Posted to dev@trafficserver.apache.org by Luca Rea <lu...@contactlab.com> on 2014/10/07 18:25:22 UTC

localhost access

Hi,
my proxy receives requests for localhost (127.0.0.1:xxxx); how can I deny access to local resources?


RE: localhost access

Posted by Luca Rea <lu...@contactlab.com>.
ip_allow.config has "per source" rules; for now I've applied a couple of new rules in iptables:


PORTS USED
trafficserver: 8080,8083,8084 (should it be granted access to these ports?)
allowed local resources (127.0.0.1): 80,8087,8090,8093 (web services)

ATS USER
uid=501(ats) gid=501(ats) groups=501(ats)

FIREWALL ADDED RULES:
-A OUTPUT -m tcp -p tcp --match multiport -d 127.0.0.1/8 --dports 80,8080,8083,8084,8087,8090,8093 -m owner --uid-owner 501 -j ACCEPT
-A OUTPUT -m tcp -p tcp -d 127.0.0.1/8 -m owner --uid-owner 501 -j REJECT




-----Original Message-----
From: James Peach [mailto:jpeach@apache.org] 
Sent: Tuesday, 7 October 2014 19:58
To: dev@trafficserver.apache.org
Subject: Re: localhost access

On Oct 7, 2014, at 9:25 AM, Luca Rea <lu...@contactlab.com> wrote:

> Hi,
> my proxy receives requests for localhost (127.0.0.1:xxxx); how can I deny access to local resources?

Does ip_allow work for this case?

https://docs.trafficserver.apache.org/en/latest/reference/configuration/ip_allow.config.en.html

Re: localhost access

Posted by James Peach <jp...@apache.org>.
On Oct 7, 2014, at 9:25 AM, Luca Rea <lu...@contactlab.com> wrote:

> Hi,
> my proxy receives requests for localhost (127.0.0.1:xxxx); how can I deny access to local resources?

Does ip_allow work for this case?

https://docs.trafficserver.apache.org/en/latest/reference/configuration/ip_allow.config.en.html

RE: localhost access

Posted by Luca Rea <lu...@contactlab.com>.
Hi,
It doesn't work; it seems that 127.0.0.1 skips the parent.config rules (bug or feature?). Other suggestions?


-----Original Message-----
From: Leif Hedstrom [mailto:zwoop@apache.org] 
Sent: Wednesday, 8 October 2014 17:53
To: dev@trafficserver.apache.org
Cc: Alan Carroll
Subject: Re: localhost access


I haven't tested it, but wouldn't the regex need to be something like "http://127\.0\.0\.1.*" ? You could also try maybe settings with dest_domain="127.0.0.1" and dest_domain="localhost" ?

- Leif



Re: localhost access

Posted by Leif Hedstrom <zw...@apache.org>.
On Oct 8, 2014, at 9:05 AM, Luca Rea <lu...@contactlab.com> wrote:

> Hi,
> 
> Oct  8 16:47:25.042720 traffic_manager  {0x7fdda89227e0} ERROR:  (last system error 32: Broken pipe)
> Oct  8 16:47:25.078427 traffic_cop  cop received child status signal [6816 256]
> Oct  8 16:47:25.078458 traffic_cop  traffic_manager not running, making sure traffic_server is dead
> Oct  8 16:47:25.078462 traffic_cop  spawning traffic_manager
> 
> 
> 
> 
> In the past (with an old release of ATS) I had something like the following:
> 
> url_regex="^http://127.0.0.1" parent="192.168.242.135:8093" (where parent returns 403)


I haven't tested it, but wouldn't the regex need to be something like "http://127\.0\.0\.1.*" ? You could also try maybe settings with dest_domain="127.0.0.1" and dest_domain="localhost" ?

- Leif


RE: localhost access

Posted by Luca Rea <lu...@contactlab.com>.
Hi,

I've removed the rules from iptables because they cause a restart loop:

Oct  8 16:43:46.004807 traffic_cop  (test) write failed [110 'Connection timed out']
Oct  8 16:43:46.004839 traffic_cop  server heartbeat failed [1]
Oct  8 16:44:59.005037 traffic_cop  (test) write failed [110 'Connection timed out']
Oct  8 16:44:59.005085 traffic_cop  server heartbeat failed [2]
Oct  8 16:44:59.005111 traffic_cop  killing server
Oct  8 16:44:59.013037 traffic_manager  {0x7f856242e7e0} FATAL: [LocalManager::pollMgmtProcessServer] Error in read (errno: 104)
Oct  8 16:44:59.013105 traffic_manager  {0x7f856242e7e0} ERROR: [LocalManager::sendMgmtMsgToProcesses] Error writing message
Oct  8 16:44:59.013136 traffic_manager  {0x7f856242e7e0} ERROR:  (last system error 32: Broken pipe)
Oct  8 16:44:59.033477 traffic_cop  cop received child status signal [4434 256]
Oct  8 16:44:59.033566 traffic_cop  traffic_manager not running, making sure traffic_server is dead
Oct  8 16:44:59.033721 traffic_cop  spawning traffic_manager
Oct  8 16:44:59.039080 traffic_manager  NOTE: --- Manager Starting ---
Oct  8 16:44:59.039107 traffic_manager  NOTE: Manager Version: Apache Traffic Server - traffic_manager - 5.1.0 - (build # 81013 on Sep 10 2014 at 13:13:42)
Oct  8 16:44:59.042224 traffic_manager  NOTE: RLIMIT_NOFILE(7):cur(718639),max(718639)
Oct  8 16:45:01.082030 traffic_server  NOTE: --- traffic_server Starting ---
Oct  8 16:45:01.082063 traffic_server  NOTE: traffic_server Version: Apache Traffic Server - traffic_server - 5.1.0 - (build # 81013 on Sep 10 2014 at 13:13:02)
Oct  8 16:45:01.082079 traffic_server  NOTE: RLIMIT_NOFILE(7):cur(718639),max(718639)
Oct  8 16:46:12.034773 traffic_cop  (test) write failed [110 'Connection timed out']
Oct  8 16:46:12.034806 traffic_cop  server heartbeat failed [1]
Oct  8 16:47:25.035064 traffic_cop  (test) write failed [110 'Connection timed out']
Oct  8 16:47:25.035096 traffic_cop  server heartbeat failed [2]
Oct  8 16:47:25.035099 traffic_cop  killing server
Oct  8 16:47:25.041909 traffic_manager  {0x7fdda89227e0} FATAL: [LocalManager::pollMgmtProcessServer] Error in read (errno: 104)
Oct  8 16:47:25.042691 traffic_manager  {0x7fdda89227e0} ERROR: [LocalManager::sendMgmtMsgToProcesses] Error writing message
Oct  8 16:47:25.042720 traffic_manager  {0x7fdda89227e0} ERROR:  (last system error 32: Broken pipe)
Oct  8 16:47:25.078427 traffic_cop  cop received child status signal [6816 256]
Oct  8 16:47:25.078458 traffic_cop  traffic_manager not running, making sure traffic_server is dead
Oct  8 16:47:25.078462 traffic_cop  spawning traffic_manager




In the past (with an old release of ATS) I had something like the following:

url_regex="^http://127.0.0.1" parent="192.168.242.135:8093" (where parent returns 403)

but with ATS 5.0 it doesn't work; can you suggest some rules to apply in parent.config and/or remap.config, please?

Re: localhost access

Posted by "Alan M. Carroll" <am...@network-geographics.com>.
Tuesday, October 7, 2014, 11:25:22 AM, you wrote:

> Hi,
> my proxy receives requests for localhost (127.0.0.1:xxxx); how can I deny access to local resources?


Would a remap rule work? That is, remap all requests to localhost to an error page.
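The thread proposes three places to enforce the same policy: iptables owner rules, a parent.config url_regex, and a remap rule pointing localhost at an error page. The check below is an added example written for this thread, not code from Apache Traffic Server or from any of the posters; it shows what that policy looks like when applied to the request's destination host rather than to a URL regex (so the dot-escaping pitfall Leif raises for "^http://127.0.0.1" does not arise), and it covers the spellings of "the proxy host itself" that a regex on the literal string 127.0.0.1 would miss: ::1, IPv4-mapped loopback, 0.0.0.0, abbreviated IPv4 literals, and names that resolve to a loopback address. The function names and the `resolve` hook are assumptions made for this example; the sample requests in `main` are constructed, and 192.168.242.135 is the parent address Luca quoted.

```python
"""Deny proxy requests whose destination is the proxy host itself.

Added example for this thread, not code from Apache Traffic Server or from
any poster. A proxy front-end (or a plugin built on the same logic) would
run is_local_target() on each client request before forwarding and answer
403 when it returns True. Function names and the `resolve` hook are
assumptions made here; they do not correspond to any ATS API.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# Hostname -> iterable of address strings. Injected so the check can be
# exercised offline; the default uses the OS resolver.
Resolver = Callable[[str], Iterable[str]]


def _default_resolve(host: str) -> Iterable[str]:
    """Resolve host to every A/AAAA record via the OS resolver ([] on failure)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return {info[4][0] for info in infos}


def _parse_ipv4_literal(host: str) -> Optional[ipaddress.IPv4Address]:
    """Normalise the abbreviated IPv4 spellings inet_aton accepts ("127.1",
    "2130706433", "0x7f000001") to a dotted quad. ipaddress.ip_address()
    rejects them, so a check built on it alone would forward such a request
    and let the connect() path interpret the host as 127.0.0.1."""
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def address_is_local(addr) -> bool:
    """True when the address terminates on the proxy host itself."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped            # ::ffff:127.0.0.1 -> 127.0.0.1
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local


def is_local_target(url: str, resolve: Optional[Resolver] = None) -> bool:
    """Return True if the URL's host denotes the proxy's own host.

    Numeric hosts are decided without any lookup. Names are resolved and
    every returned address is checked, so a name carrying one public and one
    loopback record is still denied. A name that resolves to nothing is not
    treated as local; it fails at connect time anyway.
    """
    resolve = resolve or _default_resolve
    host = urlsplit(url).hostname           # lower-cased, IPv6 brackets removed
    if not host:
        return True                         # nothing sane to forward to
    host = host.rstrip(".")
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return address_is_local(ipaddress.ip_address(host))
    except ValueError:
        pass                                # not a canonical IP literal
    literal = _parse_ipv4_literal(host)
    if literal is not None:
        return address_is_local(literal)
    return any(address_is_local(ipaddress.ip_address(a)) for a in resolve(host))


if __name__ == "__main__":
    # Constructed sample requests; the last one is the parent address from the thread.
    for u in ("http://127.0.0.1:8093/status", "http://[::1]:8087/",
              "http://localhost:8090/", "http://127.1/",
              "http://192.168.242.135:8093/"):
        print("DENY   " if is_local_target(u) else "forward", u)
```

Because the check runs only on client-requested destinations, it does not touch the proxy's own management traffic to localhost, which is what the owner-based iptables OUTPUT rules in the thread blocked (traffic_cop's heartbeat timing out and killing the server). The resolver step is what makes the name-based case safe: a rule keyed on the literal string "localhost" is bypassed by any DNS name whose record points at 127.0.0.1, so the decision has to be made on the resolved address.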