Posted to users@trafficserver.apache.org by Alexander Rabenstein <Al...@mail.schwarz> on 2019/03/20 07:41:54 UTC

IP Allow depending on source IP and destIP?

Hi,

I am trying to figure out if it's possible to do something like this in ip_allow.config:

src_ip=192.168.1.1 dest_ip=mydomain.local action=ip_allow method=all
Src_ip=192.168.1.2 dest_ip=mydomain.local action=ip_deny method=all

So allowing access to certain origins depending on the source IP.

Is this possible with traffic server?

Kind regards

Alexander Rabenstein
Professional
Application Management - Retail
--

Schwarz IT KG
Stiftsbergstraße 1 · D-74172 Neckarsulm
Office: D-74074 Heilbronn · Ferdinand-Braun-Straße

Phone: +49 (0) 7132 30 455 077
Alexander.Rabenstein@mail.schwarz

Limited partnership (Kommanditgesellschaft) · Registered office: Neckarsulm
Register court: Stuttgart · HRA 730995


Re: IP Allow depending on source IP and destIP?

Posted by Alan Carroll <so...@verizonmedia.com>.
That's not possible via ip_allow.config. There is some limited support for
IP address based control of remap rules, which is mostly broken but should
work well enough to handle your use case. The basic idea is to set up remap
rules for the destinations (e.g. mydomain.local), even if it's an identity
remap. You can then disable that rule based on the IP address of the user
agent (enable doesn't work as expected - see issue #1971). Something like

map http://mydomain.local http://mydomain.local @action=deny @src_ip=~192.168.1.2

This will cause the remap rule to not trigger for addresses that are not
192.168.1.2 (because of the tilde). Such a request can either (1) get a 404
"Not found on accelerator" error or (2) be sent by another remap rule to an
error page. Note the address can be specified as a range of two IP
addresses separated by a dash '-'.

See
https://docs.trafficserver.apache.org/en/latest/admin-guide/files/remap.config.en.html#acl-filters


On Wed, Mar 20, 2019 at 2:42 AM Alexander Rabenstein
<Al...@mail.schwarz> wrote:

> Hi,
>
> I am trying to figure out if it's possible to do something like this in
> ip_allow.config:
>
> src_ip=192.168.1.1 dest_ip=mydomain.local action=ip_allow method=all
> Src_ip=192.168.1.2 dest_ip=mydomain.local action=ip_deny method=all
>
> So allowing access to certain origins depending on the source IP.
>
> Is this possible with traffic server?
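
The filter behaviour described in the reply above, modelled as an added example (not part of the thread and not Traffic Server code) for checking a planned rule set against sample client addresses before deploying it. It assumes exactly the semantics stated in the reply; the hosts other.local and open.local, the 10.0.0.x range and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the shape shown in the reply; the range form uses a dash.
SAMPLE_REMAP = """\
map http://mydomain.local http://mydomain.local @action=deny @src_ip=~192.168.1.2
map http://other.local http://other.local @action=deny @src_ip=~10.0.0.10-10.0.0.20
map http://open.local http://open.local
"""

def parse_rule(line):
    """Split one 'map' line into (from_host, target, action, negate, lo, hi)."""
    fields = line.split()
    if len(fields) < 3 or fields[0] != "map":
        raise ValueError(f"unsupported line: {line!r}")
    opts = dict(f.lstrip("@").split("=", 1) for f in fields[3:])
    from_host = fields[1].split("://", 1)[-1].rstrip("/")
    action, spec = opts.get("action"), opts.get("src_ip")
    if spec is None:
        return from_host, fields[2], action, False, None, None
    negate = spec.startswith("~")            # tilde inverts the address match
    lo, _, hi = spec.lstrip("~").partition("-")
    lo = ipaddress.ip_address(lo)
    hi = ipaddress.ip_address(hi) if hi else lo   # single address = range of one
    if hi < lo:
        raise ValueError(f"reversed range in {line!r}")
    return from_host, fields[2], action, negate, lo, hi

def decide(config, host, client_ip):
    """Return the remap target, or '404' when no rule triggers for this client."""
    ip = ipaddress.ip_address(client_ip)
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        from_host, target, action, negate, lo, hi = parse_rule(line)
        if from_host != host:
            continue
        if lo is not None and action == "deny":
            in_range = ip.version == lo.version and lo <= ip <= hi
            if in_range != negate:   # client is in the denied set
                continue             # rule does not trigger; try the next rule
        return target
    return "404"                     # "Not found on accelerator" case
```

Adding a second `map` line for the same host after the filtered one models option (2) from the reply, where excluded clients are sent to an error page instead of receiving the 404.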