Posted to users@trafficserver.apache.org by Mark Moseley <mo...@gmail.com> on 2015/01/12 04:40:46 UTC

Get Origin IP in Lua

Hi. I'm looking at the TS_LUA_HOOK_OS_DNS hook or
TS_LUA_HOOK_SEND_REQUEST_HDR as a way to do a fail-safe way of filtering
*origin* IPs. Obviously this could be done at the onboard firewall level,
but I thought it'd be neat to be able to do something a bit more in-line
(and it's fun to play with Lua).

But despite the aforementioned hooks, there doesn't seem to be anywhere in
the 'ts' table that holds what the origin's DNS hostname was resolved to.
Does that get stored anywhere that ts_lua has access to? ts.server_request
seemed most promising but none of the functions in there seem to return
anything like the origin IP.

If there were something accessible with the origin IP, then I could do a
sanity check like, pseudo-code-wise: for ip in goodips, does origin IP
match ip, and if none match, then return a 403 or 400 or something.

I'm coming up blank looking through the API and source code, but I may be
missing something obvious (or more likely, just looking for the wrong
thing).

Even better (and I've had no luck finding this either) would be something
built-in that contains a list of permitted origin IP blocks, like
ip_allow.config but for the backend request (and again, there might be but
I'm grepping+googling for the wrong thing).

Thanks!

Re: Get Origin IP in Lua

Posted by Mark Moseley <mo...@gmail.com>.
The ts.server_request.server_addr.get_addr() patch patches just fine
against 5.2.0 (or at least the .c files do; I didn't try the CHANGES
or ts_lua.en.rst files) and is *exactly* what I was looking for.

Now with a hook into TS_LUA_HOOK_OS_DNS, I can check the backend IP and
return a 403 via ts.server_intercept (though I'll take any advice on the
most efficient hook and most efficient way of doing the 403 -- I was also
setting the status manually and returning 1 from the hook previously, but I
don't think that gets cached).

Thanks!


On Tue, Jan 13, 2015 at 1:09 AM, Luca Rea <lu...@contactlab.com> wrote:

> Hi,
> I’ve compiled ATS to run as “ats” user (uid: 501) and configured iptables
> to filter origin IPs:
>
>
> -A OUTPUT -m tcp -p tcp ! --sport 8080 -m owner --uid-owner 501 -d
> 172.16.0.0/12  -j REJECT
>
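
As an added illustration of the check Mark describes above and of the accessor Kit proposes in TS-3290 (this is example code written for this page, not code from the thread or from the ts_lua project), here is a ts_lua remap script that refuses the transaction when the resolved origin address is outside an allowlist of IPv4 blocks. Assumptions are marked in the comments: ts.server_request.server_addr.get_addr() is taken to return ip, port, family like the documented ts.client_request.client_addr.get_addr(); ts.hook, ts.error and ts.http.set_resp are from the ts_lua docs linked in the thread, but that set_resp is usable from the OS_DNS hook to send the 403 is an assumption (the thread itself leaves the best way to send it open); the allowlist values are constructed samples.

```lua
-- Added example (not from this thread or the ts_lua project): ts_lua remap
-- script that refuses to talk to an origin whose resolved address is outside
-- an allowlist of IPv4 blocks.
--
-- Assumptions, labelled as such:
--   * ts.server_request.server_addr.get_addr() (proposed in TS-3290) returns
--     ip, port, family like the documented ts.client_request.client_addr.get_addr()
--   * ts.http.set_resp(status, body) may be used from the OS_DNS hook to send
--     the 403 (the thread leaves the best way to send it open)
--   * the allowlist below is a constructed sample, not a real deployment value

local ALLOWED_ORIGIN_BLOCKS = { "10.0.0.0/8", "192.168.0.0/16" }

-- Dotted-quad string -> 32-bit number (held in a Lua double), or nil if
-- malformed. Plain arithmetic is used because Lua 5.1 / LuaJIT has no bit
-- operators in the core language.
local function ip_to_int(ip)
  local a, b, c, d = ip:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return nil end
  local n = 0
  for _, octet in ipairs({ a, b, c, d }) do
    local v = tonumber(octet)
    if v > 255 then return nil end
    n = n * 256 + v
  end
  return n
end

-- True if the address (already converted by ip_to_int) lies in "net/bits".
local function in_block(ipint, cidr)
  local net, bits = cidr:match("^([%d%.]+)/(%d+)$")
  local netint = net and ip_to_int(net)
  bits = tonumber(bits)
  if not netint or not bits or bits > 32 then return false end
  local shift = 2 ^ (32 - bits)           -- drop the host part on both sides
  return math.floor(ipint / shift) == math.floor(netint / shift)
end

-- Fail-safe direction: anything that does not parse as IPv4 (including an
-- IPv6 origin) is refused rather than let through.
local function origin_allowed(ip)
  local ipint = ip_to_int(ip or "")
  if not ipint then return false end
  for _, cidr in ipairs(ALLOWED_ORIGIN_BLOCKS) do
    if in_block(ipint, cidr) then return true end
  end
  return false
end

-- Runs once the origin hostname has been resolved (TS_LUA_HOOK_OS_DNS).
local function check_origin()
  local ip = ts.server_request.server_addr.get_addr()   -- assumption: returns ip, port, family
  if not origin_allowed(ip) then
    ts.error("origin " .. tostring(ip) .. " is outside the allowlist; refusing")
    ts.http.set_resp(403, "Forbidden\n")                -- assumption: usable from this hook
  end
  return 0
end

function do_remap()
  ts.hook(TS_LUA_HOOK_OS_DNS, check_origin)
  return 0
end

-- Outside ATS (no 'ts' global) the matcher can be exercised with a plain
-- lua interpreter, so the allowlist logic is testable without a proxy.
if ts == nil then
  assert(origin_allowed("10.1.2.3"))
  assert(origin_allowed("192.168.255.1"))
  assert(not origin_allowed("192.169.0.1"))
  assert(not origin_allowed("172.16.0.5"))
  assert(not origin_allowed("2001:db8::1"))   -- IPv6: refused by default
  assert(not origin_allowed("256.1.1.1"))     -- malformed: refused
  print("origin allowlist self-test ok")
end
```

The script is loaded as a remap plugin (ts_lua with this file as its argument in remap.config); for a global plugin the same handler would be registered from the global OS_DNS entry point instead. Whether the response should come from set_resp or from ts.server_intercept, as Mark tried, is the open question in the thread; the allowlist match itself is independent of that choice.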

RE: Get Origin IP in Lua

Posted by Luca Rea <lu...@contactlab.com>.
Hi,
I’ve compiled ATS to run as “ats” user (uid: 501) and configured iptables to filter origin IPs:


-A OUTPUT -m tcp -p tcp ! --sport 8080 -m owner --uid-owner 501 -d 172.16.0.0/12  -j REJECT

Re: Get Origin IP in Lua

Posted by Sudheer Vinukonda <su...@yahoo-inc.com>.
I am not sure if there's any such "built-in" solution to control the IP ranges that ats communicates to, on the origin side. You may need to write a plugin to be able to do that (a somewhat similar plugin that can perform ACLs for the client connections is available at GeoIP ACLs Plugin — Apache Traffic Server 5.3.0 documentation). 


The closest thing I can find that can control origin communication is via congestion.config — Apache Traffic Server 5.3.0 documentation, but that only allows configuring a single destination (and not a range).

Thanks,
Sudheer

On Monday, January 12, 2015 11:29 AM, Mark Moseley <mo...@gmail.com> wrote:

> That'd be tremendous, thanks!
>
> Though off-hand, is there a more "built-in" solution to what I'm trying to do? I.e. limit what IP blocks ATS will talk to on the *origin* side? (Even if there is, having access to the origin IP in Lua is still highly desirable)


Re: Get Origin IP in Lua

Posted by Mark Moseley <mo...@gmail.com>.
On Sun, Jan 11, 2015 at 11:31 PM, Shu Kit Chan <ch...@gmail.com> wrote:

> Hi,
>
> I think what you need is currently missing from the ts_lua plugin.
> We can provide something like this
>
> ts.server_request.server_addr.get_addr()
>
> similar to
>
> ts.client_request.client_addr.get_addr()
>
> as mentioned here -
> https://docs.trafficserver.apache.org/en/latest/reference/plugins/ts_lua.en.html
>
>
> It should be using the ts api TSHttpTxnServerAddrGet() behind the scenes.
>
> I have already filed a new Jira ticket for it -
> https://issues.apache.org/jira/browse/TS-3290
>
> I can work on it by Wednesday or Thursday after I am done with my other
> errands.
>
> Thanks.
>
> Kit
>
>
> On Sun, Jan 11, 2015 at 7:40 PM, Mark Moseley <mo...@gmail.com>
> wrote:
>
>> Hi. I'm looking at the TS_LUA_HOOK_OS_DNS hook or
>> TS_LUA_HOOK_SEND_REQUEST_HDR as a way to do a fail-safe way of filtering
>> *origin* IPs. Obviously this could be done at the onboard firewall level,
>> but I thought it'd be neat to be able to do something a bit more in-line
>> (and it's fun to play with Lua).
>>
>> But despite the aforementioned hooks, there doesn't seem to be anywhere
>> in the 'ts' table that holds what the origin's DNS hostname was resolved
>> to. Does that get stored anywhere that ts_lua has access to?
>> ts.server_request seemed most promising but none of the functions in there
>> seem to return anything like the origin IP.
>>
>> If there were something accessible with the origin IP, then I could do a
>> sanity check like, pseudo-code-wise: for ip in goodips, does origin IP
>> match ip, and if none match, then return a 403 or 400 or something.
>>
>> I'm coming up blank looking through the API and source code, but I may be
>> missing something obvious (or more likely, just looking for the wrong
>> thing).
>>
>> Even better (and I've had no luck finding this either) would be something
>> built-in that contains a list of permitted origin IP blocks, like
>> ip_allow.config but for the backend request (and again, there might be but
>> I'm grepping+googling for the wrong thing).
>>
>> Thanks!
>>
>
>

That'd be tremendous, thanks!

Though off-hand, is there a more "built-in" solution to what I'm trying to
do? I.e. limit what IP blocks ATS will talk to on the *origin* side? (Even
if there is, having access to the origin IP in Lua is still highly
desirable)

Re: Get Origin IP in Lua

Posted by Shu Kit Chan <ch...@gmail.com>.
Hi,

I think what you need is currently missing from the ts_lua plugin.
We can provide something like this

ts.server_request.server_addr.get_addr()

similar to

ts.client_request.client_addr.get_addr()

as mentioned here -
https://docs.trafficserver.apache.org/en/latest/reference/plugins/ts_lua.en.html


It should be using the ts api TSHttpTxnServerAddrGet() behind the scenes.

I have already filed a new Jira ticket for it -
https://issues.apache.org/jira/browse/TS-3290

I can work on it by Wednesday or Thursday after I am done with my other
errands.

Thanks.

Kit


On Sun, Jan 11, 2015 at 7:40 PM, Mark Moseley <mo...@gmail.com> wrote:

> Hi. I'm looking at the TS_LUA_HOOK_OS_DNS hook or
> TS_LUA_HOOK_SEND_REQUEST_HDR as a way to do a fail-safe way of filtering
> *origin* IPs. Obviously this could be done at the onboard firewall level,
> but I thought it'd be neat to be able to do something a bit more in-line
> (and it's fun to play with Lua).
>
> But despite the aforementioned hooks, there doesn't seem to be anywhere in
> the 'ts' table that holds what the origin's DNS hostname was resolved to.
> Does that get stored anywhere that ts_lua has access to? ts.server_request
> seemed most promising but none of the functions in there seem to return
> anything like the origin IP.
>
> If there were something accessible with the origin IP, then I could do a
> sanity check like, pseudo-code-wise: for ip in goodips, does origin IP
> match ip, and if none match, then return a 403 or 400 or something.
>
> I'm coming up blank looking through the API and source code, but I may be
> missing something obvious (or more likely, just looking for the wrong
> thing).
>
> Even better (and I've had no luck finding this either) would be something
> built-in that contains a list of permitted origin IP blocks, like
> ip_allow.config but for the backend request (and again, there might be but
> I'm grepping+googling for the wrong thing).
>
> Thanks!
>