Provided by: trafficserver_8.0.5+ds-3_amd64

NAME

       ip_allow.config - Traffic Server IP access control configuration file

       The  ip_allow.config  file controls client access to Traffic Server and Traffic Server connections to the
       servers.  You can specify ranges of IP addresses that are allowed to connect to Traffic  Server  or  that
       are  allowed to be remapped by Traffic Server. After you modify the ip_allow.config file, navigate to the
       Traffic Server bin directory and run the traffic_ctl config reload command to apply changes.

FORMAT

       Each line in the ip_allow.config file must have one of the following formats:

          src_ip=<range of IP addresses> action=<action> [method=<list of methods separated by '|'>]
          dest_ip=<range of IP addresses> action=<action> [method=<list of methods separated by '|'>]

       For src_ip the remote inbound connection address, i.e. the IP address of the client, is  checked  against
       the specified range of IP addresses. For dest_ip the outbound remote address (i.e. the IP address to which
       Traffic Server connects) is checked against the specified IP address range.

       Range  specifications  can  be IPv4 or IPv6, but any single range must be one or the other. Ranges can be
       specified by two addresses, the lower address and the upper address, separated by  a  dash,  -.   Such  a
       range is inclusive: it contains the lower and upper addresses and all addresses in between. A range can
       also be specified by an address and a CIDR mask, separated by a slash, /. This case is converted to a
       range of the previous form by retaining only the leftmost mask bits, clearing the rest for the lower
       address and setting them for the upper address. For instance, a mask of 23 would mean the leftmost 23 bits
       are kept and all bits to the right are cleared (lower address) or set (upper address). Finally, a range
       can be a single IP address which matches exactly that address (the equivalent of a range with the lower
       and upper values equal to that IP address).

       The value of method is a string which must consist of either HTTP method names separated by the character
       '|' or the keyword literal ALL. The method keyword may be omitted, in which case the rule is treated as if
       it were method=ALL. Methods can also be specified by having multiple instances of the method keyword, each
       specifying a single method. E.g., method=GET|HEAD is the same as method=GET method=HEAD. The method names
       are not validated, which means non-standard method names can be specified.

       The  action  must be either ip_allow or ip_deny. This controls what Traffic Server does if the address is
       in the range and the method matches. If there is a match,  Traffic  Server  allows  the  connection  (for
       ip_allow) or denies it (ip_deny).

       For each inbound or outbound connection the applicable rule is selected by first match on the IP address.
       The rule is then applied (if the method matches) or its  opposite  is  applied  (if  the  method  doesn't
       match).  If  no  rule  is  matched  access  is allowed. This makes each rule both an accept and deny, one
       explicit and the other implicit. The src_ip rules are checked when a host connects to Traffic Server. The
       dest_ip rules are checked when Traffic Server connects to another host.

       By default the ip_allow.config file contains the following lines, which allows all methods to connections
       from localhost and denies the PUSH, PURGE and DELETE methods to all other IP addresses (note this  allows
       all other methods to all IP addresses):

          src_ip=127.0.0.1                                  action=ip_allow method=ALL
          src_ip=::1                                        action=ip_allow method=ALL
          src_ip=0.0.0.0-255.255.255.255                    action=ip_deny  method=PUSH|PURGE|DELETE
          src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny  method=PUSH|PURGE|DELETE

       This could also be specified as:

          src_ip=127.0.0.1   action=ip_allow method=ALL
          src_ip=::1         action=ip_allow method=ALL
          src_ip=0/0         action=ip_deny  method=PUSH|PURGE|DELETE
          src_ip=::/0        action=ip_deny  method=PUSH|PURGE|DELETE

EXAMPLES

       The following example grants all clients access:

          src_ip=0.0.0.0-255.255.255.255 action=ip_allow

       The following example allows access to all clients on addresses in a subnet:

          src_ip=123.12.3.000-123.12.3.123 action=ip_allow

       The following example denies access to all clients on addresses in a subnet:

          src_ip=123.45.6.0-123.45.6.123 action=ip_deny

       If the entire subnet were to be denied, that would be:

          src_ip=123.45.6.0/24 action=ip_deny

       The following example allows connections to any upstream servers:

          dest_ip=0.0.0.0-255.255.255.255 action=ip_allow

       Alternatively this can be done with:

          dest_ip=0/0 action=ip_allow

       The following example denies access to all servers on a specific subnet:

          dest_ip=10.0.0.0-10.0.255.255 action=ip_deny

       Alternatively:

          dest_ip=10.0.0.0/16 action=ip_deny

       If the goal is to allow only GET and HEAD requests to those servers, it would be:

          dest_ip=10.0.0.0/16 action=ip_allow method=GET method=HEAD

       or:

          dest_ip=10.0.0.0/16 action=ip_allow method=GET|HEAD

       This  will match the IP address of the target servers on the outbound connection. Then, if the method is
       GET or HEAD the connection will be allowed; otherwise the connection will be denied.
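       The parsing and matching rules spelled out in FORMAT (the three range forms, the method keyword with '|'
       or repeated keys, first match on the address, the implicit opposite action on a method mismatch, and
       allow-by-default when nothing matches) and the GET/HEAD upstream example just above are worked through
       in the following Python model. It is an added example, not Traffic Server's own code. It assumes that a
       '#' starts a comment and that an abbreviated IPv4 address such as the 0 in 0/0 is padded with zero
       octets; the default rule set and the dest_ip example from this page are embedded as constructed input.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Added example: a small model of ip_allow.config parsing and evaluation as the
# man page describes it. This is not Traffic Server code.


@dataclass(frozen=True)
class Rule:
    direction: str                     # "src_ip" or "dest_ip"
    version: int                       # 4 or 6; a rule only applies to its own family
    lower: int                         # inclusive lower bound, as an integer
    upper: int                         # inclusive upper bound, as an integer
    allow: bool                        # True for ip_allow, False for ip_deny
    methods: Optional[FrozenSet[str]]  # None stands for method=ALL


def _normalize_v4(text: str) -> str:
    """Pad abbreviated dotted quads ('0' -> '0.0.0.0', '10' -> '10.0.0.0') and
    drop leading zeros in octets ('000' -> '0'). Assumption: this is how the
    page's 0/0 and 123.12.3.000 spellings are meant to be read."""
    if text and all(c.isdigit() or c == "." for c in text):
        octets = [str(int(o)) for o in text.split(".")]
        return ".".join(octets + ["0"] * (4 - len(octets)))
    return text  # IPv6 or anything else is left for ipaddress to validate


def parse_range(text: str) -> Tuple[int, int, int]:
    """Return (lower, upper, version) for 'a-b', 'a/n' or a single address."""
    if "-" in text:                                   # lower-upper, inclusive
        lo_s, hi_s = text.split("-", 1)
        lo = ipaddress.ip_address(_normalize_v4(lo_s))
        hi = ipaddress.ip_address(_normalize_v4(hi_s))
        if lo.version != hi.version:
            raise ValueError(f"range {text!r} mixes IPv4 and IPv6")
        if lo > hi:
            raise ValueError(f"range {text!r} has lower above upper")
        return int(lo), int(hi), lo.version
    if "/" in text:                                   # address/CIDR mask
        addr_s, bits = text.split("/", 1)
        net = ipaddress.ip_network(f"{_normalize_v4(addr_s)}/{bits}", strict=False)
        # network_address keeps the leftmost mask bits and clears the rest;
        # broadcast_address keeps them and sets the rest, exactly as FORMAT says.
        return int(net.network_address), int(net.broadcast_address), net.version
    addr = ipaddress.ip_address(_normalize_v4(text))  # single address
    return int(addr), int(addr), addr.version


def parse_line(line: str) -> Optional[Rule]:
    """Parse one ip_allow.config line; None for blank lines and comments."""
    body = line.split("#", 1)[0].strip()   # assumption: '#' starts a comment
    if not body:
        return None
    fields = {}
    methods: List[str] = []
    for token in body.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed token {token!r} in {line!r}")
        if key == "method":
            methods.extend(value.split("|"))   # method=GET|HEAD or repeated keys
        else:
            fields[key] = value
    direction = "src_ip" if "src_ip" in fields else "dest_ip"
    if direction not in fields or "action" not in fields:
        raise ValueError(f"rule needs src_ip or dest_ip and action: {line!r}")
    if fields["action"] not in ("ip_allow", "ip_deny"):
        raise ValueError(f"unknown action {fields['action']!r} in {line!r}")
    lower, upper, version = parse_range(fields[direction])
    # A missing method keyword or the literal ALL matches every method.
    method_set = None if (not methods or "ALL" in methods) else frozenset(methods)
    return Rule(direction, version, lower, upper, fields["action"] == "ip_allow", method_set)


def parse_config(text: str) -> List[Rule]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def is_allowed(rules: List[Rule], direction: str, address: str, method: str) -> bool:
    """First rule whose range holds the address decides: a method match applies
    the rule's action, a mismatch applies the opposite; no match means allow."""
    addr = ipaddress.ip_address(address)
    n = int(addr)
    for rule in rules:
        if rule.direction != direction or rule.version != addr.version:
            continue
        if rule.lower <= n <= rule.upper:
            method_matches = rule.methods is None or method in rule.methods
            return rule.allow if method_matches else not rule.allow
    return True


# Constructed input: the default rule set from the man page, in both spellings,
# and the dest_ip GET/HEAD example from EXAMPLES.
DEFAULT_LONG = """\
src_ip=127.0.0.1                                  action=ip_allow method=ALL
src_ip=::1                                        action=ip_allow method=ALL
src_ip=0.0.0.0-255.255.255.255                    action=ip_deny  method=PUSH|PURGE|DELETE
src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny  method=PUSH|PURGE|DELETE
"""
DEFAULT_SHORT = """\
src_ip=127.0.0.1   action=ip_allow method=ALL
src_ip=::1         action=ip_allow method=ALL
src_ip=0/0         action=ip_deny  method=PUSH|PURGE|DELETE
src_ip=::/0        action=ip_deny  method=PUSH|PURGE|DELETE
"""
UPSTREAM_GET_HEAD = "dest_ip=10.0.0.0/16 action=ip_allow method=GET|HEAD\n"

if __name__ == "__main__":
    rules = parse_config(DEFAULT_SHORT)
    for addr, method in [("127.0.0.1", "DELETE"), ("192.0.2.10", "DELETE"), ("192.0.2.10", "GET")]:
        verdict = "allow" if is_allowed(rules, "src_ip", addr, method) else "deny"
        print(f"{addr:>12} {method:<7} -> {verdict}")
```

       Note that with the default rules a DELETE from a non-local client is denied while a GET from the same
       client is allowed, because the deny rule's method list does not match and its opposite is applied; a
       dest_ip lookup with no dest_ip rules at all is allowed, which is the fallback described in FORMAT.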

COPYRIGHT

       2020, dev@trafficserver.apache.org

8.0                                               Feb 03, 2020                                IP_ALLOW.CONFIG(5)