
Stats over HTTP not blocked by remap

Open alemagvs opened this issue 4 years ago • 1 comments

Hi! I'm running ATS 9.0.2 in docker built from source and while trying to set up the stats_over_http plugin and blocking the calls in remap.config I ran into some problems where it just wouldn't block it. I set it up as described with plugin.config: stats_over_http.so and it works. Then to protect my resource I followed the instructions at https://docs.trafficserver.apache.org/en/9.0.x/admin-guide/monitoring/statistics/accessing.en.html#statistics-security-and-privacy but couldn't get it to work at all. All other resources I had mapped were 403'd correctly except the stats endpoint. It seems like the stats plugin is not filtered by remap.config at all!

These are just a few of the mappings that I tried, each one of them being the only one in the remap.config to have as simple a config as possible:

  • `map /_stats http://localhost:8080/_stats @action=deny @src_ip=0.0.0.0-255.255.255.255`: expected this one to block /_stats, it did not
  • `map / http://127.0.0.1/ats @action=deny`: expected this one to block everything, it did with a 403, except /_stats
  • `map /atsstats http://127.0.0.1/atsstats @action=deny`: changed endpoint by loading the plugin like `stats_over_http.so atsstats`, /_stats gave a 403 as expected but /atsstats still gives a reply, even if it should be denied

The only thing that seems to have worked was using the plugin with a config file:

path=atsstats
allow_ip=127.0.0.1
ip_allow:
  - apply: in
    ip_addrs: 127.0.0.1
    action: allow
    methods: ALL
  - apply: in
    ip_addrs: ::1
    action: allow
    methods: ALL
  - apply: in
    ip_addrs: 0/0
    action: deny
    methods:
      - PURGE
      - PUSH
  - apply: in
    ip_addrs: ::/0
    action: deny
    methods:
      - PURGE
      - PUSH

Changes that differ from a default records.config:

CONFIG proxy.config.dns.search_default_domains INT 1
CONFIG proxy.config.http.response_server_enabled INT 1
CONFIG proxy.config.body_factory.template_base STRING tmpl
CONFIG proxy.config.http.server_ports STRING 8080
CONFIG proxy.config.http.cache.http INT 0
CONFIG proxy.config.url_remap.pristine_host_hdr INT 1

Is there any way I can enable some debug flags to find why it doesn't filter correctly? I presume this is not working as intended.

alemagvs, Jul 26 '21 13:07
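
An added example, not part of the original issue or the Traffic Server project: since the post found that only the plugin's own config file restricted the endpoint, this Python check audits such a file for missing or world-open allow lists. It assumes the key=value format shown in the post, the plugin's `allow_ip6` key, and that an unset list means no restriction; the function name and sample configs are constructed.

```python
import ipaddress

def audit_stats_config(text):
    """Return findings for the text of a stats_over_http plugin config file."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()

    findings = []
    # Assumption: a missing allow list leaves that address family unrestricted.
    for key in ("allow_ip", "allow_ip6"):
        if not settings.get(key):
            findings.append(f"{key} not set: no source restriction for this family")
            continue
        for item in settings[key].split(","):
            try:
                net = ipaddress.ip_network(item.strip(), strict=False)
            except ValueError:
                findings.append(f"{key}: cannot parse {item.strip()!r}")
                continue
            # Check the catch-all prefix first; it must never count as "private".
            if net.prefixlen == 0:
                findings.append(f"{key}: {net} admits every address")
            elif not net.is_private:
                findings.append(f"{key}: {net} is a public range")
    return findings

# Constructed samples: the first is the config file from the post.
POSTED = "path=atsstats\nallow_ip=127.0.0.1\n"
HARDENED = POSTED + "allow_ip6=::1\n"
WIDE_OPEN = "path=_stats\nallow_ip=0.0.0.0/0,8.8.8.0/24\nallow_ip6=::/0\n"

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("hardened", HARDENED), ("wide open", WIDE_OPEN)):
        print(name, audit_stats_config(cfg) or "ok")
```

Run it against the deployed plugin config in CI or at container build time so a stats endpoint without an address restriction is caught before it ships.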

This issue has been automatically marked as stale because it has not had recent activity. Marking it stale to flag it for further consideration by the community.

github-actions[bot], Jul 27 '22 02:07