but I don’t think that is the correct approach.
>>>
>>> DNS blackholing as suggested seems like a reasonable solution. If your list
>>> of domains is smallish, then something in remap.config might work as well.
>>> I’ve done this in the past, blocking all but a few HTTPS sites (via setting
>>> remap.required to 1 in records.config). The other option is to allow all
>>> sites, but list the ones that you intend to block (map them to some
>>> nonexistent domain or IP, e.g. 10.0.0.0).
>>>
>>> Fwiw, remap rules like this with CONNECT methods only work in 5.0.0 and
>>> later.
>>>
>>> — Leif
>>>
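
Added example, not part of the thread and not ATS project code: for a build that rejects ".include" with the warnings quoted above, this script expands the includes into one flat rule list that can be written out as a single remap.config. It assumes relative names resolve against the including file's directory; the function names and the sample files are constructed for illustration.

```python
import os
import tempfile


def flatten_remap(path, _stack=()):
    """Return the lines of `path` with every .include expanded in place."""
    real = os.path.realpath(path)
    if real in _stack:
        # A file that (indirectly) includes itself would recurse forever.
        raise ValueError("include cycle: " + " -> ".join(_stack + (real,)))
    out = []
    with open(real, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.rstrip("\n")
            fields = line.split()
            if fields and fields[0] == ".include":
                if len(fields) < 2:
                    raise ValueError(f"{real}: .include with no file name")
                # The directive takes a list of file names, per the quoted docs.
                for name in fields[1:]:
                    # Assumption: relative names are relative to the including
                    # file; absolute names are used unchanged by os.path.join.
                    target = os.path.join(os.path.dirname(real), name)
                    out.append(f"# begin {name}")
                    out.extend(flatten_remap(target, _stack + (real,)))
                    out.append(f"# end {name}")
            else:
                out.append(line)
    return out


def demo():
    """Build a constructed config tree in a temp dir and flatten it."""
    files = {
        "remap.config": "# constructed sample\n"
                        ".include filters.config set1.remap.config\n",
        "filters.config": "map http://google.com/ http://google.com/\n",
        "set1.remap.config": "map http://yahoo.com/ http://yahoo.com/\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in files.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return flatten_remap(os.path.join(d, "remap.config"))


if __name__ == "__main__":
    print("\n".join(demo()))
```

The begin/end comment lines record which file each rule came from, so a line number in a later reload warning can be traced back to its source file.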
