> On Jan 9, 2015, at 3:51 PM, Paul Tader <[email protected]> wrote:
>
>> On Jan 9, 2015, at 3:38 PM, Leif Hedstrom <[email protected]> wrote:
>>
>>> On Jan 9, 2015, at 2:29 PM, Paul Tader <[email protected]> wrote:
>>>
>>> Doesn't this break the forward proxy then?
>>>
>>> # To enable forward proxy, you must turn off remap_required
>>> CONFIG proxy.config.url_remap.remap_required INT 1
>>
>> That's somewhat confusing. remap_required disables "open forward proxying". ATS actually doesn't know / care about forward vs reverse proxy, it's just a matter of what requests you allow through. What this setting is saying is "Without an explicit rule matching in remap.config, deny the request". There's a similar one for reverse proxy.
>>
>> — Leif
>
> Ok, thanks for clearing that up. With that said, I kept the setting at "1" and changed the remap.config file to what's listed below. Unfortunately I was still able to connect to sites not listed in remap.config.
>
> .defflt internal_only @action=allow @src_ip=10.0.0.0-255.255.255.255
>
> .useflt internal_only
> map https://www.facebook.com https://www.facebook.com
> map https://www.yahoo.com https://www.yahoo.com
> map http://finance.yahoo.com http://finance.yahoo.com
>
> 1420840183.867 126 10.1.2.3 TCP_MISS/200 38458 GET http://www.oracle.com/index.html - DIRECT/www.oracle.com text/html -
>
> Not sure it matters, but I also have our networks' IPs listed in ip_allow.config.
>

Is there an equivalent to .deactivatefilter in ATS 3?

Paul

>>>
>>>> On Jan 9, 2015, at 2:47 PM, Sudheer Vinukonda <[email protected]> wrote:
>>>>
>>>> You will also need to enable the config proxy.config.url_remap.remap_required (like Leif suggested earlier).
>>>>
>>>> On Friday, January 9, 2015 12:30 PM, Paul Tader <[email protected]> wrote:
>>>>
>>>> I think this would work, and I think I'm close but I tried this (ver 3 uses .useflt and .defflt instead of .activatefilter and .deactivatefilter):
>>>>
>>>> .defflt disable_all @action=deny
>>>> .defflt internal_only @action=allow @src_ip=10.0.0.0-255.255.255.255
>>>>
>>>> .useflt internal_only
>>>> map https://www.facebook.com https://www.facebook.com
>>>> map https://www.yahoo.com https://www.yahoo.com
>>>> map http://finance.yahoo.com http://finance.yahoo.com
>>>> .unuseflt internal_only
>>>>
>>>> .useflt disable_all
>>>>
>>>> But going to a site not listed (www.oracle.com) is still allowed. ?
>>>> 1420835169.093 134 10.1.2.3 TCP_MISS/200 38458 GET http://www.oracle.com/index.html - DIRECT/www.oracle.com text/html -
>>>>
>>>> I've also tried placing ".useflt disable_all" before the ".useflt internal_only" filter with no luck, sites not on the list are still allowed out.
>>>>
>>>>> On Jan 9, 2015, at 12:02 PM, Sudheer Vinukonda <[email protected]> wrote:
>>>>>
>>>>> I think you would need to use named_filters to specify ranges in remap.config.
>>>>>
>>>>> remap.config — Apache Traffic Server 5.3.0 documentation
>>>>>
>>>>> On Friday, January 9, 2015 9:50 AM, Paul Tader <[email protected]> wrote:
>>>>>
>>>>>> On Jan 9, 2015, at 10:33 AM, Paul Tader <[email protected]> wrote:
>>>>>>
>>>>>>> On Jan 9, 2015, at 10:22 AM, James Peach <[email protected]> wrote:
>>>>>>>
>>>>>>>> On Jan 9, 2015, at 8:00 AM, Paul Tader <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Hmm, I didn't think about a DNS blackhole. For now I'm looking into additional remap files using the ".include" directive in remap.config but I get these errors after running traffic_line -x
>>>>>>>>
>>>>>>>> [Jan 9 15:57:04.270] Server {47752783210240} WARNING: Could not add rule at line #126; Aborting!
>>>>>>>> [Jan 9 15:57:04.270] Server {47752783210240} WARNING: [ReverseProxy] Unknown directive ".include" at line 126
>>>>>>>> [Jan 9 15:57:04.270] Server {47752783210240} WARNING: something failed during BuildTable() -- check your remap plugins!
>>>>>>>> [Jan 9 15:57:04.270] Server {47752783210240} WARNING: failed to reload remap.config, not replacing!
>>>>>>>>
>>>>>>>> My remap.conf has these two lines:
>>>>>>>>
>>>>>>>> .include /etc/trafficserver/filters.config
>>>>>>>> .include /etc/trafficserver/set1.remap.config
>>>>>>>>
>>>>>>>> …which is odd because the documentation states:
>>>>>>>>
>>>>>>>> "The .include directive allows mapping rules to be spread across multiple files. The argument to the .include directive is a list of file names to be parsed for additional mapping rules."
>>>>>>>>
>>>>>>>> http://trafficserver.readthedocs.org/en/latest/reference/configuration/remap.config.en.html
>>>>>>>
>>>>>>> Does your version of ATS match the version of the docs?
>>>>>>
>>>>>> Nope and I apologize for that. Time to upgrade.
>>>>>>
>>>>>> Thanks everyone.
>>>>>
>>>>> Before I upgrade, I've tried a "deny all" map as the last line in remap.conf and listing all the allowed sites before this deny line, but it doesn't take. Can something like this be done? (ATS version 3.04)
>>>>>
>>>>> ...
>>>>> map http://apache.org/ http://apache.org @action=allow @src_ip=12.34.56.123
>>>>> map / http://127.0.0.1 @action=deny @src_ip=0.0.0.1-254.254.254.254
>>>>>
>>>>>>>>> On Jan 8, 2015, at 8:56 PM, Leif Hedstrom <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> On Jan 8, 2015, at 10:53 AM, Paul Tader <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> We have a forward only proxy server configured. How can I restrict an internal IP address or IP address range to only be able to proxy certain top level domains (i.e. google.com, yahoo.com, etc)? I've read a lot on remapping, but I don't think that is the correct approach.
>>>>>>>>>
>>>>>>>>> DNS blackholing as suggested seems like a reasonable solution. If your list of domains is smallish, then something in remap.config might work as well. I've done this in the past, blocking all but a few HTTPS sites (via setting remap.required to 1 in records.config). The other option is to allow all sites, but list the ones that you intend to block (map them to some nonexistent domain or IP, e.g. 10.0.0.0).
>>>>>>>>>
>>>>>>>>> Fwiw, remap rules like this with CONNECT methods only work in 5.0.0 and later.
>>>>>>>>>
>>>>>>>>> — Leif
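An added audit check, not from the thread or from ATS itself: it reads the `map` from-URLs and `@src_ip` ranges out of a remap.config like the ones above and reports squid-format log entries where a client in the filtered range still got a successful reply for an origin that has no rule, which is how the leak Paul reports (oracle.com answered with TCP_MISS/200) shows up in a log review. The log lines and the 10.0.0.0-10.255.255.255 range are constructed, and the parsing is a deliberate simplification of ATS's filter semantics.

```python
# Constructed audit helper, not from the thread or from ATS: reads the `map`
# from-URLs and @src_ip ranges out of remap.config, then reports log entries
# where a filtered client reached an origin with no rule. Deliberately simplified.
import ipaddress
from urllib.parse import urlsplit

REMAP_CONFIG = """\
.defflt internal_only @action=allow @src_ip=10.0.0.0-10.255.255.255
.useflt internal_only
map https://www.facebook.com https://www.facebook.com
map https://www.yahoo.com https://www.yahoo.com
map http://finance.yahoo.com http://finance.yahoo.com
"""

# Constructed log lines in the same squid layout as the thread's samples.
ACCESS_LOG = """\
1420840183.867 126 10.1.2.3 TCP_MISS/200 38458 GET http://www.oracle.com/index.html - DIRECT/www.oracle.com text/html -
1420840190.001 88 10.1.2.3 TCP_MISS/200 1200 GET http://finance.yahoo.com/q - DIRECT/finance.yahoo.com text/html -
1420840195.500 40 172.16.5.9 TCP_MISS/200 9000 GET http://www.example.org/ - DIRECT/www.example.org text/html -
1420840199.250 2 10.1.2.4 ERR_PROXY_DENIED/403 0 GET http://www.oracle.com/ - NONE/- text/html -
"""

def allowed_origins(remap_text):
    """(scheme, host) of every `map` rule's from-URL: the only origins with a rule."""
    origins = set()
    for parts in (line.split() for line in remap_text.splitlines()):
        if len(parts) >= 3 and parts[0] == "map":
            u = urlsplit(parts[1])
            origins.add((u.scheme, u.hostname))
    return origins

def filtered_ranges(remap_text):
    """@src_ip=a-b ranges from the filter definitions, as (first, last) ints."""
    ranges = []
    for tok in (t for t in remap_text.split() if t.startswith("@src_ip=")):
        lo, _, hi = tok[8:].partition("-")
        ranges.append((int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi or lo))))
    return ranges

def leaked_requests(log_text, remap_text):
    """Entries where a filtered client got a <400 reply for an origin with no rule."""
    origins, ranges = allowed_origins(remap_text), filtered_ranges(remap_text)
    leaks = []
    for f in (line.split() for line in log_text.splitlines() if line.strip()):
        client, status = int(ipaddress.ip_address(f[2])), int(f[3].rsplit("/", 1)[1])
        u = urlsplit(f[6])
        if (any(lo <= client <= hi for lo, hi in ranges) and status < 400
                and (u.scheme, u.hostname) not in origins):
            leaks.append((f[2], f[6]))  # client IP, full URL that slipped through
    return leaks
```

Running `leaked_requests(ACCESS_LOG, REMAP_CONFIG)` on the constructed input flags only the oracle.com request from 10.1.2.3; the 172.16.5.9 client is outside the filter range and the 403 entry was correctly denied.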
