Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2021/03/10 01:53:50 UTC

[GitHub] [trafficcontrol] alficles commented on a change in pull request #5619: Fix Ordering of PURGE Deny for atscfg

alficles commented on a change in pull request #5619:
URL: https://github.com/apache/trafficcontrol/pull/5619#discussion_r590918731



##########
File path: lib/go-atscfg/ipallowdotconfig.go
##########
@@ -270,20 +270,32 @@ func MakeIPAllowDotConfig(
 		// order matters, so sort before adding the denys
 		sort.Sort(ipAllowDatas(ipAllowDat))
 
-		// start with a deny for PUSH and PURGE - TODO CDL: parameterize
+		// add deny for PUSH and PURGE - TODO CDL: parameterize
 		if isMid { // Edges already deny PUSH and PURGE
+			// Push gets placed at the start of the file
 			ipAllowDat = append([]ipAllowData{
 				{
 					Src:    `0.0.0.0-255.255.255.255`,
 					Action: ActionDeny,
-					Method: `PUSH|PURGE`,
+					Method: `PUSH`,
 				},
 				{
 					Src:    `::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`,
 					Action: ActionDeny,
-					Method: `PUSH|PURGE`,
+					Method: `PUSH`,
 				},
 			}, ipAllowDat...)
+			// PURGE gets placed at the end of the file
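Review bot: With `Method: `PUSH|PURGE`` narrowed to `Method: `PUSH`` in both prepended entries (IPv4 and IPv6), nothing visible in this hunk denies PURGE ahead of the sorted `ipAllowDat` entries on a mid. The comment above the sort says "order matters", yet the new comment "PURGE gets placed at the end of the file" states where the deny goes without saying why, or which preceding entries are meant to take precedence over it. Please spell that intent out in the comment, and add a test that asserts the generated rule order for the `isMid` case, so a later change to the sort or to the appended entries cannot silently alter who may PURGE. The `TODO CDL: parameterize` is carried over unchanged; if the allowed PURGE sources are going to be configurable, this is the change where that would belong.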

Review comment:
       Unfortunately, this effectively opens PURGE up to every host that can request any data at all from the mid. This isn't likely to be what folks want. Ideally, we parameterize it, but it might work reasonably well to allow it from localhost in the simplest case so folks can use local system access controls to flexibly limit access.



