You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@trafficserver.apache.org by "Bryan Call (JIRA)" <ji...@apache.org> on 2014/05/19 17:57:38 UTC

[jira] [Commented] (TS-1983) ACL rules in remap.config does not take precedence over rules in ip_allow.config

    [ https://issues.apache.org/jira/browse/TS-1983?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14001929#comment-14001929 ] 

Bryan Call commented on TS-1983:
--------------------------------

Incompatible change that would require an major version.

> ACL rules in remap.config does not take precedence over rules in ip_allow.config
> --------------------------------------------------------------------------------
>
>                 Key: TS-1983
>                 URL: https://issues.apache.org/jira/browse/TS-1983
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Configuration
>            Reporter: Leif Hedstrom
>            Assignee: Alan M. Carroll
>             Fix For: 6.0.0
>
>
> Lets say you want to allow DELETE for a small sub-set of requests, based on remap.config rules. The reasonable configuration is to do e.g.
> {code}
> map http://dav.example.com http://127.0.0.1 @method=DELETE @action=allow
> {code}
> However, this does not work, since the global "DENY" in ip_allow.config takes precedence (it denies all DELETE's). This is actually sort of a regression I think, it did not use to behave like this I'm fairly certain.
> The workaround (which is incredibly cumbersom if you have even a moderately large remap.config, is to inverse the rules. E.g.
> {code}
> src_ip=0.0.0.0-255.255.255.255                    action=ip_deny  method=PUSH|PURGE
> {code}
> and
> {code}
> map http://other.example.com http://123 @method=DELETE @action=deny
> map http://another.example.com http://123 @method=DELETE @action=deny
> map http://more.example.com http://123 @method=DELETE @action=deny
> .
> .
> .
> {code}
> This kinda sucks to maintain, and also opens up a PEBKAC security  problem, when someone adds a new remap.config rule and forgets to deny the DELETEs.
> I really feel that the ACLs from remap.config (if they match, you can specify IP ranges etc. as well), should take precedence over ip_allow.config.



--
This message was sent by Atlassian JIRA
(v6.2#6252)