Yes, ip_allow takes a list of IPs. I think it takes ranges as well. You may also need a fqdn value.
No, sni.yaml does not make an appearance until 8.x as ssl_server_name.yaml. The file becomes sni.yaml in 9.0.x.

Susan

On Tue, Dec 3, 2019 at 8:23 AM supraja sridhar <[email protected]> wrote:

> Also, does sni.yaml exist in ATS 7.1.1?
>
> Thanks
> Supraja
>
> On Tue, Dec 3, 2019 at 9:32 AM supraja sridhar <[email protected]>
> wrote:
>
>> Thanks. Will ip_allow take IPs as input. Is the following a valid example?
>> sni
>> ip_allow: x.y.z.a
>> verify_client: MODERATE
>>
>>
>> On Mon, Nov 25, 2019 at 11:59 PM Susan Hinrichs <
>> [email protected]> wrote:
>>
>>> You can specialize the client certificate requirements using sni.yaml.
>>> So only request it for specific domain names. There is also an ip_allow
>>> action in sni.yaml (which I see is not documented) which would allow to
>>> control requiring client certificate based on the peer's IP.
>>>
>>>
>>> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/sni.yaml.en.html?highlight=sni%20yaml#std:configfile-sni.yaml
>>>
>>> I'll work on putting up a PR with some documentation on the ip_allow
>>> action.
>>>
>>> Susan
>>>
>>> On Sun, Nov 24, 2019 at 11:09 PM supraja sridhar <
>>> [email protected]> wrote:
>>>
>>>> Hello,
>>>>
>>>> I understand that -
>>>> proxy.config.ssl.client.certification_level provides the option to
>>>> enable/disable client certificate verification across all connections. Is
>>>> it possible to skip client certificate verification based on source IP?
>>>>
>>>>
>>>> Thanks,
>>>> Supraja
>>>>
>>>
>>
>> --
>> Regards,
>> S.SUPRAJA
>> MIT
>>
>
>
> --
> Regards,
> S.SUPRAJA
> MIT
>
