I think this would work, and I think I'm close, but I tried this (ver 3 uses .useflt and .defflt instead of .activatefilter and .deactivatefilter):

.defflt disable_all @action=deny
.defflt internal_only @action=allow @src_ip=10.0.0.0-255.255.255.255
.useflt internal_only
map https://www.facebook.com https://www.facebook.com
map https://www.yahoo.com https://www.yahoo.com
map http://finance.yahoo.com http://finance.yahoo.com
.unuseflt internal_only
.useflt disable_all

But going to a site not listed (www.oracle.com) is still allowed. ?

1420835169.093 134 10.1.2.3 TCP_MISS/200 38458 GET http://www.oracle.com/index.html - DIRECT/www.oracle.com text/html -

I've also tried placing ".useflt disable_all" before the ".useflt internal_only" filter with no luck; sites not on the list are still allowed out.

> On Jan 9, 2015, at 12:02 PM, Sudheer Vinukonda <[email protected]> wrote:
>
> I think you would need to use named_filters to specify ranges in remap.config.
>
> remap.config — Apache Traffic Server 5.3.0 documentation
> <https://docs.trafficserver.apache.org/en/latest/reference/configuration/remap.config.en.html#named-filters>
>
> On Friday, January 9, 2015 9:50 AM, Paul Tader <[email protected]> wrote:
>
>> On Jan 9, 2015, at 10:33 AM, Paul Tader <[email protected]> wrote:
>>
>>> On Jan 9, 2015, at 10:22 AM, James Peach <[email protected]> wrote:
>>>
>>>> On Jan 9, 2015, at 8:00 AM, Paul Tader <[email protected]> wrote:
>>>>
>>>> Hmm, I didn't think about a DNS blackhole. For now I'm looking into additional remap files using the ".include" directive in remap.config, but I get these errors after running traffic_line -x:
>>>>
>>>> [Jan 9 15:57:04.270] Server {47752783210240} WARNING: Could not add rule at line #126; Aborting!
>>>> [Jan 9 15:57:04.270] Server {47752783210240} WARNING: [ReverseProxy] Unknown directive ".include" at line 126
>>>> [Jan 9 15:57:04.270] Server {47752783210240} WARNING: something failed during BuildTable() -- check your remap plugins!
>>>> [Jan 9 15:57:04.270] Server {47752783210240} WARNING: failed to reload remap.config, not replacing!
>>>>
>>>> My remap.conf has these two lines:
>>>>
>>>> .include /etc/trafficserver/filters.config
>>>> .include /etc/trafficserver/set1.remap.config
>>>>
>>>> ...which is odd, because the documentation states:
>>>>
>>>> "The .include directive allows mapping rules to be spread across multiple files. The argument to the .include directive is a list of file names to be parsed for additional mapping rules."
>>>>
>>>> http://trafficserver.readthedocs.org/en/latest/reference/configuration/remap.config.en.html
>>>
>>> Does your version of ATS match the version of the docs?
>>
>> Nope, and I apologize for that. Time to upgrade.
>>
>> Thanks everyone.
>
> Before I upgrade, I've tried a "deny all" map as the last line in remap.conf and listing all the allowed sites before this deny line, but it doesn't take. Can something like this be done? (ATS version 3.04)
>
> ...
> map http://apache.org/ http://apache.org @action=allow @src_ip=12.34.56.123
> map / http://127.0.0.1 @action=deny @src_ip=0.0.0.1-254.254.254.254
>
>>>>> On Jan 8, 2015, at 8:56 PM, Leif Hedstrom <[email protected]> wrote:
>>>>>
>>>>>> On Jan 8, 2015, at 10:53 AM, Paul Tader <[email protected]> wrote:
>>>>>>
>>>>>> We have a forward-only proxy server configured. How can I restrict an internal IP address or IP address range to only be able to proxy certain top-level domains (i.e. google.com, yahoo.com, etc.)? I've read a lot on remapping, but I don't think that is the correct approach.
>>>>>
>>>>> DNS blackholing as suggested seems like a reasonable solution. If your list of domains is smallish, then something in remap.config might work as well. I've done this in the past, blocking all but a few HTTPS sites (via setting remap.required to 1 in records.config). The other option is to allow all sites, but list the ones that you intend to block (map them to some nonexistent domain or IP, e.g. 10.0.0.0).
>>>>>
>>>>> Fwiw, remap rules like this with CONNECT methods only work in 5.0.0 and later.
>>>>>
>>>>> — Leif
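The poster found out that the filter was not enforced only by noticing an oracle.com hit in the access log. The script below is an added example (not code from the thread or from Apache Traffic Server) that automates that check: it parses squid-format access log lines like the one quoted above and reports every request that the proxy actually served (status below 400) from the restricted client range to a host outside the allow list. The client range 10.0.0.0/8, the allowed domains, and the log lines are constructed for the example and are not values from the thread; a denied request (403) counts as the policy working and is not reported, and CONNECT requests are handled separately because they carry host:port rather than a URL.

```python
import ipaddress
from urllib.parse import urlsplit

# Policy assumed for this example (constructed, not from the thread):
# clients in RESTRICTED_NET may only reach hosts under ALLOWED_DOMAINS,
# matched exactly or as a subdomain (finance.yahoo.com matches yahoo.com).
RESTRICTED_NET = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_DOMAINS = ("facebook.com", "yahoo.com")

# Constructed squid-format log lines; the first mirrors the one quoted above.
SAMPLE_LOG = """\
1420835169.093 134 10.1.2.3 TCP_MISS/200 38458 GET http://www.oracle.com/index.html - DIRECT/www.oracle.com text/html -
1420835170.112 88 10.1.2.3 TCP_HIT/200 5120 GET http://finance.yahoo.com/q?s=AAPL - NONE/- text/html -
1420835171.540 201 10.1.2.9 TCP_MISS/200 0 CONNECT www.facebook.com:443 - DIRECT/www.facebook.com - -
1420835172.001 150 192.168.5.7 TCP_MISS/200 8000 GET http://www.oracle.com/ - DIRECT/www.oracle.com text/html -
1420835173.222 90 10.1.2.3 TCP_MISS/403 0 GET http://evil.example/ - NONE/- - -
"""


def request_host(method, url):
    """Destination host of a request. CONNECT carries host:port, not a URL."""
    if method == "CONNECT":
        host, _, _ = url.rpartition(":")
        return (host or url).lower()
    return (urlsplit(url).hostname or "").lower()


def parse_squid_line(line):
    """Parse one squid-format access log line; return None if it is malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    ts, _elapsed, client, code_status, _size, method, url = fields[:7]
    try:
        return {
            "ts": float(ts),
            "client": ipaddress.ip_address(client),
            # "TCP_MISS/200" -> 200
            "status": int(code_status.split("/", 1)[1]),
            "method": method,
            "url": url,
            "host": request_host(method, url),
        }
    except (ValueError, IndexError):
        return None


def host_allowed(host, allowed=ALLOWED_DOMAINS):
    """True if host equals an allowed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def find_violations(log_text, net=RESTRICTED_NET, allowed=ALLOWED_DOMAINS):
    """Return (client, host, url) for served requests from `net` to hosts
    outside the allow list. Requests the proxy denied (status >= 400) are
    the policy working and are not reported."""
    violations = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None or rec["client"] not in net:
            continue
        if rec["status"] < 400 and not host_allowed(rec["host"], allowed):
            violations.append((str(rec["client"]), rec["host"], rec["url"]))
    return violations


if __name__ == "__main__":
    for client, host, url in find_violations(SAMPLE_LOG):
        print(f"VIOLATION: {client} reached {host} ({url})")
```

Run against the sample, only the oracle.com fetch from 10.1.2.3 is reported: the facebook CONNECT and the finance.yahoo.com fetch are on the list, the 192.168.5.7 client is outside the restricted range, and the 403 shows the proxy refusing a request rather than serving it. Pointing the script at a real access log after each remap.config reload gives a quick regression check that the deny filter really took effect.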
