> On Jan 9, 2015, at 2:29 PM, Paul Tader <[email protected]> wrote:
>
> Doesn't this break the forward proxy then?
>
> # To enable forward proxy, you must turn off remap_required
> CONFIG proxy.config.url_remap.remap_required INT 1

That's somewhat confusing. remap_required disables "open forward proxying". ATS actually doesn't know / care about forward vs reverse proxy, it's just a matter of what requests you allow through. What this setting is saying is "Without an explicit rule matching in remap.config, deny the request". There's a similar one for reverse proxy.

— Leif

>
>> On Jan 9, 2015, at 2:47 PM, Sudheer Vinukonda <[email protected]> wrote:
>>
>> You will also need to enable the config proxy.config.url_remap.remap_required (like Leif suggested earlier).
>>
>> On Friday, January 9, 2015 12:30 PM, Paul Tader <[email protected]> wrote:
>>
>> I think this would work, and I think I'm close, but I tried this (ver 3 uses .useflt and .defflt instead of .activatefilter and .deactivatefilter):
>>
>> .defflt disable_all @action=deny
>> .defflt internal_only @action=allow @src_ip=10.0.0.0-255.255.255.255
>>
>> .useflt internal_only
>> map https://www.facebook.com https://www.facebook.com
>> map https://www.yahoo.com https://www.yahoo.com
>> map http://finance.yahoo.com http://finance.yahoo.com
>> .unuseflt internal_only
>>
>> .useflt disable_all
>>
>> But going to a site not listed (www.oracle.com) is still allowed. ?
>>
>> 1420835169.093 134 10.1.2.3 TCP_MISS/200 38458 GET http://www.oracle.com/index.html - DIRECT/www.oracle.com text/html -
>>
>> I've also tried placing ".useflt disable_all" before the ".useflt internal_only" filter with no luck; sites not on the list are still allowed out.
>>
>>> On Jan 9, 2015, at 12:02 PM, Sudheer Vinukonda <[email protected]> wrote:
>>>
>>> I think you would need to use named_filters to specify ranges in remap.config.
>>>
>>> remap.config — Apache Traffic Server 5.3.0 documentation
>>> <https://docs.trafficserver.apache.org/en/latest/reference/configuration/remap.config.en.html#named-filters>
>>>
>>> On Friday, January 9, 2015 9:50 AM, Paul Tader <[email protected]> wrote:
>>>
>>>> On Jan 9, 2015, at 10:33 AM, Paul Tader <[email protected]> wrote:
>>>>
>>>>> On Jan 9, 2015, at 10:22 AM, James Peach <[email protected]> wrote:
>>>>>
>>>>>> On Jan 9, 2015, at 8:00 AM, Paul Tader <[email protected]> wrote:
>>>>>>
>>>>>> Hmm, I didn't think about a DNS blackhole. For now I'm looking into additional remap files using the ".include" directive in remap.config, but I get these errors after running traffic_line -x:
>>>>>>
>>>>>> [Jan 9 15:57:04.270] Server {47752783210240} WARNING: Could not add rule at line #126; Aborting!
>>>>>> [Jan 9 15:57:04.270] Server {47752783210240} WARNING: [ReverseProxy] Unknown directive ".include" at line 126
>>>>>> [Jan 9 15:57:04.270] Server {47752783210240} WARNING: something failed during BuildTable() -- check your remap plugins!
>>>>>> [Jan 9 15:57:04.270] Server {47752783210240} WARNING: failed to reload remap.config, not replacing!
>>>>>>
>>>>>> My remap.conf has these two lines:
>>>>>>
>>>>>> .include /etc/trafficserver/filters.config
>>>>>> .include /etc/trafficserver/set1.remap.config
>>>>>>
>>>>>> …which is odd because the documentation states:
>>>>>>
>>>>>> "The .include directive allows mapping rules to be spread across multiple files. The argument to the .include directive is a list of file names to be parsed for additional mapping rules."
>>>>>>
>>>>>> http://trafficserver.readthedocs.org/en/latest/reference/configuration/remap.config.en.html
>>>>>
>>>>> Does your version of ATS match the version of the docs?
>>>>
>>>> Nope, and I apologize for that. Time to upgrade.
>>>>
>>>> Thanks everyone.
>>>>
>>> Before I upgrade, I've tried a "deny all" map as the last line in remap.conf and listing all the allowed sites before this deny line, but it doesn't take. Can something like this be done? (ATS version 3.04)
>>>
>>> ...
>>> map http://apache.org/ http://apache.org @action=allow @src_ip=12.34.56.123
>>> map / http://127.0.0.1 @action=deny @src_ip=0.0.0.1-254.254.254.254
>>>
>>>>>>> On Jan 8, 2015, at 8:56 PM, Leif Hedstrom <[email protected]> wrote:
>>>>>>>
>>>>>>>> On Jan 8, 2015, at 10:53 AM, Paul Tader <[email protected]> wrote:
>>>>>>>>
>>>>>>>> We have a forward only proxy server configured. How can I restrict an internal IP address or IP address range to only be able to proxy certain top level domains (ie google.com, yahoo.com, etc)? I've read a lot on remapping, but I don't think that is the correct approach.
>>>>>>>
>>>>>>> DNS blackholing as suggested seems like a reasonable solution. If your list of domains is smallish, then something in remap.config might work as well. I've done this in the past, blocking all but a few HTTPS sites (via setting remap.required to 1 in records.config). The other option is to allow all sites, but list the ones that you intend to block (map them to some nonexistent domain or IP, e.g. 10.0.0.0).
>>>>>>>
>>>>>>> Fwiw, remap rules like this with CONNECT methods only work in 5.0.0 and later.
>>>>>>>
>>>>>>> — Leif
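A way to check whether the allowlist policy in this thread actually holds, as an added example that is not from the thread or from Traffic Server itself: parse squid-format access log lines like the one Paul posted and report every served request whose origin host is outside the allowed set or whose client is outside the internal range. The log lines, the allowlist and the 10.0.0.0/8 internal range are constructed to match the thread.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in ATS' default squid-style log format, modelled on the
# line quoted in the thread: time elapsed client result/status bytes method
# url rfc931 hierarchy/from content-type.  The first line is the one Paul posted.
SAMPLE_LOG = """\
1420835169.093 134 10.1.2.3 TCP_MISS/200 38458 GET http://www.oracle.com/index.html - DIRECT/www.oracle.com text/html -
1420835170.001 88 10.1.2.3 TCP_MISS/200 5120 GET http://finance.yahoo.com/q - DIRECT/finance.yahoo.com text/html -
1420835171.500 0 10.1.2.7 ERR_ACCESS_DENIED/403 0 GET http://www.example.org/ - NONE/- - -
1420835172.200 60 192.168.5.9 TCP_MISS/200 2048 GET http://www.facebook.com/ - DIRECT/www.facebook.com text/html -
"""

# Hosts from Paul's remap.config and the source range of his internal_only filter.
ALLOWED_HOSTS = {"www.facebook.com", "www.yahoo.com", "finance.yahoo.com"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def parse_squid_line(line):
    """Return (client_ip, status, host) for one squid-format access log line."""
    fields = line.split()
    if len(fields) < 9:
        raise ValueError("not a squid-format line: %r" % line)
    client_ip = ipaddress.ip_address(fields[2])
    status = int(fields[3].split("/", 1)[1])          # "TCP_MISS/200" -> 200
    url = fields[6]
    # CONNECT requests are logged as host:port with no scheme; fall back to the host part.
    host = urlsplit(url).hostname or url.split(":", 1)[0]
    return client_ip, status, host


def find_policy_gaps(log_text, allowed_hosts=ALLOWED_HOSTS, internal_net=INTERNAL_NET):
    """Return (client_ip, host) for every request ATS served (status < 400) that the
    policy should have denied: a host outside the allowlist, or a client outside the
    internal range.  Denied requests (4xx/5xx) are the intended outcome and are skipped."""
    gaps = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client_ip, status, host = parse_squid_line(line)
        if status >= 400:
            continue
        if host not in allowed_hosts or client_ip not in internal_net:
            gaps.append((str(client_ip), host))
    return gaps


if __name__ == "__main__":
    for client, host in find_policy_gaps(SAMPLE_LOG):
        print("served despite policy: %s -> %s" % (client, host))
```

Run it against a copy of squid.blog (or the text access log) after a config reload; an empty result means the filter and remap_required are behaving as intended.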
