Doesn’t this break the forward proxy then?

   # To enable forward proxy, you must turn off remap_required
CONFIG proxy.config.url_remap.remap_required INT 1


> On Jan 9, 2015, at 2:47 PM, Sudheer Vinukonda <[email protected]> wrote:
> 
> You will also need to enable the config proxy.config.url_remap.remap_required 
> (like Leif suggested earlier).
> 
> 
> 
> On Friday, January 9, 2015 12:30 PM, Paul Tader <[email protected]> 
> wrote:
> 
> 
> I think this would work, and I think I’m close but I tried this (ver 3 uses 
> .useflt and .defflt instead of .activatefilter and .deactivatefilter):
> 
> 
> .defflt  disable_all @action=deny
> .defflt  internal_only @action=allow  @src_ip=10.0.0.0-255.255.255.255
> 
> .useflt internal_only
> map https://www.facebook.com    https://www.facebook.com
> map https://www.yahoo.com       https://www.yahoo.com
> map http://finance.yahoo.com    http://finance.yahoo.com
> .unuseflt internal_only
> 
> .useflt disable_all
> 
> 
> But going to a site not listed (www.oracle.com) is still allowed.  ?
> 1420835169.093 134 10.1.2.3 TCP_MISS/200 38458 GET http://www.oracle.com/index.html - DIRECT/www.oracle.com text/html -
> 
> I’ve also tried placing ".useflt disable_all” before the “.useflt 
> internal_only” filter with no luck, sites not on the list are still allowed 
> out.
> 
> 
>> On Jan 9, 2015, at 12:02 PM, Sudheer Vinukonda <[email protected]> wrote:
>> 
>> I think you would need to use named_filters to specify ranges in 
>> remap.config.
>> 
>> 
>> remap.config — Apache Traffic Server 5.3.0 documentation
>> <https://docs.trafficserver.apache.org/en/latest/reference/configuration/remap.config.en.html#named-filters>
>> 
>> 
>> On Friday, January 9, 2015 9:50 AM, Paul Tader <[email protected]> wrote:
>> 
>> 
>> 
>>> On Jan 9, 2015, at 10:33 AM, Paul Tader <[email protected]> wrote:
>>> 
>>>> 
>>>> On Jan 9, 2015, at 10:22 AM, James Peach <[email protected]> wrote:
>>>> 
>>>> 
>>>>> On Jan 9, 2015, at 8:00 AM, Paul Tader <[email protected]> wrote:
>>>>> 
>>>>> Hmm, I didn’t think about a DNS blackhole.  For now I’m looking into 
>>>>> additional remap files using the “.include” directive in remap.config but 
>>>>> I get these errors after running traffic_line -x
>>>>> 
>>>>> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: Could not add rule 
>>>>> at line #126; Aborting!
>>>>> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: [ReverseProxy] 
>>>>> Unknown directive ".include" at line 126
>>>>> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: something failed 
>>>>> during BuildTable() -- check your remap plugins!
>>>>> [Jan  9 15:57:04.270] Server {47752783210240} WARNING: failed to reload 
>>>>> remap.config, not replacing!
>>>>> 
>>>>> My remap.conf has these two lines:
>>>>> 
>>>>> .include /etc/trafficserver/filters.config
>>>>> .include /etc/trafficserver/set1.remap.config
>>>>> 
>>>>> …which is odd because the documentation states:
>>>>> 
>>>>> "The .include directive allows mapping rules to be spread across multiple 
>>>>> files. The argument to the .include directive is a list of file names to 
>>>>> be parsed for additional mapping rules. "
>>>>> 
>>>>> http://trafficserver.readthedocs.org/en/latest/reference/configuration/remap.config.en.html
>>>> 
>>>> Does your version of ATS match the version of the docs?
>>> 
>>> 
>>> Nope and I apologize for that. Time to upgrade.
>>> 
>>> Thanks everyone.
>>> 
>> 
>> Before I upgrade, I’ve tried a “deny all” map as the last line in remap.conf 
>> and listing all the allowed sites before this deny line, but it doesn’t 
>> take.  Can something like this be done?  (ATS version 3.04)
>> 
>> ...
>> map http://apache.org/   http://apache.org   @action=allow   @src_ip=12.34.56.123
>> map /                    http://127.0.0.1    @action=deny    @src_ip=0.0.0.1-254.254.254.254
>> 
>> 
>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>>> On Jan 8, 2015, at 8:56 PM, Leif Hedstrom <[email protected]> wrote:
>>>>>> 
>>>>>> 
>>>>>>> On Jan 8, 2015, at 10:53 AM, Paul Tader <[email protected]> wrote:
>>>>>>> 
>>>>>>> We have a forward only proxy server configured. How can I restrict an 
>>>>>>> internal IP address or IP address range to only be able to proxy 
>>>>>>> certain top level domains (i.e. google.com, yahoo.com, etc)?  I’ve read 
>>>>>>> a lot on remapping, but I don’t think that is the correct approach.
>>>>>> 
>>>>>> 
>>>>>> DNS blackholing as suggested seems like a reasonable solution. If your 
>>>>>> list of domains is smallish, then something in remap.config might work 
>>>>>> as well. I’ve done this in the past, blocking all but a few HTTPS sites 
>>>>>> (via setting remap.required to 1 in records.config). The other option is 
>>>>>> to allow all sites, but list the ones that you intend to block (map them 
>>>>>> to some nonexistent domain or IP, e.g. 10.0.0.0).
>>>>>> 
>>>>>> Fwiw, remap rules like this with CONNECT methods only works in 5.0.0 and 
>>>>>> later.
>>>>>> 
>>>>>> — Leif
>> 
>> 
>> 
> 
> 
> 

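Added example, not from the thread or the ATS project: a small Python model of how remap.config map rules, named filters and proxy.config.url_remap.remap_required combine to admit or refuse a forward-proxy request. It parses the rules Paul posted (reproduced here as a constructed sample, using the ATS 3.x .defflt/.useflt spellings alongside the newer .definefilter/.activatefilter ones) and shows the behaviour he observed: a host that matches no map rule is sent DIRECT when remap_required is 0, and only becomes a refusal once remap_required is 1. The filter semantics encoded below (first matching rule wins; filters checked in order; an allow filter with @src_ip refuses clients outside its range, a deny filter refuses clients inside it; a path-only from-URL never matches a forward request) are simplifying assumptions written for this model, not a statement of ATS internals.

```python
"""Model of remap.config rules + named filters + remap_required (added example).

Assumed, simplified semantics (assumptions, not ATS source behaviour):
- a rule matches when its from-URL equals the request's scheme://host;
  the first matching rule wins; path-only from-URLs never match a forward request;
- a rule carries the named filters active when it was defined, plus any inline
  @action/@src_ip options on the map line itself;
- filters are checked in order and the first applicable one decides:
  @action=allow with @src_ip admits clients in the range and refuses the rest,
  @action=deny refuses clients in its range (everyone if no range is given);
- a request matching no rule goes DIRECT when remap_required is 0 and is refused
  when it is 1.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Filter:
    name: str
    action: str                          # "allow" or "deny"
    src_ip: Optional[Tuple[int, int]]    # inclusive range as ints; None = any client


@dataclass
class Rule:
    from_url: str
    to_url: str
    filters: List[Filter]


def parse_range(spec: str) -> Tuple[int, int]:
    """@src_ip as a single address, a CIDR block, or a 'first-last' range."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    net = ipaddress.ip_network(spec, strict=False)   # "a.b.c.d" or "a.b.c.d/n"
    return int(net[0]), int(net[-1])


def parse_options(opts: List[str], name: str) -> Filter:
    action, rng = "deny", None
    for opt in opts:
        key, _, val = opt.partition("=")
        if key == "@action":
            action = val
        elif key == "@src_ip":
            rng = parse_range(val)
    return Filter(name, action, rng)


def parse_remap(text: str) -> List[Rule]:
    """Parse the remap.config subset used in the thread."""
    filters, rules, active = {}, [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        directive = parts[0]
        if directive in (".defflt", ".definefilter"):
            filters[parts[1]] = parse_options(parts[2:], parts[1])
        elif directive in (".useflt", ".activatefilter"):
            active.append(filters[parts[1]])
        elif directive in (".unuseflt", ".deactivatefilter"):
            active = [f for f in active if f.name != parts[1]]
        elif directive == "map":
            rule_filters = list(active)          # filters active at definition time
            if len(parts) > 3:                   # inline options gate this rule only
                rule_filters.append(parse_options(parts[3:], "<inline>"))
            rules.append(Rule(parts[1], parts[2], rule_filters))
        else:
            raise ValueError(f"unsupported directive: {directive}")
    return rules


def decide(rules: List[Rule], remap_required: bool, client_ip: str, url: str) -> str:
    """Return 'allow' or 'deny' for a request from client_ip to url."""
    ip = int(ipaddress.ip_address(client_ip))
    u = urlsplit(url)
    target = f"{u.scheme}://{u.netloc}"
    for rule in rules:
        if rule.from_url.rstrip("/") != target:
            continue
        for f in rule.filters:
            in_range = f.src_ip is None or f.src_ip[0] <= ip <= f.src_ip[1]
            if f.action == "allow":
                return "allow" if in_range else "deny"
            if in_range:
                return "deny"
        return "allow"                           # matched rule, no filter refused it
    return "deny" if remap_required else "allow"  # unmatched host: refused vs DIRECT


# Constructed sample mirroring the rules posted in the thread.
REMAP_CONFIG = """
.defflt  disable_all    @action=deny
.defflt  internal_only  @action=allow  @src_ip=10.0.0.0-255.255.255.255

.useflt internal_only
map https://www.facebook.com   https://www.facebook.com
map https://www.yahoo.com      https://www.yahoo.com
map http://finance.yahoo.com   http://finance.yahoo.com
.unuseflt internal_only

.useflt disable_all
"""

if __name__ == "__main__":
    rules = parse_remap(REMAP_CONFIG)
    for required in (False, True):
        print(f"remap_required={int(required)}:",
              decide(rules, required, "10.1.2.3", "http://www.oracle.com/index.html"))
```

Two things the model makes visible about the posted config: `.useflt disable_all` at the end gates no rule at all, because no map line follows it, so the unlisted host is decided purely by remap_required; and the range `10.0.0.0-255.255.255.255` in `internal_only` admits every address above 10.0.0.0 (192.168.1.5 included), so a client outside 10/8 is not actually excluded by that filter.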