Hi!
I'm running ATS 9.0.2 in docker built from source and while trying to setup stats_over_http plugin and blocking the calls in remap.config I ran into some problems where it just wouldn't block it.
I set it up as described with plugin.config:
stats_over_http.so
and it works. Then to protect my resource I followed the instructions at https://docs.trafficserver.apache.org/en/9.0.x/admin-guide/monitoring/statistics/accessing.en.html#statistics-security-and-privacy but couldnt get it to work at all. All other resources I had mapped were 403'd correctly except the stats endpoint. It seems like the stats plugin is not filtered by remap.config at all!
These are just a few of the mappings that i tried, each one of them being the only one in the remap.config to have as simple config as possible:
map /_stats http://localhost:8080/_stats @action=deny @src_ip=0.0.0.0-255.255.255.255 expected this one to block /_stats, it did not
map / http://127.0.0.1/ats @action=deny expected this one to block everything, it did with a 403, except /_stats
map /atsstats http://127.0.0.1/atsstats @action=deny changed endpoint by loading the plugin like stats_over_http.so atsstats, /_stats gave a 403 as expected but /atsstats still gives a reply, even if it should be denied
The only thing that seems to have worked was using the plugin with a config file:
path=atsstats
allow_ip=127.0.0.1
ip_allow:
- apply: in
ip_addrs: 127.0.0.1
action: allow
methods: ALL
- apply: in
ip_addrs: ::1
action: allow
methods: ALL
- apply: in
ip_addrs: 0/0
action: deny
methods:
- PURGE
- PUSH
- apply: in
ip_addrs: ::/0
action: deny
methods:
- PURGE
- PUSH
Changes that differ from a default records.config:
CONFIG proxy.config.dns.search_default_domains INT 1
CONFIG proxy.config.http.response_server_enabled INT 1
CONFIG proxy.config.body_factory.template_base STRING tmpl
CONFIG proxy.config.http.server_ports STRING 8080
CONFIG proxy.config.http.cache.http INT 0
CONFIG proxy.config.url_remap.pristine_host_hdr INT 1
Is there anyway i can enable some debug flags to find why it doesnt filter correctly? I presume this is not working as intended
This issue has been automatically marked as stale because it has not had recent activity. Marking it stale to flag it for further consideration by the community.
Hi! I'm running ATS 9.0.2 in docker built from source and while trying to setup stats_over_http plugin and blocking the calls in remap.config I ran into some problems where it just wouldn't block it. I set it up as described with plugin.config:
stats_over_http.so
and it works. Then to protect my resource I followed the instructions at https://docs.trafficserver.apache.org/en/9.0.x/admin-guide/monitoring/statistics/accessing.en.html#statistics-security-and-privacy but couldnt get it to work at all. All other resources I had mapped were 403'd correctly except the stats endpoint. It seems like the stats plugin is not filtered by remap.config at all!These are just a few of the mappings that i tried, each one of them being the only one in the remap.config to have as simple config as possible:
map /_stats http://localhost:8080/_stats @action=deny @src_ip=0.0.0.0-255.255.255.255
expected this one to block /_stats, it did notmap / http://127.0.0.1/ats @action=deny
expected this one to block everything, it did with a 403, except /_statsmap /atsstats http://127.0.0.1/atsstats @action=deny
changed endpoint by loading the plugin likestats_over_http.so atsstats
, /_stats gave a 403 as expected but /atsstats still gives a reply, even if it should be deniedThe only thing that seems to have worked was using the plugin with a config file:
Changes that differ from a default records.config:
Is there anyway i can enable some debug flags to find why it doesnt filter correctly? I presume this is not working as intended