On Sun, Jan 11, 2015 at 11:31 PM, Shu Kit Chan <[email protected]> wrote:
> Hi,
>
> I think what you need is currently missing from the ts_lua plugin.
> We can provide something like this
>
> ts.server_request.server_addr.get_addr()
>
> similar to
>
> ts.client_request.client_addr.get_addr()
>
> as mentioned here -
> https://docs.trafficserver.apache.org/en/latest/reference/plugins/ts_lua.en.html
>
> It should be using the ts api TSHttpTxnServerAddrGet() behind the scenes.
>
> I have already filed a new Jira ticket for it -
> https://issues.apache.org/jira/browse/TS-3290
>
> I can work on it by Wednesday or Thursday after I am done with my other errands.
>
> Thanks.
>
> Kit
>
> On Sun, Jan 11, 2015 at 7:40 PM, Mark Moseley <[email protected]> wrote:
>
>> Hi. I'm looking at the TS_LUA_HOOK_OS_DNS hook or TS_LUA_HOOK_SEND_REQUEST_HDR as a way to do a fail-safe way of filtering *origin* IPs. Obviously this could be done at the onboard firewall level, but I thought it'd be neat to be able to do something a bit more in-line (and it's fun to play with Lua).
>>
>> But despite the aforementioned hooks, there doesn't seem to be anywhere in the 'ts' table that holds what the origin's DNS hostname was resolved to. Does that get stored anywhere that ts_lua has access to? ts.server_request seemed most promising but none of the functions in there seem to return anything like the origin IP.
>>
>> If there were something accessible with the origin IP, then I could do a sanity check like, pseudo-code-wise: for ip in goodips, does origin IP match ip, and if none match, then return a 403 or 400 or something.
>>
>> I'm coming up blank looking through the API and source code, but I may be missing something obvious (or more likely, just looking for the wrong thing).
>>
>> Even better (and I've had no luck finding this either) would be something built-in that contains a list of permitted origin IP blocks, like ip_allow.config but for the backend request (and again, there might be but I'm grepping+googling for the wrong thing).
>>
>> Thanks!
>>

That'd be tremendous, thanks! Though off-hand, is there a more "built-in" solution to what I'm trying to do? I.e. limit what IP blocks ATS will talk to on the *origin* side? (Even if there is, having access to the origin IP in Lua is still highly desirable)
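The "for ip in goodips" check sketched above, written out as a ts_lua remap script. This is an added example, not code from the thread or from the ts_lua plugin. It assumes the `ts.server_request.server_addr.get_addr()` accessor Kit proposes in TS-3290 exists and returns the origin IP first, the same way the documented `ts.client_request.client_addr.get_addr()` does; `ts.hook`, `TS_LUA_HOOK_SEND_REQUEST_HDR` and `ts.http.set_resp` are taken from the ts_lua documentation linked in the thread, and calling `set_resp` from that particular hook is likewise assumed. The allow-list values are constructed for illustration.

```lua
-- Added example (not from the thread): refuse to forward a request when the
-- resolved origin address falls outside an allow-list of IPv4 blocks.
--
-- Assumptions, labelled because the thread does not confirm them:
--   * ts.server_request.server_addr.get_addr() is the accessor proposed in
--     TS-3290; assumed to return (ip, port, family) like the documented
--     ts.client_request.client_addr.get_addr().
--   * ts.hook, TS_LUA_HOOK_SEND_REQUEST_HDR and ts.http.set_resp come from
--     the ts_lua docs; using set_resp from this hook is assumed to work.
-- The CIDR arithmetic is plain Lua 5.1 (no bit library), so origin_allowed()
-- can also be exercised in a standalone interpreter.

-- Constructed sample allow-list: the origin blocks this proxy may talk to.
local ORIGIN_ALLOW = {
  "10.0.0.0/8",
  "192.168.50.0/24",
  "203.0.113.7/32",
}

-- Convert dotted-quad IPv4 text to a number; nil if the text is malformed.
local function ipv4_to_number(s)
  local a, b, c, d = s:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return nil end
  a, b, c, d = tonumber(a), tonumber(b), tonumber(c), tonumber(d)
  if a > 255 or b > 255 or c > 255 or d > 255 then return nil end
  return ((a * 256 + b) * 256 + c) * 256 + d
end

-- Parse "net/prefix" (a bare address is treated as /32) into {net, shift}.
local function parse_cidr(cidr)
  local net, plen = cidr:match("^([%d%.]+)/(%d+)$")
  if not net then net, plen = cidr, "32" end
  local n, p = ipv4_to_number(net), tonumber(plen)
  if not n or p < 0 or p > 32 then
    error("bad CIDR in allow-list: " .. cidr)
  end
  -- Dividing by 2^(32-p) and flooring keeps only the top p bits.
  local shift = 2 ^ (32 - p)
  return { net = math.floor(n / shift), shift = shift }
end

-- Allow-list is parsed once at script load, not per request.
local allow = {}
for _, cidr in ipairs(ORIGIN_ALLOW) do
  allow[#allow + 1] = parse_cidr(cidr)
end

-- True if the IPv4 address text lies inside any allowed block.
-- Fail-safe: anything unparsable (nil, or an IPv6 origin this IPv4-only
-- list cannot vouch for) is treated as not allowed.
function origin_allowed(ip)
  local n = ipv4_to_number(ip or "")
  if not n then return false end
  for _, blk in ipairs(allow) do
    if math.floor(n / blk.shift) == blk.net then return true end
  end
  return false
end

-- Runs after DNS has resolved the origin, just before the request headers
-- go out to it.
local function check_origin()
  -- Assumed accessor (proposed in TS-3290, not in ts_lua at the time).
  local ip = ts.server_request.server_addr.get_addr()
  if not origin_allowed(ip) then
    -- Do not forward; answer the client ourselves instead.
    ts.http.set_resp(403, "origin not permitted\n")
  end
end

function do_remap()
  ts.hook(TS_LUA_HOOK_SEND_REQUEST_HDR, check_origin)
  return 0
end
```

Two design points worth noting: the list is parsed once when the script loads rather than on every transaction, and the check fails closed, so a missing or unexpected address (including an IPv6 origin, which this IPv4-only matcher cannot classify) is refused rather than passed through. This is an in-line guard rail only; the thread's point about also enforcing the same policy at the host firewall still stands, since a Lua error or a hook that never fires would otherwise leave the origin side unrestricted.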
