I am not sure if there's any such "built-in" solution to control the IP ranges
that ATS communicates to, on the origin side. You may need to write a plugin to
be able to do that (a somewhat similar plugin that can perform ACLs for the
client connections is available at GeoIP ACLs Plugin — Apache Traffic Server
5.3.0 documentation).
The closest thing I can find that can control origin communication is via
congestion.config — Apache Traffic Server 5.3.0 documentation, but that only
allows configuring a single destination (and not a range).
Thanks,
Sudheer
On Monday, January 12, 2015 11:29 AM, Mark Moseley <[email protected]>
wrote:
On Sun, Jan 11, 2015 at 11:31 PM, Shu Kit Chan <[email protected]> wrote:
Hi,
I think what you need is currently missing from the ts_lua plugin. We can
provide something like this
ts.server_request.server_addr.get_addr()
similar to
ts.client_request.client_addr.get_addr()
as mentioned here -
https://docs.trafficserver.apache.org/en/latest/reference/plugins/ts_lua.en.html
It should be using the ts api TSHttpTxnServerAddrGet() behind the scene.
I have already filed a new Jira ticket for it -
https://issues.apache.org/jira/browse/TS-3290
I can work on it by Wednesday or Thursday after I am done with my other errands.
Thanks.
Kit
On Sun, Jan 11, 2015 at 7:40 PM, Mark Moseley <[email protected]> wrote:
Hi. I'm looking at the TS_LUA_HOOK_OS_DNS hook or TS_LUA_HOOK_SEND_REQUEST_HDR
as a way to do a fail-safe way of filtering *origin* IPs. Obviously this could
be done at the onboard firewall level, but I thought it'd be neat to be able to
do something a bit more in-line (and it's fun to play with Lua).
But despite the aforementioned hooks, there doesn't seem to be anywhere in the
'ts' table that holds what the origin's DNS hostname was resolved to. Does that
get stored anywhere that ts_lua has access to? ts.server_request seemed most
promising but none of the functions in there seem to return anything like the
origin IP.
If there were something accessible with the origin IP, then I could do a sanity
check like, pseudo-code-wise: for ip in goodips, does origin IP match ip, and
if none match, then return a 403 or 400 or something.
I'm coming up blank looking through the API and source code, but I may be
missing something obvious (or more likely, just looking for the wrong thing).
Even better (and I've had no luck finding this either) would be something
built-in that contains a list of permitted origin IP blocks, like
ip_allow.config but for the backend request (and again, there might be but I'm
grepping+googling for the wrong thing).
Thanks!
That'd be tremendous, thanks!
Though off-hand, is there a more "built-in" solution to what I'm trying to do?
I.e. limit what IP blocks ATS will talk to on the *origin* side? (Even if there
is, having access to the origin IP in Lua is still highly desirable)
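A ts_lua script built around the accessor Kit proposes (ts.server_request.server_addr.get_addr(), TS-3290), added here as an example and not code from the thread or from the Traffic Server project: it hooks TS_LUA_HOOK_SEND_REQUEST_HDR, compares the resolved origin address against an IPv4 allowlist, and answers 403 when nothing matches, which is Mark's pseudo-code made concrete. The allowlist values are constructed, and the convention that a non-zero return from the hook function aborts the transaction with the response set by ts.http.set_resp is an assumption to check against your ts_lua version.

```lua
-- Allowed origin blocks in CIDR form (constructed sample values).
local ALLOWED = {
  { net = "10.0.0.0",    bits = 8 },
  { net = "192.168.5.0", bits = 24 },
}

-- Dotted-quad IPv4 string -> integer; nil for anything else (e.g. IPv6).
local function ip4_to_int(s)
  local a, b, c, d = string.match(s or "", "^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return nil end
  a, b, c, d = tonumber(a), tonumber(b), tonumber(c), tonumber(d)
  if a > 255 or b > 255 or c > 255 or d > 255 then return nil end
  return ((a * 256 + b) * 256 + c) * 256 + d
end

-- Prefix match without bit operators (plain Lua 5.1 has none): drop the
-- low (32 - bits) bits of both addresses by integer division and compare.
local function in_block(ip, block)
  local ipn, netn = ip4_to_int(ip), ip4_to_int(block.net)
  if not ipn or not netn then return false end
  local shift = 2 ^ (32 - block.bits)
  return math.floor(ipn / shift) == math.floor(netn / shift)
end

-- Fail closed: unparsable addresses (IPv6 included) are not allowed.
local function origin_allowed(ip)
  for _, block in ipairs(ALLOWED) do
    if in_block(ip, block) then return true end
  end
  return false
end

-- Runs once ATS has picked the origin address but before the request
-- headers are sent to it.
local function check_origin()
  -- get_addr() is the accessor proposed in the thread (TS-3290).
  local ip = ts.server_request.server_addr.get_addr()
  if not origin_allowed(ip) then
    ts.error("origin " .. tostring(ip) .. " is outside the allowed blocks")
    ts.http.set_resp(403, "Forbidden")
    return 1 -- assumption: a non-zero return aborts the transaction
  end
  return 0
end

function do_remap()
  ts.hook(TS_LUA_HOOK_SEND_REQUEST_HDR, check_origin)
  return 0
end
```

At this hook the origin connection has already been opened, so the check withholds the request headers rather than the connection itself.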