Traffic Server / TS-1983

ACL rules in remap.config do not take precedence over rules in ip_allow.config


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 8.0.0
    • Component/s: Configuration
    • Labels:

      Description

      Let's say you want to allow DELETE for a small subset of requests, based on remap.config rules. The reasonable configuration is to do e.g.

      map http://dav.example.com http://127.0.0.1 @method=DELETE @action=allow
      

      However, this does not work, since the global "DENY" in ip_allow.config takes precedence (it denies all DELETEs). This is actually sort of a regression I think; it did not use to behave like this, I'm fairly certain.

      The workaround (which is incredibly cumbersome if you have even a moderately large remap.config) is to invert the rules. E.g.

      src_ip=0.0.0.0-255.255.255.255                    action=ip_deny  method=PUSH|PURGE
      

      and

      map http://other.example.com http://123 @method=DELETE @action=deny
      map http://another.example.com http://123 @method=DELETE @action=deny
      map http://more.example.com http://123 @method=DELETE @action=deny
      .
      .
      .
      

      This kinda sucks to maintain, and also opens up a PEBKAC security problem, when someone adds a new remap.config rule and forgets to deny the DELETEs.

      I really feel that the ACLs from remap.config (if they match, you can specify IP ranges etc. as well) should take precedence over ip_allow.config.
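
A lint for the inverted-rules workaround described above, flagging any remap.config rule that does not carry its own DELETE deny. This is an added example, not Traffic Server code or part of the original report; it assumes one ACL filter per rule line (as in the report's examples), and `allowed_hosts`, the function names and the sample are constructed for illustration.

```python
# Added example: lint for the "invert the rules" workaround in remap.config.
# Assumption: each rule line carries at most one ACL filter, as in the report.
REQUEST_RULES = {"map", "map_with_recv_port", "map_with_referer", "regex_map"}

# Constructed sample, not taken from a real deployment.
SAMPLE = """\
# remap.config (constructed)
map http://dav.example.com http://127.0.0.1
map http://other.example.com http://123 @method=DELETE @action=deny
map http://another.example.com http://123 @action=deny @method=PUSH @method=DELETE
map http://new.example.com http://123
map http://more.example.com http://123 @method=DELETE @action=allow
"""


def parse_rule(line):
    """Return (from_url, actions, methods) for a request-handling rule, else None."""
    fields = line.split()
    if len(fields) < 3 or fields[0] not in REQUEST_RULES:
        return None  # comment, blank line, directive or other rule type
    opts = [f[1:].split("=", 1) for f in fields[3:] if f.startswith("@") and "=" in f]
    actions = {v.lower() for k, v in opts if k.lower() == "action"}
    methods = {v.upper() for k, v in opts if k.lower() == "method"}
    return fields[1], actions, methods


def rules_missing_delete_deny(text, allowed_hosts=frozenset()):
    """List (line_number, from_url) for rules that do not deny DELETE.

    allowed_hosts (hypothetical parameter) names the from-URLs that are meant
    to accept DELETE and are therefore exempt from the check.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        from_url, actions, methods = rule
        denies_delete = "deny" in actions and "DELETE" in methods
        if not denies_delete and from_url not in allowed_hosts:
            findings.append((lineno, from_url))
    return findings


if __name__ == "__main__":
    for lineno, url in rules_missing_delete_deny(SAMPLE, {"http://dav.example.com"}):
        print(f"line {lineno}: {url} does not deny DELETE")
```

Run against the real file in CI or a pre-commit hook so that a newly added rule without the deny fails review instead of reaching production.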


              People

              • Assignee: Alan M. Carroll (amc)
              • Reporter: Leif Hedstrom (zwoop)
