You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2013/06/28 18:02:20 UTC
[jira] [Created] (TS-1983) ACL rules in remap.config does not take
precedence over rules in ip_allow.config
Leif Hedstrom created TS-1983:
---------------------------------
Summary: ACL rules in remap.config does not take precedence over rules in ip_allow.config
Key: TS-1983
URL: https://issues.apache.org/jira/browse/TS-1983
Project: Traffic Server
Issue Type: Bug
Components: Configuration
Reporter: Leif Hedstrom
Lets say you want to allow DELETE for a small sub-set of requests, based on remap.config rules. The reasonable configuration is to do e.g.
{code}
map http://dav.example.com http://127.0.0.1 @method=DELETE @action=allow
{code}
However, this does not work, since the global "DENY" in ip_allow.config takes precedence (it denies all DELETE's). This is actually sort of a regression I think, it did not use to behave like this I'm fairly certain.
The workaround (which is incredibly cumbersom if you have even a moderately large remap.config, is to inverse the rules. E.g.
{code}
src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE
{code}
and
{code}
map http://other.example.com http://123 @method=DELETE @action=deny
map http://another.example.com http://123 @method=DELETE @action=deny
map http://more.example.com http://123 @method=DELETE @action=deny
.
.
.
{code}
This kinda sucks to maintain, and also opens up a PEBKAC security problem, when someone adds a new remap.config rule and forgets to deny the DELETEs.
I really feel that the ACLs from remap.config (if they match, you can specify IP ranges etc. as well), should take precedence over ip_allow.config.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira