bionic (5) ip_allow.config.5.gz

Provided by: trafficserver_7.1.2+ds-3_amd64

NAME

       ip_allow.config - Traffic Server IP access control configuration file

       The  ip_allow.config  file  controls  client  access to the Traffic Server proxy cache and Traffic Server
       connections to the servers. You can specify ranges of IP addresses that are allowed to  use  the  Traffic
       Server  as  a  web proxy cache or that are allowed to be remapped by Traffic Server. After you modify the
       ip_allow.config file, navigate to the Traffic Server bin directory and run the traffic_ctl config  reload
       command to apply changes. When you apply the changes to a node in a cluster, Traffic Server automatically
       applies the changes to all other nodes in the cluster.

FORMAT

       Each line in the ip_allow.config file must have the following format:

          src_ip=<range of IP addresses> action=<action> [method=<list of methods separated by '|'>]
          dest_ip=<range of IP addresses> action=<action> [method=<list of methods separated by '|'>]

       where src_ip is the IP address or range of IP addresses of the client(s) and dest_ip is the IP address or
       range of IP addresses of the server(s). When src_ip is given, the action ip_allow permits the specified
       client(s) to access the Traffic Server proxy cache, and ip_deny denies the specified client(s) access to
       the Traffic Server proxy cache. When dest_ip is given, the action ip_allow permits Traffic Server to
       access the specified server(s), and ip_deny denies Traffic Server access to the specified server(s).
       Multiple method keywords can be specified (method=GET method=HEAD), or multiple methods can be separated
       by '|' (method=GET|HEAD). The method keyword is optional and defaults to ALL. Any string is accepted as
       the HTTP method; no validation is done to check whether it is a valid HTTP method, so a misspelled
       method name is accepted as written. This allows you to create filters for any method that your origin
       may require, which is especially useful if you use newer methods that aren't known to Traffic Server
       (such as PROPFIND) or if your origin uses an HTTP-like protocol.

       By default, the ip_allow.config file contains the following lines, which allow localhost to access the
       Traffic Server proxy cache with all methods and deny PUSH, PURGE and DELETE to all IPs (note that this
       allows all other methods to all IPs):

          src_ip=127.0.0.1                                  action=ip_allow method=ALL
          src_ip=::1                                        action=ip_allow method=ALL
          src_ip=0.0.0.0-255.255.255.255                    action=ip_deny  method=PUSH|PURGE|DELETE
          src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny  method=PUSH|PURGE|DELETE
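
       A lint pass over the format above, as an added example rather than code from the Traffic Server
       project: because method names are not validated, it flags names outside an assumed list
       (KNOWN_METHODS) so that a typo in a deny rule is caught, and it also reports inverted ranges and src_ip
       rules that allow every address with all methods. The function names, finding labels and sample file
       are constructed for illustration.

```python
import ipaddress

# Assumption: names this linter expects; anything else is only flagged for review.
KNOWN_METHODS = set("ALL GET HEAD POST PUT DELETE OPTIONS TRACE CONNECT PATCH PUSH PURGE".split())

def parse_range(text):
    """Parse 'addr' or 'first-last' (IPv4 or IPv6) into a (first, last) pair."""
    lo, _, hi = text.partition("-")
    first = ipaddress.ip_address(lo)
    last = ipaddress.ip_address(hi) if hi else first
    if first.version != last.version or first > last:
        raise ValueError("inverted or mixed-family range: " + text)
    return first, last

def lint(config_text):
    """Return (line_number, finding) tuples for an ip_allow.config body."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        keys, methods = {}, []
        for key, _, value in (tok.partition("=") for tok in line.split()):
            if key == "method":               # repeated keywords and '|' lists both count
                methods += value.split("|")
            else:
                keys[key] = value
        target = keys.get("src_ip") or keys.get("dest_ip")
        if target is None or keys.get("action") not in ("ip_allow", "ip_deny"):
            findings.append((n, "malformed"))
            continue
        try:
            first, last = parse_range(target)
        except ValueError:
            findings.append((n, "bad-range"))
            continue
        methods = methods or ["ALL"]          # method is optional and defaults to ALL
        findings += [(n, "unknown-method:" + m) for m in methods if m not in KNOWN_METHODS]
        whole = int(first) == 0 and int(last) == 2 ** first.max_prefixlen - 1
        if whole and "src_ip" in keys and keys["action"] == "ip_allow" and "ALL" in methods:
            findings.append((n, "open-to-all-clients"))
    return findings

# Constructed sample, not a real deployment's file.
SAMPLE = """\
src_ip=127.0.0.1 action=ip_allow method=ALL
src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURG|DELETE
src_ip=10.0.0.9-10.0.0.1 action=ip_allow
src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_allow
"""
```

       In the sample, the misspelled PURG on line 2 means the deny rule no longer names PURGE, which is the
       case the unknown-method finding is meant to surface.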

EXAMPLES

       The following example enables all clients to access the Traffic Server proxy cache:

          src_ip=0.0.0.0-255.255.255.255 action=ip_allow

       The following example allows all clients on a specific subnet to access the Traffic Server proxy cache:

          src_ip=123.12.3.000-123.12.3.123 action=ip_allow

       The following example denies all clients on a specific subnet access to the Traffic Server proxy cache:

          src_ip=123.45.6.0-123.45.6.123 action=ip_deny

       The following example enables the Traffic Server to access all servers:

          dest_ip=0.0.0.0-255.255.255.255 action=ip_allow

       The following example denies Traffic Server access to all servers on a specific subnet:

          dest_ip=10.0.0.0-10.0.0.255 action=ip_deny

       2018, dev@trafficserver.apache.org