Posted to commits@trafficcontrol.apache.org by mi...@apache.org on 2018/10/10 18:26:08 UTC

[trafficcontrol] 10/39: Formatting changes, links between anonymous blocking rtype and tr logs

This is an automated email from the ASF dual-hosted git repository.

mitchell852 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git

commit 689fbba6b5498aeb0bebb0067533c591f3a0a12a
Author: ocket8888 <oc...@gmail.com>
AuthorDate: Wed Sep 19 06:16:32 2018 -0600

    Formatting changes, links between anonymous blocking rtype and tr logs
---
 .../admin/quick_howto/anonymous_blocking.rst       |  96 +++++++++---------
 docs/source/admin/traffic_router.rst               | 112 ++++++++++-----------
 2 files changed, 102 insertions(+), 106 deletions(-)

diff --git a/docs/source/admin/quick_howto/anonymous_blocking.rst b/docs/source/admin/quick_howto/anonymous_blocking.rst
index a78cc6e..2abc3f2 100644
--- a/docs/source/admin/quick_howto/anonymous_blocking.rst
+++ b/docs/source/admin/quick_howto/anonymous_blocking.rst
@@ -15,73 +15,69 @@
 
 .. _anonymous_blocking-qht:
 
-**************************************
+****************************
 Configure Anonymous Blocking
-**************************************
+****************************
 
 .. Note:: Anonymous Blocking is only supported for HTTP delivery services.
 
-1)  Prepare the Anonymous Blocking configuration file
+#. Prepare the Anonymous Blocking configuration file. Anonymous Blocking uses a configuration file in JSON format to define blocking rules for Delivery Services. The file needs to be put on an HTTP server accessible to Traffic Router.
 
-Anonymous Blocking uses a configuration file in JSON format to define blocking rules for delivery services. The file needs to be put on an HTTP server accessible to Traffic Router. An example of the JSON is as follows::
+	.. code-block:: json
+		:caption: Example Configuration JSON
 
-    {
+		{
+			"customer": "YourCompany",
+			"version": "1",
+			"date" : "2017-05-23 03:28:25",
+			"name": "Anonymous IP Blocking Policy",
 
-       "customer": "YourCompany",
-       "version": "1",
-       "date" : "2017-05-23 03:28:25",
-       "name": "Anonymous IP Blocking Policy",
+			"anonymousIp": { "blockAnonymousVPN": true,
+			                 "blockHostingProvider": true,
+			                 "blockPublicProxy": true,
+			                 "blockTorExitNode": true},
 
-       "anonymousIp": { "blockAnonymousVPN": true,
-                        "blockHostingProvider": true,
-                        "blockPublicProxy": true,
-                        "blockTorExitNode": true},
+			"ip4Whitelist": ["192.168.30.0/24", "10.0.2.0/24", "10.1.1.1/32"],
+			"ip6Whitelist": ["2001:550:90a::/48", "::1/128"],
+			"redirectUrl": "http://youvebeenblocked.com"
+		}
 
-       "ip4Whitelist": ["192.168.30.0/24", "10.0.2.0/24", "10.1.1.1/32"],
+	anonymousIp
+		Contains the types of IPs which can be checked against the Anonymous IP Database. There are 4 types of IPs which can be checked: VPNs, Hosting Providers, Public Proxies, and Tor Exit Nodes. Each type of IP can be enabled or disabled. If the value is true, IPs matching this type will be blocked when the feature is enabled in the Delivery Service. If the value is false, IPs which match this type will not be blocked. If an IP matches more than 1 type and any type is enabled, the IP will b [...]
+	redirectUrl
+		The URL that will be returned to the blocked clients. Without a redirectUrl, the clients will receive an HTTP response code ``403 Forbidden``. With a redirectUrl, the clients will be redirected with an HTTP response code ``302 Found``.
+	ipWhiteList
+		An optional element. It includes a list of Classless Inter-Domain Routing (CIDR) blocks indicating the IPv4 and IPv6 subnets that are allowed by the rule. If this list exists and the value is not ``null``, client IPs will be matched against the CIDR list, and if there is any match, the request will be allowed. If there is no match in the white list, further anonymous blocking logic will continue.
 
-       "ip6Whitelist": ["2001:550:90a::/48", "::1/128"],
 
-       "redirectUrl": "http://youvebeenblocked.com"
-    }
+#. Add the following three Anonymous Blocking parameters in Traffic Portal into CRConfig.json:
 
-* “anonymousIp” contains the types of IPs which can be checked against the Anonymous IP Database. There are 4 types of IPs which can be checked: VPNs, Hosting Providers, Public Proxies, and Tor Exit Nodes. Each type of IP can be enabled or disabled. If the value is true, IPs which match this type will be blocked when the feature is enabled in the delivery service. If the value is false, IPs which match this type will not be blocked. If an IP matches more than 1 type and any type is enabl [...]
+	``anonymousip.policy.configuration``
+		The HTTP URL of the Anonymous Blocking configuration file. Traffic Router will fetch the file from this URL.
+	``anonymousip.polling.url``
+		The HTTP URL of the Anonymous IP Database. Traffic Router will fetch the file from this URL.
+	``anonymousip.polling.interval``
+		The interval that Traffic Router polls the Anonymous Blocking configuration file and Anonymous IP Database.
 
-* “redirectUrl” is the URL that will be returned to the blocked clients. Without a redirectUrl, the clients will receive an HTTP response code 403. With a redirectUrl, the clients will be redirected with an HTTP response code 302.
+	.. figure:: anonymous_blocking/01.png
+		:scale: 100%
+		:align: center
 
-* “ipWhiteList” is an optional element. It includes a list of CIDR (Classless Inter-Domain Routing) blocks indicating the IPv4 and IPv6 subnets that are allowed by the rule. If this list exists and the value is not empty, client IP will be matched against the CIDR list, and if there is any match, the request will be allowed. If there is no match in the white list, further anonymous blocking logic will continue.
+#. Enable Anonmyous Blocking for a Delivery Service
 
+	.. figure:: anonymous_blocking/02.png
+		:scale: 100%
+		:align: center
 
-2)  Add Anonymous Blocking parameters on Traffic Ops
+#. Go to Tools->Snapshot CRConfig, perform “Diff CRConfig” and click "Write CRConfig".
 
-The following three new parameters are required to be added into CRConfig.json:
-
-* "anonymousip.policy.configuration": the HTTP URL of the Anonymous Blocking configuration file. Traffic Router will fetch the file from this URL.
-* "anonymousip.polling.url": the HTTP URL of the Anonymous IP Database. Traffic Router will fetch the file from this URL.
-* "anonymousip.polling.interval": the interval that Traffic Router polls the Anonymous Blocking configuration file and Anonymous IP Database.
-
-.. image:: anonymous_blocking/01.png
-  :scale: 100%
-  :align: center
-
-3)  Enable Anonmyous Blocking for a delivery service
-
-.. image:: anonymous_blocking/02.png
-  :scale: 100%
-  :align: center
-
-4)  Make configuration effective
-
-Go to Tools->Snapshot CRConfig, perform “Diff CRConfig” and click "Write CRConfig".
-
-.. image:: regionalgeo/03.png
-  :scale: 70%
-  :align: center
-
-5)  Traffic Router access log with Anonymous Blocking
-
-Anonymous Blocking extends the field of "rtype" and adds a new field "ANON_BLOCK" in Traffic Router access.log to help to monitor the working of this feature.
-
-If rtype=ANON_BLOCK then the client's IP was found in the Anonymous IP Database and was blocked.
+	.. figure:: regionalgeo/03.png
+		:scale: 70%
+		:align: center
 
 
+Traffic Router Access Log
+=========================
+Anonymous Blocking extends the field of ``rtype`` and adds a new field ``ANON_BLOCK`` in the Traffic Router ``access.log`` file to help monitor this feature. If the ``rtype`` in an access log is ``ANON_BLOCK`` then the client's IP was found in the Anonymous IP Database and was blocked.
 
+.. seealso:: :ref:`tr-logs`
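
Review bot: The rewritten ipWhiteList definition says the list is consulted when its value "is not ``null``", where the removed bullet said "is not empty". That changes the documented behaviour in a commit described as formatting changes, so please confirm which condition Traffic Router actually applies and keep the matching wording. While this item is being rewritten, the term ipWhiteList matches neither key in the example JSON ("ip4Whitelist", "ip6Whitelist"), and the step "Enable Anonmyous Blocking for a Delivery Service" still carries the "Anonmyous" typo from the old text.
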
diff --git a/docs/source/admin/traffic_router.rst b/docs/source/admin/traffic_router.rst
index 8f7d173..03c7818 100644
--- a/docs/source/admin/traffic_router.rst
+++ b/docs/source/admin/traffic_router.rst
@@ -45,10 +45,10 @@ The following are requirements to ensure an accurate set up:
 
 #. Edit ``/opt/traffic_router/conf/traffic_monitor.properties`` and specify the correct online Traffic Monitor(s) for your CDN. See :ref:`tr-config-files`
 
-	:traffic_monitor.properties: URL that should normally point to this file. e.x. ``traffic_monitor.properties=file:/opt/traffic_router/conf/traffic_monitor.properties``
-
-	:traffic_monitor.properties.reload.period: Period to wait (in milliseconds) between reloading this file. e.x. ``traffic_monitor.properties.reload.period=60000``
-
+	``traffic_monitor.properties``
+		URL that should normally point to this file. e.x. ``traffic_monitor.properties=file:/opt/traffic_router/conf/traffic_monitor.properties``
+	``traffic_monitor.properties.reload.period``
+		Period to wait (in milliseconds) between reloading this file. e.x. ``traffic_monitor.properties.reload.period=60000``
 
 #. Start Traffic Router. This can be done by running ``systemctl start traffic_router`` as the root user (or with ``sudo``), and test DNS lookups against that server with e.g. ``dig`` or ``curl``. To restart Traffic Router, run ``systemctl restart traffic_router`` as the root user (or with ``sudo``). Also, because previously received CRConfigs will be cached, they need to be removed manually to actually be reloaded. This file should be located at ``/opt/traffic_router/db/cr-config.json``.
 
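
Review bot: Both rewritten definitions keep the abbreviation "e.x." before their sample values. Since these lines are being touched anyway, replace it with "e.g.", which the unchanged step just below already uses ("with e.g. ``dig`` or ``curl``").
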
@@ -169,6 +169,8 @@ Traffic Router currently follows the zone signing key pre-publishing operational
 
 .. _section 4.1.1.1 of RFC 6781: https://tools.ietf.org/html/rfc6781#section-4.1.1.1
 
+.. _tr-logs:
+
 Troubleshooting and Log Files
 =============================
 Traffic Router log files can be found under ``/opt/traffic_router/var/log`` and ``/opt/tomcat/logs``. Initialization and shutdown logs are in ``/opt/tomcat/logs/catalina[date].out``. Application related logging is in ``/opt/traffic_router/var/log/traffic_router.log``, while access logs are written to ``/opt/traffic_router/var/log/access.log``.
@@ -230,61 +232,60 @@ Fields Always Present
 
 ``rtype`` Meanings
 ^^^^^^^^^^^^^^^^^^
-
-:"-":          The request was not redirected. This is usually a result of a DNS request to the Traffic Router or an explicit denial for that request
-
-:CZ:           The result was derived from Coverage Zone data based on the address in the ``chi`` field
-
-:DEEP_CZ:      The result was derived from Deep Coverage Zone data based on the address in the ``chi`` field
-
-:DS_MISS:      _*HTTP Only*_ No HTTP Delivery Service supports either this request's URL path or headers
-
-:DS_REDIRECT:  The result is using the Bypass Destination configured for the matched Delivery Service when that Delivery Service is unavailable or does not have the requested resource
-
-:ERROR:        An internal error occurred within Traffic Router, more details may be found in the ``rerr`` field
-
-:FED:          _*DNS Only*_ The result was obtained through federated coverage zone data outside of any Delivery Service
-
-:GEO:          The result was derived from geolocation service based on the address in the ``chi`` field
-
-:GEO_REDIRECT: The request was redirected (302) based on the National Geo blocking (Geo Limit Redirect URL) configured on the Delivery Service
-
-:MISS:         Traffic Router was unable to resolve a DNS request or find a cache for the requested resource
-
-:RGALT:        The request was redirected (302) to the Regional Geo blocking URL. Regional Geo blocking is enabled on the Delivery Service and is configured through the ``regional_geoblock.polling.url`` setting for the Traffic Router profile
-
-:RGDENY:       _*DNS Only*_ The result was obtained through federated coverage zone data outside of any Delivery Service The request was regionally blocked because there was no rule for the request made
-
-:STATIC_ROUTE: _*DNS Only*_ No DNS Delivery Service supports the hostname portion of the requested url
-
-
+``-``
+	The request was not redirected. This is usually a result of a DNS request to the Traffic Router or an explicit denial for that request
+ANON_BLOCK
+	The client's IP matched an `Anonymous Blocking <anonymous_blocking-qht>`_ rule and was blocked
+CZ
+	The result was derived from Coverage Zone data based on the address in the ``chi`` field
+DEEP_CZ
+	The result was derived from Deep Coverage Zone data based on the address in the ``chi`` field
+DS_MISS
+	_*HTTP Only*_ No HTTP Delivery Service supports either this request's URL path or headers
+DS_REDIRECT
+	The result is using the Bypass Destination configured for the matched Delivery Service when that Delivery Service is unavailable or does not have the requested resource
+ERROR
+	An internal error occurred within Traffic Router, more details may be found in the ``rerr`` field
+FED
+	_*DNS Only*_ The result was obtained through federated coverage zone data outside of any Delivery Service
+GEO
+	The result was derived from geolocation service based on the address in the ``chi`` field
+GEO_REDIRECT
+	The request was redirected (302) based on the National Geo blocking (Geo Limit Redirect URL) configured on the Delivery Service
+MISS
+	Traffic Router was unable to resolve a DNS request or find a cache for the requested resource
+RGALT
+	The request was redirected (302) to the Regional Geo blocking URL. Regional Geo blocking is enabled on the Delivery Service and is configured through the ``regional_geoblock.polling.url`` setting for the Traffic Router profile
+RGDENY
+	_*DNS Only*_ The result was obtained through federated coverage zone data outside of any Delivery Service The request was regionally blocked because there was no rule for the request made
+STATIC_ROUTE
+	_*DNS Only*_ No DNS Delivery Service supports the hostname portion of the requested url
 
 
 ``rdtl`` Meanings
 ^^^^^^^^^^^^^^^^^
-
-:"-":                                  The request was not redirected. This is usually a result of a DNS request to the Traffic Router or an explicit denial for that request
-
-:DS_BYPASS:                            Used Bypass Destination for Redirect of Delivery Service
-
-:DS_CLIENT_GEO_UNSUPPORTED:            Traffic Router did not find a resource supported by coverage zone data and was unable to determine the geographic location of the requesting client
-
-:DS_CZ_BACKUP_CG:                      Traffic Router found a backup cache via fall-back (CRconfig's ``edgeLocation``)  or via coordinates (CZF) configuration
-
-:DS_CZ_ONLY:                           The selected Delivery Service only supports resource lookup based on Coverage Zone data
-
-:DS_NO_BYPASS:                         No valid Bypass Destination is configured for the matched Delivery Service and the Delivery Service does not have the requested resource
-
-:DS_NOT_FOUND:                         Always goes with ``rtypes`` STATIC_ROUTE and DS_MISS
-
-:GEO_NO_CACHE_FOUND:                   Traffic Router could not find a resource via geographic location data based on the requesting client's location
-
-:NO_DETAILS:                           This entry is for a standard request
-
-:REGIONAL_GEO_ALTERNATE_WITHOUT_CACHE: This goes with the ``rtype`` RGDENY. The URL is being regionally blocked
-
-:REGIONAL_GEO_NO_RULE:                 The request was blocked because there was no rule in the Delivery Service for the request
-
+``-``
+	The request was not redirected. This is usually a result of a DNS request to the Traffic Router or an explicit denial for that request
+DS_BYPASS
+	Used Bypass Destination for Redirect of Delivery Service
+DS_CLIENT_GEO_UNSUPPORTED
+	Traffic Router did not find a resource supported by coverage zone data and was unable to determine the geographic location of the requesting client
+DS_CZ_BACKUP_CG
+	Traffic Router found a backup cache via fall-back (CRconfig's ``edgeLocation``)  or via coordinates (CZF) configuration
+DS_CZ_ONLY
+	The selected Delivery Service only supports resource lookup based on Coverage Zone data
+DS_NO_BYPASS
+	No valid Bypass Destination is configured for the matched Delivery Service and the Delivery Service does not have the requested resource
+DS_NOT_FOUND
+	Always goes with ``rtypes`` STATIC_ROUTE and DS_MISS
+GEO_NO_CACHE_FOUND
+	Traffic Router could not find a resource via geographic location data based on the requesting client's location
+NO_DETAILS
+	This entry is for a standard request
+REGIONAL_GEO_ALTERNATE_WITHOUT_CACHE
+	This goes with the ``rtype`` RGDENY. The URL is being regionally blocked
+REGIONAL_GEO_NO_RULE
+	The request was blocked because there was no rule in the Delivery Service for the request
 
 HTTP Specifics
 --------------
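
Review bot: In the new ANON_BLOCK entry, `Anonymous Blocking <anonymous_blocking-qht>`_ is reStructuredText external-hyperlink syntax, so it will render as a link to the relative URL "anonymous_blocking-qht" instead of resolving the anonymous_blocking-qht label defined in the how-to. Use the ref role, :ref:`Anonymous Blocking <anonymous_blocking-qht>`, the same way the :ref:`tr-logs` reference is written in anonymous_blocking.rst. Separately, the RGDENY entry still opens with the FED description ("The result was obtained through federated coverage zone data outside of any Delivery Service") run straight into its own sentence. That looks like a copy-paste leftover and could be dropped while these lines are rewritten.
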
@@ -316,7 +317,6 @@ Sample Message
 	|rurl |The resulting URL of the resource requested by the client |A URL String|
 	+-----+----------------------------------------------------------+------------+
 
-------------
 
 DNS Specifics
 -------------