Posted to users@trafficserver.apache.org by "Eagen, Dave" <Da...@biworldwide.com> on 2016/05/10 18:04:58 UTC

Limit access based on source and destination

We have TrafficServer 6.1.1 running as a forward proxy and would like to restrict access to some destination IPs. Those IPs should be reachable through the proxy only for a different set of source IPs. I can see in ip_allow.config that I can control whether a given set of source IPs are able to use the proxy server at all but not how I can allow them to use the proxy for everything except the restricted destination IPs.

How can we implement this kind of access control?

This e-mail message is being sent solely for use by the intended recipient(s) and may contain confidential information.  Any unauthorized review, use, disclosure or distribution is prohibited.  If you are not the intended recipient, please contact the sender by phone or reply by e-mail, delete the original message and destroy all copies. Thank you.

Re: Limit access based on source and destination

Posted by Reindl Harald <h....@thelounge.net>.

Am 10.05.2016 um 20:04 schrieb Eagen, Dave:
> If you are not the intended recipient

P.S.: these disclaimers are braindead in general - if i am not the 
intended recipient i would not receive the mail and even if i could not 
smell that it's not for me

but in context of a public mailing list with list archives it's just 
laughable


RE: Limit access based on source and destination

Posted by "Eagen, Dave" <Da...@biworldwide.com>.
Thanks Sudheer, that might work for us. 

-----Original Message-----
From: Sudheer Vinukonda [mailto:sudheerv@yahoo-inc.com] 
Sent: Tuesday, May 10, 2016 1:16 PM
To: users@trafficserver.apache.org
Subject: Re: Limit access based on source and destination

You can restrict access based on source ip to certain domains using remap rules (see below for examples).


https://docs.trafficserver.apache.org/en/latest/admin-guide/files/remap.config.en.html?highlight=remap.config#id4

https://docs.trafficserver.apache.org/en/latest/admin-guide/files/remap.config.en.html?highlight=remap.config#id5


If you need to do fancier stuff, you may need to write a custom plugin.

Thanks,

Sudheer


On Tuesday, May 10, 2016 11:06 AM, "Eagen, Dave" <Da...@biworldwide.com> wrote:




We have TrafficServer 6.1.1 running as a forward proxy and would like to restrict access to some destination IPs. Those IPs should be reachable through the proxy only for a different set of source IPs. I can see in ip_allow.config that I can control whether a given set of source IPs are able to use the proxy server at all but not how I can allow them to use the proxy for everything except the restricted destination IPs. 
 
How can we implement this kind of access control? 

Re: Limit access based on source and destination

Posted by Sudheer Vinukonda <su...@yahoo-inc.com>.
You can restrict access based on source ip to certain domains using remap rules (see below for examples).


https://docs.trafficserver.apache.org/en/latest/admin-guide/files/remap.config.en.html?highlight=remap.config#id4

https://docs.trafficserver.apache.org/en/latest/admin-guide/files/remap.config.en.html?highlight=remap.config#id5


If you need to do fancier stuff, you may need to write a custom plugin.

Thanks,

Sudheer


On Tuesday, May 10, 2016 11:06 AM, "Eagen, Dave" <Da...@biworldwide.com> wrote:




We have TrafficServer 6.1.1 running as a forward proxy and would like to restrict access to some destination IPs. Those IPs should be reachable through the proxy only for a different set of source IPs. I can see in ip_allow.config that I can control whether a given set of source IPs are able to use the proxy server at all but not how I can allow them to use the proxy for everything except the restricted destination IPs. 
 
How can we implement this kind of access control? 
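A sketch of the remap-rule approach described in the reply above, added here as an example and not taken from the thread or from the Traffic Server project. The addresses are constructed placeholders, the filter name is hypothetical, and the identity mappings assume a forward-proxy setup in which requests that match no rule are still proxied (proxy.config.url_remap.remap_required set to 0).

```conf
# remap.config (added example; all addresses are constructed placeholders)
#
# Goal from the original question: destinations 192.0.2.10 and 192.0.2.11
# may be reached through the proxy only from 10.1.0.0-10.1.0.255.
# Every other destination stays governed by ip_allow.config alone.

# Named filter (hypothetical name): allow only the privileged source range.
.definefilter restricted_dest @action=allow @src_ip=10.1.0.0-10.1.0.255

# Identity mappings for the restricted destinations. While the filter is
# active, clients outside the @src_ip range are refused on these rules.
.activatefilter restricted_dest
map http://192.0.2.10/ http://192.0.2.10/
map http://192.0.2.11/ http://192.0.2.11/
.deactivatefilter restricted_dest

# No rule is written for other destinations: with remap_required set to 0
# they pass through unremapped, subject only to ip_allow.config.
```

Remap rules match on the host in the request URL, so any hostname that clients use for the restricted addresses needs its own rule under the same filter. Check the directive syntax against the remap.config documentation for the installed version before deploying.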

RE: Limit access based on source and destination

Posted by "Eagen, Dave" <Da...@biworldwide.com>.
Thanks, that's a great point. 

-----Original Message-----
From: Reindl Harald [mailto:h.reindl@thelounge.net] 
Sent: Tuesday, May 10, 2016 1:11 PM
To: users@trafficserver.apache.org
Subject: Re: Limit access based on source and destination



Am 10.05.2016 um 20:04 schrieb Eagen, Dave:
> We have TrafficServer 6.1.1 running as a forward proxy and would like 
> to restrict access to some destination IPs. Those IPs should be 
> reachable through the proxy only for a different set of source IPs. I 
> can see in ip_allow.config that I can control whether a given set of 
> source IPs are able to use the proxy server at all but not how I can 
> allow them to use the proxy for everything except the restricted destination IPs.
>
> How can we implement this kind of access control?

such restrictions really don't belong to the proxy but on the backend server, running a reverse proxy without translating source ip addresses is in general unwise and so if your setup is done right you make your restrictions on the backend server as if there would be no proxy at all (directly on the backend server or inside the application since REMOTE_ADDR for scripts is also transparently translated)

or in other words: your backend config and application should not need to be aware that there is a proxy at all in front

https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html

for legacy servers running apache in outdated versions there is a "mod_rafp" 3rd party module available



Re: Limit access based on source and destination

Posted by Reindl Harald <h....@thelounge.net>.

Am 10.05.2016 um 20:04 schrieb Eagen, Dave:
> We have TrafficServer 6.1.1 running as a forward proxy and would like to
> restrict access to some destination IPs. Those IPs should be reachable
> through the proxy only for a different set of source IPs. I can see in
> ip_allow.config that I can control whether a given set of source IPs are
> able to use the proxy server at all but not how I can allow them to use
> the proxy for everything except the restricted destination IPs.
>
> How can we implement this kind of access control?

such restrictions really don't belong to the proxy but on the backend 
server, running a reverse proxy without translating source ip addresses is 
in general unwise and so if your setup is done right you make your 
restrictions on the backend server as if there would be no proxy at all 
(directly on the backend server or inside the application since 
REMOTE_ADDR for scripts is also transparently translated)

or in other words: your backend config and application should not need 
to be aware that there is a proxy at all in front

https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html

for legacy servers running apache in outdated versions there is a 
"mod_rafp" 3rd party module available