I think you would need to use named_filters to specify ranges in remap.config.

remap.config — Apache Traffic Server 5.3.0 documentation


   

On Friday, January 9, 2015 9:50 AM, Paul Tader <[email protected]> wrote:
   

 

On Jan 9, 2015, at 10:33 AM, Paul Tader <[email protected]> wrote:


On Jan 9, 2015, at 10:22 AM, James Peach <[email protected]> wrote:



On Jan 9, 2015, at 8:00 AM, Paul Tader <[email protected]> wrote:

Hmm, I didn’t think about a DNS blackhole.  For now I’m looking into additional 
remap files using the “.include” directive in remap.config but I get these 
errors after running traffic_line -x

[Jan  9 15:57:04.270] Server {47752783210240} WARNING: Could not add rule at 
line #126; Aborting!
[Jan  9 15:57:04.270] Server {47752783210240} WARNING: [ReverseProxy] Unknown 
directive ".include" at line 126
[Jan  9 15:57:04.270] Server {47752783210240} WARNING: something failed during 
BuildTable() -- check your remap plugins!
[Jan  9 15:57:04.270] Server {47752783210240} WARNING: failed to reload 
remap.config, not replacing!

My remap.conf has these two lines:

.include /etc/trafficserver/filters.config
.include /etc/trafficserver/set1.remap.config

…which is odd because the documentation states:

"The .include directive allows mapping rules to be spread across multiple 
files. The argument to the .include directive is a list of file names to be 
parsed for additional mapping rules. "

http://trafficserver.readthedocs.org/en/latest/reference/configuration/remap.config.en.html


Does your version of ATS match the version of the docs?



Nope and I apologize for that. Time to upgrade.

Thanks everyone.



Before I upgrade, I’ve tried a “deny all” map as the last line in remap.conf 
and listing all the allowed sites before this deny line, but it doesn’t take.  
Can something like this be done?  (ATS version 3.04)
...
map http://apache.org/   http://apache.org   @action=allow   @src_ip=12.34.56.123
map /                    http://127.0.0.1    @action=deny @src_ip=0.0.0.1-254.254.254.254










On Jan 8, 2015, at 8:56 PM, Leif Hedstrom <[email protected]> wrote:



On Jan 8, 2015, at 10:53 AM, Paul Tader <[email protected]> wrote:

We have a forward-only proxy server configured. How can I restrict an internal 
IP address or IP address range to only be able to proxy certain top-level 
domains (i.e. google.com, yahoo.com, etc.)?  I’ve read a lot on remapping, but I 
don’t think that is the correct approach.



DNS blackholing as suggested seems like a reasonable solution. If your list of 
domains is smallish, then something in remap.config might work as well. I’ve 
done this in the past, blocking all but a few HTTPS sites (via setting 
remap.required to 1 in records.config). The other option is to allow all sites, 
but list the ones that you intend to block (map them to some nonexistent domain 
or IP, e.g. 10.0.0.0).

Fwiw, remap rules like this with CONNECT methods only work in 5.0.0 and later.

— Leif
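
A sketch of the named-filter approach suggested at the top of this thread, added here as an example and not taken from any poster's configuration. It uses the .definefilter / .activatefilter / .deactivatefilter directives from the remap.config documentation; the filter name, address range and domains are constructed placeholders, and the records.config setting in the comment is an assumption about how unmapped requests are refused.

```text
# remap.config (constructed example; names, addresses and domains are placeholders)
#
# Assumes records.config requires a remap match for every request, so that
# anything not mapped below is refused:
#   CONFIG proxy.config.url_remap.remap_required INT 1

# A named filter can carry an address range; repeat @src_ip to list more ranges.
.definefilter restricted_clients @action=allow @src_ip=192.0.2.10-192.0.2.50

# Every map rule between activate and deactivate has the filter applied to it.
.activatefilter restricted_clients
map http://google.com/      http://google.com/
map http://www.google.com/  http://www.google.com/
map http://yahoo.com/       http://yahoo.com/
map http://www.yahoo.com/   http://www.yahoo.com/
.deactivatefilter restricted_clients
```

After reloading with traffic_line -x, check the log for warnings like the "Unknown directive" lines quoted in this thread: they mean the running version did not accept a directive and kept the previous remap table.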






   
