Posted to dev@trafficserver.apache.org by Luca Rea <lu...@contactlab.com> on 2014/10/07 18:25:22 UTC
localhost access
Hi,
my proxy receives requests for localhost (127.0.0.1:xxxx), how can I deny access to local resources?
RE: localhost access
Posted by Luca Rea <lu...@contactlab.com>.
Ip_allow.config has "per source" rules, now I've applied a couple of new rules in iptables:
PORTS USED
trafficserver: 8080,8083,8084 (should be granted access to these ports?)
allowed local resources (127.0.0.1): 80,8087,8090,8093 (web services)
ATS USER
uid=501(ats) gid=501(ats) groups=501(ats)
FIREWALL ADDED RULES:
-A OUTPUT -m tcp -p tcp --match multiport -d 127.0.0.1/8 --dports 80,8080,8083,8084,8087,8090,8093 -m owner --uid-owner 501 -j ACCEPT
-A OUTPUT -m tcp -p tcp -d 127.0.0.1/8 -m owner --uid-owner 501 -j REJECT
-----Original Message-----
From: James Peach [mailto:jpeach@apache.org]
Sent: martedì 7 ottobre 2014 19:58
To: dev@trafficserver.apache.org
Subject: Re: localhost access
On Oct 7, 2014, at 9:25 AM, Luca Rea <lu...@contactlab.com> wrote:
> Hi,
> my proxy receives requests for localhost (127.0.0.1:xxxx), how can I deny access to local resources?
Does ip_allow work for this case?
https://docs.trafficserver.apache.org/en/latest/reference/configuration/ip_allow.config.en.html
Re: localhost access
Posted by James Peach <jp...@apache.org>.
On Oct 7, 2014, at 9:25 AM, Luca Rea <lu...@contactlab.com> wrote:
> Hi,
> my proxy receives requests for localhost (127.0.0.1:xxxx), how can I deny access to local resources?
Does ip_allow work for this case?
https://docs.trafficserver.apache.org/en/latest/reference/configuration/ip_allow.config.en.html
RE: localhost access
Posted by Luca Rea <lu...@contactlab.com>.
Hi,
Doesn't work, it seems that 127.0.0.1 skips the parent.config rules (bug or feature?), other suggestions?
-----Original Message-----
From: Leif Hedstrom [mailto:zwoop@apache.org]
Sent: mercoledì 8 ottobre 2014 17:53
To: dev@trafficserver.apache.org
Cc: Alan Carroll
Subject: Re: localhost access
I haven't tested it, but wouldn't the regex need to be something like "http://127\.0\.0\.1.*" ? You could also try maybe settings with dest_domain="127.0.0.1" and dest_domain="localhost" ?
- Leif
Re: localhost access
Posted by Leif Hedstrom <zw...@apache.org>.
On Oct 8, 2014, at 9:05 AM, Luca Rea <lu...@contactlab.com> wrote:
> Hi,
>
> Oct 8 16:47:25.042720 traffic_manager {0x7fdda89227e0} ERROR: (last system error 32: Broken pipe)
> Oct 8 16:47:25.078427 traffic_cop cop received child status signal [6816 256]
> Oct 8 16:47:25.078458 traffic_cop traffic_manager not running, making sure traffic_server is dead
> Oct 8 16:47:25.078462 traffic_cop spawning traffic_manager
>
>
>
>
> In the past (with an old release of ATS) I had something like the following:
>
> url_regex="^http://127.0.0.1" parent="192.168.242.135:8093" (where parent returns 403)
I haven’t tested it, but wouldn’t the regex need to be something like "http://127\.0\.0\.1.*" ? You could also try maybe settings with dest_domain="127.0.0.1" and dest_domain="localhost" ?
— Leif
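An added example (not part of the thread and not Apache Traffic Server code): a small audit that runs the two URL patterns quoted above against a host-based loopback check, to show which destinations each pattern fails to cover and which unrelated hosts it catches. It assumes Python's re.search semantics rather than the proxy's own regex engine; the sample URLs and the LOCAL_NAMES set are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The two patterns quoted in the thread.
OLD_RULE = re.compile(r"^http://127.0.0.1")            # dots left unescaped
SUGGESTED_RULE = re.compile(r"http://127\.0\.0\.1.*")  # dots escaped

# Assumption: host names that should be treated as the local machine.
LOCAL_NAMES = {"localhost"}


def targets_loopback(url: str) -> bool:
    """True when the URL's host is a loopback IP literal or a local name."""
    host = urlsplit(url).hostname  # lowercased, brackets and port stripped
    if host is None:
        return False
    host = host.rstrip(".")
    if host in LOCAL_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback  # 127.0.0.0/8 and ::1
    except ValueError:
        return False  # ordinary DNS name: needs a check at resolve time instead


def audit(pattern, urls):
    """Return (missed, overblocked) for a URL regex used as a deny rule."""
    missed = [u for u in urls if targets_loopback(u) and not pattern.search(u)]
    over = [u for u in urls if pattern.search(u) and not targets_loopback(u)]
    return missed, over


# Constructed sample requests, not taken from any log in the thread.
SAMPLE_URLS = [
    "http://127.0.0.1:8093/status",
    "http://127.0.0.2/",
    "http://localhost:8087/",
    "http://[::1]:80/",
    "http://127x0y0z1.example.com/",
    "http://www.example.com/",
]

if __name__ == "__main__":
    for name, rule in (("old", OLD_RULE), ("suggested", SUGGESTED_RULE)):
        missed, over = audit(rule, SAMPLE_URLS)
        print(f"{name}: missed={missed} overblocked={over}")
```

Escaping the dots removes the false match on an unrelated host name, but both patterns still cover only the literal 127.0.0.1, which is why a destination check on the parsed host (or the dest_domain entries suggested above) is worth testing alongside the regex.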
RE: localhost access
Posted by Luca Rea <lu...@contactlab.com>.
Hi,
I've removed the rules from iptables because they cause a restart loop:
Oct 8 16:43:46.004807 traffic_cop (test) write failed [110 'Connection timed out']
Oct 8 16:43:46.004839 traffic_cop server heartbeat failed [1]
Oct 8 16:44:59.005037 traffic_cop (test) write failed [110 'Connection timed out']
Oct 8 16:44:59.005085 traffic_cop server heartbeat failed [2]
Oct 8 16:44:59.005111 traffic_cop killing server
Oct 8 16:44:59.013037 traffic_manager {0x7f856242e7e0} FATAL: [LocalManager::pollMgmtProcessServer] Error in read (errno: 104)
Oct 8 16:44:59.013105 traffic_manager {0x7f856242e7e0} ERROR: [LocalManager::sendMgmtMsgToProcesses] Error writing message
Oct 8 16:44:59.013136 traffic_manager {0x7f856242e7e0} ERROR: (last system error 32: Broken pipe)
Oct 8 16:44:59.033477 traffic_cop cop received child status signal [4434 256]
Oct 8 16:44:59.033566 traffic_cop traffic_manager not running, making sure traffic_server is dead
Oct 8 16:44:59.033721 traffic_cop spawning traffic_manager
Oct 8 16:44:59.039080 traffic_manager NOTE: --- Manager Starting ---
Oct 8 16:44:59.039107 traffic_manager NOTE: Manager Version: Apache Traffic Server - traffic_manager - 5.1.0 - (build # 81013 on Sep 10 2014 at 13:13:42)
Oct 8 16:44:59.042224 traffic_manager NOTE: RLIMIT_NOFILE(7):cur(718639),max(718639)
Oct 8 16:45:01.082030 traffic_server NOTE: --- traffic_server Starting ---
Oct 8 16:45:01.082063 traffic_server NOTE: traffic_server Version: Apache Traffic Server - traffic_server - 5.1.0 - (build # 81013 on Sep 10 2014 at 13:13:02)
Oct 8 16:45:01.082079 traffic_server NOTE: RLIMIT_NOFILE(7):cur(718639),max(718639)
Oct 8 16:46:12.034773 traffic_cop (test) write failed [110 'Connection timed out']
Oct 8 16:46:12.034806 traffic_cop server heartbeat failed [1]
Oct 8 16:47:25.035064 traffic_cop (test) write failed [110 'Connection timed out']
Oct 8 16:47:25.035096 traffic_cop server heartbeat failed [2]
Oct 8 16:47:25.035099 traffic_cop killing server
Oct 8 16:47:25.041909 traffic_manager {0x7fdda89227e0} FATAL: [LocalManager::pollMgmtProcessServer] Error in read (errno: 104)
Oct 8 16:47:25.042691 traffic_manager {0x7fdda89227e0} ERROR: [LocalManager::sendMgmtMsgToProcesses] Error writing message
Oct 8 16:47:25.042720 traffic_manager {0x7fdda89227e0} ERROR: (last system error 32: Broken pipe)
Oct 8 16:47:25.078427 traffic_cop cop received child status signal [6816 256]
Oct 8 16:47:25.078458 traffic_cop traffic_manager not running, making sure traffic_server is dead
Oct 8 16:47:25.078462 traffic_cop spawning traffic_manager
In the past (with an old release of ATS) I had something like the following:
url_regex="^http://127.0.0.1" parent="192.168.242.135:8093" (where parent returns 403)
but with ATS 5.0 it doesn't work, can you suggest some rule to apply in parent.config and/or remap.config please?
Re: localhost access
Posted by "Alan M. Carroll" <am...@network-geographics.com>.
Tuesday, October 7, 2014, 11:25:22 AM, you wrote:
> Hi,
> my proxy receives requests for localhost (127.0.0.1:xxxx), how can I deny access to local resources?
Would a remap rule work? That is, remap all requests to localhost to an error page.