You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafficserver.apache.org by "Kingsley Foreman (JIRA)" <ji...@apache.org> on 2012/07/13 15:33:35 UTC

[jira] [Commented] (TS-1235) Deny occurring for IPs not in the ip_allow.config file

    [ https://issues.apache.org/jira/browse/TS-1235?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13413725#comment-13413725 ] 

Kingsley Foreman commented on TS-1235:
--------------------------------------

I was just also hit by this one,


53.703] Server {0x2b692129f700} WARNING: connect by disallowed client 127.0.0.1, closing
[Jul 13 19:22:53.704] Server {0x2b691de249a0} WARNING: connect by disallowed client 127.0.0.1, closing
[Jul 13 19:22:53.709] Server {0x2b691fc89700} WARNING: connect by disallowed client 127.0.0.1, closing
[Jul 13 19:22:53.713] Server {0x2b691fd8a700} WARNING: connect by disallowed client 127.0.0.1, closing
[Jul 13 19:22:53.723] Server {0x2b691fe8b700} WARNING: connect by disallowed client 127.0.0.1, closing
[Jul 13 19:22:53.724] Server {0x2b691ff8c700} WARNING: connect by disallowed client 127.0.0.1, closing
[Jul 13 19:22:53.724] Server {0x2b692008d700} WARNING: connect by disallowed client 127.0.0.1, closing
[Jul 13 19:22:53.731] Server {0x2b6920390700} WARNING: connect by disallowed client 127.0.0.1, closing
[Jul 13 19:22:53.732] Server {0x2b6920491700} WARNING: connect by disallowed client 127.0.0.1, closing
[Jul 13 19:22:53.735] Server {0x2b6920592700} WARNING: connect by disallowed client 127.0.0.1, closing
[Jul 13 19:22:53.742] Server {0x2b6920693700} WARNING: connect by disallowed client 127.0.0.1, closing
[Jul 13 19:22:53.743] Server {0x2b6920794700} WARNING: connect by disallowed client 127.0.0.1, closing
[Jul 13 19:22:53.746] Server {0x2b6920895700} WARNING: connect by disallowed client 127.0.0.1, closing
NOTE: Traffic Server received Sig 11: Segmentation fault
/usr/bin/traffic_server - STACK TRACE:
NOTE: Traffic Server received Sig 11: Segmentation fault
/usr/bin/traffic_server - STACK TRACE:
/lib/libpthread.so.0(+0xf8f0)[0x2b691b0f98f0]
/usr/lib/libtsutil.so.3(_ZNK5IpMap8containsEPK8sockaddrPPv+0xb1)[0x2b691aed3201]
/usr/bin/traffic_server(_ZN10HttpAccept9mainEventEiPv+0x254)[0x50aa24]
/usr/bin/traffic_server(_ZN18UnixNetVConnection11acceptEventEiP5Event+0x3d6)[0x65e6d6]
NOTE: Traffic Server received Sig 11: Segmentation fault
/usr/bin/traffic_server - STACK TRACE:
/usr/bin/traffic_server(_ZN7EThread13process_eventEP5Eventi+0xb4)[0x67c814]
/lib/libpthread.so.0(+0xf8f0)[0x2b691b0f98f0]
/lib/libpthread.so.0(+0xf8f0)[0x2b691b0f98f0]
/usr/bin/traffic_server(_ZN7EThread7executeEv+0x5ab)[0x67d29b]
/usr/bin/traffic_server[0x67aeb2]
/lib/libpthread.so.0(+0x69ca)[0x2b691b0f09ca]
/lib/libc.so.6(clone+0x6d)[0x2b691d73dcdd]
/usr/lib/libtsutil.so.3(_ZNK5IpMap8containsEPK8sockaddrPPv+0xb1)[0x2b691aed3201]


I can tell you what I changed

I changed 

src_ip=127.0.0.1                action=ip_allow
src_ip=0.0.0.0-255.255.255.255  action=ip_deny

to


src_ip=127.0.0.1                action=ip_deny method=PUSH|PURGE|DELETE
src_ip=0.0.0.0-255.255.255.255  action=ip_deny

                
> Deny occurring for IPs not in the ip_allow.config file
> ------------------------------------------------------
>
>                 Key: TS-1235
>                 URL: https://issues.apache.org/jira/browse/TS-1235
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Configuration, Security
>    Affects Versions: 3.1.3
>         Environment: Linux server.domain.com 2.6.32-220.el6.x86_64 #1 SMP Wed Dec 7 10:41:06 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
>            Reporter: Michael Turner
>            Assignee: Alan M. Carroll
>             Fix For: 3.3.2
>
>
> Consistently seeing this morning IPs that are not set to deny in ip_allow.config being rejected.  Here's the config file we were using:
> #
> # ip_allow.config
> #
> # Two types of rules:
> # #src_ip=<range of IP addresses> action=ip_allow
> # #src_ip=<range of IP addresses> action=ip_deny
> # Rules are applied in the order listed starting from the top.
> #
> # Ban all of the XXXX servers
> src_ip=AAA.BBB.CCC.134  action=ip_deny
> #src_ip=AAA.BBB.CCC.135 	action=ip_deny # temp unbanning. we've talked to him
> src_ip=AAA.BBB.CCC.137 	action=ip_deny
> src_ip=AAA.BBB.CCC.202 	action=ip_deny
> src_ip=AAA.BBB.CCC.203 	action=ip_deny
> src_ip=AAA.BBB.CCC.208 	action=ip_deny
> src_ip=AAA.BBB.CCC.209 	action=ip_deny
> src_ip=AAA.BBB.CCC.216 	action=ip_deny
> src_ip=AAA.BBB.CCC.217 	action=ip_deny
> src_ip=AAA.BBB.CCC.218 	action=ip_deny
> src_ip=AAA.BBB.CCC.219 	action=ip_deny
> src_ip=AAA.BBB.CCC.220 	action=ip_deny
> src_ip=AAA.BBB.CCC.222 	action=ip_deny
> src_ip=AAA.BBB.CCC.224 	action=ip_deny
> src_ip=AAA.BBB.CCC.236 	action=ip_deny
> # Banned IPs
> src_ip=AAA.BBB.CCC.212 	action=ip_deny
> src_ip=AAA.BBB.CCC.246 	action=ip_deny
> src_ip=AAA.BBB.CCC.144	action=ip_deny
> # Stock Rules
> src_ip=0.0.0.0-255.255.255.255		action=ip_allow
> src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_allow
> And here's log entries from when this config was active:
> [Apr 30 10:06:21.446] {0x2b321b2d42a0} NOTE: updated diags config
> [Apr 30 10:06:21.449] Server {0x2b321b2d42a0} NOTE: cache clustering disabled
> [Apr 30 10:06:21.492] Server {0x2b321b2d42a0} NOTE: cache clustering disabled
> [Apr 30 10:06:21.584] Server {0x2b321b2d42a0} NOTE: logging initialized[15], logging_mode = 3
> [Apr 30 10:06:21.591] Server {0x2b321b2d42a0} NOTE: traffic server running
> [Apr 30 10:06:25.140] Server {0x2b3222d2c700} NOTE: cache enabled
> [Apr 30 10:06:33.804] Server {0x2b3223534700} WARNING: connect by disallowed client AAA.BBB.CCC.111, closing
> [Apr 30 10:07:01.914] Server {0x2b324b2d2700} WARNING: connect by disallowed client AAA.BBB.CCC.111, closing
> [Apr 30 10:07:02.025] Server {0x2b324b4d4700} WARNING: connect by disallowed client AAA.BBB.CCC.144, closing
> [Apr 30 10:07:03.109] Server {0x2b3222827700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:04.594] Server {0x2b3222f2e700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:05.201] Server {0x2b3223332700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:06.170] Server {0x2b3223534700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:06.575] Server {0x2b3223736700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:06.690] Server {0x2b3223837700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:06.785] Server {0x2b3223938700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:06.817] Server {0x2b3223a39700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:06.841] Server {0x2b3223b3a700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:10.587] Server {0x2b321b2d42a0} WARNING: connect by disallowed client AAA.BBB.CCC.35, closing
> FATAL: HttpSM.cc:890: failed assert `0`
> The IPS visible in the log ending in .111 and .74 are not in the deny list anywhere.  The two ending in .144 and .35 are in the deny list.
> Please let me know what further information I can provide to help troubleshoot/reproduce this.  

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira