Posted to users@trafficserver.apache.org by Jan-Frode Myklebust <ja...@tanso.net> on 2012/10/23 21:05:02 UTC

Allow only one host access to sub-url

I need to allow the whole world access to https://www.example.com/ but
only one host (src_ip) access to https://www.example.com/service/.
What are the map rules needed to implement this?

Shouldn't something like this be the way to do it?

     map  https://www.example.com/service/ http://backend.example.com/service/ @action=allow @src_ip=8.8.8.8 @action=deny @src_ip=0.0.0.1-254.254.254.254
     map  https://www.example.com/ http://backend.example.com/

Unfortunately I don't seem to be able to get this to work? BTW what
is the order @action and @src_ip should be listed in?


  -jf

Re: Unsubscribe

Posted by Reindl Harald <h....@thelounge.net>.

On 24.10.2012 13:27, Ron West wrote:
> Unsubscribe

and why do you tell this to the list instead of simply unsubscribing?
this is REALLY the same on ALL mailing-lists out there
any mailing-list out there has a welcome message
so people should READ it

each message contains the following mail-headers:
 * List-Help: <ma...@trafficserver.apache.org>
 * List-Unsubscribe: <ma...@trafficserver.apache.org>
 * List-Post: <ma...@trafficserver.apache.org>
 * List-Id: <users.trafficserver.apache.org>


Unsubscribe

Posted by Ron West <we...@ohsu.edu>.
Unsubscribe


RE: Re: Allow only one host access to sub-url

Posted by Luca Rea <lu...@contactlab.com>.
One more to test:

.defflt   service_range1  @action=deny @src_ip=0.0.0.1-192.168.11.10
.defflt   service_range2  @action=deny @src_ip=192.168.11.12-254.254.254.254
.useflt   service_range1
.useflt   service_range2
map  https://www.example.com/service/  http://backend.example.com/service/
.unuseflt service_range1
.unuseflt service_range2
.delflt   service_range1
.delflt   service_range2
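
An added example, not part of the message above and not ATS code: a Python check of which IPv4 addresses the two deny ranges leave unmatched. It only does range arithmetic on the `@src_ip` values, assumes one `@action` per line, and makes no claim about how ATS itself evaluates the filters.

```python
import ipaddress
import re

# Constructed sample: the two filter definitions from the message above.
RULES = """\
.defflt   service_range1  @action=deny @src_ip=0.0.0.1-192.168.11.10
.defflt   service_range2  @action=deny @src_ip=192.168.11.12-254.254.254.254
"""

IPV4_MAX = 2**32 - 1
SRC_IP = re.compile(r"@src_ip=(\S+)")


def parse_ranges(text):
    """Return sorted (start, end) integer pairs for every @src_ip value."""
    ranges = []
    for value in SRC_IP.findall(text):
        lo, _, hi = value.partition("-")
        start = int(ipaddress.IPv4Address(lo))
        end = int(ipaddress.IPv4Address(hi or lo))  # single host: start == end
        if start > end:
            raise ValueError(f"reversed range: {value}")
        ranges.append((start, end))
    return sorted(ranges)


def uncovered(ranges):
    """Return IPv4 gaps, as (first, last) strings, that no range matches."""
    gaps, cursor = [], 0
    for start, end in ranges:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor <= IPV4_MAX:
        gaps.append((cursor, IPV4_MAX))
    addr = ipaddress.IPv4Address
    return [(str(addr(a)), str(addr(b))) for a, b in gaps]


def deny_gaps(text):
    """Gaps left by deny lines (assumes one @action per line, as above)."""
    deny = [line for line in text.splitlines() if "@action=deny" in line]
    return uncovered(parse_ranges("\n".join(deny)))


if __name__ == "__main__":
    for first, last in deny_gaps(RULES):
        print(f"not denied: {first} - {last}")
```

Besides the intended 192.168.11.11, the two ranges also leave 0.0.0.0 and 254.254.254.255-255.255.255.255 unmatched, and being IPv4 ranges they do not match IPv6 clients at all.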

Re: Re: Allow only one host access to sub-url

Posted by Jan-Frode Myklebust <ja...@tanso.net>.
On Tue, Oct 23, 2012 at 11:01 PM, Luca Rea <lu...@contactlab.com> wrote:
> Try also the following form:
>
> map             https://www.example.com/service/ http://backend.example.com/service/ @action=deny @src_ip=0.0.0.0-192.168.11.10
> map             https://www.example.com/service/ http://backend.example.com/service/ @action=allow @src_ip=192.168.11.11
> map             https://www.example.com/service/ http://backend.example.com/service/ @action=deny @src_ip=192.168.11.12-254.254.254.254
>
>

This makes ATS fail to start. Loops over:

[Oct 23 23:23:11.815] Server {0x2abc2146b940} ERROR: Couldn't insert into trie!
[Oct 23 23:23:11.815] Server {0x2abc2146b940} WARNING: Could not insert new mapping
[Oct 23 23:23:11.815] Server {0x2abc2146b940} WARNING: Could not add rule at line #177; Aborting!
[Oct 23 23:23:11.815] Server {0x2abc2146b940} WARNING: [ReverseProxy] Unable to add mapping rule to lookup table at line 177
[Oct 23 23:23:11.815] Server {0x2abc2146b940} WARNING: something failed during BuildTable() -- check your remap plugins!
[Oct 23 23:23:11.815] Server {0x2abc2146b940} WARNING: Can not load the remap table, exiting out!
[Oct 23 23:23:11.821] Manager {0x7f523dece7e0} ERROR: [Alarms::signalAlarm] Server Process was reset
[Oct 23 23:23:11.821] Manager {0x7f523dece7e0} ERROR:  (last system error 2: No such file or directory)



  -jf

RE: Allow only one host access to sub-url

Posted by Luca Rea <lu...@contactlab.com>.
What about the other rules in remap.config?

Re: Allow only one host access to sub-url

Posted by Jan-Frode Myklebust <ja...@tanso.net>.
On Tue, Oct 23, 2012 at 10:49 PM, Luca Rea <lu...@contactlab.com> wrote:
> Are you sure proxy is authorized to access to backend services and 403 is not the error code returned from backend?

Yes, it's ATS. I see it on the format of the error page, and also I
can get to the backend service if I remove the filtering rule.



  -jf

RE: Allow only one host access to sub-url

Posted by Luca Rea <lu...@contactlab.com>.
Are you sure proxy is authorized to access to backend services and 403 is not the error code returned from backend?

Re: Allow only one host access to sub-url

Posted by Jan-Frode Myklebust <ja...@tanso.net>.
On Tue, Oct 23, 2012 at 10:08 PM, Luca Rea <lu...@contactlab.com> wrote:
> Just to know... did you try moving "@action" before the "@src_ip" directive?
>

Yes I did try, but same result.

> What about the other rules in remap.config?

These are the only relevant ones I think:


redirect	http://www.example.com/		https://www.example.com/
map		https://www.example.com/service/	http://backend.example.com/service/ @action=deny @src_ip=0.0.0.1-254.254.254.254
map		https://www.example.com/		http://backend.example.com/


and the middle one is the one I've been messing with to try to give my
single host access.. All other rules in remap.conf are for other
domain names.



  -jf

RE: Allow only one host access to sub-url

Posted by Luca Rea <lu...@contactlab.com>.
Just to know... did you try moving "@action" before the "@src_ip" directive?


R: Re: Allow only one host access to sub-url

Posted by Luca Rea <lu...@contactlab.com>.
Try also the following form:

map             https://www.example.com/service/ http://backend.example.com/service/ @action=deny @src_ip=0.0.0.0-192.168.11.10
map             https://www.example.com/service/ http://backend.example.com/service/ @action=allow @src_ip=192.168.11.11
map             https://www.example.com/service/ http://backend.example.com/service/ @action=deny @src_ip=192.168.11.12-254.254.254.254






Luca Rea

IT Department
System engineer
__________________________________

ContactLab s.r.l.
Via Natale Battaglia 12
20127 Milano
Tel. +39.02.283118.1
Fax. +39.02.70030269
http://www.contactlab.com
__________________________________

E-mail & E-marketing Evolution





FW: Cache Propagation Delay

Posted by "Owens, Steve" <St...@disney.com>.
Forwarding to the DEV group due to the nature of the question.

Put Succinctly:

The question I have is does anybody know what the upper bound is for
propagation delay on cache updates as a consequence of a PUT throughout
the cluster such that all nodes are consistent with regard to the updated
item?


See below for more information.


On 10/23/12 3:01 PM, "Owens, Steve" <St...@disney.com> wrote:

>Recently we ran into issues with regard to cache propagation. The use
>case is as follows:
>
>1. Client does a get on a resource, and the server returns the resource
>and an Etag
>2. Client modifies the resource and does a PUT with an If-Match header.
>3. Repeat 1 and 2 several times
>
>Sometimes 2 succeeds, sometimes 2 fails with the origin service returning
>a 415 error (as per the HTTP spec).
>
>The reason for this is that when you do a PUT on a resource the ATS cache
>will purge any item under that URL.  BUT, it takes time to propagate that
>change throughout the cluster.
>
>We have done gets against the cluster for an updated resource and seen
>stale data returned as much as 10 seconds after the PUT was completed.
>
>The question I have is does anybody know what the upper bound is for
>propagation delay on cache updates as a consequence of a PUT throughout
>the cluster such that all nodes are consistent with regard to the updated
>item?
>
>
>
>
>
>


Cache Propagation Delay

Posted by "Owens, Steve" <St...@disney.com>.
Recently we ran into issues with regard to cache propagation. The use
case is as follows:

1. Client does a get on a resource, and the server returns the resource
and an Etag
2. Client modifies the resource and does a PUT with an If-Match header.
3. Repeat 1 and 2 several times

Sometimes 2 succeeds, sometimes 2 fails with the origin service returning
a 415 error (as per the HTTP spec).

The reason for this is that when you do a PUT on a resource the ATS cache
will purge any item under that URL.  BUT, it takes time to propagate that
change throughout the cluster.

We have done gets against the cluster for an updated resource and seen
stale data returned as much as 10 seconds after the PUT was completed.

The question I have is does anybody know what the upper bound is for
propagation delay on cache updates as a consequence of a PUT throughout
the cluster such that all nodes are consistent with regard to the updated
item?







R: Re: Allow only one host access to sub-url

Posted by Luca Rea <lu...@contactlab.com>.
map             https://www.example.com/service/ http://backend.example.com/service/ @src_ip=0.0.0.0-192.168.11.10 @action=deny @src_ip=192.168.11.11 @action=allow @src_ip=192.168.11.12-254.254.254.254 @action=deny









Re: Allow only one host access to sub-url

Posted by Jan-Frode Myklebust <ja...@tanso.net>.
On Tue, Oct 23, 2012 at 9:22 PM, Luca Rea <lu...@contactlab.com> wrote:
> Try this:
> map  https://www.example.com/service/ http://backend.example.com/service/ @src_ip=0.0.0.0-8.8.8.7 @action=deny @src_ip=8.8.8.8 @action=allow @src_ip=8.8.8.9-254.254.254.254 @action=deny
>

I tried this now:

map             https://www.example.com/service/ http://backend.example.com/service/ @src_ip=0.0.0.0-192.168.11.10 @action=deny @src_ip=192.168.11.11 @action=allow @src_ip=192.168.11.12-254.254.254.254 @action=deny

and when connecting from 192.168.11.11 I get 403:

$ GET https://www.example.com/service/ |head -1
<HEAD><TITLE>Access Denied</TITLE></HEAD>

and in the common.log:

    192.168.11.11 - - [23/Oct/2012:21:31:13 +0100] "GET http://backend.example.com/service/ HTTP/1.1" 403 228




  -jf

R: Allow only one host access to sub-url

Posted by Luca Rea <lu...@contactlab.com>.
Try this:
map  https://www.example.com/service/ http://backend.example.com/service/ @src_ip=0.0.0.0-8.8.8.7 @action=deny @src_ip=8.8.8.8 @action=allow @src_ip=8.8.8.9-254.254.254.254 @action=deny





